
The Digital Hunt: Tracking LOTL in Your Network - Part III


Integrating Logs with SIEM Systems
Integrating Sysmon logs with Security Information and Event Management (SIEM) systems and applying correlation rules can significantly enhance the detection of advanced attack scenarios. This integration allows for the automation of the detection process and the application of analytics to identify complex patterns of malicious activity.
Linux and macOS Considerations
On Linux machines, enabling Auditd or Sysmon for Linux logging and integrating these logs with a SIEM platform can greatly improve the detection of anomalous activities. For macOS, utilizing tools like Santa, an open-source binary authorization system, can help monitor process executions and detect abnormal behavior by productivity applications.
Review Configurations
Regularly reviewing and updating system configurations is essential to ensure that security measures remain effective against evolving threats. This includes verifying that logging settings are appropriately configured to capture relevant data and that security controls are aligned with current best practices. Organizations should also assess the use of allowlists and other access control mechanisms to prevent the misuse of legitimate tools by malicious actors.
Regular reviews of host configurations against established baselines are essential for catching indicators of compromise (IOCs) that may not be reverted through regular group policy updates. This includes changes to installed software, firewall configurations, and updates to core files such as the Hosts file, which is used for DNS resolution. Such reviews can reveal discrepancies that signal unauthorized modifications or the presence of malicious software.
📌 Bypassing Standard Event Logs: Cyber threat actors have been known to bypass standard event logs by directly writing to the registry to register services and scheduled tasks. This method does not create standard system events, making it a stealthy way to establish persistence or execute tasks without triggering alerts.
📌 System Inventory Audits: Conducting regular system inventory audits is a proactive measure to catch adversary behavior that may have been missed by event logs, whether due to incorrect event capture or activities that occurred before logging enhancements were deployed. These audits help ensure that any changes to the system are authorized and accounted for.
Behavioral Analysis
Comparing activity against normal user behavior is key to detecting anomalies. Unusual behaviors to look out for include odd login hours, access outside of expected work schedules or holiday breaks, rapid succession or high volume of access attempts, unusual access paths, concurrent sign-ins from multiple locations, and instances of impossible time travel.
NTDSUtil.exe and PSExec.exe
Specific attention is given to detecting misuse of NTDSUtil.exe and PSExec.exe, tools that, while legitimate, are often leveraged by attackers for malicious purposes, such as attempts to dump credentials or move laterally across the network. By focusing on the behavioral context of these tools' usage, organizations can more effectively distinguish between legitimate and malicious activities.
The Exploitation Process
A common tactic involves creating a volume shadow copy of the system drive, typically using vssadmin.exe with commands like Create Shadow /for=C:. This action captures a snapshot of the system's current state, including the Active Directory database. Following this, ntdsutil.exe is employed to interact with this shadow copy through a specific command sequence (ntdsutil snapshot "activate instance ntds" create quit quit). The attackers then access the shadow copy to extract the ntds.dit file from a specified directory. This sequence aims to retrieve sensitive credentials, such as hashed passwords, from the Active Directory, enabling full domain compromise.
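A SIEM correlation rule of the kind described in the "Integrating Logs with SIEM Systems" section, applied to the vssadmin/ntdsutil sequence above, as an added example that is not part of the original article. It runs over constructed Sysmon Event ID 1 (process creation) records; the host names, users and timestamps are made up, and the 30-minute window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 records, flattened the way a SIEM would export them.
# Field names follow Sysmon's schema; hosts, users and times are invented.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 02:11:05", "Computer": "DC01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"UtcTime": "2024-03-01 02:12:40", "Computer": "DC01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe snapshot "activate instance ntds" create quit quit'},
    {"UtcTime": "2024-03-01 09:00:00", "Computer": "WS17", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},   # benign: no shadow created
]

# Stage 1: a shadow copy is created. Stage 2: ntdsutil works on the NTDS snapshot / ntds.dit.
STAGE1 = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.IGNORECASE)
STAGE2 = re.compile(r"ntdsutil(\.exe)?.*(snapshot|ntds\.dit)", re.IGNORECASE)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate_ntds_dump(events, window=timedelta(minutes=30)):
    """Return one alert per stage-2 event that follows a stage-1 event on the same host
    within `window`. Events are grouped per host and sorted by time first."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["Computer"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_time(e["UtcTime"]))
        stage1_times = []  # shadow-copy creations seen so far on this host
        for ev in evs:
            cmd, t = ev["CommandLine"], parse_time(ev["UtcTime"])
            if STAGE1.search(cmd):
                stage1_times.append(t)
            elif STAGE2.search(cmd) and any(0 <= (t - s).total_seconds() <= window.total_seconds()
                                            for s in stage1_times):
                alerts.append({"host": host, "user": ev["User"], "at": ev["UtcTime"], "cmd": cmd})
    return alerts


if __name__ == "__main__":
    for a in correlate_ntds_dump(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} {a['user']} {a['at']}: {a['cmd']}")
```

A lone stage-2 event with no preceding shadow copy does not fire this rule; pair it with a simpler single-event rule on ntdsutil if your baseline shows that binary is never used on the host.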