The Digital Hunt: Tracking LOTL in Your Network - Part II


Authentication Logs
📌Authentication logs play a vital role in identifying unauthorized access attempts and tracking user activities across the network. The guidance recommends ensuring that logging is enabled for all control plane operations, including API calls and end-user logins, through services like Amazon Web Services CloudTrail, Azure Activity Log, and Google Cloud Audit Logs. These logs can provide valuable insights into potential LOTL activities by highlighting unusual access patterns or attempts to exploit authentication mechanisms.
📌A robust strategy for the separation of privileges is essential for identifying LOTL techniques through authentication logs. Practices such as restricting domain administrator accounts to only log into domain controllers and using Privileged Access Workstations (PAWs) in conjunction with bastion hosts can minimize credential exposure and reinforce network segmentation. Multifactor authentication adds an additional layer of security.
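The separation-of-privilege rules above translate directly into detection logic. The following is an added example (not code from the original article or from the guidance it summarises): it runs two checks over constructed, normalised logon records in the shape of a Windows Security 4624 event, flagging domain administrator logons to any host outside the domain-controller and PAW tier, and interactive logons that arrived without MFA. The account names, host names, the `mfa` field (assumed to be supplied by the identity provider) and the records themselves are invented.

```python
# Added example, not from the original article. Account names, host names
# and the logon records are constructed; the "mfa" field is assumed to be
# stamped on the record by the identity provider.

# Accounts the organisation treats as domain administrators (assumed list).
DOMAIN_ADMIN_ACCOUNTS = {"CORP\\da-alice", "CORP\\da-bob"}

# Hosts those accounts are permitted to log on to: the domain controllers and
# the Privileged Access Workstations used to reach them (assumed list).
PERMITTED_ADMIN_HOSTS = {"DC01", "DC02", "PAW-ALICE", "PAW-BOB"}

# Windows logon types that open an interactive session (console, RDP, cached).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed logon records in the shape of a normalised Security 4624 event.
SAMPLE_LOGONS = [
    {"account": "CORP\\da-alice", "host": "DC01",      "logon_type": 2,  "mfa": True},
    {"account": "CORP\\da-alice", "host": "FILESRV07", "logon_type": 10, "mfa": True},
    {"account": "CORP\\jdoe",     "host": "WS-0412",   "logon_type": 2,  "mfa": False},
    {"account": "CORP\\da-bob",   "host": "WS-0419",   "logon_type": 3,  "mfa": False},
]


def check_logon(record):
    """Return the list of policy findings for one logon record (empty if clean)."""
    findings = []
    # Rule 1: domain admin credentials must never touch a non-DC/PAW host.
    if record["account"] in DOMAIN_ADMIN_ACCOUNTS and record["host"] not in PERMITTED_ADMIN_HOSTS:
        findings.append("domain admin logon outside DC/PAW tier")
    # Rule 2: interactive sessions must have been established with MFA.
    # Logon type 3 (network) is deliberately excluded from this rule.
    if record["logon_type"] in INTERACTIVE_LOGON_TYPES and not record["mfa"]:
        findings.append("interactive logon without MFA")
    return findings


def audit_logons(records):
    """Map (account, host) -> findings for every record that triggered a rule."""
    return {(r["account"], r["host"]): f for r in records if (f := check_logon(r))}


if __name__ == "__main__":
    for key, findings in audit_logons(SAMPLE_LOGONS).items():
        print(key, findings)
```

The network logon by `da-bob` is reported only for the tier violation, not for missing MFA, because type 3 logons are not interactive sessions; extend `INTERACTIVE_LOGON_TYPES` if your policy also requires MFA for remote-interactive tooling that shows up as type 3.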
Host-based Logs
Sysmon and other host-based logging tools offer granular visibility into system activities that can indicate LOTL exploitation. By capturing detailed information about process creations, network connections, and file system changes, these tools can help organizations detect and investigate suspicious behavior that might otherwise go unnoticed.
Establishing Baselines and Secure Logging
A foundational step in detecting abnormal or potentially malicious behavior is the establishment of baselines for running tools and activities. This involves understanding the normal operational patterns of a system to identify deviations that may indicate a security threat. It's also essential to rely on secure logs that are less susceptible to tampering by adversaries. For instance, while Linux .bash_history files can be modified by nonprivileged users, system-level auditd logs are more secure and provide a reliable record of activities.
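As an added example (not code from the original article), the block below learns a baseline of which executables each (host, user) pair ran during a window believed to be clean, then flags executions in a later window that fall outside it. It also carries the second point of the paragraph: a deviation reported by a tamper-resistant source such as auditd or Sysmon is rated higher than one reported by a source an unprivileged user could rewrite, such as `.bash_history`. The records, host names, user names and field names are constructed and simplified.

```python
# Added example, not from the original article. Records, host and user names
# are constructed; the record field names are assumed.
from collections import defaultdict

# Sources whose records an unprivileged user cannot rewrite (system-level
# audit daemons), as opposed to a user-writable shell history file.
TRUSTED_SOURCES = {"auditd", "sysmon"}

# Constructed records from a period believed to be clean.
BASELINE_WINDOW = [
    {"host": "web01",   "user": "deploy",   "image": "/usr/bin/systemctl",     "source": "auditd"},
    {"host": "web01",   "user": "deploy",   "image": "/usr/bin/git",           "source": "auditd"},
    {"host": "web01",   "user": "www-data", "image": "/usr/sbin/nginx",        "source": "auditd"},
    {"host": "WS-0412", "user": "jdoe",     "image": "C:\\Windows\\explorer.exe", "source": "sysmon"},
]

# Constructed records from the period being hunted.
HUNT_WINDOW = [
    {"host": "web01",   "user": "deploy",   "image": "/usr/bin/git",           "source": "auditd"},
    {"host": "web01",   "user": "www-data", "image": "/usr/bin/curl",          "source": "auditd"},
    {"host": "web01",   "user": "deploy",   "image": "/usr/bin/nc",            "source": "bash_history"},
    {"host": "WS-0412", "user": "jdoe",     "image": "C:\\Windows\\Explorer.EXE", "source": "sysmon"},
]


def build_baseline(records):
    """Map (host, user) -> set of executables seen for that pair.

    Paths are case-folded so that Windows paths differing only in case
    compare equal."""
    baseline = defaultdict(set)
    for r in records:
        baseline[(r["host"], r["user"])].add(r["image"].lower())
    return baseline


def find_deviations(baseline, records):
    """Return (record, confidence) for every execution absent from the baseline.

    Confidence is "high" when the record comes from a tamper-resistant source
    and "low" when it comes from one the user could have edited."""
    deviations = []
    for r in records:
        known = baseline.get((r["host"], r["user"]), set())
        if r["image"].lower() not in known:
            confidence = "high" if r["source"] in TRUSTED_SOURCES else "low"
            deviations.append((r, confidence))
    return deviations


if __name__ == "__main__":
    for record, confidence in find_deviations(build_baseline(BASELINE_WINDOW), HUNT_WINDOW):
        print(confidence, record["host"], record["user"], record["image"])
```

The web server account running `curl` is a high-confidence deviation because auditd recorded it; the `nc` execution is reported at low confidence since the only evidence is a shell history file, and the absence of a matching auditd record is itself worth a look. A real deployment would key the baseline on more than the executable path (parent process, command-line shape, time of day), but the structure is the same.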
Leveraging Sysmon in Windows Environments
📌Sysmon, a Windows system monitoring tool, offers granular insights into activities such as process creations, network connections, and registry modifications. This detailed logging is invaluable for security teams in hunting for and detecting the misuse of legitimate tools and utilities. Key strategies include:
📌Using the OriginalFileName property to identify renamed files, which may indicate malicious activity. For most Microsoft utilities, the original filenames are stored in the PE header, providing a method to detect file tampering.
📌Implementing detection techniques to identify the malicious use of command-line and scripting utilities, especially those exploiting Alternate Data Streams (ADS). Monitoring specific command-line arguments or syntax used to interact with ADS can reveal attempts to execute or interact with hidden payloads.
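Both strategies can be checked against Sysmon Event ID 1 (process creation) records. The block below is an added example, not code from the original article: it compares the file name on disk with the `OriginalFileName` value Sysmon reads from the PE header, for the utilities named above, and scans the command line for `file:stream` syntax, which is how Alternate Data Streams are addressed. The records, paths and command lines are constructed; the field names follow the Sysmon event schema.

```python
# Added example, not from the original article. The events, paths and
# command lines are constructed; field names follow Sysmon's Event ID 1 schema.
import ntpath
import re

# Utilities whose renaming is worth flagging (the ones named in the article).
WATCHED_ORIGINALS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# file.ext:stream, where the stream part is not just a port-like number
# (so host:8080 does not match). Deliberately narrow; widen with care.
ADS_PATTERN = re.compile(r"\b[\w.-]+\.\w+:(?!\d+\b)[\w.$-]+")

# Constructed Sysmon process-creation records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Image": r"C:\Users\Public\updater.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "updater.exe -nop -Command Get-Date"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\readme.txt:launch.vbs"},
]


def renamed_utility(event):
    """Return a finding when the file name on disk differs from the name compiled
    into the PE header, for the watched utilities; None otherwise."""
    on_disk = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    if original in ("", "-", "?"):   # Sysmon could not read a version resource
        return None
    if original in WATCHED_ORIGINALS and original != on_disk:
        return f"{on_disk} is really {original}"
    return None


def ads_references(event):
    """Return every file:stream reference found in the command line."""
    return ADS_PATTERN.findall(event.get("CommandLine", ""))


def analyze(event):
    """Collect all findings for one event as a list of strings."""
    findings = []
    rename = renamed_utility(event)
    if rename:
        findings.append("renamed utility: " + rename)
    for ref in ads_references(event):
        findings.append("ADS reference: " + ref)
    return findings


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(ntpath.basename(event["Image"]), analyze(event))
```

The comparison is case-insensitive because the header value (`PowerShell.EXE`) and the on-disk name rarely agree in case. An empty or `-` `OriginalFileName` is skipped rather than flagged, since many legitimate binaries ship without a version resource; treat those separately from a confirmed mismatch.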
Targeted Detection Strategies
Enhancing Sysmon configurations to log and scrutinize command-line executions, with a focus on patterns indicative of obfuscation, can help identify attempts by cyber threat actors to bypass security monitoring tools. Examples include the extensive use of escape characters, concatenation of commands, and the employment of Base64 encoding.
Monitoring Suspicious Process Chains
Monitoring for suspicious process chains, such as Microsoft Office documents initiating scripting processes, is a key indicator of LOTL activity. It's uncommon for Office applications to launch scripting processes like cmd.exe, PowerShell, wscript.exe, or cscript.exe. A process creation of that kind, or the execution of unusual commands from an Office application, is a red flag that warrants further investigation.
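The two preceding sections describe detections that are naturally applied together to the same Sysmon process-creation record. The block below is an added example, not code from the original article: it scores a command line for the three obfuscation indicators named above (escape characters, concatenation, Base64) and checks whether an Office parent spawned one of the scripting processes listed. The thresholds, the Office process names and the sample records are assumptions; the Base64 sample is a benign `Write-Output` string encoded the way PowerShell's `-EncodedCommand` expects, built inline so the sample stays harmless.

```python
# Added example, not from the original article. Process names, thresholds and
# the sample records are assumed; the Base64 blob is built from benign text.
import base64
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

ESCAPE_CHARS = re.compile(r"[\^`]")                   # cmd '^' and PowerShell '`'
STRING_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")   # 'Get-'+'Pro'+'cess'
COMMAND_CHAIN = re.compile(r"&&|\|\||;")              # several commands in one line
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Benign text, UTF-16LE encoded as -EncodedCommand requires; sample input only.
_SAMPLE_B64 = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()

# Constructed Sysmon process-creation records.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c p^o^w^e^r^s^h^e^l^l -enc {_SAMPLE_B64}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-Date"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c ('Get-'+'Pro'+'cess')"},
]


def obfuscation_indicators(cmdline):
    """Return the obfuscation indicators present in a command line.

    Thresholds are assumptions: a couple of escape characters or one ';' is
    normal, so each indicator needs repeated use before it fires."""
    indicators = []
    if len(ESCAPE_CHARS.findall(cmdline)) >= 3:
        indicators.append("escape characters")
    if len(STRING_CONCAT.findall(cmdline)) >= 2 or len(COMMAND_CHAIN.findall(cmdline)) >= 2:
        indicators.append("concatenation")
    if ENCODED_FLAG.search(cmdline) or BASE64_BLOB.search(cmdline):
        indicators.append("base64-encoded payload")
    return indicators


def office_spawned_script(event):
    """True when an Office application is the direct parent of a scripting host."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    return parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN


def assess(event):
    """Combine both checks into one verdict for a process-creation record."""
    return {"office_script_chain": office_spawned_script(event),
            "obfuscation": obfuscation_indicators(event.get("CommandLine", ""))}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(ntpath.basename(event["Image"]), assess(event))
```

The first record trips both the chain check and two obfuscation indicators, which is the combination worth paging on; the third trips the chain check with only string concatenation, still a strong signal because of the parent. The second is an ordinary interactive PowerShell launch and produces nothing, which is the behaviour a baseline should confirm before these thresholds go into production.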