Identifying Malicious Activity Example


1. Analyzing Suspicious Activity

  • Observing the SIEM dashboard, we can see:
    • spike in the number of authentication failures in trend graphs
    • indication of two level 12+ alerts

2. Confirming the Findings

  • the system reporting the failed logon attempts is an Ubuntu Linux server
  • using command line, the failure events can be confirmed
    • cat /var/log/auth.log | grep -i 'failed password'
  • results indicate the user tux has experienced a password attack

3. Drilling Deeper into the Event

  • Returning to the SIEM dashboard and clicking on the authentication failure number filters the view to the matching events
    • highlights one of the many benefits of using a SIEM
  • Manually reviewing the host’s log file confirmed the events
    • but obtaining a clear view of the sequence of events is difficult to accomplish quickly
  • this view of the authentication failure events indicates several other problems:
    • the password attack was successful
    • and that the attacker performed several other tasks after obtaining access
  • observe that the attacker’s actions are correlated to known TTPs documented by the MITRE ATT&CK Framework

  • SIEM has determined that the:
    • password attack was successful
    • attacker gained access to the server and created a new user

4. Confirming the Findings

  • Connecting to the server we can filter /var/log/auth.log to show only the lines containing the words “new user”
    • we see a new user named hax0r has been created

5. Observing a Backdoor

  • by reviewing the server’s network activity tab, we can observe that a suspicious port is in use
    • port 4444
      • commonly associated with the Metasploit Framework

6. Confirming the Findings

  • The suspicious port shown by the SIEM can be confirmed by using the netstat (or ss) command on the server
  • Notice the application associated with port 4444 (it’s netcat)

7. Summary of the Event

  • In this example, we see a common pattern of events that is a clear indicator of compromise (IoC)
  • A password attack was launched against a server and was successful
  • attacker used the account to gain access to the server
  • because the account had privileged access, the attacker was able to quickly create a new account
  • attacker created a backdoor using netcat to preserve access in case the breached account’s password was reset and the new account was removed
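As an added example (not part of the original notes), the checks from steps 2, 4 and 6 written as a small Python script: it correlates failed logons, a subsequent success and a "new user" event in auth.log, then flags the port 4444 listener in ss output. The log lines, host name, PIDs, addresses and threshold are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample /var/log/auth.log lines (not from the notes); host, PIDs and addresses are placeholders.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2101]: Failed password for tux from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:04 web01 sshd[2101]: Failed password for tux from 203.0.113.7 port 51001 ssh2
Mar  3 10:01:05 web01 sshd[2101]: Failed password for tux from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:07 web01 sshd[2105]: Accepted password for tux from 203.0.113.7 port 51003 ssh2
Mar  3 10:02:30 web01 useradd[2190]: new user: name=hax0r, UID=1001, GID=1001, home=/home/hax0r, shell=/bin/bash
"""
# Constructed `ss -tlnp` output showing the listener the notes describe.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=2310,fd=3))
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(\S+),")
BACKDOOR_PORTS = {4444}  # the Metasploit/netcat port called out in the notes

def analyze_auth_log(text, threshold=3):
    """Correlate failed logons -> success -> account creation, like the SIEM view."""
    failures = defaultdict(int)  # (user, source ip) -> failed password count
    compromised = []             # pairs that succeeded after >= threshold failures
    new_users = []               # accounts created after a suspected compromise
    for line in text.splitlines():
        if m := FAILED.search(line):
            failures[(m.group(1), m.group(2))] += 1
        elif m := ACCEPTED.search(line):
            key = (m.group(1), m.group(2))
            if failures.get(key, 0) >= threshold:
                compromised.append(key)
        elif (m := NEW_USER.search(line)) and compromised:
            new_users.append(m.group(1))
    return {"failures": dict(failures), "compromised": compromised, "new_users": new_users}

def suspicious_listeners(ss_output, ports=BACKDOOR_PORTS):
    """Return (port, process) for LISTEN sockets on watched ports in `ss -tlnp` output."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        proc = re.search(r'users:\(\("([^"]+)"', line)
        if port in ports:
            found.append((port, proc.group(1) if proc else "unknown"))
    return found
```

Run against real data with `analyze_auth_log(open("/var/log/auth.log").read())` and `suspicious_listeners(subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout)`.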