Detection & Analysis

Common events and incidents

R2L port scanning - remote IP is scanning local IP, detected through logs. Rarely ever an impact but can lead to further attacks.
R2L DOS/DDOS - denial of service, traffic larger than the normal baseline level of traffic. Can take systems offline and prevent users from using internet services
L2L scanning - Siem rules can be made to detect this.security team vulnerability scanners should be whitelisted
Login failures - can be a lot of false positives, can be detected in logs, most likely false positive but a high amount could detect malicious activity

Baselines and Behaviour Profiles

Recording what is meant to be normal on a network
Can be anything that could signal an attack if it changes

Introduction to wireshark

Udp - display udp only
Http.request - display http requests only
Tcp.port - display tcp port
Window_size_value - size of 8000 bytes or over
&& - and
|| - or
Ip.dst_host - destination ip

YARA rules

Way of identifying specific files
Three components to include: rule name, identification values and conditions.
Rule HelloString : Hello
HelloString is the name of the rule Hello is the shorthand name
Strings: $a = “Hello”
String shows that you're looking for a text string $a is the variable name for the string
condition : $a
Since for the condition we put $a if the file contains ‘Hello’, it will be flagged.
Meta will add a human readable description to the rule
Use -m in command line to display meta data
Yargen can be used to automatically generate rules for malicious files
Malware can use strings in its code like IP addresses or bitcoin wallet ID
Yara myrule.yar somedirectory
Meta - used for description from the author of the rule
‘desc ‘ is shorthand for description
Strings - can be used to search for specific text or hexadecimal in files or programs.
You can use variables to met a condition
- Strings only match the exact text, you may need multiple strings if you want to search one work but with either a capital or not.
- Conditions - these are operators like <=, >=, !=. So you can search for if a string appears more than a specific number of times in a file.
- Combining keyworks - and, not, or can search for multiple conditions
Cmd and powershell
- Ipconfig /ALL - outputs network information
- Tasklist - check running processes adn programs
- Wmic process get description, executablepath - display running processes and associated binary file
- Net user - print a list of all system users
- Net localgroup administrators - list users in the administrators group
- Sc query | more - list all services and detailed information
- Netstat -ab - list open ports on a system

PreviousPreperation NextContainment, Eradication and Recovery

Last updated 2 years ago

Detection & Analysis

Common events and incidents

R2L port scanning - remote IP is scanning local IP, detected through logs. Rarely ever an impact but can lead to further attacks.
R2L DOS/DDOS - denial of service, traffic larger than the normal baseline level of traffic. Can take systems offline and prevent users from using internet services
L2L scanning - Siem rules can be made to detect this.security team vulnerability scanners should be whitelisted
Login failures - can be a lot of false positives, can be detected in logs, most likely false positive but a high amount could detect malicious activity

Baselines and Behaviour Profiles

Recording what is meant to be normal on a network
Can be anything that could signal an attack if it changes

Introduction to wireshark

Udp - display udp only
Http.request - display http requests only
Tcp.port - display tcp port
Window_size_value - size of 8000 bytes or over
&& - and
|| - or
Ip.dst_host - destination ip

YARA rules

Way of identifying specific files
Three components to include: rule name, identification values and conditions.
Rule HelloString : Hello
HelloString is the name of the rule Hello is the shorthand name
Strings: $a = “Hello”
String shows that you're looking for a text string $a is the variable name for the string
condition : $a
Since for the condition we put $a if the file contains ‘Hello’, it will be flagged.
Meta will add a human readable description to the rule
Use -m in command line to display meta data
Yargen can be used to automatically generate rules for malicious files
Malware can use strings in its code like IP addresses or bitcoin wallet ID
Yara myrule.yar somedirectory
Meta - used for description from the author of the rule
‘desc ‘ is shorthand for description
Strings - can be used to search for specific text or hexadecimal in files or programs.
You can use variables to met a condition
- Strings only match the exact text, you may need multiple strings if you want to search one work but with either a capital or not.
- Conditions - these are operators like <=, >=, !=. So you can search for if a string appears more than a specific number of times in a file.
- Combining keyworks - and, not, or can search for multiple conditions
Cmd and powershell
- Ipconfig /ALL - outputs network information
- Tasklist - check running processes adn programs
- Wmic process get description, executablepath - display running processes and associated binary file
- Net user - print a list of all system users
- Net localgroup administrators - list users in the administrators group
- Sc query | more - list all services and detailed information
- Netstat -ab - list open ports on a system

PreviousPreperation NextContainment, Eradication and Recovery

Last updated 2 years ago

Common events and incidents

Baselines and Behaviour Profiles

Introduction to wireshark

YARA rules

Cmd and powershell

Common events and incidents

Baselines and Behaviour Profiles

Introduction to wireshark

YARA rules

Cmd and powershell