Some Interesting IR eventCodes are:
Login: 4624
Service install : 4697 ,7045
Service Start Type changed: 7040
New Process created: 4688
Login: 4624
Service install : 4697 ,7045
Service Start Type changed: 7040
New Process created: 4688
Wednesday, February 27, 2019
Thursday, February 21, 2019
Cyber Security Frameworks
Here is the list of some of the very helpful Cybersecurity frameworks for aligning security endeavors in the organization
- Attack Matrix for Enterprise
URL: https://attack.mitre.org/
Purpose: Break up attack sequence in parts and list tools and relevant details for each. Identify Attack milestones, help identify gaps and align defense strategy
Tags: BlueTeam, Strategy - Attack Eval for Enterprise
URL: https://attackevals.mitre.org/
Purpose: Evaluate how tools fit in overall defense strategy. Product Evaluations
Tags: BlueTeam, Product evaluations - Effectiveness ScoreCard - Cyber Kill Chain, Lockheed Martin
URL: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493920778.pdf
Purpose: Measure control effectiveness, where and how the controls fit in. Identify control gapsTags: BlueTeam, Analyst, Strategy
- PCI Forensics Investigation report Template
URL: https://www.pcisecuritystandards.org/documents/Final_PFI_Report_v2.1.pdf?agreement=true&time=1552226789177
Tags: Reporting Template
Wednesday, February 20, 2019
More WireShark
This is going to be a more of working notes style of post for various filters I use in WireSkark for different use cases and references to awesome material.
- Potential Flash Malware download:
http.content_type == "application/x-shockwave-flash" - Potential executable download:
frame contains "DOS mode" - Find hostname frames:
nbns.nb_flags.group == 0 - Http Methods:
http.request.method == "POST" - Http Redirects
http.response.code gt 300 && http.response.code lt 400 - Find Usernames in Kerberos tickets:
kerberos.cname_string == 1 - IRC traffic
tcp.port == 6666 || tcp.port == 6667 || tcp.port == 6668 || tcp.port == 6669 - DNS query: dns.qry.name
- Multiple Dns Answers : dns.count.answers gt 5
- Custom Fields:
- http.header.True-Client-IP
- http.header.WL-Proxy-Client-IP
- kerberos.CNameString
Pcap analysis - packettotal, security onion
References:
https://www.wiresharkbook.com/studyguide.html
https://www.wiresharkbook.com/troubleshooting.html
Subscribe to:
Comments (Atom)