Module 18: SIEM Part Two: Combining the Logs
Phase One: Web Server Initial Access
Enumeration and Command Injection of web01
Assumptions for this module-long lab: phase one was initiated shortly after Apr 27, 2022 @ 12:58:00.000 and ended just before Apr 27, 2022 @ 13:00:00.000.
Phase One Detection Rules
Creating a Web Enumeration detection rule
Creating a Command Injection detection rule
Example of detection rules in action
Phase Two: Lateral Movement to Application Server
Brute Force and Authentication to appsrv01
Fields such as source.ip, host.ip, and event.action help identify brute force and authentication activity: event.action names the action taken, and filtering on failed versus successful logins then reveals the attack path.
Phase Two Detection Rules
Creating a detection rule to identify SSH logins as root
Creating a detection rule to identify RDP Brute Force attempts
Example of detection rules in action
Phase Three: Persistence and Privilege Escalation on Application Server
Persistence and Privilege Escalation on appsrv01
Syslog rocks.
Phase Three Detection Rules
Creating a detection rule for DLL Creation by PowerShell
Creating a detection rule for finding Mimikatz
Custom query to detect PowerShell's access of lsass.exe
event.code: 10 and winlog.event_data.TargetImage : "C:\\Windows\\system32\\lsass.exe" and process.name: "powershell.exe"
Example of detection rules in action
Phase Four: Perform Actions on Domain Controller
Dump AD Database
Follow the strings, OSQuery can be useful... sometimes...
Phase Four Detection Rules
Creating a detection rule to catch ntdsutil dumping registry
Custom query to detect execution of ntdsutil.exe
event.code: "1" and process.name: "ntdsutil.exe"
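The queries above (PowerShell accessing lsass.exe, ntdsutil.exe execution) and the phase two brute force description, as an added example of the same rule logic evaluated offline over constructed Winlogbeat/Sysmon-style events; this is illustration code written for these notes, not part of the lab. The field names follow the queries on this page; the RDP failed-logon fields (event.code 4625, winlog.logon.type) and the threshold of 5 are assumptions for the example.

```python
from collections import Counter

# Constructed sample events in the ECS-style flat field layout the rules use
# (not real logs). event.code 4625 / winlog.logon.type are assumed here.
EVENTS = [
    {"event.code": "10", "winlog.event_data.TargetImage": r"C:\Windows\system32\lsass.exe",
     "process.name": "powershell.exe", "host.name": "appsrv01"},
    {"event.code": "10", "winlog.event_data.TargetImage": r"C:\Windows\system32\lsass.exe",
     "process.name": "MsMpEng.exe", "host.name": "appsrv01"},   # AV touching lsass: no alert
    {"event.code": "1", "process.name": "ntdsutil.exe", "host.name": "dc01"},
    {"event.code": "1", "process.name": "notepad.exe", "host.name": "dc01"},
] + [
    {"event.code": "4625", "winlog.logon.type": "RemoteInteractive",
     "source.ip": "10.0.0.5", "host.name": "appsrv01"} for _ in range(6)
] + [
    {"event.code": "4625", "winlog.logon.type": "RemoteInteractive",
     "source.ip": "10.0.0.9", "host.name": "appsrv01"}           # single failure: below threshold
]

def lsass_access_by_powershell(ev):
    """Phase three rule: Sysmon ProcessAccess (event 10) on lsass.exe from powershell.exe."""
    return (ev.get("event.code") == "10"
            and ev.get("winlog.event_data.TargetImage", "").lower() == r"c:\windows\system32\lsass.exe"
            and ev.get("process.name", "").lower() == "powershell.exe")

def ntdsutil_execution(ev):
    """Phase four rule: Sysmon ProcessCreate (event 1) of ntdsutil.exe."""
    return ev.get("event.code") == "1" and ev.get("process.name", "").lower() == "ntdsutil.exe"

def rdp_brute_force(events, threshold=5):
    """Phase two rule: count failed RemoteInteractive (RDP) logons per source.ip;
    every source at or above the threshold is returned with its failure count."""
    failures = Counter(ev["source.ip"] for ev in events
                       if ev.get("event.code") == "4625"
                       and ev.get("winlog.logon.type") == "RemoteInteractive")
    return {ip: n for ip, n in failures.items() if n >= threshold}

def run_rules(events):
    """Evaluate all three rules and return (alert_name, where) tuples."""
    alerts = []
    for ev in events:
        if lsass_access_by_powershell(ev):
            alerts.append(("powershell_lsass_access", ev["host.name"]))
        if ntdsutil_execution(ev):
            alerts.append(("ntdsutil_execution", ev["host.name"]))
    for ip in rdp_brute_force(events):
        alerts.append(("rdp_brute_force", ip))
    return alerts

if __name__ == "__main__":
    for name, where in run_rules(EVENTS):
        print(f"ALERT {name} on {where}")
```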