Module 18: SIEM Part Two: Combining the Logs

Phase One: Web Server Initial Access

Enumeration and Command Injection of web01

Assumptions for this module-long lab: phase one was initiated shortly after Apr 27, 2022 @ 12:58:00.000 and ended just before Apr 27, 2022 @ 13:00:00.000.

Phase One Detection Rules

Creating a Web Enumeration detection rule

Rule Type and Custom Query for Web Enumeration

Group by fields for Web Enumeration

About rule details for Web Enumeration

Rule schedule and actions for Web Enumeration

Creating a Command Injection detection rule

Rule Type and Custom Query for Command Injection

About rule details for Command Injection

Example of detection rules in action

Phase One Alert Detection

Phase Two: Lateral Movement to Application Server

Brute Force and Authentication to appsrv01

Utilizing fields like source.ip, host.ip, and event.action can assist in identifying brute force and authentication as event.action will easily identify the action taken and then filtering on failed/successful logins will show the attack path.

Phase Two Detection Rules

Creating a detection rule to identify SSH logins as root

Define rule for SSH using root account

About rule for SSH using root account

Creating a detection rule to identify RDP Brute Force attempts

Define rule for RDP Brute Force

About rule for RDP Brute Force

RDP Brute Force Security Override

Example of detection rules in action

Phase Two Alert Detection

Phase Three: Persistence and Privilege Escalation on Application Server

Persistence and Privilege Escalation on appsrv01

Syslog rocks.

Phase Three Detection Rules

Creating a detection rule for DLL Creation by PowerShell

Define rule for DLL Creation by PowerShell

About rule for DLL Creation by PowerShell

Creating a detection rule for finding Mimikatz

Custom query to detect PowerShell's access of lsass.exe

event.code: 10 and winlog.event_data.TargetImage : "C:\\Windows\\system32\\lsass.exe" and process.name: "powershell.exe"

About rule for detecting PowerShell's access of lsass.exe

Example of detection rules in action

Phase Three Alert Detection

Phase Four: Perform Actions on Domain Controller

Dump AD Database

Follow the strings, OSQuery can be useful... sometimes...

Phase Four Detection Rules

Creating a detection rule to catch ntdsutil dumping registry

Custom query to detect execution of ntdsutil.exe

event.code: "1" and process.name: "ntdsutil.exe"

About rule for Active Directory Database Hashdump (ntdsutil.exe)

Phase Four Alert Detection