Saturday, March 25, 2017

IOA (Indicator of Attack)

https://gbhackers.com/socsiem-indicator-of-attackioas-a-detailed-explanation/

Use of IoAs: a shift from reactive cleanup/recovery to a proactive mode
- attackers are disrupted and blocked before they achieve their goal
- unlike reactive AV signatures

1) Internal hosts with bad destinations
- internal hosts communicating with known bad destinations, or with a foreign country where you don't conduct business

2) Internal hosts with non-standard ports
- internal hosts communicating with external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP/HTTPS traffic over ports 80 and 443, the default web ports

3) Public servers/DMZ to internal hosts
- public servers or demilitarized zone (DMZ) hosts communicating with internal hosts
- this allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets via RDP (Remote Desktop Protocol), Radmin or SSH
- investigate highlighted servers that communicate with internal hosts via RDP (TCP/3389) or SSH (TCP/22)

4) Off-hour Malware Detection

- alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host

5) Network scans by internal hosts

- internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network

6) Multiple alarm events from a single host

- "User Login Failures" from a single host
Note: failed-login events from e-mail applications on mobile phones can generate more than 500 events/minute. I found this case when a user account's password had expired but the user had not changed to the new password on their devices.

8) Multiple logins from different regions

- a user account trying to log in to multiple resources within a few minutes from different regions. This is a sign that the user's credentials have been stolen or that the user is up to mischief.

9) Internal hosts using SMTP heavily
- e-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4 should be monitored. Some malware uses these ports to send information to a suspicious or attacker-controlled server.
(infected clients that use SMTP (TCP/25))

10) Internal hosts making many queries to external/internal DNS
- Many organizations have internal DNS servers that cache records and serve DNS to internal hosts; the DHCP configuration sets the primary DNS server to the internal DNS server. If you find that some internal hosts query external DNS such as 8.8.8.8 or 8.8.4.4 (Google DNS), you should scan those clients for malware.

- Some incidents showed an internal host sending many requests to the internal DNS server (> 1,000 events/hour)
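The network-based IoAs from the list above (DMZ-to-internal RDP/SSH, protocol/port mismatch, client SMTP, external DNS, internal scan), run over a handful of constructed flow records, as an added Python example that is not from this post or the linked article. The address ranges, the port-to-protocol table and the scan threshold are assumptions for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed network layout for this example; adjust to your own ranges.
INTERNAL = [ip_network("10.0.0.0/8")]
DMZ = ip_network("172.16.10.0/24")
ADMIN_PORTS = {3389: "RDP", 22: "SSH"}
EXPECTED_PROTO = {80: "http", 443: "tls"}  # what belongs on the default web ports
SCAN_THRESHOLD = 5  # distinct internal peers per source in one batch (assumed)

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def is_dmz(ip):
    return ip_address(ip) in DMZ

def flow_findings(src, dst, port, proto):
    """IoA checks on one flow record: (src, dst, dst_port, application protocol)."""
    hits = []
    if is_dmz(src) and is_internal(dst) and port in ADMIN_PORTS:
        hits.append(f"DMZ->internal {ADMIN_PORTS[port]}")
    if is_internal(src) and not is_internal(dst) and not is_dmz(dst):
        if port == 53:
            hits.append("external DNS query")  # client bypassing the internal resolver
        if port == 25:
            hits.append("client SMTP to Internet")
        if port in EXPECTED_PROTO and proto != EXPECTED_PROTO[port]:
            hits.append(f"{proto} on port {port}")  # protocol/port mismatch
    return hits

def analyse(records):
    """Per-flow findings plus the aggregate 'internal scan' check, keyed by source."""
    alerts, peers = defaultdict(list), defaultdict(set)
    for src, dst, port, proto in records:
        alerts[src].extend(flow_findings(src, dst, port, proto))
        if is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    for src, seen in peers.items():
        if len(seen) >= SCAN_THRESHOLD:
            alerts[src].append(f"internal scan of {len(seen)} hosts")
    return {src: hits for src, hits in alerts.items() if hits}

# Constructed sample flows: a DMZ box using RDP inward, a client talking SSH over
# 443 and querying 8.8.8.8 directly, and one host sweeping five internal peers.
SAMPLE = [("172.16.10.5", "10.0.1.20", 3389, "rdp"),
          ("10.0.1.30", "203.0.113.9", 443, "ssh"),
          ("10.0.1.30", "8.8.8.8", 53, "dns")]
SAMPLE += [("10.0.1.40", f"10.0.1.{n}", 445, "smb") for n in range(50, 55)]
```

`analyse(SAMPLE)` returns one finding list per source address; the sweeping host triggers only the aggregate scan check, since its individual internal-to-internal flows are unremarkable on their own.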
