Blue Team Mind Map - Investigating Host-based Attack

(Also, this part heavily replies on EDR tools now)

Common host-based attack tactics

• Initial Access
• Execution
• Evasion
• C2 Communication

Observing login activities

Remote logging activities: SSH, RDP, FTP...

• Examine security event log, monitoring password guessing activities, remote login activiites
  • Remote login failiure: event ID 4624(success),4625(failure)
  • Logon type: type2-interfactive, type 3-network, type 10-remote interactive (RDP) 

Reference:

• LogonType Reference
• Windows Security Log Encyclopedia (ultimatewindowssecurity.com)
• Appendix L - Events to Monitor | Microsoft Learn

Analyzing activities in event logging 

• Windows logs
• application and services logs)

(WIP)

Suspicious File Investigation

Characteristics

• Malicious exe/dll
• Maicious scripts: e.g. Javascript, pyhton, powershell...

example: GootLoader

Investigative mind map

• Indenty the fIle types: JS, ps1, pdf....
• Investigating the file
  • Static File analysis
    • Gathering strings and metadata
    • Code review
    • Decompilation/disassembly
    • keyword search
  • Dynamic file analysis
    • Observing the behaviors
    • network traffic analysis
    • memory analysis
• Analyzing events

Incident response mind map

• Malware analysis yields (malicious url, ip file hash, netowkr and host artifact)
• Detect and analyzing events
• Containment
  • Isolation
  • network segmentation
  • Access control and account disabling
• Eradication
  • Identify and remove malicious activities
  • Implement iP, url blocking
• Recovery
  • Data restoration
  • System reconfiguration

Suspicious powershell command execution

Analzing Windows Event ID: 

• 4103 (info): PS module loaded
• 4104 (info): a script block is executed
• 4105 (info): a PS script executed
• 4106 (info): a PS command executed
• 400 (info): starts or ends of a PS interactive session
• 4107 (warn): A script block executed with script block logging enabled, a script block policy violated
• 4108 (info): execution policy changed
• 600 (info): starts or ends transcript logging

Execution phase: running common tools e.g. linPEAS / winPEAS, Mimikatz, Bloodhound, Rubeus, Powerup, Impacket

Identifying execution:

• Characeristic based: file name, file hash
• Behavior based: working pattern, DDL call

Evasion

common used techniques:

• Obfuscation
• Encryption
• Encoding

Investigating obfuscation event

• PS source file examination, look for strings, use tools such as CyberChef to do converstion and examine the true values(might be IoC, codes or commands)
•  

EDR

Performing following functions and send data to endpoint monitoring server

• Static scanner -> scan result
• Kernel-mode driver -> kenerl telemetry
• Hook DLL  -> hooked API telemetry

Tools

• Online dynamic analysis tools: e.g. anyrun, hybrid analysis, virustotal
• EDR tools
• CyberChef
•  

(WIP)

---

• Investigating Web Attack
• Investigating Email Attack
• Investigating Network-based Attack