How to Start a Security Investigation from an Alert

N-able
05/11/2026
Transcript


So basically the point of this tool, it works like a more advanced type like SIEM almost. What you're doing is you have different integrations essentially, and you set up your platform to ingest the logs from these integrations, and integrations might be a Windows endpoint, it might be a Linux endpoint or a server. It could be your Cloud provider, so like your Azure and all the security that comes with that, and the CloudTrail logs, and of course Azure just like AWS, but also the whole intramess and all the Cloud-hosted everything, which is actually great because again, keep going back to the SharePoint thing because it's big. Anybody who was Cloud was okay, anybody who wasn't, wasn't okay. Admitting a SharePoint server is really hard, and I think everybody pretty much knows that by this point. Yeah, so what we're looking at here is that movement, so you get your data sources from anything that's security relevant. There's a way to ingest log files from IIS servers or think about ingesting all your syslog data from your network appliances and stuff. Hopefully, you get a full scope view of not just the endpoint, but your entire network and all your IT assets. They'll allow you to do like this tool, allows you to do things like search. Something I wanted to actually start off with showing you is when you're doing an investigation, even more so than a hunt, it's super important to be really diligent about saving the things that you find interesting, suspicious, or that you know are definite indicators of the attack or have to do with it. Because a lot of times when you're digging around and you're jumping through, things can start to look the same. You might see something and think like, oh, that's part of it, and then like six tabs later, you're like, oh, wait, where was I? You'll see this in Adlumin and other tools. We have UUIDs, universally unique identifiers that identify a piece of data. You can reference it and everybody can reference the same piece of data. 
This way, if you want to share a piece of information with an analyst, across all your logs and your data sources, you can just give them this specific log ID, and no matter what source it came from, you know they're going to be able to see it. Pretty cool. I know it helps. But part of that is like keeping sort of like your investigation organization, stuff like that. And hopefully your platform has things like an investigation. I want to blow this out, sorry. Has things like an investigation manager, where you can actually go ahead and like create new investigations. So like here you can see like we could start an investigation, investigation name, threat investigation. Adlumin webinar talking about. But it's like you mentioned in the beginning, when you're doing an investigation, there's a sequence you were trying to figure out. And so as you start a workflow here of create investigation, in the beginning of that workflow, and then you begin to add your findings. I jumped a step because like, first, you're going to figure out something to start your like, first, you're gonna have a reason to start the investigation. But like, I wanted to make it clear that like, when you're doing this, like, you should be documenting everything. When I'm doing an investigation or an IR, or even like an operation, right? Like I have a text file, I'm like timestamping everything, like every command I look at every directory, I'm looking at like, my thoughts, like in hypotheses, right? Like, it should be like a detective, right? You have to have case notes, right? Like, somebody should be able to come back to, to your investigation after the fact and reconstruct what you were doing and what you did so that they can say, yeah, he thoroughly checked like all of the angles that I would check, right? And that like, there's not something that's unexposed. 
And more importantly, they can also, you know, rebuild what happened for themselves and better understand like, how to protect the network then, right? Yeah, it's the first time I've heard someone say case notes, but it makes sense. I've heard investigative report, but case notes, I think like, you know, one of my favorites, Bosch, where he's doing an investigation. So that's basically what you're doing is you're creating the book to follow or for someone after the fact review it to maybe follow your footsteps of what you found. Yeah, no, I know actually like some really good threat, like, what do you call it, like incident response people, like the folks who are like, you know, out there doing the Fortune 500 responses when they happen, you know, like no time to spare, like billions of dollars of risk. They actually use like voice recorders, just like you would see like a medical examiner use. And like, literally as they're sitting there typing, going through it, like, yeah, they're keeping text notes, but they're also like talking out loud. And a lot of times you'll work in pairs, right? Or, you know, you'll work with somebody else. So like, you have everything sort of just like documented for reference. And again, like, that's because depending on like the scope of what's happening and your compliance requirements and just your business, and maybe you wanna find these guys and get them in court because they are in the US, right? Like you might actually need like that evidence preservation. You might, you know, it might come to trial, right? So you wanna make sure you got all that. You wanna do it right. Absolutely. All right, triaging alert number 223, create. Yeah, whatever. So we'll assume that we found the alert first, but sort of do that, create that. You saw something, now let's do something. Yeah, so this is where you would actually see it, right? 
So let's say you have a dashboard, whether it's in your EDR or your, you know, MDR product or something like that, you might get an alert that pops up. So here we have one that's like immediate action required. System enumeration detection detected. Okay, like that could be a false positive. I do see these sometimes and a lot of times. Yeah, so that's usually, so we'll look at the specific one to make sure we know exactly what this one's triggering on. But like in general, like system enumeration is when somebody's scanning the network to figure out like what services like an individual system might have or seeing what systems might be available to access. So that's your reconnaissance stage, it sounds like. It can be. I actually, so that's a mistake a lot of analysts make. So they think that could be, cause yes, right? They think that this could be considered, yeah. They think that this could be considered a portion of the reconnaissance stage. And like, that may be the case if this was a public facing asset, right? But like, we know our network. We don't see a source IP here indicating that it's a public machine. Like we know how to read these logs. Like this is an internal machine. So like, if somebody's already scanning it, they've already breached some defense layer. So something's already going else, somewhere in our network that like was alerted on and resolved before and like wasn't completed and like something's still going on or like there's something that hasn't been detected that's going on. Maybe we don't have the antivirus installed on the Linux server that, you know, somebody used old creds to SSH to. And they're, you know, just doing Nmap across the entire network. This one, like you could already kind of just tell off the bat because like summarization, right? Like it's got a specific destination. So here we're probably talking about like service enumeration against a specific host. In this case, like host name, Windows, you know, blah, blah, blah. 
Like, oh, let me guess. It's a Windows box probably. But maybe our customer is called WinCentral. So who knows? But we'll just go to like our alert. So evidence of system enumeration has occurred. Review the account associated with the activity. Testing two. So it's interesting. There's a specific account, right? And you can look and see the evidence, like the activity involved in the execution of ipconfig.exe from the administrator account. So like we know that like the administrator account was running ipconfig.exe, which is associated with like, you know, enumeration. That's not something that I guess people are probably typically doing, but the issue is that like, high integrity level. So it was executed from the user's administrative directory. So they were interactively logged on. File authenticity. So we know that this was actually the legitimate Microsoft CMD.exe. And what do you call it? ipconfig binary that was launched, right? It's like when you run a command in like the command prompt, like let's say you run, what is it? Well, ipconfig, right? That's actually ipconfig.exe in the background, right? So there's an actual executable binary that's located in like, you know, C colon Windows system 32 slash ipconfig.exe. A lot of times you'll see people using the same sort of like, you know, file names and stuff like that, but you'll see like the hashes are different or you'll see like, it's not signed. So like today, most binaries should be signed. Like even if you have like a small publisher that's providing an application or service, like most of the times these things should be signed these days. So, but this gives us some sort of guarantee that like this was like a legitimate binary. So maybe we're talking about like a living off the land situation, right? Because we're seeing like cmd.exe, ipconfig, which is again, just like enumeration, trying to figure out what the system is, probably its IP address. And we can also see the raw message here. 
So like, we definitely want to save this log because there's good stuff here. We're going to see like the log on ID, the terminal session ID, and then we can use these values to pivot, right? And see, were there any other activities taken in this same log on or, you know, in the same session? So what I'll do here is, so this is already in progress and everything like that. So we're going to go ahead and just click view. Again, just takes us to the raw log. Here we can see the exact detection query they've hit. So we can see like process name, cmd.exe, these common things that we see, right? Like this could be something that maybe people don't really use it as much anymore, but like Metasploit might use, right? As part of its like initial access. Once you access the system using Meterpreter, right? It runs these commands so that it can like tell you what host you're on. So from here, we have like the values, all that. What you can start doing in your investigation and like one way you can do it, and I actually don't often recommend it, is to just look at the events that surround the specific event that happened. We'll see here that this is like a Windows server. So like servers typically have a lot of file activity or just like a lot of logs being generated in general. So like looking at plus or minus five minutes, like might give you 20,000 logs. So you want to be like hyper-specific in terms of time if you're doing that. So depending upon the system, what you're wanting when an alert flag, you may want to get, okay, what happened before that alert was triggered? Or in this case, there was a detection that we have that we rolled out for all of our customers. That detection flags an alert. The alert is what you looked at when you saw the enumeration. Now you're saying, okay, let me get into the detail. And as a time window of investigation, let me look at five minutes plus or minus an hour plus or minus one day or three days. 
But your point was on servers where there's a lot of activity, be very careful of just how much data you're gonna be bringing in. Yeah, and like, even if you're talking about like an endpoint, right, plus or minus three days, like you're gonna be seeing a lot of activity. When you're doing things like that, you're gonna be doing a query against like a specific data source itself and not like a user or an endpoint a lot of times.

TL;DR

  • MDR platforms ingest logs from endpoints, cloud providers, and network appliances to provide comprehensive visibility across the entire IT environment for security investigations
  • Thorough documentation is critical during investigations — analysts should timestamp every finding, command, and hypothesis so others can reconstruct the investigation and verify all angles were explored
  • System enumeration alerts on internal machines indicate an attacker has already breached perimeter defenses, not initial reconnaissance, requiring immediate investigation of how they gained access
  • Analysts use logon IDs and session IDs from alert details to pivot and trace related suspicious activities within the same user session across the environment

MDR Platform Investigation Workflow

This demonstration walks through the initial stages of a security investigation using an MDR (Managed Detection and Response) platform that functions as an advanced SIEM. The platform ingests logs from multiple sources including Windows and Linux endpoints, cloud providers like Azure and AWS, and network appliances via syslog. The session emphasizes the critical importance of documentation during investigations, showing how analysts use investigation managers to create case files, timestamp findings, and maintain detailed notes that allow others to reconstruct the investigation process. The instructor stresses that thorough documentation is essential not just for compliance and potential legal proceedings, but for ensuring no investigative angles are left unexplored.

Analyzing System Enumeration Alerts

The demonstration focuses on triaging a specific alert for system enumeration detection involving the execution of ipconfig.exe from an administrator account. The analysis reveals this is likely not reconnaissance against a public-facing asset, but rather indicates an attacker who has already breached internal defenses and is now mapping the internal network. The instructor explains how to examine alert details including file authenticity, integrity levels, and execution context to determine whether legitimate Microsoft binaries are being used in a living-off-the-land attack. Key investigative techniques include using logon IDs and terminal session IDs to pivot and identify related activities within the same session, while being mindful of the volume of logs generated by servers when setting time windows for investigation.
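The pivot described above (take the logon ID from the alert, pull the other events in that session inside a deliberately narrow time window, then check the related binaries for living-off-the-land signs and write each record into timestamped case notes), as an added example that is not Adlumin or N-able code. The hostname WINCENTRAL-SRV1, the field names and every event value are constructed, modelled loosely on Windows process-creation records.

```python
"""Pivot from a system-enumeration alert to related activity in the same logon session.

Added example, not the platform's own code. All records below are constructed;
the schema mimics Windows 4688-style process-creation events.
"""
from datetime import datetime, timedelta

# Signed Microsoft binaries that attackers commonly run for enumeration while living off the land.
ENUM_BINARIES = {"ipconfig.exe", "whoami.exe", "net.exe", "nltest.exe", "systeminfo.exe"}

EVENTS = [  # constructed sample records; "id" stands in for the platform's per-log UUID
    {"id": "a1", "ts": "2026-05-11T14:02:10", "host": "WINCENTRAL-SRV1", "user": "Administrator",
     "logon_id": "0x3E7A1", "session": 2, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all", "signed": True, "integrity": "High"},
    {"id": "a2", "ts": "2026-05-11T14:02:31", "host": "WINCENTRAL-SRV1", "user": "Administrator",
     "logon_id": "0x3E7A1", "session": 2, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /priv", "signed": True, "integrity": "High"},
    {"id": "a3", "ts": "2026-05-11T14:03:05", "host": "WINCENTRAL-SRV1", "user": "Administrator",
     "logon_id": "0x3E7A1", "session": 2, "image": r"C:\Users\Administrator\AppData\Local\Temp\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signed": False, "integrity": "High"},
    {"id": "b1", "ts": "2026-05-11T14:02:40", "host": "WINCENTRAL-SRV1", "user": "svc_backup",
     "logon_id": "0x11F02", "session": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c backup.bat", "signed": True, "integrity": "High"},
    {"id": "a4", "ts": "2026-05-11T16:40:00", "host": "WINCENTRAL-SRV1", "user": "Administrator",
     "logon_id": "0x3E7A1", "session": 2, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net view /domain", "signed": True, "integrity": "High"},
]


def ts(event):
    return datetime.fromisoformat(event["ts"])


def pivot_session(events, alert_id, window_minutes=5):
    """Return events that share the alert's logon ID within +/- window_minutes of the alert.

    A tight default window keeps the result reviewable on a busy server; widen it
    deliberately (and record why in the case notes) rather than by default.
    """
    alert = next(e for e in events if e["id"] == alert_id)
    window = timedelta(minutes=window_minutes)
    lo, hi = ts(alert) - window, ts(alert) + window
    related = [e for e in events if e["logon_id"] == alert["logon_id"] and lo <= ts(e) <= hi]
    return sorted(related, key=ts)


def assess(related):
    """Summarise living-off-the-land indicators across the pivoted events."""
    names = [e["image"].rsplit("\\", 1)[-1].lower() for e in related]
    return {
        "enumeration_tools": sorted(n for n in set(names) if n in ENUM_BINARIES),
        "unsigned": [e["id"] for e in related if not e["signed"]],  # same-named but unsigned binaries
        "high_integrity": all(e["integrity"] == "High" for e in related),
    }


def case_note(event):
    """One timestamped case-note line; the record id lets another analyst find the same log."""
    return (f"{event['ts']} [{event['id']}] {event['host']} {event['user']} "
            f"logon={event['logon_id']}: {event['cmdline']}")


if __name__ == "__main__":
    related = pivot_session(EVENTS, "a1")
    for e in related:
        print(case_note(e))
    print(assess(related))
```

The unrelated svc_backup event is excluded by logon ID, and the later net.exe run only appears when the window is widened to cover it.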

Chapters

0:00 - MDR Platform Overview
1:23 - Investigation Documentation Best Practices
2:32 - Creating an Investigation Case
4:54 - Triaging System Enumeration Alert
6:55 - Analyzing Alert Evidence and Context
8:38 - Using Log IDs for Pivoting
9:45 - Time Window Considerations for Log Analysis

Key Quotes

3:10 "When I'm doing an investigation or an IR, or even like an operation, right? Like I have a text file, I'm like timestamping everything, like every command I look at every directory, I'm looking at like, my thoughts, like in hypotheses, right? Like, it should be like a detective, right? You have to have case notes, right? ..."
4:09 "I know actually like some really good threat, like, what do you call it, like incident response people, like the folks who are like, you know, out there doing the Fortune 500 responses when they happen, you know, like no time to spare, like billions of dollars of risk. They actually use like voice recorders, just like you would see like a medical examiner use."
5:48 "So they think that could be, cause yes, right? They think that this could be considered a portion of the reconnaissance stage. And like, that may be the case if this was a public facing asset, right? But like, we know our network. We don't see a source IP here indicating that it's a public machine. Like we know how to read these logs. Like this is an internal machine. So like, if somebody's already scanning it, they've already breached some defense layer."
8:42 "We're going to see like the log on ID, the terminal session ID, and then we can use these values to pivot, right? And see, were there any other activities taken in this same log on or, you know, in the same session? ..."

Tags:
  • Security Operations
  • Threat Intelligence
  • Technical Deep Dive
  • Demo
  • How-To
  • MDR platforms
  • Security investigation workflow
  • Alert triage
  • System enumeration detection
  • Living off the land attacks
  • Incident response documentation
  • Log analysis techniques