Analyzing Application-related IOCs Flashcards
Symptoms of anomalous activity include strange log entries, excessive per-process ports
and resource consumption, and unusual user accounts
Anomalous Activity
Verify any outbound network connections understood and approved
Unexpected Outbound Communication
Unusual request patterns or responses can be indicative of an ongoing
or past attack
Unexpected Output
Occurs when an attacker gains control of a web server and alters the
website’s presentation
Service Defacement
Application services may fail to start or stop unexpectedly for any number of reasons
Service Interruptions
An application interruption caused by a service either failing to start or halting
abruptly
▪ Security services are prevented from running
▪ Process running the service is compromised
▪ Service is disabled by DDoS/DoS
▪ Excessive bandwidth usage is disrupting a service
Failed Application Services
Tools that can help identify suspicious service activity even when antimalware
scanners fail to identify it
Service Analysis Tools for Windows
You can view running services in Task Manager
Services.msc
net start displays all running services on a computer from the command
line
There are also Linux tools available for service analysis
cron
systemctl
The ps and top commands are used to monitor running processes
A task scheduler in Linux that can configure processes to run as
daemons (background processes or services) during the
machine’s startup
cron
Can list and monitor the startup processes using the
appropriate control for the init daemon
systemctl
Most applications can be configured to log events
Application Logs
Logs an event each time the DNS server handles a request to convert between a domain name and an IP address
DNS Event Logs
A log containing HTTP traffic that encountered an error or traffic that matches some pre-defined rule set
HTTP Access Logs
Some web server software logs HTTP header information for both the requests
and responses
Status Codes in the 400 Range
Client-based Error Codes
Identifies the type of application making the request, such as the web browser
version or the client’s operating system
User-Agent Field
An unstandardized type of log that can provide basic client/server session
information
SSH Access Logs
An event/error log that records events with fields like date, time, and the action
taken, such as server startup, individual database startup, database cache
clearing, and databases not starting or shutting down unexpectedly
SQL Event Logs
Creating rogue accounts is a method for an adversary to maintain access
New Accounts
Windows tool that is used for the management of local accounts on a system
Local Users and Groups
Windows tool that is used for the management of accounts on a domain
controller (DC)
Active Directory Users and Computers
Linux command that shows what user accounts are logged in, what
terminal teletypes (TTYs) they have active for each running process, and
what date/time they logged in
who
Displays the same basic information as who, but also returns the
remote host (if applicable), how long the account has been idle, the
name of processes the account is actively running, the execution time
of each process, and more
w
Displays the same basic information as who, but runs on a client/server
architecture
rwho
Retrieves the log-on history from the /var/log/lastlog file and displays the account
name, the TTY, the remote host, and the last time the user was logged in
lastlog
Linux command that displays only authentication failures
faillog
Virtualization provides numerous security challenges that must be mitigated
o Process and memory analysis
o Persistent data acquisition
o File-carving-deleted VM disk images
o Lost system logs
Virtualization Forensics
Uses tools installed to the hypervisor to retrieve pages of memory for
analysis
VM Introspection (VMI)
Memory files written when a VM is suspended can be loaded into a memory analysis tool
Saved State Files
Acquiring data from persistent devices, such as virtual hard drives and other
virtualized mass storage devices to an image-based format
Persistent Data Acquisition
▪ Virtual machine hosts utilize proprietary file systems, such as VMware’s
VMFS, which can make disk analysis difficult
▪ File carving can be used to reconstruct files that have been fragmented
across the host file system
File-carving-deleted VM Disk Images
Virtual machines are optimized to spin up when needed and be destroyed when
no longer required
Configure virtual machines to log events to a remote logging server to prevent
system logs from being lost during deprovisioning
Lost System Logs
Tools that facilitate imaging the mobile device’s system memory (RAM) and the
flash memory used for persistent storage
Data Collection
Analysis techniques for mobile devices are like those for Windows and Linux
workstations, since most mobile devices rely on Unix-like operating systems
▪ Manual extraction
▪ Logical extraction
▪ File system extraction
▪ Call data extraction
Extraction and Analysis Methods
▪ Tool focused on evidence extraction from smartphones and other
mobile devices, including older feature phones, and from cloud data
and metadata using a universal forensic extraction device (UFED)
Cellebrite
A mobile device forensics tool created by AccessData, the developers of
FTK
Mobile Phone Examiner Plus (MPE+)
A mobile device forensics tool created by Guidance Software, the
developers of EnCase
EnCase Portable
Any records of device activity that can be acquired from the mobile device’s
service provider with the use of a warrant
Carrier Provider Logs