Threat, Vulnerabilities and Mitigations: Indicators of Application attack Flashcards
Injection attack?
Injection attacks
These are common in web-application attacks. Remember to check the log files of your HTTPS server. Here's an example of checking an Apache log file:
  + /var/log/apache2/error.log
Buffer overflow attacks?
Buffer overflow attacks
Crashes are a common hallmark of buffer overflow exploitation. An attacker may use them to:
  + Accomplish a DDoS attack.
Replay Attacks?
Replay attacks
These are typically malware attacks that:
  + Capture data such as:
    + Keyboard inputs
    + Memory data
    + Network traffic
  + Modify captured data, such as network sources and destinations
  + Exfiltrate captured data such as:
    + Credentials
    + Session IDs/tokens
    + Hashes, such as for Pass-the-Hash
Indicators of replay attacks include information in logs:
  + Failures, successes, and other transaction information such as:
    + Logins at odd times, from odd locations, and on odd systems
    + Changes
    + Network traffic patterns
    + Duplicate requests
  + Antivirus/endpoint detection and response (AV/EDR)
Privilege escalation attacks?
Indicators include:
  + Unauthorized administrative access: check logs for administrative access from unusual devices and accounts, or from usual accounts but at unusual times and places.
  + Unusual administrative changes: these could include the creation of new accounts or changes to the configuration of:
    + Firewall rules
    + AV exceptions
    + Registry entries
    + Files and directories
  + Log tampering
  + Use of administrative tools such as:
    + PowerShell
    + Windows Management Instrumentation command-line (WMIC) tool
    + Microsoft Antimalware Scan Interface (AMSI) bypass
    + Scheduled tasks
What is a Directory Traversal Attack?
Directory traversal attacks: from within a web application, or a feature that searches for files, an attacker tries to move outside the directory confines the application was restricted to.
Log checks (look for these path sequences, including their URL-encoded and double-encoded forms):
  + ../
  + ..%2F
  + %2E%2E%2F
  + %252E%252E%252F