This is the last chapter of the book; it has been an exciting journey and you have learned some new things. In this chapter, you can put into practice your knowledge by working on a practical case of a security incident.
Unlike the previous chapters, you will do most of the work, and you will be able to follow incident response (IR) procedures, organize activities in the incident management (IM) platform, and use different tools for hunting and investigation.
In this chapter, you will learn about the following topics:
In case you haven't already, you need to download and install VMware Workstation Player from this link https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html.
You'll also need to download the following from the book's official GitHub repository https://github.com/PacktPublishing/Incident-Response-with-Threat-Intelligence:
Michael Scott, the chief executive officer (CEO) of a global energy company, traveled to Asia a couple of months ago to attend one of the industry's most notable events.
Recently, confidential and strategic information from the company that was in the hands of very few people—including the CEO—began to circulate publicly.
This leak of information has impacted different areas of the business and has affected some negotiations that were taking place with different companies around the world.
Some of the published information was on the CEO's computer, and now, there are suspicions that his computer could have been hacked on the last trip.
You were assigned as the lead investigator of the case, so now, you need to do first response procedures and get the necessary information from the CEO's computer to start the investigation.
According to this scenario, there are several elements that we need to consider. The initial point of our analysis is about the identification of places where information is stored, and which people have privileges to access that information.
In this case, within the circle of people who have that information in their possession is just the CEO, and there are suspicions that he may have been one of the targets of this security compromise.
On the basis of the circumstances and information we have, the first device to review is the CEO's computer, without ruling out that it may be necessary to review other devices.
As a first step, we must have a meeting with the CEO to get as many details as possible to allow us to have a clearer context and focus on the type of information we are looking to obtain.
Once we have the interview, we must request the CEO's computer to perform first-response procedures.
Considering the circumstances of the case, it would be very useful to perform procedures to obtain disk and memory forensic images from the CEO's computer. In this way, we would be able to review all the information and have evidence that the incident could have happened during the period between his trip abroad and the time when the information leak was discovered.
In addition, it would be very valuable to obtain specific artifacts of programs installed on the computer and the preprocessed information of timelines, executed applications, information about requests to domains or Internet Protocol (IP) addresses, and some other data that would allow us to speed up the investigation and enable us to use tools to obtain this information.
In this case, we are simulating that we got these logs directly from the suspicious computer, so we are going to start the investigation from an alert generated in the security operations center (SOC).
Before we start with the practical exercises of this chapter, we will need to prepare the work environment. First, we are going to start the SO-Platform and IR-Laptop VMs.
Note
The SO-Platform VM has a pre-installed version 2.3.100 of Security Onion. This distribution already includes its IM module, Cases, and replaces TheHive to escalate alerts.
First, start the IR-Laptop VM and sign in using the following credentials:
After that, start the SO-Platform VM. You do not need to sign in here for now.
Once you start both VMs, go to IR-Laptop and proceed as follows:
Note
We are opening Windows Terminal as an administrator because you may require elevated privileges to perform some exercises.
ssh-keygen -f "/home/investigator/.ssh/known_hosts" -R "192.168.8.5"
mkdir logfiles
mkdir pcapfiles
You can verify the created directories by running the ls -l command, as shown in the following screenshot:
Once all the container statuses are showing a status of OK (this could take some time, so you can use the up arrow to keep checking the status of Security Onion services), we can now connect to the Security Onion management console.
Note
You might get a privacy error, as follows:
Brave: Your connection is not private. Click on Advanced. Next, proceed to 192.168.8.5 (unsafe).
Firefox: Warning: Potential Security Risk Ahead. Click Advanced…. Next, click on Accept the Risk and Continue.
Microsoft Edge: Your connection isn not private. Click on Advanced. Next, continue to 192.168.8.5 (unsafe).
At this point, you can start working with Security Onion to import system logs and network capture files.
One of the features of Security Onion is the possibility to import system logs and network capture files for analysis from systems where you do not have Security Information and Event Management (SIEM) visibility or network monitoring. Here's how you can do this:
Repeat the same process to extract the Corp-Laptop_Logs.7z and Network_Captures.7z files.
The process is illustrated in the following screenshot:
Now that we have extracted the needed files for the exercises, we will import these files into the SO-Platform VM.
logout
cd AD-SRV_Logs
ls -l
scp -r AD-SRV_Logs [email protected]:/home/analyst/logfiles/
This is shown in the following screenshot:
scp -r Corp_Laptop_Logs [email protected]:/home/analyst/logfiles/
scp -r Network_Captures [email protected]:/home/analyst/pcapfiles/
The last command can be seen in action in the following screenshot:
Now that you have the files on the server, you can start importing them into Security Onion.
cd pcapfiles/Network_Captures/
sudo so-import-pcap NetCapture_01.pcap NetCapture_02.pcap
The command and its output are shown in the following screenshot:
Once the process has been completed, you will see a unique identifier (UID) assigned to this import and a specific link to access directly information regarding the processed files. You can save this specific information in a text file for further revisions.
This could be a good point to start an investigation because you can focus on this information directly.
sudo so-import-evtx Application.evtx Security.evtx System.evtx 'Windows PowerShell.evtx'
Note
Linux is a case-sensitive operating system (OS); please ensure that you enter filenames, including directories, in the correct case.
sudo so-import-evtx Application.evtx Security.evtx System.evtx Microsoft-Windows-Sysmon%4Operational.evtx "Windows PowerShell.evtx"
As I mentioned before at the beginning of this chapter, the point at which we will start this IR case is from an alert generated in the SOC, so we will prepare our scenario to start the investigation.
After we have imported the logs and network files into our SO-Platform VM simulating the capture of traffic and log collection from the organization, we need to define a date range related to the incident. Here's how to do this:
You will do the same for all hunting and investigation processes. The following screenshot provides an overview of the preceding steps:
When you apply this filter, you will see several alerts with the severity level classified as high and other alerts with severity classified as medium; for now, we will focus on the following alerts:
The first alert that catches our attention is related to an apparent detection of possible malware related to a Metasploit payload.
You will see an Events list related to this alert, as illustrated in the following screenshot. You can take a different approach here; for instance, you can start looking for information by reviewing events by the most recent date or by the date closest to the start of the incident. In this case, we are interested in initiating an investigation by the date closest to the beginning of the incident:
When you identify and want to analyze a particular event, it is very useful to correlate with other activities carried out around that event. Security Onion takes several components of information such as IP addresses, among other things, to generate a single hash and thus correlate different pieces of information.
Select Actions and then the Correlate option, as illustrated in the following screenshot:
As a result, you will see a timeline of correlated events; in the first event, there is a connection from the victim's computer to port 9000, and after that, interaction with a Python SimpleHTTPServer to download several files, and finally, a Metasploit payload, as shown in the following screenshot.
Click on the first event under the destination.port field, and then click on Actions and PCAP to view the network traffic, as shown in the following screenshot:
You will see all the traffic between the victim's computer—172.16.245.130 —and the potential attacker's computer—172.16.245.128.
Once you modify the view, you will see the contents of the packages clearly and identify some interesting elements, such as the following:
These findings are indicated in the following screenshot:
As the server is within the same network segment of the hotel and as suggested by the characteristics of the communication, it could be an initial attack vector and a potential target.
Although this panel is very useful to start an analysis, you can use tools that have more advanced functionalities—for example, to deobfuscate or decrypt content.
As this is a Windows executable file, we can send these packages to CyberChef to try to get the malicious file for further analysis.
Note
CyberChef is a very powerful tool that we can use to create recipes to simplify the removal of these two HyperText Transfer Protocol (HTTP) headers, giving us a clear visualization of the information that we need to save.
In the same way, you can also download the PCAP file to be analyzed in other network packet analysis applications such as Wireshark or NetworkMiner (you can learn how to use both tools in the Code in Action video).
To filter packages, you need to remove the HTTP content to leave only binary content in CyberChef:
The process is illustrated in the following screenshot:
We now have the sample of potential malware, and we can review it to identify its functionality.
Note
You may need to disable Windows Defender beforehand because it could catch this malware sample.
You will see the content of the binary file, as shown in the following screenshot:
Here, you will find interesting things; for instance, on indicators, you will see section contents tagged as blacklisted or suspicious. You will also see a Uniform Resource Locator (URL) where this file could connect once executed.
You will see a suspicious and anomalous section called .ggiz. It is not common to find these types of sections in normal executable files.
Note
Sometimes, malware can be packaged in such a way that the number of strings that can be identified is very small and may not provide much information.
Some strings displayed show indicators related to programs generated in Metasploit. Additionally, you can see the URL to which this malicious file would try to connect.
At this point, it would be a good idea to create a YARA rule from this file to search on other devices on your network to see whether this file is present and ascertain the number of devices compromised with this implant. This is an important step in the first two phases of IR: identify and contain.
Try to do this yourself with what you've learned. Here's how:
Now that we have verified malicious activity on at least one of the systems, we will open a new case on the IR platform built into Security Onion to formally initiate the investigation process.
Once we validate that this malicious file is related to the incident, we will open a new case from the alert, using the new Cases tool integrated into Security Onion. Here's how to do this:
You will see the case management interface where you can start assigning tasks—including evidence and observables—and documenting the investigation, as shown in the following screenshot:
As this incident is about an information leak, not just malware, you need to modify the default incident's name.
You can also add a description of the incident by just clicking on the Click here to update this description section.
You can see an illustration of the process in the following screenshot:
We are going to add the first observable of the case. This will be the Message Digest 5 (MD5) and Secure Hash Algorithm 256 (SHA256) hashes of the malicious file.
You can see an overview of the process in the following screenshot:
Now, try for yourself by adding a new file-type observable and uploading the malicious file; this is important because you may need to share it with other teams for further analysis.
I recommend that you compress the malicious file in 7-Zip (.7z) format with a password of infected (without quotes) to prevent it from being accidentally executed or deleted by antivirus software.
Now that we have the vector of compromise, we can continue our investigation by looking for evidence about what happened after the initial compromise. Proceed as follows:
You will see a list of events associated with this alert again; because we already analyzed traffic related to port 9000 communication, we can now try to investigate traffic related to port 445.
You will see unwrapped network packages, identifying some interesting strings. As in the previous section, we will use CyberChef to have a better visualization.
This will open CyberChef in a new tab of your browser with the information obtained from Security Onion.
At first glance, we can identify some interesting strings.
To get more context about the incident, you request information from the Information Technology (IT) department about the domain the admin01 user found previously in the network traffic strings. They mentioned that this is not a known user of the system.
It is possible that this account was created by threat actors to maintain persistence, and it could also mean that there is a possible previous compromise of some accounts with administrator privileges, so it is a good idea to look for information related to this account and all activities that were performed with it.
We will start our hunting by using a Sigma rule from the Playbook platform on Security Onion. On the left menu of Security Onion, under Tools, select the Playbook option, as shown in the following screenshot:
We can create a new Sigma rule from scratch, as you learned in the previous chapter, you can use a Sigma rule from the Detection Playbooks platform in Security Onion, or you can search for Sigma rules externally.
In this case, we can assume that a user may not have been created using Active Directory Users and Computers (ADUC) Microsoft Management Console, so we will use a Sigma rule that detects the creation of local user accounts on this system that are not in Active Directory (AD), published in the following blog: https://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/.
In this blog, you will find a Sigma rule that detects Event 4720 on a non-domain controller computer, so it is perfect to use in this case.
On the Detection Playbooks platform, proceed as follows:
On the right side of the dashboard, you will now see the converted rule.
The preceding interface is shown in the following screenshot:
From the menu on the left side of Security Onion, select the Hunt option, as shown in the following screenshot:
As you will notice, the event code corresponds to the creation of a new user, and this account was created by the MINWINPC$ user, so we are verifying that that account was compromised.
If you check the UserPrincipalName field, it is blank, which indicates that this account was created without following the company's user creation standards. You can use this information to search more deeply for activities carried out with this account.
At this point, we can focus on search information from the device's activity in the period when we believe that the incident occurred, as follows:
We are particularly going to focus on devices that had some activity out of the ordinary—in this case, those that connected to HTTP ports 9000 and 4444, as shown in the following screenshot:
As you can see, this communication was made between the 172.16.245.130 and 172.16.245.128 IP addresses. Investigating a little more, you will verify that the first IP address (172.16.245.130) was assigned to the Corp-Laptop VM by the Dynamic Host Configuration Protocol (DHCP) of Michael Scott's hotel.
You will see all communication established by these computers in the defined period. In this case, all the communications were under the http protocol and the following destination ports:
You can see confirmation of this in the following screenshot:
You will be redirected to the PCAP analysis console; apply only the Raw Packages option and you will see the content of the package. Now, let's analyze the content of communications between these two computers using port 80.
In the Hunt console, apply the following filter in the Queries section: "172.16.245.128" AND destination.ip:"172.16.245.128" | groupby source.ip destination.ip network.protocol destination.port. You will again see communications filtered by the destination port, as in the previous search, as illustrated in the following screenshot:
Now that you've filtered the traffic of port 80, let's analyze the PCAP packets.
You can now analyze the content of the packages. In this case, you can see the download of the procdump.zip file using the GET command from the same URL previously identified.
Again, a binary file appears in the content of the package, so we will perform the same procedure we did earlier, as follows:
Open a new instance of pestudio and drag the procdump.dat file to the center of the program.
In this case, you can see that the virustotal section appears in green, and no antivirus apparently detects it as malicious. This is because this is a legitimate program abused by threat actors:
Now, let's go back to the Hunt console to analyze the second packet filtered by port 80, as shown in the following screenshot:
In this case, you will find what seems to be the download of the Mimikatz program, which is used to dump passwords and can be used in conjunction with the ProcDump tool:
To review the file, as on previous occasions, we will send it to CyberChef, save it on our VM, and analyze it with pestudio.
Unlike the previous file, you can see in the virustotal section that this file is detected and identified by almost all antiviruses, as you can see in the following screenshot:
With this, we confirm that one of the intentions of the threat actor was to obtain the user's credentials.
Both files, procdump.dat and mimikatz.dat, are .zip files, so if you want to analyze the binaries in their content, you just need to change the extension and decompress them. Just remember that this must be done in a controlled environment to avoid accidents.
Up to this point, you have obtained very valuable information to help you understand some of the techniques used by threat actors, some indicators of compromise (IoCs), as well as some samples of implants and programs used by attackers.
It is very important that you begin to document all these findings on TheHive and include indicators of attack (IoAs) and IoCs.
Now, you will begin to use your instinct, apply the knowledge acquired with this book, and research different sources to find as much evidence as possible, using this information to identify the dimension of attacks and develop the best strategy to contain them.
Try to find evidence that will help you answer the following questions:
I am sure that you will do an excellent job if you take the time to work on this security incident investigation. Feel free to analyze the evidence further to discover additional artifacts to figure out what could happen, the attacker's possible objective and motivation, and how far they went in this attack.
In this last chapter, you had the opportunity to apply some of the IR concepts learned in this book.
From a security breach incident, you opened and managed a case and started an investigation by analyzing events and behaviors detected from network traffic monitoring and the centralization of logs from different systems in the corporate network.
Additionally, you learned to perform network traffic and file analysis to get valuable artifacts for your investigation.
I sincerely hope that this book will be helpful for you, whether it is for your professional development as reference material or simply for you to learn something new.
Knowledge evolves quickly, and environments and tools change frequently, so I invite you to visit the repository of this book (https://github.com/PacktPublishing/Incident-Response-with-Threat-Intelligence), where you will find updated versions of the tools mentioned in the book and additional tools that will help complement your knowledge.
You will also find guides, short videos, and complementary support material.
Thank you for joining me on this journey; it has been an honor to share some knowledge with you.
I wish you success in your career as a professional incident responder, and I hope we can meet at some place or event in the industry.
3.141.103.61