TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Black Hills InfoSec

How Logging Strategies Can Affect Cyber Investigations w/ Kiersten & James

BHIS · 2024-09-23

ATT&CK techniques detected

20 predictions
T1059.001 PowerShell · 99%
“determine the extent of what’s happening here. In this particular circumstance, because we know that TrustedInstaller shouldn’t be running on this host to spawn a PowerShell process, we know that this is probably an incident where we need to get IR involved. If we were to fo…”

T1059.001 PowerShell · 99%
“sketchy is going on on this host and we should dig in a little further if we can. Because that powershell.exe that TrustedInstaller spawned, correct me if I’m wrong, Kirsten, but that would have the privileges associated with TrustedInstaller, right? Yep, yep. So you have …”

T1654 Log Enumeration · 97%
“How Logging Strategies Can Affect Cyber Investigations w/ Kiersten & James. This webcast was originally published on September 12, 2024. In this video, Kirsten Gross and James Marrs discuss how logging st…”

T1654 Log Enumeration · 93%
“different command line was used, that could be an indication that somebody’s attempting to bypass EDR, and it will depend solely on how the logging resource is working on the backside, on what specifically is logging, to determine what command line was run. So even if that product…”

T1654 Log Enumeration · 90%
“for this particular webcast. Kiersten Gross: But a lot of the same, let’s say investigative, strategies, a lot of the same principles associated with creating a logging strategy or determining if it’s sufficient for your organization, applies across the board. But specifically,…”

T1654 Log Enumeration · 90%
“had more to do with the version of Sysmon and what Sysmon’s doing than any of the surrounding context. I’m unsure if that necessarily answers your question or not. Zach Hill: James, do you have anything to add to that? James Marrs: No, I was pretty much going to share, yeah. We c…”

T1654 Log Enumeration · 90%
“…s or attacks. But by the time that you’ve identified something or detected something using these logs, typically they’re helpful for context to know where to start or where to send IR to go pull those logs, to go pull RAM, to go pull all the other artifacts that would be nee…”

T1685.001 Disable or Modify Windows Event Log · 87%
“good by now. So it’s important to log more than just default Windows or just your EDR if you really want to get some good context into events. This is where we talk about how to maintain your audit strategy. As you can see here, you might ask why. I set it. I clicked the button…”

T1055.001 Dynamic-link Library Injection · 83%
“of RAM for future investigations. When you’re performing IR, when you’re doing SOC work, most of it is going to be metadata about what’s happening on the host. It’s not going to actually be a copy of the process that’s being run. So if, for example, a process injection …”

T1110.003 Password Spraying · 83%
“Sysmon config you’re running, to make sure that all your endpoints are running the same, or if they’re running a specific one that you want. It just shows the health of Sysmon as well. There have been many times where we’ve gone to investigate an alert and it’s like, w…”

T1654 Log Enumeration · 80%
“side of things for programming. Kirsten is lobbying for getting me into Rust and I think it’s working, slowly but surely. I work on a bunch of CI/CD automation for BHIS as well. And yeah, I do enjoy some chess on the off side. But… Kiersten Gross: Anyway, for our discussion, we st…”

T1110.003 Password Spraying · 78%
“, few attempts we get the password. Not a very good password, but you get the idea. It’s good enough for our purposes anyways. Kiersten Gross: So reviewing the actual logs that were generated by this, separated out according to which audit policy we were using, the default Windo…”

T1558.004 AS-REP Roasting · 70%
“a fair amount more of, like, executable stuff happening on host, stuff that’s really quite valuable to an investigation. Downloads. Where did files come from? That one is huge because those file creation events you can see. Exactly. All right, what host did we download it from? Wh…”

T1685.001 Disable or Modify Windows Event Log · 58%
“logging compared to the timeline logging that you get in Microsoft Defender in an E5 license? If I have that in Defender, do I still need these others? That is a fantastic question. And I will be honest and say I don’t know. I have not dug into the Microsoft Defender logs a…”

T1059.001 PowerShell · 56%
“system associated behaviors related to services and other Windows behaviors. So the only reason we’re able to identify those two logs as associated with this attack is because we knew that that’s when we ran it. James Marrs: Yeah, it’s… default Windows logging leaves a little…”

T1654 Log Enumeration · 52%
“logging compared to the timeline logging that you get in Microsoft Defender in an E5 license? If I have that in Defender, do I still need these others? That is a fantastic question. And I will be honest and say I don’t know. I have not dug into the Microsoft Defender logs a…”

T1685.001 Disable or Modify Windows Event Log · 48%
“then we executed that binary on the left side of the screen. We’re hosting that file using Python so that we can download it to the Windows machine on the right, and then we’re going to execute it and it will open a new window. This new window was generated by that binary,…”

T1564.003 Hidden Window · 42%
“system associated behaviors related to services and other Windows behaviors. So the only reason we’re able to identify those two logs as associated with this attack is because we knew that that’s when we ran it. James Marrs: Yeah, it’s… default Windows logging leaves a little…”

T1685.001 Disable or Modify Windows Event Log · 39%
“Yeah, mhm. Just to piggyback off of that, I think as Kirsten mentioned earlier, EDR logs are great. They can tell you, all right, something happened, we know something bad might have happened, but what happened before that? What happened after that? What is going on in the contex…”

T1204.002 Malicious File · 31%
“to. And then in the EID 29 we can also see the hashes of that file. And that is super helpful to know. All right, is this actually, like, a wallpaper and just misnamed, or is VirusTotal or something recognizing this as Mimikatz with a different file name? You get the idea. These…”

Summary

This webcast was originally published on September 12, 2024. In this video, Kirsten Gross and James Marrs discuss how logging strategies can affect cyber investigations, specifically focusing on Windows logs. […]

The post How Logging Strategies Can Affect Cyber Investigations w/ Kiersten & James appeared first on Black Hills Information Security, Inc.