5D. Analyse Application-related IoCs obj 4.3, 4.4 Flashcards

1
Q

Understanding typical application behaviour requires a combination of…

A
  • Documentation of the application’s normal behaviour
  • Logging, to provide a view of normal operations
  • Heuristic analysis tools to flag when behaviours deviate from the norm
2
Q

Application Logs IoCs

A
  • DNS (queries, destinations)
  • HTTP (client 4xx, server 5xx, cookies, user-agent)
  • FTP (log everything)
  • SSH (auth issues, failed attempts)
  • SQL (access attempts, query logs)
3
Q

Application IoCs

A

1) Anomalous activity - deviation from typical behaviour. Detected with log analysis, behaviour baselines, and file integrity checking.
2) New accounts - e.g., admin accounts. Can be monitored with the w, lastlog, and faillog commands, or by checking auth.log (Linux).
3) Unexpected outputs - scanning for vulns may produce errors; signs of code injection, directory traversal, etc. attacks will show in app logs.
4) Network connections - suspicious open ports (netstat, nmap), outbound connections.
5) Unexpected outbound comms - beaconing, file transfer, etc. Detected with network monitoring software + IDSs/IPSs.
6) Service interruption - DoS or compromised application. Monitor application service status + user experience.
7) Memory overflows - OS errors and crashes. Check crash dumps. Log reboots and service restarts.
8) Service defacement - site may be defaced.

4
Q

Service analysis tools (windows)

A
  • net start (running services)
  • Get-Service (running services, PowerShell)
5
Q

Service analysis tools (linux)

A
  • systemctl (startup processes)
  • ps (running processes)
  • top (running processes)
6
Q

Account and Session Management Tools (windows)

A
  • Local Users and Groups (local account management)
  • Active Directory Users and Computers (configure/monitor accounts from DCs)
  • net
7
Q

Account and Session Management Tools (Linux)

A
  • who (user accounts currently logged in)
  • w (same as who, but returns more information)
  • rwho (active account info for all hosts on the local network)
  • lastlog (login history)
  • faillog (authentication failures)
8
Q

VM Introspection (VMI)

A

Uses tools installed on the hypervisor to retrieve pages of a guest VM's memory for analysis.

9
Q

Saved State files (VMs)

A

Suspending a VM causes the hypervisor to write the VM's memory contents to a saved state file, which can then be analysed using a tool such as Volatility.

10
Q

persistent data acquisition (Virtualisation Forensics)

A
  • Acquiring data from persistent devices, such as virtual hard drives and other virtualised mass storage devices, into an image-based format
11
Q

File-carving deleted VM disk images (Virtualisation Forensics)

A
  • The host may use a proprietary file system, which can limit support for recovery tools
  • The image may be widely fragmented; file carving can be used to reconstruct these files
12
Q

Lost system logs (virtualisation forensics)

A
  • Virtual machines are optimised to spin up when needed and be destroyed when no longer required
  • Configure virtual machines to log events to a remote logging server to prevent system logs from being lost during deprovisioning