Exam 2 Flashcards
Incident Response
The planned response process for dealing with network intrusions and misuse of computer systems.
Also known as Incident Handling.
Generally, the intrusion is still active when IR is deployed.
Incident Response: Event
An observable change to normal behavior on a system or network.
Not necessarily negative.
Incident Response: Vulnerability
A documented security flaw in system software or hardware.
Incident Response: Exploit
A security attack using a vulnerability.
Incident Response: Threat
The potential for an attacker to exploit a vulnerability.
Weighted by the consequences of the vulnerability and the likelihood of an exploit taking advantage of it.
Incident Response: Alert
A notification of an event to responsible parties.
Requires further investigation.
Incident Response: Incident
A malicious event caused by an attacker exploiting a vulnerability.
Incident Response: Cycle
Preparation. Identification. Containment. Eradication. Recovery. Follow-Up / Lessons Learned.
Process
An instance of a running application/executable.
Windows Task Manager
GUI to view processes.
Ctrl-Alt-Del or ‘taskmgr.exe’ to access system’s task manager.
‘tasklist’ command line also works.
Should we necessarily trust the Task Manager on an infected system to tell us the truth?
We can use our OWN copy of tasklist.exe.
We can also use our own copy of Process Explorer (SysInternals) or Process Hacker (available on SourceForge).
Services
A background process that requires no user interaction.
Windows Task Manager.
‘tasklist /svc’ gives us services with corresponding processes.
Windows Service Control Manager GUI ‘services.msc’.
Scheduled Task
A scheduled task is a process/service that runs when a specific condition is met. Usually timestamp(s).
Windows Task Scheduler
Provides GUI to scheduled tasks.
Persistence
Keeps coming back!
Autoruns
The most often used tricks involve the Windows Registry database.
Sysinternals includes a tool called Autoruns that looks at ALL of the known methods for persistence.
ipconfig
Network configuration details can be seen using ipconfig.
Use ‘ipconfig /all’ to display all the NIC configurations.
Includes IP address(es), MAC address, default gateway router, DNS/DHCP servers.
Can also see the DNS cache with ‘ipconfig /dns’.
Listening
App is bound to a port and waiting for connections.
Established
There is an established communication stream.
netstat
Use netstat to view network connections on an end system.
‘netstat’ by default does DNS and known port lookups
Time consuming and sometimes wrong!
‘netstat -na’ to turn off this feature.
User Accounts
Once a malicious actor compromises a system, they commonly create an administrator account to access later.
They bank on people not monitoring the accounts on a system.
Sysinternals Suite
A suite of network troubleshooting utilities provided for free by Windows.
Autoruns was previously discussed.
TCPView (think a GUI of netstat info).
TCPView Console (command line view).
Process Explorer (better Task Manager).
Sysinternals Ps Tools
Sysinternals Suite includes a set of tools for management of remote connections.
Their names begin with “Ps”.
PsFile
Shows files being accessed remotely.
PsLoggedOn
Shows users logged onto system (local or remote).
PsExec
Allows the execution of processes remotely on a system.
Requires a username and password for a user account.
BEWARE!!!
Attackers commonly install PsExec on a system they compromise to execute commands on it including a backdoor setup.
PCAPS
A “full packet capture” is generally stored in a PCAP file.
.pcap extension most common.
Contains a bit for bit copy of what traversed the wire.
Windows uses WinPcap.
Note that while we use the term packets for captures we are actually capturing Layer 2 FRAMES.
As previously discussed what traverses the wire is a frame.
Network Sniffer
A tool that places a target NIC into promiscuous mode.
TCPDUMP and tshark offer command line sniffer tools.
Wireshark is a network sniffer with a GUI.
Promiscuous Mode
Will accept any packet that it receives on the wire for processing.
The sniffer will record all packets that traverse the NIC in a PCAP.
Sniffers generally must be run with administrator privileges.
Wireshark
GUI.
Both a network/packet sniffer and protocol analyzer.
Includes dissectors.
Capture Filters
Can be applied to limit the traffic we capture.
Limit the scope (minimize data loss).
Make it easier to find what we are looking for later.
Once we apply a Capture Filter:
Traffic that matches -> Copied to PCAP.
Traffic that doesn’t -> dropped by sniffer.
We will NEVER be able to see those packets again.
This is the opposite of Display Filters.
Software Shortcoming: Network Sniffer
Remember that a hub sends traffic to everyone attached.
A promiscuous NIC on a hub-based LAN would see ALL traffic on the network.
Most modern LANs are not using hubs…using switches!
If our promiscuous NIC is on a device connected to a switch, will it only see our own traffic?