Event Detection

Intro

Event detection is the bread and butter of the security analyst. Whether you are a blue teamer building automated alerting or a threat hunter looking deeper at the data, it is essential to understand what you are looking for, how to look for it, and what tools can make it easier to find. One of the best new resources for starting your detection strategy is https://d3fend.mitre.org/. It is a fantastic resource that lets you build a per-task approach to creating detection use cases.

For proper event detection, we usually need 3 elements: a device/application that can generate a log relevant to what we are looking for, the log itself, and a collection tool. The device/application that generates the log does not have to be a security device in order to give us security-relevant logs. One thing you will find, however, is that security devices send us a significantly lower volume of data, as they only send alerts and the information surrounding a detection. When we look at logs from non-security devices, we must develop our own detection logic to pull out the events we deem suspicious from those logs.

For parsing through logs and organizing them into an easy format, there is a wonderful set of tools called the SIEM: Security Incident and Event Management. With many tools you can look at their data and events directly, but a SIEM allows you to gather all of your logs in one place and parse through them. With them all in one place, you can even correlate activities across your logs. One other big thing that SIEMs can do is help normalize your data. Every type of log is different, even if it comes from the same type of device/application. Example: McAfee AV logs are in a completely different format than MS Defender logs. What if your environment has both? Is there an easy way to look at them both at the same time? Yes! Many SIEMs have plugins or apps that can normalize the data into CIM: Common Information Model format. This makes them parsable by your SIEM tools, and much easier to create detection rules around.
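To make the normalization idea concrete, here is an added example (not code from the original page or any SIEM vendor) that maps two constructed vendor formats onto one CIM-style schema and then writes a single rule against the normalized events. The McAfee-style and Defender-style record layouts are invented for illustration; the field names `dest`, `signature`, `action`, `file_hash` and `vendor_product` follow the Splunk CIM Malware data model.

```python
"""Normalize two vendors' AV alerts into one CIM-style schema, then run one rule.

Added example, not from the original page. The McAfee-style and Defender-style
records are constructed for illustration (not the vendors' real formats); the
normalized field names (dest, signature, action, file_hash, vendor_product)
follow the Splunk CIM Malware data model.
"""
import json
from collections import defaultdict

# Constructed sample: pipe-delimited lines in a McAfee-style layout.
MCAFEE_LINES = [
    "2024-03-01T10:15:02|WS-042|Trojan.Generic.12345|C:\\Temp\\inv.exe|deleted|ab12cd34",
    "2024-03-01T10:20:11|WS-017|PUP.Adware.Foo|C:\\Temp\\bar.exe|quarantined|99ff00aa",
]
# Constructed sample: JSON events in a Defender-style layout.
DEFENDER_EVENTS = [
    '{"DeviceName":"WS-042","ThreatName":"Trojan:Win32/Agent","ActionType":"Quarantine",'
    '"SHA1":"ab12cd34","FileName":"inv.exe","Timestamp":"2024-03-01T10:16:40"}',
]

def normalize_mcafee(line: str) -> dict:
    """Split one McAfee-style line into CIM field names."""
    ts, host, sig, path, action, sha1 = line.split("|")
    return {"_time": ts, "dest": host, "signature": sig, "file_path": path,
            "action": action.lower(), "file_hash": sha1, "vendor_product": "McAfee AV"}

def normalize_defender(raw: str) -> dict:
    """Map one Defender-style JSON event onto the same CIM field names."""
    ev = json.loads(raw)
    return {"_time": ev["Timestamp"], "dest": ev["DeviceName"], "signature": ev["ThreatName"],
            "file_path": ev["FileName"], "action": ev["ActionType"].lower(),
            "file_hash": ev["SHA1"], "vendor_product": "Microsoft Defender"}

def normalize_all() -> list:
    """Both feeds end up in one list with identical keys, so one rule covers both."""
    return ([normalize_mcafee(line) for line in MCAFEE_LINES]
            + [normalize_defender(ev) for ev in DEFENDER_EVENTS])

def hosts_hit_by_multiple_vendors(events: list) -> list:
    """Rule written once against the normalized schema: a host where more than
    one vendor reported the same file hash is a stronger signal than either alert alone."""
    seen = defaultdict(set)  # (dest, file_hash) -> {vendor_product, ...}
    for ev in events:
        seen[(ev["dest"], ev["file_hash"])].add(ev["vendor_product"])
    return sorted(dest for (dest, _sha1), vendors in seen.items() if len(vendors) > 1)
```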

SIEM and Enrichment

See the SIEM and Enrichment page.

IDS/IPS

See the IDS/IPS page.

NSM: Network Security Monitoring

For Netflow logs and Packet Capture, please see the following:

See the Logging - Network Services and Packet Analysis pages.

  • ZEEK - A departure from traditional signature-based detection, ZEEK is a network traffic analysis engine that allows network security monitoring at the application layer, even in large networks. This tool was formerly called BRO.

  • Corelight - The premium, Enterprise grade, Zeek Alternative.

  • arpwatch - Arpwatch maintains a database of Ethernet MAC addresses seen on the network, with their associated IP pairs. Alerts the system administrator via e-mail if any change happens, such as new station/activity, flip-flops, changed and re-used old addresses.

  • maltrail - Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where a trail can be anything from a domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. hXXp://109.162.38.120/harsh02.exe for a known malicious executable), IP address (e.g. 185.130.5.231 for a known attacker) or HTTP User-Agent header value (e.g. sqlmap for the automatic SQL injection and database takeover tool). It also uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats (e.g. new malware).

Endpoint

Open Source EDR: Endpoint Detection and Response

  • OSSEC - a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS)

  • Wazuh - Starting as a fork of OSSEC, it was built with more reliability and scalability in mind. It differs from OSSEC in its ability to be integrated with Elastic Stack, a better rule set, and a RESTful API. File Integrity Monitoring, Vulnerability Management, Config Management, enhanced Incident Response, and even an easy-to-use UI. Wazuh has it all.

  • BlueSpawn - EDR + Active Defense tool. Has the ability to interact with OS APIs to actively respond to certain detections in the platform.

  • OpenEDR - Comodo Security's open source EDR platform. Great community and solid product.

  • whids - Open Source EDR for Windows

Other Tools

  • Sysdig: Linux system exploration and visibility tool

  • ZEEK-agent - An endpoint monitoring agent that provides host activity to ZEEK

  • Velociraptor - A tool for collecting host-based state information.

Sysmon

See the Sysmon page.

Fingerprinting

Attack Surface Monitoring and Asset Discovery

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

A collection of open source tools for attack surface management or bug bounties.

  • nuclei - Fast and customizable vulnerability scanner based on a simple YAML-based DSL.

  • subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.

  • naabu - A fast port scanner written in Go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests.

  • httpx - httpx is a fast and multi-purpose HTTP toolkit that can run multiple probers using the retryablehttp library. It is designed to maintain result reliability even with an increased number of threads.

  • proxify - Swiss Army knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go.

  • dnsx - dnsx is a fast and multi-purpose DNS toolkit that can run multiple DNS queries of your choice against a list of user-supplied resolvers.

Other tools

  • Intrigue - Intrigue Core is a framework for discovering attack surface. It discovers security-relevant assets and exposures within the context of projects and can be used with a human-in-the-loop running individual tasks, and/or automated through the use of workflows.

  • Odin - ODIN is a Python tool for automating intelligence gathering, asset discovery, and reporting.

  • AttackSurfaceMapper - AttackSurfaceMapper (ASM) is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets.

  • Goby - Goby is a new generation network security assessment tool. It can efficiently and practically scan vulnerabilities while sorting out the most complete attack surface information for a target enterprise.

  • Asnip - Asnip retrieves all IPs of a target organization—used for attack surface mapping in reconnaissance phases.

  • Microsoft Attack Surface Analyzer - Attack Surface Analyzer is a Microsoft developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.

  • https://securitytrails.com/ - Powerful tools for third-party risk, attack surface management, and total intel

  • https://www.whoisxmlapi.com/ - Domain & IP Data Intelligence for Greater Enterprise Security

  • https://www.riskiq.com/ - RiskIQ Digital Footprint gives complete visibility beyond the firewall. Unlike scanners and IP-dependent data vendors, RiskIQ Digital Footprint is the only solution with composite intelligence, code-level discovery and automated threat detection and exposure monitoring—security intelligence mapped to your attack surface.

  • https://dehashed.com/ - Scan domain for indicators found in breaches

Network Diffing

A simple but effective monitoring method, where regular port scans are run and then compared with previous scan results. This is handy for detecting newly opened ports on scanned devices. The scans themselves can be performed easily and quickly with Masscan.

  • The Hacker Playbook 3: Monitoring an Environment - pg.24
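The comparison step of network diffing, as an added example that is not part of the original page or of Masscan. The two snapshots are constructed sample data in the shape of Masscan's list output (`-oL`, one `open <proto> <port> <ip> <timestamp>` record per line); newly opened ports are the alert of interest, closed ports are reported for context.

```python
"""Diff two Masscan list-output (-oL) scans to flag newly opened ports.

Added example, not from the original page or from Masscan. The two snapshots
are constructed sample data in the shape of Masscan's list output.
"""

# Constructed: yesterday's baseline scan of two hosts.
BASELINE_SCAN = """#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 443 10.0.0.5 1700000000
open tcp 80 10.0.0.9 1700000000
# end
"""

# Constructed: today's scan. 10.0.0.5 now also listens on 8080 and
# 10.0.0.9 no longer answers on 80.
CURRENT_SCAN = """#masscan
open tcp 22 10.0.0.5 1700086400
open tcp 443 10.0.0.5 1700086400
open tcp 8080 10.0.0.5 1700086400
# end
"""

def parse_masscan_list(text: str) -> set:
    """Return a set of (ip, proto, port) tuples for every 'open' record."""
    found = set()
    for line in text.splitlines():
        if not line.startswith("open "):
            continue  # skip the header/footer comments, banner lines and blanks
        _state, proto, port, ip, *_rest = line.split()
        found.add((ip, proto, int(port)))
    return found

def diff_scans(baseline: str, current: str) -> dict:
    """Set difference in both directions: 'opened' is the detection, 'closed' is context."""
    before, after = parse_masscan_list(baseline), parse_masscan_list(current)
    return {"opened": sorted(after - before), "closed": sorted(before - after)}

if __name__ == "__main__":
    result = diff_scans(BASELINE_SCAN, CURRENT_SCAN)
    for ip, proto, port in result["opened"]:
        print(f"ALERT new listener: {ip} {proto}/{port}")
    for ip, proto, port in result["closed"]:
        print(f"info  closed:       {ip} {proto}/{port}")
```

In practice the two strings would be read from the previous and current `masscan -oL` output files, and the baseline file is replaced by the current one after each comparison.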

User Behavior Analytics

  • OpenUBA - A robust, and flexible open source User & Entity Behavior Analytics (UEBA) framework used for Security Analytics. Developed with luv by Data Scientists & Security Analysts from the Cyber Security Industry.

File Integrity Monitoring

The actions needed to set up persistence typically require the attacker to interact with the target machine, for example by creating or modifying a file. This gives defenders the opportunity to catch them if we are able to look out for file creation or modification related to special files or directories.
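A minimal baseline-and-compare integrity check, as an added example that is not part of the original page or of any FIM product listed here. It hashes every regular file under a set of watched directories, stores that baseline as JSON, and on the next run reports files that were created, modified or deleted; which directories to watch (for instance where cron jobs or service unit files live) is an assumption left to the operator.

```python
"""Baseline-and-compare file integrity check for persistence-relevant paths.

Added example, not from the original page. Which directories to watch is
left to the operator; the functions take any list of paths.
"""
import hashlib
import json
import os
import sys

def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(watch_dirs) -> dict:
    """Map every regular file under watch_dirs to its hash and size (symlinks skipped)."""
    state = {}
    for top in watch_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    state[path] = {"sha256": hash_file(path), "size": os.path.getsize(path)}
    return state

def compare(baseline: dict, current: dict) -> dict:
    """Return created/modified/deleted paths; any hit in a persistence location
    deserves an analyst's look."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"created": created, "modified": modified, "deleted": deleted}

def save_baseline(state: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(state, f, indent=2)

def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)

if __name__ == "__main__":
    # Usage: fim.py <baseline.json> <dir> [<dir> ...]; first run writes the baseline.
    baseline_path, dirs = sys.argv[1], sys.argv[2:]
    now = snapshot(dirs)
    if os.path.exists(baseline_path):
        print(json.dumps(compare(load_baseline(baseline_path), now), indent=2))
    save_baseline(now, baseline_path)
```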

Misc Tools

  • SAGAN - An open source (GNU/GPLv2) high-performance, real-time log analysis & correlation engine that can be used with popular IDS tools and rule sets like Suricata and SNORT.

  • RITA - A tool that scans ZEEK logs for beaconing and DNS tunneling.

  • Flare - Not to be confused with the malware reverse engineering VM, this Flare is a network analysis tool by Austin Taylor that can take logs from Elastic Stack and Suricata and perform various types of network analysis and detection, including beaconing detection.

  • Revoke-Obfuscation - PowerShell obfuscation detection tool.

  • dnstwist - Tool for generating potential typo-squatting domains by multi-character permutation and checking whether those domains are registered.

Detection Use Cases

See the Detection Use Cases page.
