My experience has been:

Servers:
- vulnerability exploited
- processes created
- listening ports changed
- users created
- software installed
- changes to administrators group
- backdoors created
- new connections to Internet (i.e. reverse shells, C&C, etc.)

Desktops:
- drive-by downloads
- application crashes
- new processes
- new listening ports
- new connections to Internet (i.e. reverse shells, C&C, etc.)

A lot of this is covered/caught by other systems in my environment (and sometimes multiple security systems).

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Michael Starks
Sent: Thursday, October 21, 2010 5:35 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] 2WoO Day 5: Shared intelligence: what does an attack look like?

Let's think about the actual attack vectors and hallmarks of an attack. What happens when a host is attacked? What is the usual sequence of events that takes place? How can OSSEC effectively detect these while keeping the noise down?

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
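The server hallmarks in the reply above (new listening ports, new users, changes to the administrators group, new processes, new connections to the Internet) all reduce to "compare the host against a known-good baseline". The following is an added example, not code from the thread or from OSSEC: it parses constructed `netstat -tan`, `/etc/passwd`, `/etc/group` and `ps -eo comm` output for a baseline and a later snapshot, diffs them, and emits one alert per hallmark. The internal address ranges, the `sudo` admin group, the severity levels and the allow-list of expected changes are all assumptions chosen for the example; the allow-list is what keeps routine changes (here a package install during maintenance) from becoming noise.

```python
"""Baseline-vs-snapshot detector for the attack hallmarks listed in the reply.

Added example; not from the original thread and not OSSEC's own code. All
command output below is constructed for the demo.
"""
import ipaddress

# Assumption: these prefixes are "inside"; anything else counts as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_netstat(text: str):
    """From `netstat -tan`-style output return (listening, outbound):
    listening = {(proto, port)}, outbound = {(remote_ip, remote_port)} for ESTABLISHED rows."""
    listening, outbound = set(), set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6"):
            continue  # header or non-TCP row
        proto, local, remote, state = f[0], f[3], f[4], f[5]
        if state == "LISTEN":
            listening.add((proto, int(local.rsplit(":", 1)[1])))
        elif state == "ESTABLISHED":
            rip, rport = remote.rsplit(":", 1)
            outbound.add((rip, int(rport)))
    return listening, outbound


def parse_passwd(text: str) -> set:
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}


def parse_group_members(text: str, group: str) -> set:
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == group and len(f) == 4:
            return {m for m in f[3].split(",") if m}
    return set()


def parse_processes(text: str) -> set:
    """`ps -eo comm`-style output: header line, then one command name per line."""
    return set(text.splitlines()[1:])


def snapshot(netstat, passwd, group, ps, admin_group="sudo"):
    listening, outbound = parse_netstat(netstat)
    return {"ports": listening, "outbound": outbound,
            "users": parse_passwd(passwd),
            "admins": parse_group_members(group, admin_group),
            "procs": parse_processes(ps)}


def diff_snapshots(baseline, current, allow=None):
    """One (level, category, item) alert per new hallmark.
    `allow` maps category -> set of additions that are expected and not alerted."""
    allow = allow or {}
    alerts = []
    for cat, level in (("ports", 7), ("users", 8), ("admins", 10), ("procs", 5)):
        for item in sorted(current[cat] - baseline[cat] - allow.get(cat, set())):
            alerts.append((level, cat, item))
    # Outbound connections are only interesting when the peer is outside our networks.
    for rip, rport in sorted(current["outbound"] - baseline["outbound"]):
        if is_internet(rip) and (rip, rport) not in allow.get("outbound", set()):
            alerts.append((9, "outbound", (rip, rport)))
    return alerts


# --- constructed sample data: a web server before and after a compromise ---
BASE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.20:51544         ESTABLISHED
"""
CUR_NETSTAT = BASE_NETSTAT + """\
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:45122          203.0.113.9:4444        ESTABLISHED
"""
BASE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"
CUR_PASSWD = BASE_PASSWD + "backup2:x:1001:1001::/home/backup2:/bin/bash\n"
BASE_GROUP = "root:x:0:\nsudo:x:27:alice\n"
CUR_GROUP = "root:x:0:\nsudo:x:27:alice,backup2\n"
BASE_PS = "COMMAND\nsshd\napache2\ncron\n"
CUR_PS = BASE_PS + "nc\napt-get\n"


def demo():
    base = snapshot(BASE_NETSTAT, BASE_PASSWD, BASE_GROUP, BASE_PS)
    cur = snapshot(CUR_NETSTAT, CUR_PASSWD, CUR_GROUP, CUR_PS)
    # Assumed allow-list: a package install is expected in this maintenance window.
    return diff_snapshots(base, cur, allow={"procs": {"apt-get"}})


if __name__ == "__main__":
    for level, cat, item in demo():
        print(f"level={level:<2} {cat:<9} {item}")
```

Running it reports the new 31337/tcp listener, the `backup2` account and its addition to `sudo`, the `nc` process and the connection to 203.0.113.9:4444, while the allow-listed `apt-get` is silent. OSSEC's own command-output monitoring with `check_diff` works the same way; the point of the allow-list is that a diff of raw command output alone is as noisy as the host is busy.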