On Thu, 21 Oct 2010 10:37:59 -0600, "Jefferson, Shawn"
<shawn.jeffer...@bcferries.com> wrote:
> My experience has been:
> 
> Servers:
> - vulnerability exploited
> - processes created
> - listening ports changed
> - users created
> - software installed
> - changes to administrators group
> - backdoors created
> - new connections to Internet (ie. reverse shells, C&C, etc)

-Usually, there is some kind of scan or enumeration before the exploit. We
should look for that.
-The new process created is a good one. I think this is a great candidate
for a fts rule. How about first time vnc seen?
-Yes, listening ports sometimes change. That's also a good way to stay on
top of admins installing new stuff that isn't secured.
-Users are sometimes created, but more importantly (as you note) it
becomes an admin. Also, new processes run by a privileged account such as
SYSTEM or a system account such as apache are highly suspect.
-Reverse shells are an interesting one. I wonder how to make a rule like
that work without too many false-positives.

> Desktops:
> - drive-by downloads
> - application crashes
> - new processes
> - new listening ports
> - new connections to Internet (ie. reverse shells, C&C, etc)

Here's some thoughts I have based on some 0-days I have responded to
(obviously Windows-centric):

-default windows-named file placed in %windir% when it usually is in the
system dir
-stopping/deleting services of av vendors
-changing hosts file (and for a great correlation rule, multiple hosts
files changed in a short time)
-autorun in shared drives
-web url accessing strange extension, such as .scr
-Multiple run keys changes
-shell replaced ([HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
Shell =)
-debugger injected into app (particularly av app names)?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\ashQuick.exe]
Debugger = "csrss.exe"
-double extension where first part is an executable

Basically, the research I have been doing is how can we detect
malware/attacks without a constant signature-type of update.
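The per-host heuristics listed above (Winlogon Shell replaced, an IFEO Debugger value set on an application, a double extension) and the hosts-file correlation idea, written out as a small Python checker over constructed OSSEC-style change events. This is an added example, not code from this thread or from OSSEC; the event tuple format, agent names and paths are constructed, and the correlation thresholds (three agents within 300 seconds) are assumptions.

```python
import re

# Constructed OSSEC-style change events, not real alerts: (time_s, agent, path, new_value)
EVENTS = [
    (100, "ws01", r"C:\Windows\System32\drivers\etc\hosts", None),
    (130, "ws02", r"C:\Windows\System32\drivers\etc\hosts", None),
    (160, "ws03", r"C:\Windows\System32\drivers\etc\hosts", None),
    (200, "ws01", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                  r"\Winlogon\Shell", r"explorer.exe,C:\Temp\svc.exe"),
    (210, "ws04", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                  r"\Image File Execution Options\ashQuick.exe\Debugger", "csrss.exe"),
    (300, "ws05", r"C:\Users\bob\Downloads\invoice.pdf.scr", None),
]
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)

def winlogon_shell_hijack(path, value):
    """Winlogon\\Shell should be exactly explorer.exe; anything else is a shell replacement."""
    return (value if value and path.lower().endswith(r"\winlogon\shell")
            and value.strip().lower() != "explorer.exe" else None)

def ifeo_debugger(path, value):
    """Return the program name when an IFEO Debugger value is set for it (e.g. an AV binary)."""
    m = IFEO_RE.search(path)
    return m.group(1) if m and value else None

def double_extension(path):
    """Flag a file name carrying two or more extensions when one of them is an executable type."""
    exts = path.rsplit("\\", 1)[-1].lower().split(".")[1:]
    return path if len(exts) >= 2 and EXEC_EXTS & set(exts) else None

def hosts_file_burst(events, min_agents=3, window=300):
    """Correlation: hosts file changed on >= min_agents distinct agents within `window` seconds."""
    seen = []  # (time, agent) for every hosts-file change processed so far
    for t, agent, path, _ in sorted(events, key=lambda e: e[0]):
        if path.lower().endswith(r"\drivers\etc\hosts"):
            seen.append((t, agent))
            agents = {a for t0, a in seen if t - t0 <= window}
            if len(agents) >= min_agents:
                return sorted(agents)
    return []

def scan(events):
    """Per-event heuristics plus the cross-host correlation; returns (agent, kind, detail) tuples."""
    findings = [(agent, kind, hit) for _, agent, path, value in events
                for kind, hit in (("winlogon_shell", winlogon_shell_hijack(path, value)),
                                  ("ifeo_debugger", ifeo_debugger(path, value)),
                                  ("double_extension", double_extension(path))) if hit]
    burst = hosts_file_burst(events)
    return findings + ([("*", "hosts_burst", ",".join(burst))] if burst else [])
```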

I think system profiling has lots of potential. So maybe there are six
admins who normally use the system. Now one of them is logged on and
accessing IPs in China or something (unless you are already in China :) ),
when that doesn't normally happen.
 
> A lot of this is covered/caught by other systems in my environment (and
> sometimes multiple security systems).
 
Do you feel some of it should be caught by OSSEC?

-- 
[I] Immutable Security
Information Security, Privacy and Personal Liberty
http://www.immutablesecurity.com