TTP

Stands for:

  • Tactics - High-level description of the attack strategy (i.e.: reconnaissance)
  • Techniques - Technical description of the attack (i.e.: brute-forcing, SQL injection)
  • Procedures - The approach followed by the threat actor (i.e.: cyber kill chain)
  • DNS Poisoning: Infects a DNS server so that it serves malicious DNS replies
  • DNS Cache Poisoning: Infects the cache of a DNS server so that it serves malicious DNS replies
  • ARP Poisoning: Infects the ARP cache so that IP addresses resolve to malicious MAC addresses
  • DHCP Starvation: Floods the DHCP server with spoofed requests to exhaust its IP pool
  • DHCP Spoofing: Masquerades as a DHCP server and responds with malicious network configuration, enabling MITM and other malicious activity
  • Network Sniffing: Wireshark / tcpdump used to sniff network packets
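ARP poisoning is visible on the wire as the same IP address suddenly being claimed by a different MAC, or as one MAC claiming several IPs. The detector below is an added example, not part of the original notes: it replays a constructed list of ARP replies through an IP-to-MAC table and raises an alert on either symptom. The reply tuples and MAC addresses are constructed sample data.

```python
"""Added example: flag ARP poisoning symptoms in a stream of observed ARP replies."""
from collections import defaultdict

# Constructed sample: (timestamp, sender_ip, sender_mac) as seen in ARP replies.
OBSERVED_REPLIES = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway answers normally
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # a host answers normally
    (3, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # repeat of a known mapping: no alert
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (5, "192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the host's IP
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Return a list of alert dicts for IP->MAC changes and MACs claiming too many IPs."""
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "type": "ip_mac_changed", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        # Alert once, at the moment a MAC first exceeds the allowed number of IPs.
        if ip not in mac_to_ips[mac] and len(mac_to_ips[mac]) >= max_ips_per_mac:
            alerts.append({"ts": ts, "type": "mac_claims_many_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac] | {ip})})
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVED_REPLIES):
        print(alert)
```

A host with a replaced NIC, a DHCP lease moving to another machine, or a router with several addresses on one interface will also trip these rules, so in practice the gateway's known MAC is pinned and `max_ips_per_mac` is raised for hosts that legitimately hold multiple addresses.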

Password Attacks

  • Dictionary: Uses a predefined wordlist to match and crack hashes
  • Brute Force: Permutes characters to match and crack hashes
  • Hybrid: Combines the dictionary and brute-force approaches (i.e.: permutes the characters of the words in a wordlist)
  • Birthday: Uses mathematical weaknesses to create hash collisions
  • Rainbow Table: Uses precomputed plaintext-to-hash mappings to crack the hash
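The "mathematical weakness" behind the birthday attack is simply probability: among n random outputs from a space of size N, a collision becomes likely once n is around the square root of N, not N itself. The block below is an added example, not part of the original notes. It computes the exact and approximate collision probability, the number of samples needed to reach a target probability, and then demonstrates the effect empirically by searching for two inputs whose SHA-256 digests agree on their first 16 bits (a constructed, deliberately tiny space; the message format and seed are assumptions).

```python
"""Added example: the birthday bound, computed and then observed on a truncated hash."""
import hashlib
import math
import random


def collision_probability(n_samples, space):
    """Exact probability that at least two of n uniform draws from `space` values collide."""
    p_no_collision = 1.0
    for i in range(n_samples):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def collision_probability_approx(n_samples, space):
    """Standard approximation 1 - exp(-n(n-1)/(2N)); usable when n is far too large to loop."""
    return 1.0 - math.exp(-n_samples * (n_samples - 1) / (2 * space))


def samples_for_probability(p, space):
    """Samples needed for collision probability p, from the approximation above solved for n."""
    return math.sqrt(2 * space * math.log(1 / (1 - p)))


def find_truncated_collision(bits, seed=0, max_tries=None):
    """Draw random messages until two distinct ones share the first `bits` bits of SHA-256.

    Returns a dict with the number of tries and the colliding messages, or None if
    max_tries is exhausted. With bits=16 this takes a few hundred tries, not 65536.
    """
    rng = random.Random(seed)          # seeded so the run is reproducible
    seen = {}                          # truncated digest -> first message that produced it
    tries = 0
    while max_tries is None or tries < max_tries:
        msg = f"msg-{rng.getrandbits(64)}"   # assumed message format, constructed input
        full = int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big")
        truncated = full >> (256 - bits)     # keep only the leading `bits` bits
        tries += 1
        if truncated in seen and seen[truncated] != msg:
            return {"tries": tries, "a": seen[truncated], "b": msg, "digest": truncated}
        seen[truncated] = msg
    return None


if __name__ == "__main__":
    print("P(collision) for 23 people, 365 days:", round(collision_probability(23, 365), 4))
    print("samples for 50% collision in a 32-bit space:", round(samples_for_probability(0.5, 2 ** 32)))
    print("16-bit truncated SHA-256 collision:", find_truncated_collision(16, seed=1))
```

The same arithmetic is why a hash used for integrity or signatures needs an output of 2b bits to give b bits of collision resistance: the 16-bit search above succeeds in hundreds of tries, and a 32-bit one would take tens of thousands, whereas a full 256-bit digest pushes the bound to roughly 2^128 work.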

Application Level TTPs

  • SQL Injection: Modifies the SQL query to manipulate the database directly
  • XSS:
    • Stored: the payload is stored on the server and infects any client that comes across it
    • Reflected: the payload is reflected off the URL sent to the server
    • DOM-based: the XSS happens locally in the browser; the server is not involved
  • Parameter Tampering: Injecting malicious payloads into URL parameters
  • Directory Traversal: Malformed file paths that allow unauthorised access
  • CSRF: Malicious JS code performs unwanted actions on a user's behalf
  • Cookie Poisoning: Misnomer. The act of stealing / modifying cookies and the information within them

Log Management

Windows Logs

  • System: System and service related logs (i.e.: drivers)
  • Security: Authentication events, file and object CRUD
  • Setup: System installation logs (i.e.: updates)
  • Application: Logs from user-installed applications
  • Forwarded: Events forwarded from another computer

Linux Logs

  • Severity levels are numeric: the lower the value, the higher the severity (inversely related)
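The inverse numbering comes from the syslog priority value that prefixes each message: `<PRI>` where PRI = facility * 8 + severity, and severity runs from 0 (emergency) down to 7 (debug). The decoder below is an added example, not part of the original notes; the sample lines are constructed and the facility names follow the standard syslog table.

```python
"""Added example: decode the syslog <PRI> prefix and filter lines by severity."""
import re

# Severity 0 is the most urgent, 7 the least: "lower value, higher severity".
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines in the shape syslog collectors receive them.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for someone on /dev/pts/8",   # auth.crit
    "<13>Oct 11 22:14:16 host1 myapp: started",                                  # user.notice
    "<0>Oct 11 22:14:17 host1 kernel: panic - not syncing",                      # kern.emerg
    "<191>Oct 11 22:14:18 host1 tool: verbose trace",                            # local7.debug
    "<86>Oct 11 22:14:19 host1 sshd[1]: Accepted publickey for someone",         # authpriv.info
]


def decode_pri(line):
    """Split the leading <PRI> into facility and severity; raise on a malformed prefix."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
    }


def select_severe(lines, worst_allowed="err"):
    """Keep lines whose severity is at or above `worst_allowed` (numerically <=)."""
    threshold = SEVERITY_NAMES.index(worst_allowed)
    return [line for line in lines if decode_pri(line)["severity"] <= threshold]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = decode_pri(line)
        print(f"{d['pri']:>3} {d['facility_name']}.{d['severity_name']:<8} {line[line.index('>') + 1:]}")
    print("at least err:", len(select_severe(SAMPLE_LINES, "err")), "lines")
```

Because the comparison is "numerically less than or equal", a rule that reads "severity >= err" in a SIEM is selecting values 0 to 3; getting that direction backwards silently drops the emergencies and keeps the debug noise.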

Firewall Logs

  • Contain timestamp, source & destination IP and action taken (i.e.: DROP, FORWARD)
  • Windows logs:
    • Windows Firewall
    • IIS Logs
  • Linux
    • iptables

Centralised Logging

Process

  1. Collection – Gather the logs
  2. Transmission – Send to a centralised server
  3. Storage – Store on the server
  4. Normalisation – Normalise the data
  5. Correlation – Identify trends / actions in the data
  6. Analysis – Look for outliers
  7. Alerting & Reporting – Wee woo
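The firewall-log bullets above and this seven-step process are easiest to see together on real-looking input. The block below is an added example, not part of the original notes: it takes constructed syslog lines from a firewall (iptables kernel messages with an assumed `--log-prefix` of `IPT-DROP:`) and a web host (sshd failures and a cron entry), normalises them into one schema (step 4), correlates by source IP across both hosts (step 5), looks for the outlier (step 6) and emits alert lines (step 7). Steps 1 to 3 are represented by the list itself, which stands in for the central store. Host names, addresses and the alert thresholds are constructed.

```python
"""Added example: normalise, correlate and alert on mixed firewall and auth log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines as they would sit in the central store after collection.
# Deliberately out of time order: correlation sorts them, which is why NTP matters.
SAMPLE_LOGS = [
    "Mar  3 10:15:01 fw1 kernel: [12345.678] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44321 DPT=22",
    "Mar  3 10:15:07 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 44555 ssh2",
    "Mar  3 10:15:02 fw1 kernel: [12346.001] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44322 DPT=23",
    "Mar  3 10:15:04 fw1 kernel: [12347.120] IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51000 DPT=443",
    "Mar  3 10:15:05 fw1 kernel: [12348.500] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44323 DPT=3389",
    "Mar  3 10:15:09 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 44556 ssh2",
    "Mar  3 10:16:01 web1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog-shaped and is dropped during normalisation",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Assumed iptables rule prefix "IPT-<ACTION>: "; the key=value fields are standard kernel output.
IPT_RE = re.compile(r"(?P<action>IPT-[A-Z]+): .*?SRC=(?P<src>[\d.]+) .*?DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def normalise(line, year=2024):
    """Step 4: map a raw line onto a common event schema; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    event = {"ts": ts, "host": m["host"], "process": m["proc"], "kind": "other",
             "src_ip": None, "dst_ip": None, "dst_port": None, "user": None, "raw": line}
    fw = IPT_RE.search(m["msg"])
    if fw:
        event.update(kind="fw_" + fw["action"].split("-")[1].lower(),
                     src_ip=fw["src"], dst_ip=fw["dst"], dst_port=int(fw["dpt"]))
        return event
    auth = SSH_FAIL_RE.search(m["msg"])
    if auth:
        event.update(kind="auth_fail", src_ip=auth["src"], user=auth["user"])
    return event


def correlate(events, min_drops=3, min_auth_fails=1):
    """Steps 5 and 6: per source IP, count firewall drops and failed logins across all hosts."""
    per_src = defaultdict(lambda: {"drops": 0, "auth_fails": 0, "ports": set(),
                                   "first": None, "last": None})
    for ev in sorted(events, key=lambda e: e["ts"]):     # ordering assumes synced clocks
        if ev["kind"] not in ("fw_drop", "auth_fail"):
            continue
        s = per_src[ev["src_ip"]]
        if ev["kind"] == "fw_drop":
            s["drops"] += 1
            s["ports"].add(ev["dst_port"])
        else:
            s["auth_fails"] += 1
        s["first"] = s["first"] or ev["ts"]
        s["last"] = ev["ts"]
    return [
        {"src_ip": src, "drops": s["drops"], "auth_fails": s["auth_fails"],
         "ports": sorted(s["ports"]), "first_seen": s["first"].isoformat(),
         "last_seen": s["last"].isoformat()}
        for src, s in per_src.items()
        if s["drops"] >= min_drops and s["auth_fails"] >= min_auth_fails
    ]


def alert_lines(alerts):
    """Step 7: render alerts as one line each for a ticket or notification."""
    return [f"ALERT {a['src_ip']}: {a['drops']} firewall drops on ports {a['ports']} and "
            f"{a['auth_fails']} failed logins between {a['first_seen']} and {a['last_seen']}"
            for a in alerts]


if __name__ == "__main__":
    events = [e for e in (normalise(line) for line in SAMPLE_LOGS) if e]
    for line in alert_lines(correlate(events)):
        print(line)
```

The point of the common schema is that the `src_ip` field means the same thing whether it came from the kernel's `SRC=` or sshd's `from`, so one rule can join the two sources; without normalisation each source would need its own rule and the cross-host pattern would never be seen.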

Log Analysis Best Practices

  • Sync time with NTP for accurate ordering

Misc Stuff

Privilege Escalation

  • Non-admin takes advantage of bugs / misconfigurations to gain admin access

Advanced Persistent Threats

  • Sophisticated threats that steal sensitive data / cause disruption
  • Follow 3 stages of attack: infiltration → escalation / lateral movement → exfiltration