Drive-by Compromise (MITRE ATT&CK T1189)

Columns of this sheet: Key Features, Device Type, Entry Point, Resourcetype, Log, Knowledge Reference, Query used to get the logs.

Key Features

> Targeted Entity - User's web browser
> Goal - Exploit software on a client endpoint when the user visits a website, gaining access to the internal network rather than to externally facing systems in a DMZ

> Ways of delivering exploit code to a browser:
- A legitimate website is compromised and adversaries inject some form of malicious code such as JavaScript, iFrames, or cross-site scripting.
- Malicious ads are paid for and served through legitimate ad providers.
- Built-in web application interfaces (e.g. forum posts, comments, and other user-controllable web content).

> STRATEGIC WEB COMPROMISE OR WATERING HOLE ATTACK
- A kind of attack where the goal is to compromise a specific user or set of users based on a shared interest.

> Invasion strategy
- A user visits an infected website.
- Scripts (JavaScript) execute, with or without user interaction, to search for a vulnerable browser or plugin version.
- On a vulnerable version the exploit code is deployed.
- The adversary gains code execution on the user's machine.

> Mitigations
- Application Isolation and Sandboxing - run the browser in a sandbox to limit the impact of exploitation.
- Exploit Protection - use security applications such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET).
- Restrict Web-Based Content - script-blocking extensions can help prevent the execution of JavaScript.
- Update Software - keep browsers and plugins updated.

> Detection
- Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters.
- Reputation-based analytics on websites (age, use, associated users).
- Network intrusion detection systems, sometimes with SSL/TLS MITM inspection, to identify the malicious scripts.
- Blacklisted IP addresses: activity initiated towards or from these addresses.
- Correlating malicious activity with other network events, e.g. botnets trying out login credentials.
- Abnormal behaviour of browser processes, including suspicious files written to disk, evidence of Process Injection used to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.

Device Type
- Web proxy server
- Network - CDN
- Windows
- Linux
- macOS
- Log categories listed: Access, Audit

Entry Point
- Malvertising / Malicious Ads
- HTML Injection / Cross-site scripting
- Application Interfaces
- Browser URL
- Adobe Flash / Adobe Flash Player
- Adobe Reader
- Exploit kits
- SSL Stripping

Resourcetype
1 - Resourcetype (URLs with a bad domain)
2 - Domain Name (age, use, associated users)
3 - IP address (blacklisted IP address)
4 - Method (GET/POST)
5 - File Inclusion - no field incorporates this as of now [found in the raw message]. WIP
6 - Status code (the status identifier of the operation)

Log (sample Cloudflare CDN record)

{
  "CacheCacheStatus": "unknown",
  "CacheResponseBytes": 0,
  "CacheResponseStatus": 0,
  "ClientASN": 14618,
  "ClientCountry": "us",
  "ClientDeviceType": "desktop",
  "ClientIP": "34.195.146.191",
  "ClientIPClass": "noRecord",
  "ClientRequestBytes": 3803,
  "ClientRequestHost": "pro.homeadvisor.com",
  "ClientRequestMethod": "GET",
  "ClientRequestProtocol": "HTTP/1.1",
  "ClientRequestReferer": "",
  "ClientRequestURI": "/api/resource/sitelog/web.config/",
  "ClientRequestUserAgent": "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0/Veracode Security Scan/support@veracode.com",
  "ClientSSLCipher": "ECDHE-RSA-AES128-GCM-SHA256",
  "ClientSSLProtocol": "TLSv1.2",
  "ClientSrcPort": 34272,
  "EdgeColoID": 16,
  "EdgeEndTimestamp": 1568010367916,
  "EdgePathingOp": "wl",
  "EdgePathingSrc": "macro",
  "EdgePathingStatus": "nr",
  "EdgeRateLimitAction": "",
  "EdgeRateLimitID": 0,
  "EdgeResponseBytes": 1634,
  "EdgeResponseCompressionRatio": 3.47,
  "EdgeResponseStatus": 403,
  "EdgeStartTimestamp": 1568010367910.0002,
  "OriginIP": "",
  "OriginResponseBytes": 0,
  "OriginResponseHTTPExpires": "",
  "OriginResponseHTTPLastModified": "",
  "OriginResponseStatus": 0,
  "OriginResponseTime": 0,
  "RayID": "513716bf791ccefc",
  "SecurityLevel": "med",
  "WAFAction": "drop",
  "WAFFlags": "0",
  "WAFMatchedVar": "REQUEST_URI",
  "WAFProfile": "low",
  "WAFRuleID": "100005",
  "WAFRuleMessage": "DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892",
  "ZoneID": 9795250
}

Knowledge Reference
- Technique detail: https://attack.mitre.org/techniques/T1189/
- SSL/TLS inspection: https://www.thesslstore.com/blog/ssl-inspection/
- DMZ networking: https://searchsecurity.techtarget.com/definition/DMZ
- Log correlation: https://www.manageengine.com/products/eventlog/event-correlation.html
- SSL/TLS MITM: https://www.thesslstore.com/blog/man-in-the-middle-attack/
- Syslog: https://www.networkmanagementsoftware.com/what-is-syslog/
- CVE details: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11751
- Use case: https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
- Adobe Flash Player CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html

Query used to get the logs

select message from logs where vendor='Cloudflare' and servicetype='CDN' and message like '%CVE%' and date='2019-09-09' limit 10;
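As an added example (not part of the original sheet), the Python below pulls the six Resourcetype features out of a Cloudflare log line constructed from the sample record above and applies the same filter as the query (a CVE mention in the WAF rule message on 2019-09-09); the IP blocklist is a constructed placeholder.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the Cloudflare CDN record from the Log column,
# trimmed to the fields the extractor reads.
SAMPLE_LOG = json.dumps({
    "ClientIP": "34.195.146.191",
    "ClientRequestHost": "pro.homeadvisor.com",
    "ClientRequestMethod": "GET",
    "ClientRequestURI": "/api/resource/sitelog/web.config/",
    "EdgeResponseStatus": 403,
    "EdgeStartTimestamp": 1568010367910.0002,   # milliseconds since epoch
    "WAFAction": "drop",
    "WAFRuleMessage": "DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892",
})

# Constructed placeholder blocklist (documentation address, not a real indicator).
BLOCKLISTED_IPS = {"203.0.113.7"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_features(raw: str) -> dict:
    """Map one Cloudflare JSON log line onto the sheet's six Resourcetype fields."""
    rec = json.loads(raw)
    ts_ms = float(rec.get("EdgeStartTimestamp", 0))
    return {
        "url": rec.get("ClientRequestHost", "") + rec.get("ClientRequestURI", ""),  # 1 URL
        "domain": rec.get("ClientRequestHost", ""),                                 # 2 domain
        "ip": rec.get("ClientIP", ""),                                              # 3 client IP
        "method": rec.get("ClientRequestMethod", ""),                               # 4 method
        "cves": CVE_RE.findall(rec.get("WAFRuleMessage", "")),                      # 5 from raw message
        "status": rec.get("EdgeResponseStatus"),                                    # 6 status code
        "waf_action": rec.get("WAFAction", ""),
        "date": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).date().isoformat(),
    }


def is_suspicious(feat: dict, day: str) -> bool:
    """Same selection as the SQL query (CVE in message on the given day),
    widened with the blocklisted-IP check from the Detection list."""
    return feat["date"] == day and (bool(feat["cves"]) or feat["ip"] in BLOCKLISTED_IPS)


if __name__ == "__main__":
    f = extract_features(SAMPLE_LOG)
    print(f, is_suspicious(f, "2019-09-09"))
```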