Preparation:

- Environment: Tools (ELK Stack, Wazuh, TheHive, MISP, Cortex) are properly
configured and integrated
- Training: Watching more than a video demo

Identification:
- Monitoring :
Wazuh for endpoint detection and response
ELK Stack Vizualizing log data
Zeek for network traffic analysis
-Alert Generation:
Rules:
Attack1: Web Server Scan
Web Scanner Activity - Nmap: event.dataset: "zeek.http" and user_agent.original:
*Nmap*
Excessive Web Traffic: event.dataset: "zeek.http" > source.ip and destination.ip
>=1000 in 5min

Attack2: Windows Defender Bypass and BAT File Execution

BAT FILE Observed in HTTP Traffic on Unusual Port: event.dataset:"zeek.http" and
url.extension:*bat* and not destination.port: 80
Powershell Invoke-WebRequest Downloading .BAT File:
event.dataset:"windows.sysmon_operational" and proccess.parent.name: powershell.exe
and proccess.parent.comand_line:*Invoke-WebRequest* and process.command_line:*.bat*
Potential MSF Powershell Payload Observed: event.dataset:"indows.sysmon_operatonal"
and process.command_line: *\"cmd.exe\"" and message:"*powershell -w hidden -nop -c
&a='*'"

Attack3: Keylogger and Data Exfiltration

Suspicious File Added to Registry
Suspicious File Written to TEMP Directory
Data Archive for Potential Exfil: event.dataset:"endpoint.events.file" and
event.action: (creation or overwrit) and process.name:"powershell.exe" and
file.path:*Windows\\temp* and file.name *.zip
Data Exfiltration Observed via FTP: event.dataset:"zeek.ftp" and event.action:STOR
and zeek.ftp.arg:*.zip

-Initial Triage:
Verify alerts triggered by the rules
Assess the serverity and potential impact of the incident

Containment
-Disable network access for the affected system;, isolate it.
Windows:
Open Command Prompt as Administrartor and run: netsh interface set interface
"Ethernet" admin=disable
Control Panel > Network and Sharing Center > Change adapter settings
Linux:
cmd: sudo ifconfig eth0 down
-Or Automating Isolation with Wazuh Active Response
Create script
Configure isolate-endpoint in /var/ossec/etc/ossec.conf

Eradication
-Identify Root Cause
Conduct a thorough Investigation
Use Cortex for analyzing observables (IP, email addresses, URLs, domain names..)
-Remove Malicious Components
Attack1: Verify no unauthorized access
 Checking Web Server Logs: Using PowerShell command to filter logs for suspicious
IP
Example: Select-String -Path "C:\path\to\server.log" -Pattern "Nmap"

Checking System Logs for Unauthorized Access:

Windows Logs > Security: Look for logon attempts, priviledge use..
Windows Logs > Application: Look for any errors or warnings related to python
server
Example: Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4625 -or
$_.EventID -eq 4672 } | Format-Table -AutoSize

Verify Integrity of Web Server Files:

Example: command to list recently modified files in the web server directory
Get-ChildItem -Path "C:\path\to\web\server" -Recurse | Where-Object
{ $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
Compare Against a Known Good State:
Example: Compare the current state of the files with a known good backup
Compare-Object (Get-ChildItem -Path "C:\path\to\web\server") (Get-ChildItem -Path
"C:\backup\path\to\web\server")

Review Recent Changes: Review any changes made to the system that could indicate
unauthorized access or modifications.
Check Installed Programs: Look for any recently installed programs that you did
not authorize
Get-WmiObject -Class Win32_Product | Select-Object -Property Name, InstallDate |
Sort-Object -Property InstallDate
Check User Accounts: Ensure no unauthorized user accounts have been created.
Example command to list user accounts:
Get-LocalUser | Select-Object -Property Name, Enabled, LastLogon
Check for Scheduled Tasks: Look for any suspicious scheduled tasks.
Example command to list scheduled tasks:
Get-ScheduledTask | Where-Object { $_.State -eq "Ready" -or $_.State -eq
"Running" } | Select-Object -Property TaskName, State

Summary
Check Web Server Logs:

Review logs for any suspicious activity, such as unusual IP addresses or user
agents.
Check System Logs for Unauthorized Access:

Use Event Viewer to look for signs of unauthorized access in Security and
Application logs.
Verify Integrity of Web Server Files:

Use PowerShell to check for recently modified files and compare them against known
good backups.
Review Recent Changes:

Check for unauthorized installed programs, user accounts, and scheduled tasks.

Attack 2: Windows Defender Disabled, Malicious Script Execution

Remove Malicious Files and Scripts:

Identify and delete malicious files, such as .bat scripts.

Example PowerShell command to find and delete malicious files
Get-ChildItem -Path C:\ -Filter *.bat -Recurse | Remove-Item -Force

Restore System Integrity

Re-enable Windows Defender and ensure it is fully operational.
Example PowerShell command to re-enable Windows Defender:
Set-MpPreference -DisableRealtimeMonitoring $false

Apply Necessary Patches:

Ensure the system is updated with the latest security patches.

Example command to check for updates
Install-Module PSWindowsUpdate
Install-WindowsUpdate -AcceptAll -AutoReboot

Attack 3: Keylogger and Data Exfiltration

Steps:

Remove Keylogger and Related Scripts:

Identify and remove the keylogger and any associated malicious scripts.
Example command to identify running processes and remove malicious ones:
Get-Process | Where-Object { $_.Path -like "*keylogger*" } | Stop-Process -Force

Clean the Registry:

Remove malicious registry entries that ensure persistence.

Example PowerShell command to clean the registry
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -
Name "MaliciousScript"

Ensure No Further Data Exfiltration:

Check for any ongoing data exfiltration processes and terminate them.
Example command to monitor and terminate FTP connections:
Get-NetTCPConnection -RemotePort 21 | Stop-Process -Force

Verify System Integrity:

Scan the system with updated antivirus/antimalware tools to ensure no remnants of

the attack remain.
Review and Harden Security Configurations:

Ensure all security configurations are reviewed and hardened to prevent similar
attacks.
Example actions include:
Enabling two-factor authentication.
Regularly updating software and operating systems.
Conducting regular security audits and vulnerability assessments.
Summary
Identify Root Cause:

Conduct thorough investigations using Cortex and other tools.

Correlate data to determine how each attack occurred.
Remove Malicious Components:

Attack 1: Verify no unauthorized access or changes to the web server, restore from
backups, apply patches.
Attack 2: Remove malicious files/scripts, restore system integrity, re-enable
Windows Defender, apply patches.
Attack 3: Remove keylogger and related scripts, clean registry, ensure no data
exfiltration, verify system integrity.
Document All Steps:
Ensure all actions taken are documented for compliance, review, and future
learning.

Recovery
Restore Systems
Objective: Restore systems from clean backups, ensuring all patches and updates are
applied.

Restore Systems from Clean Backups:

Identify the most recent clean backup that is free from any signs of compromise.
Use built-in Windows backup utilities or third-party tools to restore the system.

Using Windows Backup and Restore:

Open Control Panel and go to System and Security > Backup and Restore (Windows 7).
Click Restore my files and follow the wizard to restore from a backup.
Using PowerShell to Restore Files from a Backup:
# Copy files from backup directory to original location
Copy-Item -Path "C:\Backup\WebServer\*" -Destination "C:\Path\To\Web\Server" -
Recurse -Force

Ensure All Patches and Updates are Applied:

After restoring from backup, ensure that the operating system and all installed
software are up-to-date.
Example:

Using Windows Update:

Open Settings and go to Update & Security > Windows Update.

Click Check for updates and install all available updates.
Using PowerShell to Apply Updates:
# Install Windows Update module
Install-Module -Name PSWindowsUpdate -Force -SkipPublisherCheck

# Check for updates

Get-WindowsUpdate

# Install updates
Install-WindowsUpdate -AcceptAll -AutoReboot

2. Monitor Systems
Objective: Increase monitoring on restored systems to detect any signs of recurring
issues and validate the integrity of restored systems before returning to
production.

Steps:

Increase Monitoring on Restored Systems:

Configure enhanced logging and monitoring on the restored systems to detect any
unusual activity.
Example:

Enable Advanced Security Audit Policies:

Open the Local Group Policy Editor (gpedit.msc).

Navigate to Computer Configuration > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > Audit Policies.
Enable auditing for key events such as logon attempts, process creation, and file
access.

Lessons Learned and Post-Incident Activities

1. Post-Incident Review
Objective: Conduct a thorough review of the incident to understand what happened,
how it was handled, and what can be improved.

Steps:

Assemble the Incident Response Team:

Include all relevant stakeholders: SOC team, IT staff, management, and any affected
business units.
Conduct a Detailed Review:

Review timelines, actions taken, communication processes, and the effectiveness of

response strategies.
Example:

Incident Timeline Review:

Document the incident from detection to resolution.
Example template:
plaintext
Copy code
Incident Timeline:
- Date/Time: Initial detection of the attack.
- Date/Time: Incident reported to the SOC.
- Date/Time: Initial investigation and identification of the root cause.
- Date/Time: Containment measures implemented.
- Date/Time: Eradication steps taken.
- Date/Time: Systems restored from backups.
- Date/Time: Monitoring and validation completed.
Document Findings and Lessons Learned:
Identify what went well and what could be improved.
Note any gaps in detection, response, or communication.
Example:

Findings and Recommendations:

Findings:
plaintext
Copy code
- The initial attack was detected by the web server logs indicating an Nmap scan.
- The containment was delayed due to unclear escalation procedures.
- Some malicious files were missed in the initial eradication phase.
Recommendations:
plaintext
Copy code
- Improve log monitoring and alerting for suspicious activities.
- Clarify and streamline escalation procedures for faster response.
- Enhance the eradication process to ensure thorough removal of threats.
2. Update Policies and Procedures
Objective: Update incident response policies and procedures based on lessons
learned from the incident review.

Steps:

Review and Update Incident Response Policies:

Update the incident response plan to address identified gaps and improve
effectiveness.
Example:

Updated Incident Handling Policy:

plaintext
Copy code
Incident Handling Policy:
- Define incidents and their severity levels.
- Establish clear roles and responsibilities for incident response.
- Include detailed steps for detection, containment, eradication, recovery, and
post-incident review.
Implement Improvements:
Implement changes to prevent similar incidents in the future.
Example:

Improved Escalation Procedures:

plaintext
Copy code
Escalation Procedures:
- Define criteria for escalating incidents based on severity.
- Establish a clear communication plan for notifying stakeholders.
- Include contact information for key personnel and external partners.
3. Training and Awareness
Objective: Conduct training sessions and increase awareness about new threats and
preventive measures based on lessons learned.

Steps:

Conduct Training Sessions:

Train SOC team members on updated policies and procedures.
Provide practical exercises to reinforce learning.
Example:

SOC Team Training Agenda:

plaintext
Copy code
Training Agenda:
- Overview of the recent incident and lessons learned.
- Updated incident response procedures and best practices.
- Hands-on exercises for detecting and responding to similar attacks.
Increase Awareness Among Employees:
Educate employees about new threats and preventive measures.
Conduct regular security awareness sessions and share updates on emerging threats.
Example:

Security Awareness Program:

plaintext
Copy code
Security Awareness Program:
- Monthly newsletters with updates on new threats and security tips.
- Quarterly training sessions covering common attack vectors and preventive
measures.
- Phishing simulations to test and improve employee response to suspicious emails.
Summary
Post-Incident Review:

Conduct a detailed review with the incident response team.

Document findings and lessons learned to understand what happened and how to
improve.
Update Policies and Procedures:

Update incident response policies and procedures based on the incident review.
Implement improvements to address identified gaps and enhance response
effectiveness.
Training and Awareness:

Conduct training sessions for the SOC team on updated procedures and best
practices.
Increase awareness among employees about new threats and preventive measures
through regular training and communication.
By following these steps, you can ensure that your organization continuously
improves its incident response capabilities and reduces the likelihood of future
incidents.

Final Notes
Documentation: Ensure every step of the incident response process is documented for
compliance and review purposes.
Continuous Improvement: Regularly update your incident response plan based on the
evolving threat landscape and past incident reviews.
Integration: Ensure that all tools (ELK, Wazuh, TheHive, MISP, Cortex) are well
integrated to provide a cohesive security monitoring and incident response
capability.