List: loganalysis
Subject: [logs] RE: Windows Event Log Attack Signatures
From: "Woods, Craig M, GLPRO" <craigwoods () att ! com>
Date: 2003-03-06 15:26:16
I like to look for things like:
o simultaneous logins using the same account, especially on machines in different buildings, etc.
o Attempted interactive logins on servers using accounts where that has been turned off.
o Attempted share or ftp logins on workstations using accounts that should be interactive only for the workstation.
o If you have naming conventions, then look for systems put up that don't conform. Usually in the server logs and exchange logs.
o Child processes started by parent processes that should not be starting that child. This is fun because you have to trace backwards using process handles or maintain a handle-and-image-name list for each system.
o Turn on auditing for important files and watch for unauthorized processes accessing them. Another fun one.
o If you have a distributed logging system with closely timed collections, then set up an 'at' job on each system to generate a heartbeat mark message at <1/2 your collection interval. If your collections are every 5 minutes, then generate mark messages every 2 minutes. Check for missing mark messages. You will know pretty quick if someone takes down an important server and didn't tell you. You will also know quickly if a hacker is trying to erase logs. They will likely be unable, unless they are an insider, to re-construct your mark messages fast enough to beat your collection interval if it is 3-5 minutes. Even more true if you use an obscure mark message with a hash fingerprint of the timestamp or something.
o Set up a security policy that requires a "scheduled maintenance window" or "emergency maintenance incident" to be declared before admins touch the systems. Then look for administrative activity outside the maintenance windows.
There is a whole raft of things one can think of. Let's get some input from the rest of the list!
-Craig.
--------- Original Message ------------
Date: Tue, 18 Feb 2003 18:57:19 +0100
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: <loganalysis@lists.shmoo.com>
Subject: [logs] Windows Event Log Attack Signatures
Hi all,
I am currently working on consolidating a set of windows event log
attack signatures. I would appreciate any links or information you might
have in this regard.
I am looking for anything that manifests in the event logs. What are you
looking for in the real world? ;-)
Many thanks,
Rainer Gerhards
Adiscon
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
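The heartbeat idea from Craig's message, worked through as an added example (this is not code from the thread or from any list member): each host logs a MARK line every 2 minutes carrying an HMAC fingerprint of its name and timestamp, and the collector flags any host whose verified marks are absent for longer than one 5-minute collection interval, as well as any MARK whose fingerprint does not verify. The key, host names, intervals and log lines are all constructed for the example; a real deployment would use a per-host secret and the site's own intervals.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed values for this example (assumptions, not from the thread).
MARK_KEY = b"constructed-example-key"       # shared between each host's job and the collector
MARK_INTERVAL = timedelta(minutes=2)        # heartbeat period, under half the collection interval
COLLECT_INTERVAL = timedelta(minutes=5)     # how often the central collector pulls logs
HOSTS = ["dc1", "fileserver1", "wks-bldg2"]  # hosts expected to emit marks


def mark_fingerprint(host: str, ts: datetime) -> str:
    """HMAC over host and timestamp: someone who learns the format still cannot
    fabricate a plausible mark for a missing interval without the key."""
    msg = f"{host}|{ts.isoformat()}".encode()
    return hmac.new(MARK_KEY, msg, hashlib.sha256).hexdigest()[:16]


def make_mark(host: str, ts: datetime) -> str:
    """The line the scheduled job on each host would write."""
    return f"{ts.isoformat()} {host} MARK {mark_fingerprint(host, ts)}"


def parse_mark(line: str):
    """Return (host, ts, fingerprint_ok) for a MARK line, or None for anything else."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "MARK":
        return None
    ts = datetime.fromisoformat(parts[0])
    host, fp = parts[1], parts[3]
    ok = hmac.compare_digest(fp, mark_fingerprint(host, ts))
    return host, ts, ok


def check_marks(lines, window_start: datetime, window_end: datetime, hosts=HOSTS):
    """Collector-side check. Returns {host: [findings]} where a finding is
    ("gap", from_ts, to_ts) for silence longer than COLLECT_INTERVAL, or
    ("bad-fingerprint", ts) for a mark that fails verification."""
    seen = {h: [] for h in hosts}
    findings = {h: [] for h in hosts}
    for line in lines:
        parsed = parse_mark(line)
        if parsed is None:
            continue
        host, ts, ok = parsed
        if host not in seen:            # marks from hosts we do not track are ignored here
            continue
        if not ok:
            findings[host].append(("bad-fingerprint", ts))
            continue                    # an unverified mark must not fill a gap
        seen[host].append(ts)
    for host in hosts:
        # Window edges act as sentinels so silence at the start or end also counts.
        points = [window_start] + sorted(seen[host]) + [window_end]
        for a, b in zip(points, points[1:]):
            if b - a > COLLECT_INTERVAL:
                findings[host].append(("gap", a, b))
    return {h: f for h, f in findings.items() if f}


def build_sample_log():
    """Constructed 20-minute log: fileserver1 goes silent from 00:08 to 00:16,
    and one wks-bldg2 mark at 00:10 is forged with a bogus fingerprint."""
    start = datetime(2003, 3, 6, 0, 0)
    lines = []
    for i in range(11):                  # marks at 00:00, 00:02, ..., 00:20
        ts = start + i * MARK_INTERVAL
        for host in HOSTS:
            silent = timedelta(minutes=8) <= ts - start <= timedelta(minutes=16)
            if host == "fileserver1" and silent:
                continue
            lines.append(make_mark(host, ts))
    forged_ts = start + timedelta(minutes=10)
    lines.append(f"{forged_ts.isoformat()} wks-bldg2 MARK 0000000000000000")
    lines.append(f"{start.isoformat()} dc1 some unrelated event the parser skips")
    return lines, start, start + timedelta(minutes=20)


if __name__ == "__main__":
    log, t0, t1 = build_sample_log()
    for host, issues in check_marks(log, t0, t1).items():
        for issue in issues:
            print(host, *issue)
```

The 12-minute gap on fileserver1 is reported even though the forged line and the unrelated event are mixed into the same log, because only marks whose fingerprint verifies are allowed to close a gap; a host that is quiet for less than one collection interval produces no finding at all.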