Applied incident response / Steve Anson.

By: Anson, Steve [author.]
Language: English
Publisher: Indianapolis : John Wiley and Sons, 2020
Description: 1 online resource
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9781786305763; 9781119560265
Subject(s): Computer networks -- Security measures | Computer security
Genre/Form: Electronic books.
DDC classification: 005.8
Online resources: Full text is available at Wiley Online Library
Holdings:
Item type: EBOOK
Current location / Home library: COLLEGE LIBRARY
Call number: 005.8 An829 2020
Status: Available
Barcode: CL-52156
Total holds: 0

TABLE OF CONTENTS

Part I Prepare 1

Chapter 1 The Threat Landscape 3
  Attacker Motivations 3
  Intellectual Property Theft 4
  Supply Chain Attack 4
  Financial Fraud 4
  Extortion 5
  Espionage 5
  Power 5
  Hacktivism 6
  Revenge 6
  Attack Methods 6
  DoS and DDoS 7
  Worms 8
  Ransomware 8
  Phishing 9
  Spear Phishing 9
  Watering Hole Attacks 10
  Web Attacks 10
  Wireless Attacks 11
  Sniffing and MitM 11
  Crypto Mining 12
  Password Attacks 12
  Anatomy of an Attack 13
  Reconnaissance 13
  Exploitation 14
  Expansion/Entrenchment 15
  Exfiltration/Damage 16
  Clean Up 16
  The Modern Adversary 16
  Credentials, the Keys to the Kingdom 17
  Conclusion 20

Chapter 2 Incident Readiness 21
  Preparing Your Process 21
  Preparing Your People 27
  Preparing Your Technology 30
  Ensuring Adequate Visibility 33
  Arming Your Responders 37
  Business Continuity and Disaster Recovery 38
  Deception Techniques 40
  Conclusion 43

Part II Respond 45

Chapter 3 Remote Triage 47
  Finding Evil 48
  Rogue Connections 49
  Unusual Processes 52
  Unusual Ports 55
  Unusual Services 56
  Rogue Accounts 56
  Unusual Files 58
  Autostart Locations 59
  Guarding Your Credentials 61
  Understanding Interactive Logons 61
  Incident Handling Precautions 63
  RDP Restricted Admin Mode and Remote Credential Guard 64
  Conclusion 65

Chapter 4 Remote Triage Tools 67
  Windows Management Instrumentation Command-Line Utility 67
  Understanding WMI and the WMIC Syntax 68
  Forensically Sound Approaches 71
  WMIC and WQL Elements 72
  Example WMIC Commands 79
  PowerShell 84
  Basic PowerShell Cmdlets 87
  PowerShell Remoting 91
  Accessing WMI/MI/CIM with PowerShell 95
  Incident Response Frameworks 98
  Conclusion 100

Chapter 5 Acquiring Memory 103
  Order of Volatility 103
  Local Memory Collection 105
  Preparing Storage Media 107
  The Collection Process 109
  Remote Memory Collection 117
  WMIC for Remote Collection 119
  PowerShell Remoting for Remote Collection 122
  Agents for Remote Collection 125
  Live Memory Analysis 128
  Local Live Memory Analysis 129
  Remote Live Memory Analysis 129
  Conclusion 131

Chapter 6 Disk Imaging 133
  Protecting the Integrity of Evidence 133
  Dead-Box Imaging 137
  Using a Hardware Write Blocker 139
  Using a Bootable Linux Distribution 143
  Live Imaging 149
  Live Imaging Locally 149
  Collecting a Live Image Remotely 154
  Imaging Virtual Machines 155
  Conclusion 160

Chapter 7 Network Security Monitoring 161
  Security Onion 161
  Architecture 162
  Tools 165
  Snort, Sguil, and Squert 166
  Zeek (Formerly Bro) 172
  Elastic Stack 182
  Text-Based Log Analysis 194
  Conclusion 197

Chapter 8 Event Log Analysis 199
  Understanding Event Logs 199
  Account-Related Events 207
  Object Access 218
  Auditing System Configuration Changes 221
  Process Auditing 224
  Auditing PowerShell Use 229
  Using PowerShell to Query Event Logs 231
  Conclusion 233

Chapter 9 Memory Analysis 235
  The Importance of Baselines 236
  Sources of Memory Data 242
  Using Volatility and Rekall 244
  Examining Processes 249
  The pslist Plug-in 249
  The pstree Plug-in 252
  The dlllist Plug-in 255
  The psxview Plug-in 256
  The handles Plug-in 256
  The malfind Plug-in 257
  Examining Windows Services 259
  Examining Network Activity 261
  Detecting Anomalies 264
  Practice Makes Perfect 273
  Conclusion 274

Chapter 10 Malware Analysis 277
  Online Analysis Services 277
  Static Analysis 280
  Dynamic Analysis 286
  Manual Dynamic Analysis 287
  Automated Malware Analysis 299
  Evading Sandbox Detection 305
  Reverse Engineering 306
  Conclusion 309

Chapter 11 Disk Forensics 311
  Forensics Tools 312
  Time Stamp Analysis 314
  Link Files and Jump Lists 319
  Prefetch 321
  System Resource Usage Monitor 322
  Registry Analysis 324
  Browser Activity 333
  USN Journal 337
  Volume Shadow Copies 338
  Automated Triage 340
  Linux/UNIX System Artifacts 342
  Conclusion 344

Chapter 12 Lateral Movement Analysis 345
  Server Message Block 345
  Pass-the-Hash Attacks 351
  Kerberos Attacks 353
  Pass-the-Ticket and Overpass-the-Hash Attacks 354
  Golden and Silver Tickets 361
  Kerberoasting 363
  PsExec 365
  Scheduled Tasks 368
  Service Controller 369
  Remote Desktop Protocol 370
  Windows Management Instrumentation 372
  Windows Remote Management 373
  PowerShell Remoting 374
  SSH Tunnels and Other Pivots 376
  Conclusion 378

Part III Refine 379

Chapter 13 Continuous Improvement 381
  Document, Document, Document 381
  Validating Mitigation Efforts 383
  Building On Your Successes, and Learning from Your Mistakes 384
  Improving Your Defenses 388
  Privileged Accounts 389
  Execution Controls 392
  PowerShell 394
  Segmentation and Isolation 396
  Conclusion 397

Chapter 14 Proactive Activities 399
  Threat Hunting 399
  Adversary Emulation 409
  Atomic Red Team 410
  Caldera 415
  Conclusion 416

Index 419

ABOUT THE AUTHOR
Steve Anson, CISSP, EnCE, CCME, GIAC, GPEN, is a Director with Forward Defense, an IT security firm with a select clientele of government agencies and multinational companies with extreme IT security and digital investigation requirements. Steve has worked as a special agent with the US Department of Defense Criminal Investigation Service investigating computer crimes with national security implications. Steve has also worked as an instructor training hundreds of FBI agents in computer crime investigation, as an FBI task force agent, as an instructor for the US State Department training law enforcement in many other countries to help them establish cyber investigation capabilities, and as a police officer founding and supervising the department's computer crimes investigations and forensics unit. Steve is a frequent speaker and trainer for SANS and other respected cybersecurity organizations.
