Reflected DDoS Attack

(in reflected attacks a lotof external benign src’s send a lotof packets toward our servers, because our server’s IP spoofed before in request packets and were sent by attacker toward trusted servers and those trusted servers replied us instead of attacker !  ) index=firewall dest=(your company IP range, for example: 184.192.0.0/16) (transport=”udp” AND src_port IN(123,1900,0,53,5353,27015,19,20800,161,389,111,137,27005,520,6881,751,11211,1434,27960,17) AND […]

Continue Reading →

Linux Deletion of SSL Certificate (mitre : T1485 , T1070.004 , T1070)

| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = “/etc/ssl/certs/*” Filesystem.file_path IN (“*.pem”, “*.crt”) by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid |join proc_guid, _time [ | tstats `summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid […]

Continue Reading →

DLL Serach Oreder Hijacking (mitre : T1574.001)

index=* ((((EventCode=”4688″ OR EventCode=”1″) AND  ((CommandLine=”*reg*” CommandLine=”*add*” CommandLine=”*/d*”) OR (CommandLine=”*Set-ItemProperty*” CommandLine=”*-value*”)) AND (CommandLine=”*00000000*” OR CommandLine=”*0*”) AND CommandLine=”*SafeDllSearchMode*”) OR ((EventCode=”4657″) ObjectValueName=”SafeDllSearchMode” value=”0″)) OR ((EventCode=”13″) EventType=”SetValue” TargetObject=”*SafeDllSearchMode” Details=”DWORD (0x00000000)”)) | fields EventCode,EventType,TargetObject,Details,CommandLine,ObjectValueName,value

Continue Reading →