Denied, Deleted, Dangerous. The Gold in your SIEM logs.
When did you last run a report on the top 20 hosts in your environment generating outbound firewall denies? When did you last check your antivirus logs for files or applications that were deleted or blocked? Have you looked into users who regularly have outbound connections blocked by your proxy?
Pose the above questions to a lot of security teams and their answer will be “urm… but the traffic was denied by the firewall/proxy, the file was deleted by the AV, why do we need to do this?” This is true, but it also doesn’t matter. End users, servers and random devices on your network are making connections that your security devices deem malicious or against policy, and that on its own is reason to investigate further.
There are a number of benefits to doing this:
- Identify malicious entities within your environment easily, just by checking logs your security devices already create.
- Figure out how these connections were able to take place, then fix the security gaps and provide security awareness training.
- Find configuration issues on devices and network equipment, which you can then fix.
- Understand why hosts and users are generating denied / blocked activity on your network; clearing it up will make future security investigations easier.
Before I move on, this also applies to SIEM alerts. Just because something is blocked, denied, etc. doesn’t mean you should ignore it. Right, rant over; let’s get into this.
Log Sources and Methodologies
I am usually a big proponent of live SIEM alerts, but in this case I recommend running threat hunts and periodic reporting instead. Checking for blocked / denied / deleted events unearths a lot of “noise”, and would create far too much work if turned into SIEM alerts.
For the items I am going to mention below, I recommend dealing with them in two forms.
- Firstly, I recommend running threat hunts as regularly as possible to look for the items below. Don’t treat this as a complete list; create your own searches based on your own environment as well. These are just ideas to provide inspiration.
- On top of this, I also recommend setting up daily, weekly and monthly reports for any searches you create. It is useful to review reports and look for patterns (is the same host still displaying strange behavior months afterwards?). Reports are also useful because analysts can cross-check them, in case someone has missed something.
Here is an unstructured list of things I recommend you look for. Try to do this on a daily, weekly and monthly basis if possible.
For all of the below, you can split things up based on Critical vs Non-Critical Assets and Inside vs Outside Work Hours. This keeps search sizes manageable and surfaces serious issues faster.
Firewall
- Top 20 IPs with the most internal to external denies.
- Top 20 IPs with the most internal to internal denies.
- Top 20 IPs with the most denies to different destination IPs.
- Top 20 IPs with the most denies to different destination ports.
- Denied connection attempts to known malicious IP addresses. Free feeds are available via MISP (https://www.misp-project.org/), which integrates easily with all mainstream SIEMs.
Proxy
- Any outbound connections being blocked because the proxy classifies the URL category as Malicious / Bad Reputation, Hacking, Newly Created or similar. Category names differ between proxies.
- Search for all denies and group by User Agent. Look for any that appear suspicious, such as those listed here: https://github.com/Neo23x0/sigma/tree/master/rules/proxy.
- Top 20 users with the most proxy denies.
- Top 20 IPs with the most proxy denies.
- Any user with proxy denies who is not a standard user (Admin, Service Account).
AntiVirus
- Any time a scan has failed due to a password-protected file.
- Any time something gets marked as Remediated / Fixed. Sort by highest counts per User / IP if the volume is large.
- Any time a file has to be deleted. Sort by highest counts per User / IP if the volume is large.
- Any time something is prevented or blocked from running. Sort by highest counts per User / IP if the volume is large.
- Top 20 users with any of the above.
- Top 20 IPs with any of the above.
AntiVirus checks are harder to specify precisely because they differ between products, but you should get the idea.
The above log sources are not the only ones these methods apply to, just the most common ones I am aware of. Apply this method of reporting and threat hunting to all of your Deleted / Denied / Blocked events and you will find evil.
I hope you found this article helpful. If I missed anything useful, please tell me on Twitter; I also really appreciate feedback there.
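As an added example (not code from the original post), here are the four firewall Top-N deny reports from the list above, computed over constructed sample events in a hypothetical key=value log format, with the inside/outside work hours split applied; treating RFC 1918 space as “internal” and 08:00–17:59 as work hours are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample firewall events in a hypothetical key=value format (not a real vendor's log format).
SAMPLE_LOGS = """\
2024-03-04T02:14:07 action=deny src=10.1.5.23 dst=203.0.113.9 dport=445
2024-03-04T02:14:09 action=deny src=10.1.5.23 dst=203.0.113.10 dport=445
2024-03-04T02:14:11 action=deny src=10.1.5.23 dst=203.0.113.11 dport=445
2024-03-04T09:30:00 action=deny src=10.1.7.40 dst=10.1.0.5 dport=3389
2024-03-04T09:31:00 action=deny src=10.1.7.40 dst=10.1.0.5 dport=22
2024-03-04T09:32:00 action=deny src=10.1.7.40 dst=10.1.0.5 dport=5985
2024-03-04T10:00:00 action=allow src=10.1.9.8 dst=198.51.100.2 dport=443
2024-03-04T23:05:00 action=deny src=10.1.9.8 dst=198.51.100.7 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
# Assumptions: internal address space is RFC 1918, and 08:00-17:59 counts as "inside work hours".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORK_HOURS = range(8, 18)


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_denies(text):
    """Yield (timestamp, src, dst, dport) for each denied event; allows and unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["action"] == "deny":
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def firewall_deny_reports(text, top_n=20, inside_hours=None):
    """Build the four Top-N firewall deny reports; inside_hours=True/False restricts to that window."""
    ext, internal = Counter(), Counter()
    dst_ips, dst_ports = defaultdict(set), defaultdict(set)
    for ts, src, dst, dport in parse_denies(text):
        if inside_hours is not None and (ts.hour in WORK_HOURS) != inside_hours:
            continue  # event falls outside the requested work-hours window
        (internal if is_internal(dst) else ext)[src] += 1
        dst_ips[src].add(dst)
        dst_ports[src].add(dport)

    def by_distinct(d):  # rank sources by how many distinct destinations/ports they were denied to
        return sorted(((s, len(v)) for s, v in d.items()), key=lambda x: -x[1])[:top_n]

    return {
        "internal_to_external": ext.most_common(top_n),
        "internal_to_internal": internal.most_common(top_n),
        "distinct_dst_ips": by_distinct(dst_ips),
        "distinct_dst_ports": by_distinct(dst_ports),
    }
```

Running the reports with inside_hours=False isolates the out-of-hours activity (here the 10.1.5.23 sweep on port 445), which is exactly the kind of pattern the daily report is meant to surface.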
If you enjoy the content on this site and want to support me, please see https://www.buymeacoffee.com/blueteamblog