Basic Snort admin

Run Snort
sudo snort

Run Snort with preprocessors configured
sudo snort -v -c /etc/snort/snort.conf

Location of Snort.conf file
/etc/snort/snort.conf

Location of alert log file
/var/log/snort/alert

Location of snort log file
/var/log/snort/snort.log

Check Snort version
sudo snort -V

Edit local rules
sudo nano /etc/snort/rules/local.rules

Common malware registry keys

Malware developers commonly write their code to perform malicious actions on targeted systems. One particular technique used by malware is to modify the contents of the target host, such as the registry on a Windows system. The purpose is to protect the malware's execution across the system reboot process and so ensure persistent access to the host.

The registry on Windows systems is used as a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the registry.

Some common registry keys used by malware can be found below:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Service"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Service"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="c:\runfolder\program.exe"
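The list above is in the same layout as a .reg export, so a responder can audit an exported hive for the autorun keys it names. The following is an added example, not part of the original notes: it parses .reg-style text and reports every value stored under one of the listed Run/RunOnce/RunServices keys. The sample export, its program paths and the SecurityHealth entry are constructed.

```python
# Added example, not part of the original notes: parse a .reg-style export
# (the same [Key] / "Name"="Value" layout as the list above) and report every
# value stored under one of the listed autorun keys for review.
import re

# Autorun locations taken from the list above (matched case-insensitively).
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
}

# Constructed sample export (backslashes doubled, as `reg export` writes them).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="c:\\runfolder\\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\\windows\\start menu\\programs\\startup"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"?([^"=]+)"?=(.*)$')


def parse_reg(text):
    """Yield (key_path, value_name, value_data) from .reg-style text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # subsequent values belong to this key
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # Drop the surrounding quotes and undo the doubled backslashes.
            data = m.group(2).strip().strip('"').replace("\\\\", "\\")
            yield key, m.group(1), data


def find_autorun_entries(text):
    """Return (key, name, data) for every value under a listed autorun key."""
    watched = {k.lower() for k in AUTORUN_KEYS}
    return [(k, n, d) for k, n, d in parse_reg(text) if k.lower() in watched]
```

Calling find_autorun_entries(SAMPLE_REG) returns the two Run entries and skips the Shell Folders value, which is not an autorun key.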

Examples of Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are pieces of forensic information used in cyber security to identify patterns, or to find common links across otherwise disparate events, in order to establish whether a security breach has occurred. Some examples of IOCs can be found below:

  • Unusual Outbound Network Traffic
  • Check your network logs for outbound connections from internal source addresses to unknown destination addresses that should not be taking place, e.g. a UK-only business whose application server connects to destination addresses outside the UK.

  • Anomalies in Privileged User Account Activity
  • Privileged user accounts should be tightly controlled, monitored and audited. Typically these accounts are used for special purposes, e.g. root access to a system to check log files. If, in this example, the same privileged account were exporting the customer PCI data logs used by the system, this could be an indication.

  • Geographical Irregularities
  • See example for Unusual Outbound Network Traffic above.

  • Log-In Red Flags
  • Are there failed login events involving non-existent user accounts over consecutive login attempts?

  • Increases in Database Read Volume
  • Is there a surge in database read volume compared with normal or typical database reads? Monitoring for significant increases in the amount of database reads could indicate that database information is being modified by a threat.

  • HTML Response Sizes
  • Normal HTTP response sizes are relatively small, depending on the use case. However, if the HTML response size is significantly larger than usual, this could be the result of a SQL injection attack, e.g. testing for blind SQL injection vulnerabilities.

  • Large Numbers of Requests for the Same File
  • Particular files, such as log files, can legitimately be accessed frequently over a finite period of time; however, a significant number of access requests for sensitive backup log files containing securely stored customer data could be an indicator.

  • Mismatched Port-Application Traffic
  • Typically DNS traffic is transmitted over port 53 (TCP/UDP). If there is activity showing DNS traffic through other commonly open ports such as TCP port 80, this is usually an anomaly (unless the network has deliberately been configured this way, which is not recommended).

  • Suspicious Registry or System File Changes
  • The registry is used by the system for storing registry keys (settings for system files, applications, etc.) and typically only changes when called upon for system changes such as software installs. However, malware is known to change the registry by adding keys so that its configuration persists across system reboots.

  • Unusual DNS Requests
  • See Mismatched Port-Application Traffic above.

  • Unexpected Patching of Systems
  • Patching systems is, and should be, an encouraged activity to secure weaknesses in software, applications and systems against vulnerabilities. Patching typically falls within a change management process; however, are there cases in which a system is undergoing excessive patching activity, such as being configured to be more restricted and hardened by an attacker with privileged user account access?

  • Mobile Device Profile Changes
  • Enterprises commonly allow BYOD and manage it with policies and management platforms that install mobile profiles to control mobile activity. However, is there any indication that profiles with relaxed settings are being installed on mobile devices?

  • Bundles of Data in the Wrong Place
  • Data at rest and data in transit should be controlled and monitored appropriately. Data should be used for its intended purpose and not in unexpected ways, e.g. is sensitive customer data being copied to non-approved cloud storage environments or removable drives?

  • Web Traffic with Unhuman Behavior
  • Typical user behavior is to access single or multiple web pages over time, and sometimes a user legitimately requests a large number of pages. However, is there activity showing excessive or continuous access requests to web resources over short periods of time, e.g. a company intranet portal receiving a significant number of GET requests within a couple of minutes?

  • Signs of DDoS Activity
  • Are network traffic logs showing multiple connections from disparate source IP addresses targeting critical assets over a consecutive and short period of time? In some cases, DDoS activity can be sustained for long periods depending on the attack methodology.
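Two of the IOCs above, Log-In Red Flags and Web Traffic with Unhuman Behavior, checked over sample log lines, as an added example that is not part of the original notes. The sshd-style auth log, the common-log-format access log, the hostnames, addresses and the thresholds are all constructed for the example.

```python
# Added example, not from the original notes: two of the IOCs above checked
# against constructed log lines, "Log-In Red Flags" (repeated failures for
# non-existent accounts) and "Web Traffic with Unhuman Behavior" (GET bursts).
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log; 198.51.100.7 and 10.0.4.2 are sample addresses.
AUTH_LOG = """\
Mar 10 09:01:02 app1 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar 10 09:01:04 app1 sshd[812]: Failed password for invalid user test from 198.51.100.7 port 40114 ssh2
Mar 10 09:01:05 app1 sshd[812]: Failed password for invalid user oracle from 198.51.100.7 port 40116 ssh2
Mar 10 09:04:00 app1 sshd[845]: Failed password for deploy from 10.0.4.2 port 51002 ssh2
"""
INVALID_USER_RE = re.compile(r"Failed password for invalid user (\S+) from (\S+)")

def invalid_user_failures(log, threshold=3):
    """Map source IP -> usernames tried, for sources with >= threshold failures against accounts that do not exist."""
    by_source = defaultdict(list)
    for line in log.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:  # a failure for an existing account (the deploy line) is not counted
            by_source[m.group(2)].append(m.group(1))
    return {ip: users for ip, users in by_source.items() if len(users) >= threshold}

# Constructed common-log-format access log for an intranet portal.
ACCESS_LOG = """\
10.0.9.31 - - [10/Mar/2024:09:10:00 +0000] "GET /portal/ HTTP/1.1" 200 5120
10.0.9.31 - - [10/Mar/2024:09:10:00 +0000] "GET /portal/page?id=1 HTTP/1.1" 200 4100
10.0.9.31 - - [10/Mar/2024:09:10:01 +0000] "GET /portal/page?id=2 HTTP/1.1" 200 4098
10.0.9.31 - - [10/Mar/2024:09:10:01 +0000] "GET /portal/page?id=3 HTTP/1.1" 200 4101
10.0.9.31 - - [10/Mar/2024:09:10:02 +0000] "GET /portal/page?id=4 HTTP/1.1" 200 4099
10.0.9.44 - - [10/Mar/2024:09:10:30 +0000] "GET /portal/ HTTP/1.1" 200 5120
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET ')

def get_bursts(log, window_seconds=60, max_requests=4):
    """Map client IP -> largest number of GETs inside any window_seconds span, for clients exceeding max_requests."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            times[m.group(1)].append(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_requests:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

On the sample data invalid_user_failures flags 198.51.100.7 with three non-existent usernames while the legitimate deploy failure is ignored, and get_bursts flags 10.0.9.31 for five GETs in under three seconds while the single request from 10.0.9.44 passes.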