I like to look for things like:

o simultaneous logins using the same account, especially on machines in different buildings, etc.

o Attempted interactive logins on servers using accounts where that has been turned off.

o Attempted share or ftp logins on workstations using accounts that should be interactive only for the workstation.

o If you have naming conventions, then look for systems put up that don't conform. Usually in the server logs and exchange logs.

o Child processes started by parent processes that should not be starting that child. This is fun because you have to trace backwards using process handles or maintain a handle-and-image-name list for each system.

o Turn on auditing for important files and watch for unauthorized processes accessing them. Another fun one.

o If you have a distributed logging system with closely timed collections, then set up an 'at' job on each system to generate a heartbeat mark message at <1/2 your collection interval. If your collections are every 5 minutes, then generate mark messages every 2 minutes. Check for missing mark messages. You will know pretty quickly if someone takes down an important server and didn't tell you. You will also know quickly if a hacker is trying to erase logs. They will likely be unable, unless they are an insider, to re-construct your mark messages fast enough to beat your collection interval if it is 3-5 minutes. Even more true if you use an obscure mark message with a hash fingerprint of the timestamp or something.

o Set up a security policy that requires a "scheduled maintenance window" or "emergency maintenance incident" to be declared before admins touch the systems. Then look for administrative activity outside the maintenance windows.

There is a whole raft of things one can think of. Let's get some input from the rest of the list!

-Craig.
--------- Original Message ------------
Date: Tue, 18 Feb 2003 18:57:19 +0100
From: "Rainer Gerhards" <rgerhardsat_private>
To: <loganalysisat_private>
Subject: [logs] Windows Event Log Attack Signatures

Hi all,

I am currently working on consolidating a set of windows event log attack signatures. I would appreciate any links or information you might have in this regard. I am looking for anything that manifests in the event logs.

What are you looking for in the real world? ;-)

Many thanks,
Rainer Gerhards
Adiscon

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
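Added example (not part of the thread above, not Craig's or Adiscon's code): a working version of the heartbeat "mark message" check Craig describes, with a generator for the line the 'at' job would write and a collector-side audit that reports slots with no mark (host down, or logs wiped) and marks whose fingerprint does not verify (someone tried to back-fill the log). Assumptions beyond the post: the fingerprint is an HMAC over host and timestamp keyed with a per-host secret held by the collector, rather than a plain hash of the timestamp, so an intruder cannot regenerate plausible marks even if he knows the format; the host names fs01 and dc01, the secrets, and every log line are constructed for the example; a 2-minute interval is used against a 5-minute collection, as in the post.

```python
"""Heartbeat 'mark' messages for a central log collector (added example).

Each monitored host emits one MARK line every MARK_INTERVAL seconds from an
'at'/cron job; the collector checks that every slot in the window has a mark
and that each mark's fingerprint verifies under that host's key.
"""
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed for this example: collection every 5 minutes, so marks every 2.
MARK_INTERVAL = 120

# Assumed: per-host secrets provisioned out of band and kept on the collector.
# The post only says "hash fingerprint of the timestamp"; keying it is this
# example's hardening, so a log-wiping intruder cannot re-synthesise marks.
HOST_SECRETS = {
    "fs01": b"fs01-secret-example",
    "dc01": b"dc01-secret-example",
}


def fingerprint(host: str, ts: datetime) -> str:
    """Keyed fingerprint of (host, timestamp); 16 hex chars is enough here."""
    msg = f"{host}|{ts.isoformat()}".encode()
    return hmac.new(HOST_SECRETS[host], msg, hashlib.sha256).hexdigest()[:16]


def make_mark(host: str, ts: datetime) -> str:
    """The line the scheduled job on `host` writes every MARK_INTERVAL seconds."""
    return f"{ts.isoformat()} {host} MARK {fingerprint(host, ts)}"


def slot_of(ts: datetime, interval: int = MARK_INTERVAL) -> int:
    """Quantise a timestamp to its heartbeat slot; jobs never fire on the exact second."""
    return int(ts.timestamp()) // interval


def check_marks(lines, start: datetime, end: datetime, interval: int = MARK_INTERVAL):
    """Audit collected log lines for the window [start, end].

    Returns {host: {"missing": [slot-start datetimes], "forged": [slot-start datetimes]}}.
    "missing": no mark landed in that slot (host down, or its log was wiped).
    "forged":  a mark is present but its fingerprint does not verify under the
               host's key, i.e. someone rewrote the log and back-filled a mark.
    """
    seen = {host: {} for host in HOST_SECRETS}  # host -> slot -> (ts, fp)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "MARK":
            continue  # ordinary log traffic, not a heartbeat
        ts = datetime.fromisoformat(parts[0])
        host, fp = parts[1], parts[3]
        if host not in seen:
            continue  # unknown host: out of scope here, but worth its own alert
        seen[host][slot_of(ts, interval)] = (ts, fp)

    report = {}
    for host, by_slot in seen.items():
        missing, forged = [], []
        for slot in range(slot_of(start, interval), slot_of(end, interval) + 1):
            slot_start = datetime.fromtimestamp(slot * interval, tz=timezone.utc)
            if slot not in by_slot:
                missing.append(slot_start)
                continue
            ts, fp = by_slot[slot]
            if not hmac.compare_digest(fp, fingerprint(host, ts)):
                forged.append(slot_start)
        report[host] = {"missing": missing, "forged": forged}
    return report


def summarise(report):
    """Same report with slot times as HH:MM strings, for display and tests."""
    return {host: {k: [t.strftime("%H:%M") for t in v] for k, v in r.items()}
            for host, r in report.items()}


def demo():
    """Constructed sample: fs01 is healthy; dc01 goes quiet for two slots, then
    an intruder back-fills one mark with a made-up fingerprint."""
    t0 = datetime(2003, 2, 18, 18, 0, tzinfo=timezone.utc)
    end = t0 + timedelta(minutes=10)
    lines = []
    for i in range(6):  # slots 18:00, 18:02, ..., 18:10
        ts = t0 + timedelta(seconds=i * MARK_INTERVAL + 3)  # jobs fire a bit late
        lines.append(make_mark("fs01", ts))
        if i in (2, 3):
            continue  # dc01 down 18:04-18:07: no heartbeats at all
        if i == 4:
            lines.append(f"{ts.isoformat()} dc01 MARK 0123456789abcdef")  # forged
            continue
        lines.append(make_mark("dc01", ts))
    lines.append(f"{t0.isoformat()} fs01 Security 528 Successful Logon")  # noise
    return check_marks(lines, t0, end)


if __name__ == "__main__":
    for host, r in summarise(demo()).items():
        print(host, "missing:", r["missing"], "forged:", r["forged"])
```

Run as-is it reports nothing for fs01 and, for dc01, missing marks at 18:04 and 18:06 plus a forged one at 18:08. The audit keys on the slot rather than the exact timestamp so a job that fires a few seconds late is not flagged, while the fingerprint still covers the timestamp as written, so a back-filled line cannot borrow a real mark's fingerprint from another slot.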
This archive was generated by hypermail 2b30 : Fri Mar 07 2003 - 07:09:00 PST