Sunday, October 2, 2016

SANS 504 Notes - Identification (Azure VM analysis)


In this section I'll detail out my notes on the identification part of SANS 504.  I'll also have a look at a brand-new Azure VM and have a look at what is running.

Notes
  • Identification is everyone's job
    • Consider all the sources you can use to identify / detect an incident
      • help desk
      • firewalls
      • IDS/IPS
      • log alerting software
      • anti-virus
      • end users
    • Consider the identification areas
      • network perimeter
      • host perimeter
      • system-level
      • application-level
  • Incident handlers job to investigate an incident
    • ensure all information provided is as current as possible
    • send two handlers if possible (one to run the incident and one to maintain communications)
    • set expectations up front around documentation and communication schedules
      • ensure out-of-band communication channels are open (fax/phone/etc)
    • enforce a need-to-know policy, keep rumours at bay
  • Handlers need to have an understanding of a baseline of a system to look for differences
    • SANS has published windows/linux cheat sheets that give some basic commands for initial investigation
    • Things to look for
      • Unusual process/services
      • Unusual files
      • Network usage
      • Scheduled tasks
      • Accounts
      • Log entries
      • Other unusual items
  • Handler has to know when to declare an incident
    • Don't fear to report early, worst case incident becomes a training event
    • Need to do proper investigation on an event
      • check for simple mistakes
      • "what other possibilities are there"?
    • Determine how much damage has been caused
      • risk of the systems affected (and the reach)
      • complexity of the attack (script kiddie vs real hacker)
      • remote exploit?
    • See https://zeltser.com/security-incident-questionnaire-cheat-sheet/ for more info
    • Remember to maintain chain of custody and take good notes

Looking at a new Azure VM based on template

In this section I'm going to use some commands from the windows cheat sheet to have a look at a net new Azure VM.

The first is a look at the running services in an Azure VM.

Azure VM - Running Services
A couple of interesting things to note:
  • Hyper-V services are installed, dead give away of the hypervisor technology in use
  • Azure services (Guest/Telemetry) are enabled by default
Now let's have a look at which features are installed by default.

Azure VM - Installed Features

A pretty small set of features is installed.  Most are required because I am running a GUI and not a nano/core install.  It has been a long time since I've installed/used a windows server not on Azure, so I'm not sure what the base feature set is.  There are some interesting ones such as "Enhanced Storage".

Next, let's have a look at network connections.

Azure VM - Network Services

Looks like by default my Azure VM is talking out to the internet.  Curious, wonder what that could be.

Process ID - 1972 = WindowsAzureGuestAgent
Process ID - 2844 = WaAppAgent


The second address appears to be a link to the storage stamp associated with this VM.  The first, based on the waappagent logs, appears to be the fabric address. 

Azure VM - WaAppAgent Logs

Okay, cool cool.  Good to know that I need those connections and, further, that they are persistent even after initial setup.  This is obviously only true if you have installed the guest agent.  You can choose to opt out of this install.

Lastly, lets have a look at the scheduled tasks that have triggers and are not disabled.

Azure VM - Scheduled Tasks
There are probably a few other things we could check.  According to the cheat sheet, we should also have a look at large files in the system, registry keys, and local user/group memberships.  I'll leave that as an exercise to the reader :)