The MSTIC research branch of it can forward events to Syslog, which can be collected and accessed on Azure Sentinel (see this link for more information on collecting Syslog in Sentinel), making it a great option for collecting command line data and parsing it for Base64 encodings. It may be helpful to run the notebook yourself as you read through it.ĪUOMS is a Microsoft audit collection tool that can collect events from kaudit or auditd/audisp. This blog will walk you through the setup and use of this notebook. It then walks you through an investigation and scoring process that will highlight the commands most likely to be malicious, which can focus your investigation down to individual hosts and lead to further exploration using the Linux Host Explorer Notebook or any other tools and methodologies you prefer. This notebook attempts to query for and analyze Base64-encoded commands found in execve logs in your Azure Sentinel workspace. A specific case of this is discussed and analyzed here. This is often seen in crypto mining attacks. This Guided Hunting: Base64-Encoded Linux Commands Notebook was created in response to an increasing number of attackers encoding their bash commands into Base64. Thus, we’ve been working on expanding coverage on Linux-specific investigations. Many of our Azure customers use Linux virtual machines, and we are always looking for ways to help our customers in their security investigations. Please note that all notebooks are live on Github and under revision so be aware that the notebooks you use might be slightly different from those described in blog posts. These notebooks are all built using Microsoft Threat Intelligence Center’s Python API MSTICpy. Other notebooks you can access now are available on the Azure Sentinel Notebook Github and cover Windows host exploration, IP Addresses, Domains & URLs, Linux hosts, and much more. Here are links to Part 1, Part 2, and Part 3. A blog series written last year covers the use of Jupyter notebooks in threat hunting in more detail.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |