DOCSLIB.ORG

Facing the Challenge(S) of Windows Logs Collection to Leverage Valuable Iocs

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Facing the challenge(s) of Windows logs collection to leverage valuable IOCs . Michel de Crevoisier Security Analyst, Radar Cyber Security 15.10.2019, Berne © RadarServices // Classification: Public The five challenges © RadarServices // Classification: Public #1 High diversity of log sources Server Microsoft 3rd party Built-in roles software software Advanced Threat ADFS Application Analytics (ATA) Ivanti software Certification authority Exchange PowerShell Kaspersky DHCP server Skype Security DNS server SQL Server Veeam Backup System IIS web server SYSMON […] […] NPS Radius Defender © RadarServices // Classification: Public 3 #2 Different log extensions EVTX ETL TXT (standard Windows logs (analytical logs, like DNS (IIS, NPS, DHCP, in XML format) Server or PowerShell) PowerShell Transcript, former DNS logs) © RadarServices // Classification: Public 4 #3 Multiple architectural approaches Access method / Protocol (MS-EVEN6, RPC, WMI,…) Push vs Pull Agent vs Agentless Intermediate collector VS Direct sending to receiver Central file store vs Shared folder Managed agent VS Unmanaged agent © RadarServices // Classification: Public 5 #4 Disabled and restrictive event logs • Protected users (if configured, on DCs only) Valuable event • LSA (Local Security Authority) logs disabled • IIS web server • DNS client Event logs with • SMB server restrictive • SMB client access • IIS web server © RadarServices // Classification: Public 6 6 #5 Operational constraints Security Data exchange Performance Configuration Environment • Avoid usage of • Data • High • Easy • Cloud high privileges encryption availability deployment • Domain VS • Isolation • Secured • Compression • Minimize Workgroup between authentication configuration • OT customer and method changes (Operational security • Low impact on Technology) provider operating system © RadarServices // Classification: Public 7 Collecting standard Windows logs © RadarServices // Classification: Public WEF/WEC introduction Unified & built-in solution to collect standard Windows logs WEF (Windows Event Forwarding) WEC (Windows Event Collector) Authentication and encryption Collects and stores all requested through Kerberos in a domain or events from WEF clients according TLS certificates in a Workgroup XML subscriptions Data exchange over WinRM (push High availability capacities where or pull) clients send events to each WEC collector XML-based language to control event IDs to collect or to suppress Certain 3rd party software can also: noisy events Emulate a WEC server by spoofing a Settings control over GPO WinRM listener (e.g.: SYSLOG-NG Premium, NXLog Enterprise, AlienVault USM > actually uses NXLog) EPS control rate Manage multiple WEC servers with a central management console (e.g.: SuperCharger from Logbinder) © RadarServices // Classification: Public 9 Who is publishing about WEF/WEC? HP/ArcSight, Australian Cyber Security, … 2017 2015 2013 2017 & 2019 © RadarServices // Classification: Public 10 WEF/WEC performance Scaling out Technical characteristics Limitations Up to 4.000 source clients per All collected events are saved in collector (source: Microsoft) Forwarded Events log file Average logging is 5.000 EPS, can All events are mixed without any go up to 10.000 EPS (source: Microsoft) tagging possibilities Maximum recommended size per Only standard event logs (EVTX) event log file: 4GB can be forwarded Maximum recommended size for all Windows logs files: 16GB Compression possible with event log size reduction © RadarServices // Classification: Public 11 WEF/WEC advanced approach The Palantir approach to the rescue Multiple event channels • Different size and rotation strategy • Channel can be tagged for SIEM ingestion • Channel can be placed on different storage for better performance Preconfigured subscriptions • XML query to specify the events to collect • Specify the event channel destination © RadarServices // Classification: Public 12 WEF/WEC advanced approach A look in production on a WEC server Deployment is Requires several not automatized manual actions Potential source of incorrect configuration Event channels Subscriptions © RadarServices // Classification: Public 13 WEF/WEC deployment enhancement PowerShell at the rescue Automated Automated WEC server Palantir toolset role setup deployment Covers event Adjusts log file channel and size and subscriptions location Fixes SDDL Available on permissions on GitHub WinRM service https://github.com/rs-dev/windows-event-collector_auto-deploy © RadarServices // Classification: Public 14 WEF/WEC Injecting data with agent from the WEC server to your SIEM ArcSight agent NXLog agent Community RSYSLOG agent JSON Snare agent Source clients WEC collector SIEM CEF Splunk UF agent WinCollect agent Chosen agent software solution Winlogbeat agent Other targetOther / Externaltarget / provider /External Archiving provider solution © RadarServices // Classification: Public 15 WEF/WEC Injecting data without agent from the WEC server to your SIEM NXLog agent Enterprise SYSLOG-NG Premium Source clients SIEM Certificates are required Certificates pushed on hosts on each source client ! Chosen software for WinRM server listener emulation © RadarServices // Classification: Public 16 Collecting Windows DNS transaction logs © RadarServices // Classification: Public Collecting DNS transaction logs Technical possibilities overview DNS transactions logs Linux/Unix Windows OS Passive DNS OS Bind, DNS server DNS client Firewall or 3rd NIDS solution Unbound, logs logs party solution Dnsmasq, … Mirrored traffic 1 2 3 DNS DNS Event SYSMON ETW ETL debugging log (ID 22) Server 2012 R2 Disabled © RadarServices // Classification: Public 18 1 Collecting DNS transaction logs Old school approach with Debugging DNS logs Very simple High impact on access performance Only for Not supported debugging by MS for purpose production Does not Timestamp include DNS structure may answer change Delay before data is written No event ID (>1min) © RadarServices // Classification: Public 19 2 About ETW Event Tracing for Windows Efficient kernel-level tracing facility that allows to save kernel or application-defined events Allows to dynamically enable or disable logging in real time without any restart of the system Great open source projects available: KrabsETW (Microsoft) Performant C++ library to interact with ETW (https://github.com/Microsoft/krabsetw) PowerKrabsEtw PowerShell module built around the KrabsETW APIs (https://github.com/zacbrown/PowerKrabsEtw) TA-DNSETW Splunk plugin to collect DNS events from ETW using "KrabsETW" (https://github.com/secops4thewin/TA-DNSETW) SilkETW (FireEye) Flexible C# ETW wrapper running as a service - Blackhat 19 (https://github.com/fireeye/SilkETW) NXLog Community Windows agent provided with a native ETW module (im_etw). Logs can be saved in a file and/or sent to a remote target © RadarServices // Classification: Public 20 2 Collecting DNS transaction logs Advanced approach with native ETW Solutions for production System tools: Low impact on Event ID •Built-in: Logman, Perfmon, Netsh •Installable: Xperf, Tracelog, NetMon, performance provided Microsoft MMA, Tracelogging DNS answer Not Splunk •App “TA-DNSETW”: read ETW using is provided compatible the KrabsETW library from Microsoft (but encoded) with WEC Requires NXLog Community agent or script No cache file •Built-in module to read and forward installation ETW logs © RadarServices // Classification: Public 21 3 About ETL Event Tracing Logs ETW trace session are saved into ETL log files ETL files can be placed on a shared folder on each DNS server to be read remotely Great open source tools available: ETL-to-EVTX PowerShell script that reads ETL logs and writes them into Windows Event Viewer (https://github.com/acalarch/ETL-to-EVTX) ETLParser (GCPartners) Executable which can decodes several types of ETL files (https://github.com/gcpartners/ETLParser) DNSplice Python script that parses DNS ETL files (https://github.com/nerdiosity/DNSplice) DNS Analytical App PowerShell script for Splunk UF that reads ETL logs (Splunk) (https://splunkbase.splunk.com/app/2937) NXLog Community Windows agent provided with a native ETL module. Logs can be saved in a file and/or sent to a remote target ETW2JSON (Microsoft) Read ETL file and convert it to JSON (https://github.com/microsoft/ETW2JSON) © RadarServices // Classification: Public 22 3 Collecting DNS transaction logs Advanced approach with ETL Solutions for production System tools: Low impact on Event ID •Built-in: Tracerpt performance provided •Installable: Microsoft Message Analyzer (MMA) ETL file can be DNS answer is Splunk placed in a provided (but •App “DNS analytical”: PowerShell shared folder encoded) script that extracts ETL logs and send it to a remote listener Not compatible NXLog Community with WEC per •Built-in module to read and forward default (*) ETL logs (**) *ETL-to-EVTX script can convert ETL logs to EVTX log file **Currently in preview. Will be fully released in NXLog agent v5 © RadarServices // Classification: Public according NXLog support 23 Steps and solutions overview © RadarServices // Classification: Public Overview of collecting methods 1: requires PowerShell script that extracts ETL content into EVTX log files 4: not recommended, requires to query SCCM SQL Server database 2: requires agent or plugin with ETL or ETW capacities 5: requires SQL Server advanced configuration 3: data in event log has no structure 6: pulling requires dealing with firewall, credentials and double NAT issues 7: only a limited set of logs are available.
Recommended publications
  • Implementation of Centralized Logging and Log Analysis in Cloud Transition

    Implementation of Centralized Logging and Log Analysis in Cloud Transition

    Implementation of Centralized Logging and Log Analysis in Cloud Transition Antti Vainio School of Science Thesis submitted for examination for the degree of Master of Science in Technology. Espoo 3.7.2018 Supervisor Prof. Jukka Suomela Advisor MSc Cyril de Vaumas Copyright ⃝c 2018 Antti Vainio Aalto University, P.O. BOX 11000, 00076 AALTO www.aalto.fi Abstract of the master’s thesis Author Antti Vainio Title Implementation of Centralized Logging and Log Analysis in Cloud Transition Degree programme Computer, Communication and Information Sciences Major Computer Science Code of major SCI3042 Supervisor Prof. Jukka Suomela Advisor MSc Cyril de Vaumas Date 3.7.2018 Number of pages 84 Language English Abstract Centralized logging can be used to collect log data from multiple log files on multiple separate server machines and transmit the data to a single centralized location. Log analysis on top of that can automatically process large amounts of logs for various different purposes including problem detection, troubleshooting, monitoring system performance, identifying security incidents, and understanding user behavior. As the volume of log data is growing when software systems, networks, and services grow in size, the log data located on multiple separate server machines can be difficult to manage. The traditional way of manually inspecting logs hasalso become too labor-intensive and error-prone when large amounts of log data need to be analyzed. Setting up centralized logging and automatic log analysis systems can be used to solve this problem. This thesis explains the concepts of log data, centralized logging, and log analysis, and also takes a look at existing software solutions to implement such a system.
  • IBM Cognos Analytics - Reporting Version 11.1

    IBM Cognos Analytics - Reporting Version 11.1

    IBM Cognos Analytics - Reporting Version 11.1 User Guide IBM © Product Information This document applies to IBM Cognos Analytics version 11.1.0 and may also apply to subsequent releases. Copyright Licensed Materials - Property of IBM © Copyright IBM Corp. 2005, 2021. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at " Copyright and trademark information " at www.ibm.com/legal/copytrade.shtml. The following terms are trademarks or registered trademarks of other companies: • Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. • Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. • Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. • Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. • UNIX is a registered trademark of The Open Group in the United States and other countries. • Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
  • A Dll Required for This Install Could Not Be Run

    A Dll Required for This Install Could Not Be Run

    A Dll Required For This Install Could Not Be Run Foldable Hannibal saunter anticipatorily and respectably, she reseat her wentletrap overlaid retractively. Which Arne igniting butso cheap berrying that her Dickie instruments triturated flying. her tanists? Analyzed Giovanne still encyst: salt and Circassian Whitby outface quite fervently This product was an option, microsoft distributed dll required dll for could not a install the problem for fixing the table doe Will not a install could be run this dll required for what is solved by multiple rows into boot. How to resolve my case, code and performance cookies and this dll for install a could not be run in. Any solution is required actions, hardware failure and be. If he're running Windows installation as the repair source or sale you're using Windows from a. Thank you for safe prompt response. A DLL required for this installation to complete could not be run. Does this solution from your pc scan with windows installer on target system is this tool in any proposed solutions to use windows updates about how did run a this dll required for could not install be. Reddit on the respective owners in this dll for a required. Set properties are you hate cookies may not a install be run this dll required for instant savings! Could not initialized handler. Your pc and framework, dll could not be able to customize it? Qgis also for this issue, dll required for could not a install it is a time i run. Fix problems installing Chrome Google Chrome Help.
  • View the Slides (Smith)

    View the Slides (Smith)

    Network Shells Michael Smith Image: https://commons.wikimedia.org/wiki/File:Network-connections.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png Management at a distance (netsh) Netsh: Configure DHCP servers with netsh -r RemoteMachine -u domain\username [RemoteMachine] netsh>interface [RemoteMachine] netsh interface>ipv6 [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (netsh) Netsh: Configure DHCP servers with netsh Location-r RemoteMachine -u domain\username Hierarchical [RemoteMachine] netsh>interfacecontext Simpler [RemoteMachine] netsh interface>ipv6 commands [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (WSMan) WSMan (in Powershell): Manage Windows remotely with Set-Location -Path WSMan:\SERVER01 Get-ChildItem -Path . Set-Item Client\TrustedHosts *.domain2.com -Concatenate Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/about/about_wsman_provider
  • Netsh Commands William John Holden 2014­04­11 (Version 2) Interface Configuration Configure an Ipv4 Address with Subnet Mask and Default Gateway

    Netsh Commands William John Holden 2014­04­11 (Version 2) Interface Configuration Configure an Ipv4 Address with Subnet Mask and Default Gateway

    Netsh Commands William John Holden 2014­04­11 (version 2) Interface Configuration Configure an IPv4 address with subnet mask and default gateway. Omitted netmask implies classful addressing. netsh int ipv4 set address "Local Area Connection" static 192.168.1.3 255.255.255.0 192.168.1.1 Remove an IPv4 address and default gateway from an interface. netsh int ipv4 del address "Local Area Connection" 192.168.1.3 192.168.1.1 You can add more than one IP address to an interface. Additional addresses don't show up in ipconfig without /all. netsh int ipv4 add address "Local Area Connection" 192.168.1.4 Add a global unicast IP with prefix. Prefix is optional and defaults to /64. netsh int ipv6 set address "Local Area Connection" 2001:beef::1/64 Add a link­local IP to an interface. See the similarity to above? netsh int ipv6 add address "Local Area Connection" fe80::6 Delete the IP. Remove a link­local IP the same way. netsh int ipv6 del address "Local Area Connection" 2001:beef::1 Set an IPv6 default route. netsh int ipv6 add route ::/0 "Local Area Connection" fe80::3 Delete the default route. netsh int ipv6 delete route ::/0 "Local Area Connection" fe80::3 Reset Configuration Reset interface configuration completely (requires restart): netsh int ipv6 reset all netsh int ipv4 reset all shutdown ­r ­t 0 Verification (“show commands”) netsh has several commands that are very similar to ipconfig, route print (netstat ­r), netstat ­a, and getmac. Poke around netsh int ipv4 show ? and you’ll find lots of interesting stuff.
  • NXLOG Community Edition Reference Manual for V2.9.1716 I

    NXLOG Community Edition Reference Manual for V2.9.1716 I

    Ed. v2.9.1716 NXLOG Community Edition Reference Manual for v2.9.1716 i NXLOG Community Edition Reference Manual for v2.9.1716 Ed. v2.9.1716 Ed. v2.9.1716 NXLOG Community Edition Reference Manual for v2.9.1716 ii Copyright © 2009-2014 NXLog Ltd. Ed. v2.9.1716 NXLOG Community Edition Reference Manual for v2.9.1716 iii Contents 1 Introduction 1 1.1 Overview . .1 1.2 Features . .1 1.2.1 Multiplatform . .1 1.2.2 Modular architecture . .1 1.2.3 Client-server mode . .2 1.2.4 Log message sources and destinations . .2 1.2.5 Importance of security . .2 1.2.6 Scalable multi-threaded architecture . .2 1.2.7 High performance I/O . .2 1.2.8 Message buffering . .2 1.2.9 Prioritized processing . .3 1.2.10 Avoiding lost messages . .3 1.2.11 Apache-style configuration syntax . .3 1.2.12 Built-in config language . .3 1.2.13 Scheduled tasks . .3 1.2.14 Log rotation . .3 1.2.15 Different log message formats . .4 1.2.16 Advanced message processing capabilites . .4 1.2.17 Offline processing mode . .4 1.2.18 Character set and i18n support . .4 2 Installation and quickstart 5 2.1 Microsoft Windows . .5 2.2 GNU/Linux . .6 2.2.1 Installing from DEB packages (Debian, Ubuntu) . .6 2.2.2 Installing from RPM packages (CentOS, RedHat) . .6 2.2.3 Configuring nxlog on GNU/Linux . .6 Ed. v2.9.1716 NXLOG Community Edition Reference Manual for v2.9.1716 iv 3 Architecture and concepts 7 3.1 History .
  • How to Cheat at Windows System Administration Using Command Line Scripts

    How to Cheat at Windows System Administration Using Command Line Scripts

    www.dbebooks.com - Free Books & magazines 405_Script_FM.qxd 9/5/06 11:37 AM Page i How to Cheat at Windows System Administration Using Command Line Scripts Pawan K. Bhardwaj 405_Script_FM.qxd 9/5/06 11:37 AM Page ii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or produc- tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc.“Syngress:The Definition of a Serious Security Library”™,“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
  • How Will You Troubleshoot the Issue? What Are the Steps to Followed? A

    How Will You Troubleshoot the Issue? What Are the Steps to Followed? A

    1. A user in a corporate network contacts service desk saying he/she has lost network connectivity: How will you troubleshoot the issue? What are the steps to followed? A. First I will check the network cable is plugged in or not. Then check the network connections and the ip address is assigned or not. Then check connecting to website or not. IP conflict. 2. A User calls in and complains that her computer and network is running very slow. How would go about troubleshooting it? A. 3. How would you create an email account for a user already in AD? A. Open Microsoft Outlook if you are using office 2000, and click on "Tools" tab. Go to "Email Accounts". There you can find two option like Email and Directory. Click on "Add a new Account" and click next. If you are using Exchange Server then click over there, this depends on that particular Organization. According to the their setup you have to choose. And if you are using POP3 server then next popup will come along with your name, email address POP3 and SMTP IP address, Password etc. and after that click on Next and finish it..... 4. A PC did not receive an update from SMS. What steps would we take to resolve this? A. If SMS not updated in client system. 1. Need to check system getting IPaddress or not. 2. Need to check system in domain or not 3.Ensure that windows firewall should be off. 5. How do you set the IP address by using the command prompt A.
  • Nxlog Community Edition Reference Manual

    Nxlog Community Edition Reference Manual

    NXLog Community Edition Reference Manual NXLog Ltd. Version 2.10.2150, November 2018 Table of Contents 1. Man Pages. 1 1.1. nxlog(8) . 1 1.2. nxlog-processor(8) . 3 2. Configuration . 5 2.1. General Directives . 5 2.2. Global Directives . 6 2.3. Common Module Directives. 7 2.4. Route Directives. 12 3. Language. 15 3.1. Types . 15 3.2. Expressions. 15 3.3. Statements . 24 3.4. Variables . 26 3.5. Statistical Counters . 26 3.6. Functions. 28 3.7. Procedures . 31 4. Extension Modules . 34 4.1. Character Set Conversion (xm_charconv) . 34 4.2. Delimiter-Separated Values (xm_csv) . 35 4.3. External Programs (xm_exec) . 39 4.4. File Operations (xm_fileop) . 41 4.5. GELF (xm_gelf) . 44 4.6. JSON (xm_json). 48 4.7. Key-Value Pairs (xm_kvp) . 51 4.8. Multi-Line Parser (xm_multiline) . 60 4.9. Perl (xm_perl) . 68 4.10. Syslog (xm_syslog) . 71 4.11. WTMP (xm_wtmp) . 83 4.12. XML (xm_xml). 84 5. Input Modules . 88 5.1. Fields . 88 5.2. DBI (im_dbi) . 88 5.3. External Programs (im_exec) . 89 5.4. Files (im_file) . 90 5.5. Internal (im_internal). 93 5.6. Kernel (im_kernel) . 95 5.7. Mark (im_mark) . 96 5.8. EventLog for Windows XP/2000/2003 (im_mseventlog). 97 5.9. EventLog for Windows 2008/Vista and Later (im_msvistalog) . 100 5.10. Null (im_null) . 105 5.11. TLS/SSL (im_ssl) . 105 5.12. TCP (im_tcp) . 107 5.13. UDP (im_udp) . 108 5.14. Unix Domain Sockets (im_uds) . 109 6. Processor Modules . 111 6.1. Blocker (pm_blocker) . ..
  • Threat Advisory: Eternalrocks

    Threat Advisory: Eternalrocks

    McAfee Labs Threat Advisory EternalRocks June 6, 2017 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent A malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to n mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. d To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html. Summary EternalRocks is a network worm which uses the SMB exploits ETERNAL BLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY along with related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH to spread. McAfee products detect this threat under the following detection names: • Trojan-EtrnlRock • Trojan.EternalRocks • Trojan-Bluedoom • HackTool-Shadowbrokers • RDN/Generic.grp • RDN/Generic.dx • RDN/Trojan-EtrnlRock • RDN/Generic Downloader.x Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections: • Infection and Propagation Vectors • Mitigation • Characteristics and Symptoms • Restart Mechanism • Remediation • McAfee Foundstone Services Infection and Propagation Vectors Even though this has not been confirmed, the malware’s initial vector is expected to be spam email. The malware spreads by exploiting shares and uses the EternalBlue (MS17-010 Echo Response - SMB vulnerability) vulnerability. The authors have used publicly available exploit code and embedded it as a part of their dropper. On execution, the malware connects to the IPC$ tree and attempts a transaction on FID 0, triggers the vulnerability, and then exploits it.
  • Command-Line IP Utilities This Document Lists Windows Command-Line Utilities That You Can Use to Obtain TCP/IP Configuration Information and Test IP Connectivity

    Command-Line IP Utilities This Document Lists Windows Command-Line Utilities That You Can Use to Obtain TCP/IP Configuration Information and Test IP Connectivity

    Guide to TCP/IP: IPv6 and IPv4, 5th Edition, ISBN 978-13059-4695-8 Command-Line IP Utilities This document lists Windows command-line utilities that you can use to obtain TCP/IP configuration information and test IP connectivity. Command parameters and uses are listed for the following utilities in Tables 1 through 9: ■ Arp ■ Ipconfig ■ Netsh ■ Netstat ■ Pathping ■ Ping ■ Route ■ Tracert ARP The Arp utility reads and manipulates local ARP tables (data link address-to-IP address tables). Syntax arp -s inet_addr eth_addr [if_addr] arp -d inet_addr [if_addr] arp -a [inet_address] [-N if_addr] [-v] Table 1 ARP command parameters and uses Parameter Description -a or -g Displays current entries in the ARP cache. If inet_addr is specified, the IP and data link address of the specified computer appear. If more than one network interface uses ARP, entries for each ARP table appear. inet_addr Specifies an Internet address. -N if_addr Displays the ARP entries for the network interface specified by if_addr. -v Displays the ARP entries in verbose mode. -d Deletes the host specified by inet_addr. -s Adds the host and associates the Internet address inet_addr with the data link address eth_addr. The physical address is given as six hexadecimal bytes separated by hyphens. The entry is permanent. eth_addr Specifies physical address. if_addr If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used. Pyles, Carrell, and Tittel 1 Guide to TCP/IP: IPv6 and IPv4, 5th Edition, ISBN 978-13059-4695-8 IPCONFIG The Ipconfig utility displays and modifies IP address configuration information.
  • System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 15 SP1

    System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 15 SP1

    SUSE Linux Enterprise Server 15 SP1 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 15 SP1 An administrator's guide for problem detection, resolution and optimization. Find how to inspect and optimize your system by means of monitoring tools and how to eciently manage resources. Also contains an overview of common problems and solutions and of additional help and documentation resources. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xii 1 Available Documentation xiii