Impact (TA0040) Techniques
Introduction
Forensically investigating the impact of a compromise on workstations and server systems is an essential step in understanding the extent of damage, the data affected, and what steps are necessary for recovery and future prevention. This process involves a thorough examination of affected systems to identify the scope of the attack, assess the damage, and uncover the methods used by the attackers.
Understanding Possible Impacts
Data Exfiltration: Determining if sensitive data was accessed or stolen.
Data Destruction: Assessing if any data was deleted or corrupted.
System Compromise: Evaluating the integrity of the operating system and critical software.
Service Disruption: Identifying if key services were disrupted or disabled.
Persistence: Checking for any signs that the attacker has established ongoing access.
Lateral Movement: Investigating whether the compromise spread to other systems in the network.
Data Collection and Preservation
Forensic Imaging: Use tools like FTK Imager or dd to create exact copies of affected systems' hard drives.
Memory Capture: Use tools like Magnet RAM Capture or WinPmem to capture volatile memory.
Log Collection: Secure all relevant logs, including system logs, application logs, security logs, and network logs.
Assessing Data Exfiltration
Network Traffic Analysis: Use tools like Wireshark or Tcpdump to analyse network traffic for signs of data being sent to external locations.
Log Analysis: Check firewall, web proxy, and server logs for unusual outbound traffic.
Evaluating Data Integrity
File System Analysis: Examine the file system for signs of deletion, alteration, or encryption of files.
Data Recovery Techniques: Use data recovery tools to attempt to restore deleted or corrupted files.
System Compromise Assessment
Malware Analysis: Look for and analyse any malware that may have been used in the attack.
Rootkit Detection: Employ rootkit detection tools to uncover any stealthy malware or tools used by the attackers.
Integrity Checks: Run integrity checks on critical system files and configurations.
Service Disruption Analysis
System and Application Logs: Review these logs for service stop events, crashes, or configuration changes that could indicate sabotage.
Dependency Checks: Ensure that critical services and applications are functioning properly and depend on uncompromised components.
Investigating Persistence Mechanisms
Startup Items: Check for unauthorised scripts or programs in startup locations.
Scheduled Tasks and Cron Jobs: Look for any tasks that may provide ongoing access or trigger malicious activities.
Registry (Windows): Examine registry keys commonly used for persistence.
Lateral Movement Investigation
Active Directory and Network Logs: Analyse these logs for signs of credential use on multiple systems.
Endpoint Detection and Response (EDR) Data: Review EDR data for patterns that suggest movement across the network.
Documentation and Reporting
Detailed Documentation: Record all findings, methodologies, and evidence paths.
Impact Report: Prepare a detailed report summarising the impact, including data loss, system integrity issues, and business disruption.
Post-Investigation Actions
Remediation and Mitigation: Implement necessary measures to recover data, restore services, and secure the network.
Incident Review and Policy Update: Conduct a thorough review of the incident to improve future security posture and incident response capabilities.
Key Considerations
Legal and Compliance Factors: Ensure the investigation complies with legal and regulatory requirements.
Chain of Custody: Maintain an accurate chain of custody for all forensic evidence.
Confidentiality: Handle all data securely, maintaining confidentiality and integrity throughout the process.
Forensic investigations into the impact of a compromise require a multi-faceted approach, combining technical analysis with an understanding of business operations and data sensitivity. Tailoring the investigation to the specifics of the incident and the environment is essential for a comprehensive assessment.
Using KQL to Investigate Impact Activities in an Environment Using Defender/Sentinel
Impact techniques are used by adversaries to disrupt availability or compromise the integrity of systems and data. These techniques often result in data destruction, system corruption, or operational disruption.
1. T1485 - Data Destruction
Objective: Detect and investigate attempts to destroy data on compromised systems.
Detect Use of File Deletion Commands
Purpose: Identify commands that delete files, potentially indicating data destruction.
Monitor for Use of Disk Wiping Tools
Purpose: Detect the use of tools designed to wipe disk data securely.
Identify File Deletions in Critical Directories
Purpose: Monitor for file deletions in critical system directories.
Detect Use of
vssadminto Delete Shadow Copies
Purpose: Identify attempts to delete Volume Shadow Copies, which are often used to recover deleted files.
Monitor for Use of
formatCommand
Purpose: Detect the use of the format command, which can be used to destroy data on a disk.
Identify Deletion of Log Files
Purpose: Monitor for the deletion of log files, which could indicate an attempt to cover tracks after data destruction.
2. T1490 - Inhibit System Recovery
Objective: Detect and investigate attempts to inhibit system recovery, such as disabling backups or deleting system restore points.
Detect Use of
vssadminto Delete Shadow Copies
Purpose: Identify attempts to delete Volume Shadow Copies to prevent recovery.
Monitor for Disabling of Windows Backup
Purpose: Detect commands that disable Windows Backup functionality.
Identify Deletion of Backup Files
Purpose: Monitor for the deletion of backup files that could be used for recovery.
Detect Disabling of System Restore
Purpose: Identify changes to the registry that disable System Restore.
Monitor for Use of
bcdeditto Modify Boot Configuration
Purpose: Detect use of bcdedit to modify the boot configuration, which could inhibit system recovery.
Identify Deactivation of System Protection
Purpose: Monitor for the deactivation of system protection features.
3. T1486 - Data Encrypted for Impact
Objective: Detect and investigate attempts to encrypt data to prevent access, often as part of a ransomware attack.
Detect Execution of Known Ransomware Processes
Purpose: Identify the execution of known ransomware processes.
Monitor for Unusual File Renaming Activities
Purpose: Detect files being renamed with typical ransomware file extensions.
Identify Bulk File Modifications
Purpose: Monitor for bulk file modifications that may indicate encryption.
Detect Use of
vssadminto Delete Shadow Copies
Purpose: Identify attempts to delete Volume Shadow Copies before encryption.
Monitor for Creation of New Encrypted Files
Purpose: Detect the creation of files with extensions typically associated with encrypted files.
Identify Use of Encryption Tools
Purpose: Monitor for the execution of known encryption tools that could be used maliciously.
4. T1499 - Endpoint Denial of Service
Objective: Detect and investigate attempts to deny service on a single host or device, rendering it unusable.
Detect High CPU Usage by a Single Process
Purpose: Identify processes causing high CPU usage that may indicate a DoS attack on the endpoint.
Monitor for Excessive Memory Usage
Purpose: Detect processes using excessive memory, potentially causing a denial of service on the endpoint.
Identify Disk I/O Overload
Purpose: Monitor for processes causing excessive disk I/O, which could indicate a DoS attack.
Detect Network Saturation by a Single Process
Purpose: Identify processes consuming large amounts of network bandwidth, potentially causing a DoS on the endpoint.
Monitor for Forced Shutdowns or Reboots
Purpose: Detect unauthorized shutdowns or reboots that may be part of a DoS attack.
Identify Disabling of Network Interfaces
Purpose: Monitor for network interfaces being disabled, which could render the device unreachable.
5. T1529 - System Shutdown/Reboot
Objective: Detect and investigate unauthorized attempts to shut down or reboot a system, potentially causing disruption.
Detect Use of Shutdown or Reboot Commands
Purpose: Identify commands that initiate a system shutdown or reboot.
Monitor for Forced Reboots
Purpose: Detect forced reboots that could indicate malicious intent.
Identify Unauthorized System Shutdowns
Purpose: Monitor for shutdown events initiated by non-admin users.
Detect System Shutdowns After Malicious Activity
Purpose: Identify shutdowns following suspicious or malicious activity.
Monitor for Reboots Following File Modifications
Purpose: Detect reboots that occur shortly after file modifications, which may indicate tampering.
Identify Attempts to Disable or Reboot Critical Services
Purpose: Monitor for commands that attempt to stop critical services before shutting down or rebooting the system.
6. T1491.001 - Defacement: Internal Defacement
Objective: Detect and investigate attempts to deface or alter internal systems, such as web pages or internal documentation.
Detect Modifications to Internal Web Pages
Purpose: Identify changes to files in the web server directory, which could indicate defacement.
Monitor for Unauthorized Changes to Internal Documentation
Purpose: Detect modifications to internal documentation files that could indicate defacement.
Identify Use of Web Editing Tools
Purpose: Monitor for the use of text editors on web server directories, which could indicate an attempt to deface web pages.
Detect Upload of New Web Content via FTP
Purpose: Identify file uploads to a web server via FTP, which could be used to deface the site.
Monitor for Changes to Internal Signage or Displays
Purpose: Detect modifications to files used for internal digital signage, which could indicate defacement.
Identify Unusual Activity on Intranet Servers
Purpose: Monitor for unusual activity on intranet servers that could be related to defacement attempts.
Last updated