
Threat Detection using SLS Alibaba Cloud: Defense Evasion Case Study

This article describes how to detect a threat using Alibaba Cloud SLS.

Threat detection is an essential part of security operations: it lets us quickly detect anomalies that occur in our environment. This article describes how to detect a threat using Alibaba Cloud Simple Log Service (SLS). The technique used in this article falls under the MITRE ATT&CK Defense Evasion tactic, namely Indicator Removal by deleting events or logs on the server (T1070.001).

Case Study

The image below shows the flow of the case study. The threat actor deletes logs on the Windows server; the event is recorded by Sysmon and sent to the SLS logstore via Logtail. SLS then detects the incident with the alert rule that has been created and sends an alert to the SOC team for follow-up.

Picture 1. Threat Detection Flow

Here is an outline of what we will do:

• Create an SLS project and logstore

• Install Sysmon on the Windows server

• Collect data via Logtail

• Install Invoke-AtomicRedTeam

• Create an alert rule and notification template

• Validate the detection

Create Project & Logstore SLS

First, we need to create a project in the SLS console. To create a project, click Create Project, choose the region you want, fill in the project name, and click OK. There are other settings you can configure, such as the resource group and log collection options.

Picture 2. Create Project

After the project is created, the next step is to create a logstore. Click Create Logstore (shown after the project is created), choose the logstore type and billing mode, and fill in the logstore name. Data retention on a logstore can be set from a minimum of 1 day to a maximum of 3650 days. A logstore also offers automatic sharding with a maximum of 256 shards; each shard supports a write speed of 5 MB/s and a read speed of 10 MB/s.

Picture 3. Create Logstore

Installing Sysmon on Windows Server

After creating the project and logstore, we install Sysmon to capture process events on the Windows server. Sysmon is a powerful monitoring tool for Windows systems. It is designed to provide detailed information about system activity, making it invaluable for security investigations, incident response, and general system monitoring. To install Sysmon, first download the installer from Microsoft's official website. Extract the downloaded archive and run this command to install Sysmon (without a configuration file, Sysmon installs with its default settings, which include process creation events with the full command line):

Sysmon64.exe -accepteula -i

Picture 4. Install Sysmon

We can verify that events are being captured by Sysmon via Event Viewer.

Picture 5. Sysmon Data

Data Collection via Logtail

Back in the SLS console, we now need to collect the Sysmon data into the logstore via Logtail. To collect the data, click the + icon on the Data Collection tab, choose Windows Event Logs, and click Integrate Now.

Picture 6. Add Data Collection

Picture 7. Windows Event Logs Plug-in

We need to install Logtail in order to forward the Sysmon logs to the logstore. Select the ECS instance on which Logtail should be installed and click Create; the Logtail agent is installed automatically.

Picture 8. Install Logtail

After the installation is completed, we have to create a machine group. A machine group is a virtual group of multiple servers. Simple Log Service uses machine groups to manage the servers whose logs need to be collected by using Logtail. Simple Log Service allows you to collect data from multiple servers by using the same Logtail configuration. The servers can belong to a single machine group or multiple machine groups.

Picture 9. Machine Group

Click Next until you reach the plug-in configuration step. There, use this configuration to add the Sysmon channel alongside the Application and System channels:

{
  "inputs": [
    {
      "type": "service_wineventlog",
      "detail": {
        "Name": "Application",
        "IgnoreOlder": 259200
      }
    },
    {
      "type": "service_wineventlog",
      "detail": {
        "Name": "System",
        "IgnoreOlder": 259200
      }
    },
    {
      "type": "service_wineventlog",
      "detail": {
        "Name": "Microsoft-Windows-Sysmon/Operational",
        "IgnoreOlder": 259200
      }
    }
  ]
}

Click Next, then preview your data. If data appears, the data collection has been added successfully.

Picture 10. Preview Data Collection

Install Invoke-AtomicRedTeam

We use Invoke-AtomicRedTeam to perform the attack technique. Invoke-AtomicRedTeam is a PowerShell module that executes tests defined in the atomics folder of Red Canary's Atomic Red Team project. The atomics folder contains a folder for each technique defined by the MITRE ATT&CK framework.

To install the execution framework and the atomics folder, open PowerShell as administrator and run these commands:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Picture 11. Install Invoke-AtomicRedTeam

Run the invoke command to execute the clear-logs test, and then verify that the event is detected by SLS.

Picture 12. Clear Logs

Picture 13. Clear-EventLog in SLS

Create Alert Rule & Notification Template

Now that the event has been detected, we need to create an alert rule so that we are alerted if the same activity is carried out by a threat actor. To create the alert rule, fill in the rule name, set the check frequency, create the query statistics, set the trigger condition, and enable Simple Log Service Notifications.

We can use this query to detect the clear-log events. It is a full-text search: it matches any record in the logstore that contains the keyword Clear-EventLog, which is how it catches the cmdlet name in the Sysmon process command line.

* and Clear-EventLog
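As an added illustration (not code from the article), the Python below simulates what the alert rule does: it applies the full-text condition of the query to constructed Logtail-style event records and, going one step beyond the article's query, also flags System Event ID 104, which Windows writes when an event log is cleared and which the Logtail configuration above already collects. The field names (channel, event_id, host, user, message) are assumptions about the shape of the ingested records.

```python
import re
# Added example, not code from the article. Field names (channel, event_id,
# host, user, message) are assumptions about the shape of the ingested records.
KEYWORD = re.compile(r"clear-eventlog", re.IGNORECASE)
LOG_CLEARED_EVENT_ID = "104"  # System channel: "The <name> log file was cleared."

# Constructed sample records, one per Windows event as Logtail would forward them.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "1",
     "host": "win-srv-01", "user": "WIN-SRV-01\\Administrator",
     "message": 'Process Create: CommandLine: powershell.exe -Command "Clear-EventLog -LogName System"'},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "1",
     "host": "win-srv-01", "user": "WIN-SRV-01\\svc_backup",
     "message": "Process Create: CommandLine: C:\\Windows\\System32\\notepad.exe"},
    {"channel": "System", "event_id": "104", "host": "win-srv-01",
     "user": "WIN-SRV-01\\Administrator", "message": "The System log file was cleared."},
    {"channel": "Application", "event_id": "1000", "host": "win-srv-01",
     "user": "NT AUTHORITY\\SYSTEM", "message": "Faulting application name: explorer.exe"},
]

def matches_alert_query(event):
    """Full-text query '* and Clear-EventLog': any field contains the keyword."""
    return any(KEYWORD.search(str(value)) for value in event.values())

def is_log_cleared_event(event):
    """Outcome-based signal: Windows writes System Event ID 104 when a log is cleared."""
    return event["channel"] == "System" and event["event_id"] == LOG_CLEARED_EVENT_ID

def find_clear_log_events(events):
    """Return (reason, record) pairs for every record that should raise the alert."""
    hits = []
    for event in events:
        if matches_alert_query(event):
            hits.append(("query:Clear-EventLog", event))
        elif is_log_cleared_event(event):
            hits.append(("event_id:104", event))
    return hits

def render_notification(alert_name, alert_time, severity, hits):
    """Fill the template fields from the article and append one line per hit."""
    lines = [f"Alert Name: {alert_name}", f"Date & Time Detected: {alert_time}",
             f"Incident Severity: {severity}"]
    for reason, event in hits:
        lines.append(f"- {event['host']} {event['user']} [{reason}] {event['message']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_notification("T1070.001 Clear Windows Event Logs", "2024-05-01 10:00:00",
                              "High", find_clear_log_events(SAMPLE_EVENTS)))
```

The second record (a plain process start) and the fourth (an application crash) are the negatives: neither contains the keyword and neither is a log-cleared event.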

Picture 14. Create Alert

Next, enable Simple Log Service notifications by clicking the Enable button. Change the alert policy to simple mode and set the notification method to email; multiple recipients can be set. Make sure you have already created the recipient and the alert template by clicking the Add button.

Picture 15. Action Group

You can use my alert template in case you need a reference.

Dear SOC Team,

We have identified a potential security incident that requires immediate investigation and response. Please find the details below:

Alert Name: {{ alert.alert_name }}
Date & Time Detected: {{ alert.alert_time }}
Incident Severity: {{ alert.severity }}

For further investigation, please access the alert dashboard.

Please ensure that appropriate action is taken as soon as possible.

Thank you,
Automated Security Monitoring System

Detection Validation

Run Invoke-AtomicRedTeam again, then wait for the alert rule to detect the events. You can also monitor the alert from the dashboard.

Picture 16. Alert Dashboard

Picture 17. Notification Email

That's it. You can build on this query to extend your threat detection capabilities with Simple Log Service in Alibaba Cloud, and add more data sources for more visibility into your assets. Thank you!

Yudhistira Heriansyah
