Report
1.System security incident
Event Details: This event dated at 2nd of October at time 15:47 hours a malicious activity has
been detected after running the give PowerShell testing script named script.ps1 by CyberNX
on Windows 10 home version which is running virtually on VMware workstation pro. This
event occurred when the remote Account name which used PowerShell script to connect to
the remote server/desktop. Basically this type of attack is known as a ransomware attack in
which Ransomware is a type of malicious software (malware) that threatens to publish or
blocks access to data or a computer system, usually by encrypting it, until the victim pays a
ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the
victim doesn’t pay in time, the data is gone forever or the ransom increases. This information
was known to user by accessing the files in the client desktop.
Regarding the SOC part, after gaining the admin permissions the script has intercepted the
credentials and by chance the hacker might have changed to the password and all the security
credentials as it has already gained access via PowerShell and will hold ransom. The read
operations denotes that the credentials have been read by some app or some software which
can be led to harmful circumstances such as pc been added to botnet, ransomware attacks,
trojan horse attacks and more advanced attacks. This type of incidents and events should be
taken as a first priority as they can lead to more harmful circumstances in the whole network
as well as organizations confidential data. The SOC analyst must check these types of events
as they can lead to more details about an attack or even provide them with information about
what type of attack has been done what permission or privilege has been escalated. Also these
event can be prevented by keeping up and setting the policies in PowerShell command to
restricted or Allsigned.
2.Appointing security privileges to the user connected to elastic cloud for protection
Details: this event helps us understand the different cloud level policies that are given to the
user when he/she integrates their local machine with elastic cloud. There are multiple types of
privileges such as security, backup, auditing, debugging, ownership, token assignment,
session privileges etc. These events are important to analyse as the SOC analyst can check
which privileges have been provided and which have been not provided so they can make
changes according to the company need or company regulations or according to their own
personalization.
These are in-depth explanation of the privileges that have been provided to local machine
after integrating
•
SeTcbPrivilege - Act as part of the operating system
•
SeBackupPrivilege - Back up files and directories
•
SeDebugPrivilege - Debug programs
•
SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for
delegation
•
SeAuditPrivilege - Generate security audits
•
SeImpersonatePrivilege - Impersonate a client after authentication
•
SeLoadDriverPrivilege - Load and unload device drivers
•
SeSecurityPrivilege - Manage auditing and security log
•
SeSystemEnvironmentPrivilege - Modify firmware environment values
•
SeAssignPrimaryTokenPrivilege - Replace a process-level token
•
SeRestorePrivilege - Restore files and directories,
•
SeTakeOwnershipPrivilege - Take ownership of files or other objects
These privilege policy must be checked by SOC analyst as they can cross verify as well as
make sure all the intended policies by the organization are present and if not they must be
added to the list.