5-3 Lab Activity: Common Locations of Windows Artifacts

Ryan White
Professor Donald Champion
10/22/2023
Southern New Hampshire University

Unauthorized Activities: Courses of Action
Attack Step: Targeting

Attack Action:
  Objective: Decide who to attack
  Action: Use a packet sniffer such as Wireshark to gain access to a user account with a weak stored password. This then allows access to system logs and to stored personal data and company information, and from there the attack can spread into other parts of the system (Fortinet, 2023).

Defensive Countermeasure: Identify suspicious external connections to a public-facing Microsoft Windows server

Defensive Step (IR Process): Identification

Detection Point: System files will show logged-in IP addresses that do not belong to the company or to regular user access. Scanning the IP address will help locate where, what, and who was behind the attack.

Indicator(s) of Attack:
  - An IP address belonging to an outside business party, country, etc.
  - Scanning and monitoring of the system that locates keylogging while a user is storing information, indicating an attack.
  - Passwords may be changed once an attack has occurred, causing company users to be locked out (Netwrix, 2022).

Annotation: In order to find vulnerabilities in the system, Wireshark will scan the system to gain easy access. To defend against this attack, scanning for vulnerabilities will reveal a change in the IP address and user information. Any unauthorized users would be kicked out of the system, confined, and eradicated according to the cybersecurity lifecycle (Cimcor, 2022).
Attack Step: Targeting

Attack Action:
  Objective: Decide what to attack
  Gain remote administrative access to at least one vulnerable server in a potential target network

Defensive Countermeasure: Identify suspicious group membership changes for the guest user account

Defensive Step (IR Process): Identification

Detection Point: Examine event logs to determine whether there has been any unauthorized user access, configuration change, etc. (BeyondTrust, 2023).

Indicator(s) of Attack:
  - The guest user account appears in a privileged user group without prior security team approval/coordination.

Annotation: In this example, in order to gain remote administrative access the attacker must find a vulnerability. In this case the vulnerability appears to be a suspicious group membership change for a guest user account. The attacker may be using the guest user's access because it had an easily hacked password. To defend against this attack, the system's event logs should be monitored and reviewed to find the unauthorized user's IP address, date, time, and other clues.
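The two detection points above (external logons to a public-facing server, and the guest account turning up in a privileged group) can both be pulled from the Windows Security log. The following PowerShell is an added example, not part of the lab document; the internal address ranges and the privileged group list are assumptions to adjust for the environment, and it expects an elevated prompt on the server under review with logon and account-management auditing enabled.

```powershell
# Added example (not from the lab document): triage the Windows Security log for the two
# indicators above. Assumed values: the internal address ranges and the privileged group list.
$since      = (Get-Date).AddDays(-7)
$internal   = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|::1$|fe80:)'   # assumed internal ranges
$privileged = 'Administrators','Remote Desktop Users','Backup Operators','Domain Admins','Enterprise Admins'

# Flatten the <Data Name="..."> elements of one event record into a hashtable
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1) Successful logons (4624) of type 3 (network) or 10 (RDP) from an address outside the internal ranges
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if (($f.LogonType -in '3','10') -and $f.IpAddress -and ($f.IpAddress -ne '-') -and ($f.IpAddress -notmatch $internal)) {
            [pscustomobject]@{ Time=$_.TimeCreated; Indicator='External logon'
                               Account="$($f.TargetDomainName)\$($f.TargetUserName)"
                               Source=$f.IpAddress; Detail="LogonType $($f.LogonType)" }
        }
    }

# 2) Member added to a global (4728), local (4732) or universal (4756) security group.
#    For local accounts MemberName is often '-', so also match the Guest RID (-501) on MemberSid.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $isGuest = ($f.MemberSid -like '*-501') -or ($f.MemberName -like '*\Guest')
        if (($privileged -contains $f.TargetUserName) -or $isGuest) {
            [pscustomobject]@{ Time=$_.TimeCreated
                               Indicator=$(if ($isGuest) { 'Guest added to group' } else { 'Privileged group change' })
                               Account="$($f.SubjectDomainName)\$($f.SubjectUserName)"   # who made the change
                               Source=$f.MemberSid; Detail="$($f.MemberName) -> $($f.TargetUserName)" }
        }
    }
```

Each hit carries the timestamp, the account that performed the action and the source address or SID, which are exactly the clues the annotation says the identification step should collect.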
Attack Step: Access and Escalation

Attack Action:
  Objective: Solidify your foothold
  Ensure flexible remote access to a compromised target system in the network you wish to attack
  Use the system task scheduler to establish periodic, remote "check-ins" between a compromised target system and your network

Defensive Countermeasure:
  - Use multi-factor authentication methods.
  - Use vulnerability scanning and system monitoring.
  - Scan for password cracking or hacking, and update passwords every 30 days.
  - Lock out users after the second wrong attempt (Comodo, 2018).

Defensive Step (IR Process): Identification

Detection Point: Monitor and scan the file Windows Log.txt in order to locate an unauthorized user (Infosec, 2023).

Indicator(s) of Attack:
  - Unauthorized users' IP addresses will indicate an attack.
  - The task scheduler will indicate and pinpoint system compromises.
  - Third-party vendors' monitoring and scanning will alert on any sniffer or spoofing tools (CISOMAG, 2021).

Annotation: In this case, it is imperative to remove guest user access, as the attacker will be looking for vulnerabilities. To defend against the attack, passwords should be updated every 30 days and should follow rules such as length and special-character requirements, and scanners should be used to defend against any potential attackers. Scanning for vulnerabilities 24/7 is the best way to defend against outside attacks, and third-party vendors may be used to safeguard private information (National Center for Education Statistics, 2023).
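The indicator "the task scheduler will indicate and pinpoint system compromises" becomes actionable when the scheduled tasks on the host are inventoried and the traits of a periodic check-in task are flagged. The PowerShell below is an added example, not part of the lab document; the set of user-writable path names it treats as suspicious is an assumption, and it expects an elevated prompt on the system being examined.

```powershell
# Added example (not from the lab document): inventory non-Microsoft scheduled tasks and flag the
# traits of a periodic "check-in": a short repeating trigger, highest privileges, an action that runs
# from a user-writable folder, or an action that references a network location.
# Assumed list of folder names a non-admin user can write to.
$writable = '\\(Temp|AppData|ProgramData|Public|Downloads)\\'

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task    = $_
    $info    = $task | Get-ScheduledTaskInfo
    $reasons = @()

    # Repetition intervals are ISO 8601 durations; PT5M-style values are minute-level beacons
    $intervals = $task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ }
    foreach ($i in $intervals) {
        if ($i -match '^PT\d+M$') { $reasons += "repeats every $i" }
    }
    if ($task.Principal.RunLevel -eq 'Highest') { $reasons += 'runs with highest privileges' }

    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($a.Execute -match $writable)              { $reasons += "executes from user-writable path: $($a.Execute)" }
        if ($cmd -match 'https?://|\\\\[^\\ ]+\\')    { $reasons += 'action references a network location' }
    }

    if ($reasons) {
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            RunAs   = $task.Principal.UserId
            LastRun = $info.LastRunTime
            Action  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Reasons = $reasons -join '; '
        }
    }
}
# When task-scheduler auditing is enabled, Security event 4698 ("A scheduled task was created")
# records who created each task and when, which ties a flagged task back to a logon in the log above.
```

Flagged tasks still need a reviewer's judgment (legitimate updaters also repeat on a timer), but the combination of a minute-level interval, highest privileges and a user-writable binary path is the profile the attack action above describes.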
References

BeyondTrust. (2023, June 19). Privilege escalation attack and defense explained. https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained

Cimcor. (2022, October 27). Reviewing the 5 stages of the cybersecurity lifecycle [+ examples]. Cimcor | File Integrity Monitoring. https://www.cimcor.com/blog/cybersecurity-lifecycle#:~:text=

CISOMAG. (2021, December 2). Sniffing attacks and how to defend against them. CISO MAG | Cyber Security Magazine. https://cisomag.com/what-are-sniffing-attacks-and-how-to-defend-against-them/

Comodo. (2018, July 18). Remote access attacks | How to secure your PC from malware? Comodo One. https://one-us.comodo.com/remote-access-attacks.php?frmReg=US&showTxt=true

Fortinet. (2023). What is hacking? Types of hacking & more. https://www.fortinet.com/resources/cyberglossary/what-is-hacking

National Center for Education Statistics. (2023). Chapter 6 -- Information security, from Safeguarding your technology, NCES publication 98-297. National Center for Education Statistics (NCES), a part of the U.S. Department of Education. https://nces.ed.gov/pubs98/safetech/chapter6.asp

Netwrix. (2022, September 6). Finding weak passwords in Active Directory. Netwrix Blog | Insights for Cybersecurity and IT Pros. https://blog.netwrix.com/2022/09/06/finding-weak-passwords-in-active-directory/