Suggestions on Handling Common Alerts

Abnormal System Behavior/High-risk Command Execution

• Data source

  HSS alert logs

• Alert Presentation

  [dangercmd] [HSS] Host: {{ipList}} Run dangercmd, {{__time}}

• Monitoring Scenario: HSS

  High-Risk command

• Alert Field

  To view corresponding high-risk command alerts in SecMaster, take the following steps:

  1. Go to the Security Orchestration page of the target workspace. Then, choose Objects > Classify&Mapping.
  2. Click the name of the HSS Alert Categorization and Re-Mapping to go to the details page.

     The high-risk command execution corresponds to msg.appendInfo.event_type=3015.

• Investigation Guideline and Handling Suggestion
  1. Go to the Threat Operations > Security Analysis page in SecMaster, expand the target data space, and click pipeline sec-hss-alarm. The query and analysis page for pipeline sec-hss-alarm is displayed on the right.
  2. Search for the log details for the current alert based on the values of the appendInfo.event_type, __time, and ipList fields to confirm the meaning and purpose of the command.
     • Use the appendInfo.process_info field to check whether the current high-risk command (process_cmdline) and its parent process command (parent_process_cmdline) are suspicious.
     • You can use sec-hss-log to query the host (ipList) behavior in a similar period of time, and use appendInfo.pid_link (sec-hss-log) and appendInfo.process_info.parent_process_pid(sec-hss-alarm) to sort the process sequence. Then, you can make informative decisions to find out suspicious processes and commands. For those processes and commands, you can scan for further hacking behavior, such as viewing sensitive data, viewing network environments, privilege escalation, network probing, and PoC execution.
     • If it is confirmed that the fault is triggered by attacks, contact the resource owner immediately.
• High-Risk Commands

  The high-risk commands involved in alerts are as follows:

  • strace: captures and records all system calls of a specified process and all received signals.
  • rz: used to upload files from a local computer to a remote server. It is usually used in SSH sessions.
  • sz: used to download files from a remote server to a local computer. This command is usually used in SSH sessions.
  • tcpdump: used to probe data packets and capture data packets flowing on network adapters.
  • nmap: used to scan and probe networks.
  • nc/ncat: or netcat, used to implement many network-related functions, such as listening and connecting ports.

Web Attacks (SQL Injection)

• Corresponding Alert Field

  To view corresponding SQL inject alerts in SecMaster, take the following steps:

  1. Go to the Security Orchestration page of the target workspace. Then, choose Objects > Classify&Mapping.
  2. Click the name of the WAF Alert Categorization and Re-Mapping to go to the details page.

     The msg.attack for SQL injection is sqli.

• Troubleshooting Methods and Handling Suggestions
  1. Go to the Threat Operations > Security Analysis page in SecMaster, expand the target data space, and click pipeline sec-waf-attack. The query and analysis page for pipeline sec-waf-attack is displayed on the right.
  2. Search for the log details for the current alert based on the values of the attack, __time, and sip fields. The key parameters are as follows:
     • hit_data: attack packet or link.
     • uri: request URL.
     • action: processing action
     • cookie: request cookie information.
  3. Check attack packets to see how the SQL injection is made and check whether there is any vulnerability in the application.

     If there is, rectify the fault in time by using parameterized query, input verification, and software update and patching.

Web Attacks/Vulnerability Exploits

• Corresponding Alert Field

  To view corresponding vulnerability exploit alerts in SecMaster, take the following steps:

  1. Go to the Security Orchestration page of the target workspace. Then, choose Objects > Classify&Mapping.
  2. Click the name of the WAF Alert Categorization and Re-Mapping to go to the details page.

     The msg.attack value for vulnerability exploits is vuln.

• Troubleshooting Methods and Handling Suggestions
  1. Go to the Threat Operations > Security Analysis page in SecMaster, expand the target data space, and click pipeline sec-waf-attack. The query and analysis page for pipeline sec-waf-attack is displayed on the right.
  2. Search for the log details for the current alert based on the values of the attack, __time, and sip fields. The key parameters are as follows:
     • hit_data: attack packet or link.
     • uri: request URL.
     • action: processing action
     • cookie: request cookie information.
     • header: request header information.
  3. Confirm the vulnerability exploit type based on the attack packet and detect vulnerabilities in attacked assets.

     If there is a vulnerability, fix it in a timely manner to prevent attackers from exploiting this vulnerability to attack the system or applications.

Web Attacks/Command Injection

• Corresponding Alert Field

  To view corresponding command injection alerts in SecMaster, take the following steps:

  In SecMaster, choose Security Orchestration > Objects > Classify&Mapping. Click WAF Alert Categorization and Re-Mapping to go to the details page. The msg.attack value for command injection attacks is cmdi.

• Troubleshooting Methods and Handling Suggestions
  1. Go to the Threat Operations > Security Analysis page in SecMaster, expand the target data space, and click pipeline sec-waf-attack. The query and analysis page for pipeline sec-waf-attack is displayed on the right.
  2. Search for the log details for the current alert based on the values of the attack, __time, and sip fields. The key parameters are as follows:
     • hit_data: attack packet or link.
     • uri: request URL.
     • action: processing action
     • cookie: request cookie information.
     • header: request header information.
  3. Check attack packets to see how the command injection is made and check whether there is any vulnerability in the application.
     • If there is any vulnerability, fix it as soon as possible and update the related software or database version.
     • Perform a comprehensive check on the system to see if there are other vulnerabilities or backdoors.
     • Restrict system access permissions. For example, you can disable the root account and restrict access from some IP addresses to reduce possible intrusion paths.

Abnormal System/Process Behavior

Locate the affected assets, services, and workloads based on the corresponding alerts.

• Corresponding Alert Field

  To view corresponding abnormal system or process behavior alerts in SecMaster, take the following steps:

  1. Go to the Security Orchestration page of the target workspace. Then, choose Objects > Classify&Mapping.
  2. Click the name of the HSS Alert Categorization and Re-Mapping to go to the details page.

     Abnormal process behavior: msg.appendInfo.event_type=3007

• Troubleshooting Methods and Handling Suggestions
  1. Go to the Threat Operations > Security Analysis page in SecMaster, expand the target data space, and click pipeline sec-hss-alarm. The query and analysis page for pipeline sec-hss-alarm is displayed on the right.
     1. Search for the log details for the current alert based on the values of the appendInfo.event_type, __time, and ipList fields.
  2. Check the information about the current process and parent process in appendInfo. process_info to determine whether the process is abnormal. If the process is abnormal, contact the corresponding resource owner.
     • Immediately stop affected processes or services to avoid further attacks or other damage.
     • Investigate the causes and sources of abnormal behavior by all means, for example, viewing logs, monitoring the system, and analyzing the process memory, to determine the specific symptoms and possible root causes of exceptions.
     • Based on the nature and severity of the abnormal behavior, take proper measures, such as restarting processes, rectifying software errors, rectifying system faults, and replacing hardware devices.
     • Comprehensively check the affected system to see if there are other vulnerabilities or backdoors.

Abnormal System Behavior/Key File Directory Modifications

Locate the affected assets, services, and workloads based on the corresponding alerts.

• Corresponding Alert Field

  To view corresponding key file directory modification alerts in SecMaster, take the following steps:

  1. Go to the Security Orchestration page of the target workspace. Then, choose Objects > Classify&Mapping.
  2. Click the name of the HSS Alert Categorization and Re-Mapping to go to the details page.

     Key file directory modification: msg.appendInfo.event_type=3005

• Troubleshooting Methods and Handling Suggestions
  1. Go to the Threat Operations > Security Analysis page in SecMaster, expand the target data space, and click pipeline sec-hss-alarm. The query and analysis page for pipeline sec-hss-alarm is displayed on the right.
  2. Search for the log details for the current alert based on the values of the appendInfo.event_type, __time, and ipList fields.

     In the preceding information, appendInfo.file_info indicates the file directory information. Check whether the file directory information is normal. If the file directory information is abnormal, contact the corresponding resource owner.

     • Determine the impact scope of the change. First, determine the files that are affected by the directory change and the impact of the files on services. If the impact scope is large, immediate measures must be taken to prevent further losses.
     • Restore key files: If directories or files are changed abnormally, restore them in a timely manner. If a file is deleted or damaged, you need to restore it from a backup. If the files are not backed up, stop related operations immediately and take data restoration measures to restore the files to the status before the change.
     • Update related configurations: For some programs and systems that require configuration file paths, update related configurations in a timely manner to ensure that these programs and systems can correctly access key files.
     • Review the change reason: Review and check the reason for the directory change. If the change was caused by human misoperations, correct the fault and strengthen management in a timely manner. If the change was made by the system, evaluate the necessity and impact of the change and ensure that the change is reasonable and secure.
     • Enhance security measures: For security management of key files, measures must be enhanced to ensure that files cannot be mistakenly deleted, maliciously tampered with, or disclosed. Measures such as encryption, backup, and access control can be taken to ensure file integrity and availability.