The LogRhythm blog is an abundance of content and insight from our LogRhythm Labs team, security tips and tricks, threat research, infosec news, use cases from our customers, and more to help you stay at the top of your game as a security analyst. With hundreds of posts, it can be easy to lose yourself in a rabbit hole of security information. If you’re new to the LogRhythm blog — or if you haven’t explored lately — we rounded up our top five most popular posts over the last few years to give you a taste of what our readers keep coming back to time and time again.
Detecting and Preventing Auto Forwarding and Phishing Attacks in Office 365
According to CSO Online, phishing attacks make up more than 80 percent of reported security incidents. What’s more, email delivers a whopping 94 percent of malware. When you are working in a SOC, it can be difficult to keep users from clicking on a phishing email. Even employees who have taken a fair amount of security awareness training on the indicators of a phishing email can fall victim to taking the bait. So, the next best step is to be aware of when that does happen — and to have a plan in place to detect the next step of the attacker: lateral movement.
Auto forwarding is often the stepping stone to executing lateral movement because it allows a threat actor to establish a foothold inside an account — even if they lose direct access. Once the threat actor has access to a user’s email account, he or she can enable the auto-forwarding feature to an external account. But the good news is this is also a great indicator of a potential phish, and it’s easy to set up rules in your LogRhythm deployment so it can alert you when this action occurs.
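The post above points at forwarding changes as the indicator to alert on. As an added example (not LogRhythm's code and not the syntax of a LogRhythm rule), the following Python walks a batch of Office 365 audit records and flags every forwarding target that lands outside the organisation's own domains. It assumes records shaped like the Exchange Online mailbox-audit entries in the Microsoft 365 Unified Audit Log (an `Operation`, the acting `UserId`, and `Parameters` as Name/Value pairs); the sample records, the `example.com` tenant domain and the destination domains are constructed.

```python
"""Flag Office 365 mailbox changes that forward mail outside the organisation.

Added example; it is not LogRhythm's code and not the rule format used in a
LogRhythm deployment. It assumes audit records shaped like the Exchange Online
mailbox-audit entries in the Microsoft 365 Unified Audit Log (an Operation,
the acting UserId, and Parameters as Name/Value pairs). The records below are
constructed for illustration.
"""
from dataclasses import dataclass

# Cmdlets that can add forwarding, and the parameters that carry the target.
FORWARDING_OPERATIONS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMETERS = {
    "ForwardingSmtpAddress",  # Set-Mailbox: forward to an arbitrary SMTP address
    "ForwardingAddress",      # Set-Mailbox: forward to a directory recipient
    "ForwardTo",              # inbox-rule actions
    "ForwardAsAttachmentTo",
    "RedirectTo",
}


@dataclass(frozen=True)
class ForwardingAlert:
    actor: str       # account whose mailbox or rule was changed
    operation: str   # cmdlet recorded in the audit log
    target: str      # external address mail would be forwarded to


def normalise_address(raw: str) -> str:
    """Drop the 'smtp:' prefix Exchange stores on the value and lower-case it."""
    addr = raw.strip()
    if addr.lower().startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr.lower()


def is_external(address: str, internal_domains: set[str]) -> bool:
    """True when the address belongs to a domain the organisation does not own."""
    if "@" not in address:
        return False  # empty value, or a directory object rather than an SMTP address
    return address.rsplit("@", 1)[1] not in internal_domains


def find_external_forwarding(records, internal_domains: set[str]) -> list[ForwardingAlert]:
    """Return one alert per external forwarding target found in the records."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMETERS:
                continue
            # Inbox-rule parameters can list several recipients separated by ';'.
            for raw in str(param.get("Value", "")).split(";"):
                target = normalise_address(raw)
                if target and is_external(target, internal_domains):
                    alerts.append(ForwardingAlert(rec.get("UserId", "?"), rec["Operation"], target))
    return alerts


# Constructed sample records; example.com is the organisation's own domain.
SAMPLE_RECORDS = [
    {"Operation": "Set-Mailbox", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Identity", "Value": "alice@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@evil.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Project mail"},
                    {"Name": "ForwardTo", "Value": "carol@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@example.com",
     "Parameters": [{"Name": "Identity", "Value": "dave@example.com"},
                    {"Name": "DisplayName", "Value": "Dave"}]},
    {"Operation": "New-InboxRule", "UserId": "erin@example.com",
     "Parameters": [{"Name": "Name", "Value": "Inbox cleanup"},
                    {"Name": "RedirectTo", "Value": "erin.home@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    for alert in find_external_forwarding(SAMPLE_RECORDS, {"example.com"}):
        print(f"{alert.operation} by {alert.actor}: forwards to external {alert.target}")
```

Two of the four constructed records raise an alert: Alice's mailbox-level forward and Erin's redirect rule. Bob's rule forwards to a colleague and stays quiet, which is the point of checking the domain rather than the mere presence of a forwarding parameter. Surrounding parameters such as `DeliverToMailboxAndForward` and `DeleteMessage` are worth carrying into the alert as context, since a rule that both redirects and deletes hides the forwarding from the mailbox owner.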
A Technical Analysis of WannaCry Ransomware
Even though the large WannaCry ransomware attack of 2017 — in which hundreds of thousands of computers were encrypted in more than 150 countries and hospitals and other critical infrastructure networks were knocked offline — happened several years ago now, it remains a risk. In fact, TechCrunch reports that as many as 1.7 million endpoints are still vulnerable. And while WannaCry may be old news, threat actors often reuse exploits, as seen in the NotPetya attack, which used the same EternalBlue exploit.
In this technical deep dive on WannaCry, the LogRhythm Labs threat research team analyzed the malware samples and the tactics, techniques, and procedures (TTPs) of the WannaCry attack. The Labs team also provided downloadable NetMon query rules and AI Engine rules for your LogRhythm deployment to make it easy to detect WannaCry or WannaCry-like exploits in the future.
How to Build a Miniature Network Monitor Device
With the rise in smart home IoT devices — thermostats, doorbells, solar panels, light bulbs, and more — have you ever been curious about what may be happening on your home network? In this post, we explored just how easy it is to build a miniature NetMon device by deploying NetMon Freemium on a compact system that’s ideal for home networks, branch offices, forensic go-kits, penetration testing drop boxes, and more.
Follow along step-by-step to see just how easy it is to build a free miniature NetMon device.
PowerShell Command Line Logging
PowerShell is one of the best and most commonly used post-exploitation tools out there. For one, it’s already on every modern Windows system. And two, it’s powerful and versatile — a threat actor can use PowerShell to gather data, steal system information, dump credentials, pivot between systems, create backdoors, and much more.
But PowerShell can also pose a problem for the analyst. This is because Windows only logs when PowerShell launches — it doesn’t preserve any additional details about what happened after launch. But don’t despair. There is a way to gather additional details on PowerShell sessions (and the command line in general). Read this post for detailed instructions on how to gather PowerShell details in the LogRhythm NextGen SIEM Platform.
Take a Deep Dive into PlugX Malware
PlugX, a full-featured remote access tool/Trojan (RAT), has been around since 2008 and has persisted over the years. Its capabilities include file upload, download, modification, keystroke logging, webcam control, and access to a remote cmd.exe shell.
In this post, dig into the history of PlugX malware, how its core functionality has evolved over the years, and a timeline of its many variants.
To stay on top of new research and ideas from the blog, subscribe to get updates when new posts are published. Have questions, feedback, or your own tips to add to the conversation? Join in the discussion at the bottom of the post. And if you have questions or suggestions on topics or research you’d love us to explore in the future, comment on this post and let us know.