Project for the Network Security lecture.
See NS_final_project.md for the detailed write-up.
- Weak credentials
  - The attacker brute-forces the weak RDP credentials to gain access to the victim machine. The footprint is a burst of failed-logon messages in the Windows Security log (Event ID 4625) from one source address, followed by a successful logon (Event ID 4624) from the same address.
- Unrestricted port access
  - Well-known services are reachable from the attacker's network, e.g. RDP (3389/tcp), SMB (445/tcp) and mDNS (5353/udp).
  - The attacker port-scans the victim to find the open ports; this shows up as one source touching many destination ports within a short time window.
- Attack steps, in order
  - Port scanning
  - RDP brute-forcing
  - Ransomware execution
- Deliverables
  - Indicators of compromise (IoCs) for each step and the method used to discover the attack from them
  - Timestamps of each technique used (the attack timeline)
  - Detection method
- Detection stack
  - Elasticsearch (port 9200): index and search store for the collected events
  - Logstash (port 5044): ingest pipeline; 5044 is the Beats input that winlogbeat ships to, and Logstash filters parse and enrich events before they are indexed
  - Kibana (port 5601): visualization and query UI
  - winlogbeat with Sysmon: ships Windows event logs (the Security channel for logon events, the Sysmon operational channel for process creation, network connections and file writes, plus any application channel of interest)
  - Zeek: network traffic metadata (conn.log and the per-protocol logs)
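As an added example (not part of the project's own code), the detection logic for the first two steps run over constructed sample logs in Python: a port-scan detector over Zeek conn.log records and an RDP brute-force detector over winlogbeat-shipped Security events (4625 failures, 4624 success), merged into the timestamped timeline the deliverables ask for. Field names follow Zeek's JSON output and winlogbeat's `winlog.*` mapping; the thresholds, time window, IP addresses and the `LogonType == "10"` filter are assumptions about the lab setup.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _utc(ts):
    """Epoch seconds -> aware UTC datetime, so Zeek ts (epoch) and winlogbeat
    @timestamp (ISO 8601) can be merged into one timeline."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


# --- Constructed sample input (not real captures) ----------------------------
# Zeek conn.log in JSON output format: attacker 10.0.0.5 probes ten ports on
# victim 10.0.0.10 within two seconds; 10.0.0.7 is an ordinary SMB client.
_SCAN_PORTS = [21, 22, 23, 80, 135, 139, 443, 445, 3389, 5353]
_OPEN = {445, 3389}
ZEEK_CONN_LOG = [
    json.dumps({"ts": 1700000000.0 + i * 0.2, "id.orig_h": "10.0.0.5",
                "id.orig_p": 40000 + i, "id.resp_h": "10.0.0.10", "id.resp_p": p,
                "proto": "udp" if p == 5353 else "tcp",
                "conn_state": "S0" if p == 5353 else ("SF" if p in _OPEN else "REJ")})
    for i, p in enumerate(_SCAN_PORTS)
] + [json.dumps({"ts": 1700000030.0, "id.orig_h": "10.0.0.7", "id.orig_p": 50123,
                 "id.resp_h": "10.0.0.10", "id.resp_p": 445, "proto": "tcp",
                 "conn_state": "SF"})]

# Windows Security events as winlogbeat indexes them (only the fields used
# here). Six 4625 failures from the attacker over 25 s, then a 4624 success;
# one unrelated failure from 10.0.0.7. LogonType 10 = RemoteInteractive (RDP).
# Assumption: with Network Level Authentication enabled, failed RDP logons are
# often recorded as LogonType 3 instead, so tune this filter to the lab.
_T0 = datetime(2023, 11, 14, 22, 14, 0, tzinfo=timezone.utc)


def _win_event(offset_s, event_id, ip, user, logon_type="10"):
    stamp = (_T0 + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z")
    return json.dumps({"@timestamp": stamp,
                       "winlog": {"event_id": event_id,
                                  "event_data": {"IpAddress": ip, "TargetUserName": user,
                                                 "LogonType": logon_type}}})


WINLOG_EVENTS = [_win_event(i * 5, 4625, "10.0.0.5", "administrator") for i in range(6)]
WINLOG_EVENTS += [_win_event(31, 4624, "10.0.0.5", "administrator"),
                  _win_event(40, 4625, "10.0.0.7", "alice")]


# --- Detection logic ----------------------------------------------------------
def _first_window(times, window_s, enough):
    """Sliding window over sorted epoch times: return (start, stop) indices of the
    first window_s span where enough(start, end) holds, with stop extended to the
    last event still inside that span. None if no span qualifies."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window_s:
            start += 1
        if enough(start, end):
            stop = end
            while stop + 1 < len(times) and times[stop + 1] - times[start] <= window_s:
                stop += 1
            return start, stop
    return None


def detect_port_scan(lines, min_ports=8, window_s=60):
    """Flag (src, dst) pairs touching >= min_ports distinct destination ports
    within window_s seconds (thresholds are assumed values)."""
    by_pair = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append((r["ts"], r["id.resp_p"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        times = [t for t, _ in events]
        span = _first_window(times, window_s,
                             lambda s, e: len({events[i][1] for i in range(s, e + 1)}) >= min_ports)
        if span:
            start, stop = span
            alerts.append({"technique": "port scan", "src": src, "dst": dst,
                           "first_seen": _utc(times[start]), "last_seen": _utc(times[stop]),
                           "ports": sorted({p for _, p in events[start:stop + 1]})})
    return alerts


def detect_rdp_bruteforce(lines, min_failures=5, window_s=60):
    """Flag source IPs with >= min_failures RDP logon failures (4625, LogonType 10)
    within window_s seconds; record the first 4624 success after the burst, which
    is the sign that a credential was guessed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        doc = json.loads(line)
        data = doc["winlog"]["event_data"]
        event_id = doc["winlog"]["event_id"]
        if data.get("LogonType") != "10" or event_id not in (4624, 4625):
            continue
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00")).timestamp()
        (failures if event_id == 4625 else successes)[data["IpAddress"]].append(
            (ts, data["TargetUserName"]))
    alerts = []
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        span = _first_window(times, window_s, lambda s, e: e - s + 1 >= min_failures)
        if span:
            start, stop = span
            later = [t for t, _ in successes.get(ip, []) if t > times[stop]]
            alerts.append({"technique": "RDP brute force", "src": ip,
                           "first_seen": _utc(times[start]), "last_seen": _utc(times[stop]),
                           "failures": stop - start + 1,
                           "users": sorted({u for _, u in events[start:stop + 1]}),
                           "success_at": _utc(min(later)) if later else None})
    return alerts


def attack_timeline(zeek_lines, winlog_lines):
    """Merge both detectors' alerts into the per-technique timeline, ordered by first_seen."""
    alerts = detect_port_scan(zeek_lines) + detect_rdp_bruteforce(winlog_lines)
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in attack_timeline(ZEEK_CONN_LOG, WINLOG_EVENTS):
        print(a["first_seen"].isoformat(), a["technique"], a["src"])
```

In the actual pipeline the same grouping is a terms aggregation on the source address over a date range in Kibana (or an Elasticsearch query against the winlogbeat and Zeek indices); the script shows the logic the dashboard encodes. The ransomware step is not visible in these two sources; its IoCs come from the Sysmon channel (process creation, Event ID 1, and file creation, Event ID 11, for the mass file writes).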