i have been trying to get information from this below

(@kbertens)
Trusted Member
Joined: 13 years ago
Posts: 88
 

Are you looking for specific Wireshark filters? Or, for example, checking which HTTP/HTTPS sites were visited from inside your network against the PhishTank database, or checking the URLs in emails against that database?
Or is that too specific?
Maybe you can provide some examples?


(@omajiman)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter  

Hello Dear!
I am very sorry that I did not supply the necessary information to tackle this problem.
Meanwhile, this threat happened on a school server where student records as well as the staff's information are kept.
Before the threat, we had installed firewalls and an intrusion detection system; I believe the attack came from within (an insider).
The attacker was able to steal the administrator credentials and access the server through a remote login, was able to update and delete some information, and then sent emails to the staff requesting them to update their personal records.
My task is to obtain forensic evidence of the threat/attack, since it occurred on the network (network forensics).


(@kbertens)
Trusted Member
Joined: 13 years ago
Posts: 88
 

Ok, just to give you some thoughts on where to find evidence:
- school server with student records: make a memory dump and a forensic image of the server
- firewall and IDS: save your log files
- where are your IDS and firewall located (on the internet connection side or within your LAN)?
- sending mail: is this done on the same server or on another mail server? If on another server, make a memory dump and forensic image of that one too
- you're talking about packet captures: are the captures running all the time? Where on the network are they running?

Just start filling in the questions you have. You know when the staff got the email and probably when the data was changed; that's the starting point, work backwards.
You know (or assume) the admin credentials were used by remote login; you can verify that in the log files. Where did the login come from (inside the LAN or outside)?

Many, many questions. Gather as many sources of evidence as you can.


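One concrete way to do the "start from the email timestamp and work backwards" triage described in the reply above, as an added example that is not code from the thread or from any forum member. It assumes a constructed, syslog-like log layout (timestamp, host, event type, key=value fields) rather than any real product's format; the sample lines, host name, account names and addresses are all made up. The triage keeps only the chosen account's events in a window before the anchor time, classifies each remote logon as coming from inside the LAN (RFC 1918 ranges) or from outside, and attributes each later action (record update, delete, mail sent) to the most recent preceding remote logon, which is exactly the "where did the login come from" question the reply raises.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log in a generic syslog-like layout (not a real
# product's format): timestamp, host, event type, key=value fields.
SAMPLE_LOG = """\
2014-03-10T07:55:02 records-srv logon_remote user=jdoe src=10.20.1.44
2014-03-10T22:41:17 records-srv logon_remote user=administrator src=10.20.5.9
2014-03-10T22:43:05 records-srv record_update user=administrator table=students rows=14
2014-03-10T22:44:30 records-srv record_delete user=administrator table=staff rows=3
2014-03-11T02:10:44 records-srv logon_remote user=administrator src=203.0.113.77
2014-03-11T02:12:00 records-srv mail_sent user=administrator recipients=staff-all
2014-03-11T09:01:12 records-srv logon_remote user=administrator src=10.20.0.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")

# Assumed internal address space: the private RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts")),
             "host": m.group("host"),
             "event": m.group("event")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        event[key] = value
    return event


def origin(ip_str):
    """Classify a source address as 'lan' (RFC 1918) or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    return "lan" if any(ip in net for net in INTERNAL_NETS) else "external"


def triage(log_text, anchor_iso, window_hours=24, account="administrator"):
    """Work backwards from the anchor time (e.g. when staff received the mail).

    Returns the account's remote logons in the window, each tagged with its
    origin, and the account's other actions, each attributed to the most
    recent remote logon that preceded it.
    """
    anchor = datetime.fromisoformat(anchor_iso)
    start = anchor - timedelta(hours=window_hours)
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and start <= e["ts"] <= anchor]
    mine = [e for e in events if e.get("user") == account]

    logons = [dict(e, origin=origin(e["src"]))
              for e in mine if e["event"] == "logon_remote"]

    actions = []
    for e in mine:
        if e["event"] == "logon_remote":
            continue
        # Attribute the action to the latest logon at or before its timestamp.
        session = max((l for l in logons if l["ts"] <= e["ts"]),
                      key=lambda l: l["ts"], default=None)
        actions.append(dict(e,
                            session_src=session["src"] if session else None,
                            session_origin=session["origin"] if session else "unknown"))
    return {"logons": logons, "actions": actions}


if __name__ == "__main__":
    # Anchor: the (constructed) time the staff reported the suspicious mail.
    report = triage(SAMPLE_LOG, "2014-03-11T08:00:00")
    for l in report["logons"]:
        print(f"{l['ts']} remote logon from {l['src']} ({l['origin']})")
    for a in report["actions"]:
        print(f"{a['ts']} {a['event']} attributed to session from "
              f"{a['session_src']} ({a['session_origin']})")
```

With the constructed data, the record changes attribute to a LAN-side logon and the mail-out to an external one, which is the kind of split the thread is asking how to establish; on a real case the same approach is applied to the server's own authentication log, the firewall log and the IDS alerts side by side, so that the source address of each logon can be cross-checked across sources.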
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

Hi,

First of all, we need to understand what exactly the terms phishing and identity theft are.

In a manner, both are entirely different terms. On one hand, a phishing attack deals with the creation of fake pages, generally those of social networking sites. Identity theft, on the other hand, is the act of brute forcing and entering into the account of an individual.

Though the outcomes of both attacks are almost similar and discouraging, the approaches to performing and understanding the attacks are entirely different.

So, please be specific about what you need to know. This would allow me to help you in a better way.

———–

Thanks and Regards


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

First of all, we need to understand what exactly the terms phishing and identity theft are.

Yes, even because, judging from the OP's latest post, there was no phishing at all and no identity theft, but a simpler "unauthorized access" from remote through "compromised credentials".

The meaning of this added info is not clear to me:

Before the threat, we had installed firewalls and an intrusion detection system; I believe the attack came from within (an insider).
The attacker was able to steal the administrator credentials and access the server through a remote login, was able to update and delete some information, and then sent emails to the staff requesting them to update their personal records.
My task is to obtain forensic evidence of the threat/attack, since it occurred on the network (network forensics).

If the administrator credentials were stolen by an "insider" through (say) reading them from the post-it note in the left-hand drawer of the administrator's desk, or (still say) by observing him/her typing those credentials, there is not actually *any* attack.

If I get the meaning of the above info right, all that can be found in the logs is a normal, plain remote access with valid (though stolen) credentials from a remote location.
The "source" IP may eventually be traced (and if it can, it will likely turn out to belong to an Internet Café or similar).

On the other hand, if there was an attack and the attacker managed to bypass the newly installed firewalls and intrusion detection system and steal the administrator credentials through this attack, I would be curious to know which software or hardware was in use. 😯

I mean, one thing is getting access to (part of) a system; another thing is finding the administrator credentials, unless of course they were in a plain text file called password.txt in an unprotected folder in \Admin\Credentials\PleaseServeYourself\ ;)

jaclaz
