11 Dec 2023
Log analysis ‘Tis the season for log choppingTook a break because my heart wasn’t in it, but need to force myself to get at least one back in.
Proxy servers allow monitoring sites users access, when, and how much bandwidth is used, and allow enforcing policies and blocking of specific websites or content categories. Samples of malicious activity that can be seen in proxy server logs:
| Attack Technique | Potential Indicator |
|---|---|
| Download attempt of malicious binary | Connection to known malicious URL binary |
| Data exlfiltration | High count of outbound bandwidth due to file upload |
| Continuous C2 connection | High count of outbound connections to a single domain in regular intervals |
less - shows contents of a file one page at a time instead of dumping the whole thing to screen like cat.
head - view contents at the top of the file. Can specify number of lines shown with -n # where # is number of lines.
tail - view contents at the end of a file. Can specify number of lines shown the saem way as head.
wc - counts number of lines, words, and charcters in file. Can use flags to display only certain things.
nl - displays contents of file in numbered line format.
cut - can extract specific sections of lines from delimited files. -d '' specifices delimiter used. -fx,y,z specifies which columns to show.
sort - sorts lines of text files or input streams in ascending or descending order.
uniq - filters out and display lines from a sorted file or input stream. Command only compares adjacent lines so the source needs to be sorted.
Rework and string together commands to extract data from log and get the flag.
Flag gotten.
Log Analysis in SOC Level 2 Path.