Xboarder56 / SYNOLOGY-DSM--DSM

Custom QRadar DSM for parsing Synology DSM events

Use Cases? #3

Open ralphdt opened 5 years ago

ralphdt commented 5 years ago

I'm thinking about what QR rules (use cases) are available for Synology NAS security events. These could either be default QR rules or may need creating in QR to utilise the Synology events.

I'm able to invoke these two:

Credential Abuse - multiple failed user logins (DSM thankfully provides a control for this, auto-blocking the IP and sending an email to the admin). QR also has a rule for 10 failed logins within 5 mins.

Initial Access - SSH on non-standard port. QR picked this up as an Offense from the "Network Activity" tab, not using syslog.

These are others that would be neat QR rules if possible:

Lateral Movement - switching accounts (with admin privileges) and/or outbound RDP/SSH/SFTP? to BadIP/BadURL.

Malware - infection? Ransomware, cryptomining. I'm not aware of any (snort) IDS package for the Synology NAS. I think this is available on the Synology Router; maybe that's the answer. Does "AV Essential" syslog security events for Found Malware or Quarantined EXE?

Exfiltration - the log events for USB, CIFS, create file, etc. Is it possible these alerts would fire a QR rule? If so, which one?

Credential Abuse - failed logins for other packages such as Radarr with Basic Auth configured and exposed on a reverse proxy?

Xboarder56 commented 5 years ago

I know it does have events for USB drives, file creation, and new user account creation, which would make for some interesting rules!

Hopefully this week I will make a couple of the requested rules and upload them to the rules repo.

Xboarder56 commented 5 years ago

So, testing AV Essentials, I found it does not send any results to syslog, killing the idea of malware detections. Not sure if there is a way to force packages to log to syslog? For ransomware, one solution would be to look for multiple file creation events with uncommon file extensions and/or "ransom" in the file name?

I did map 9 additional events today that might be useful for rules (user password changes, user deletions, creations, group memberships, etc).

Xboarder56 commented 5 years ago

After searching around the file system for the AntiVirus Essential logs, I found that the logs are actually stored in a flat file (/volume1/@AntiVirus/.report). Also, trying to edit the calmd.conf to log to syslog did not work. I think the only possibility for some type of ransomware detection is based on file name/extension (kinda sucks doing this).

I did create additional rules with the changed regex/event mappings to alert on cleared syslog events on the system and possible USB data exfiltration. They are in the QRCE-Rules repo.
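An added example, not part of this issue thread or the SYNOLOGY-DSM repo, that sketches two of the rule ideas above as plain Python run over constructed log lines: the "10 failed logins within 5 minutes" threshold from the first post, and the "burst of newly created files with uncommon extensions or 'ransom' in the name" heuristic from the later comments. The sample lines only imitate the shape of DSM `Connection` and `WinFileService` syslog messages and are invented here; the regexes, the extension allowlist, the thresholds and the `(user, source IP)` grouping are all assumptions to tune against real logs. In QRadar the same logic would be expressed as rule tests (event count per property within an interval) rather than code.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines shaped like DSM "Connection" and
# "WinFileService" messages. Invented for this demo, not captured from a NAS;
# real DSM wording differs by version, so the regexes below are assumptions.
SAMPLE_LOGS = """\
2020-03-01T10:00:01 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:00:20 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:00:45 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:01:10 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:01:30 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:01:55 nas01 Connection: User [bob] from [192.0.2.10] via [DSM] failed to log in.
2020-03-01T10:02:15 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:02:40 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:03:05 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:03:30 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:04:00 nas01 Connection: User [admin] from [203.0.113.7] via [SSH] failed to log in.
2020-03-01T10:04:30 nas01 Connection: User [bob] from [192.0.2.10] via [DSM] failed to log in.
2020-03-01T10:20:00 nas01 WinFileService Event: create, Path: /volume1/docs/report.docx, File/Folder: File, Size: 20 KB, User: alice, IP: 192.0.2.10
2020-03-01T10:20:05 nas01 WinFileService Event: create, Path: /volume1/docs/report.docx.locked, File/Folder: File, Size: 20 KB, User: alice, IP: 192.0.2.10
2020-03-01T10:20:06 nas01 WinFileService Event: create, Path: /volume1/docs/budget.xlsx.locked, File/Folder: File, Size: 31 KB, User: alice, IP: 192.0.2.10
2020-03-01T10:20:07 nas01 WinFileService Event: create, Path: /volume1/docs/photo.jpg.locked, File/Folder: File, Size: 2 MB, User: alice, IP: 192.0.2.10
2020-03-01T10:20:08 nas01 WinFileService Event: create, Path: /volume1/docs/notes.txt.locked, File/Folder: File, Size: 1 KB, User: alice, IP: 192.0.2.10
2020-03-01T10:20:09 nas01 WinFileService Event: create, Path: /volume1/docs/README_RANSOM.txt, File/Folder: File, Size: 1 KB, User: alice, IP: 192.0.2.10
2020-03-01T10:25:00 nas01 WinFileService Event: create, Path: /volume1/music/track01.mp3, File/Folder: File, Size: 5 MB, User: bob, IP: 192.0.2.11
2020-03-01T10:25:30 nas01 WinFileService Event: create, Path: /volume1/photos/holiday.jpg, File/Folder: File, Size: 3 MB, User: bob, IP: 192.0.2.11
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) \S+ Connection: User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]+)\]"
    r" via \[(?P<proto>[^\]]+)\] failed to log in\.$"
)
FILE_CREATE = re.compile(
    r"^(?P<ts>\S+) \S+ WinFileService Event: create, Path: (?P<path>.+?),"
    r" File/Folder: File, Size: [^,]+, User: (?P<user>\S+), IP: (?P<ip>\S+)$"
)

# Assumed allowlist of "normal" extensions; anything else counts as uncommon.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".mp3", ".mp4", ".zip"}


def parse_logs(text):
    """Turn raw lines into event dicts; lines matching neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append({"kind": "failed_login", "ts": datetime.fromisoformat(m["ts"]),
                           "user": m["user"], "ip": m["ip"]})
            continue
        m = FILE_CREATE.match(line)
        if m:
            events.append({"kind": "file_create", "ts": datetime.fromisoformat(m["ts"]),
                           "user": m["user"], "ip": m["ip"], "path": m["path"]})
    return events


def is_suspicious_name(path):
    """The thread's heuristic: uncommon extension, or 'ransom' anywhere in the file name."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    return "ransom" in name or ext not in COMMON_EXTENSIONS


def burst_alerts(events, key, threshold, window):
    """Sliding-window count per key. Fires once per key, the first time `threshold`
    events land inside `window`, which is how a QRadar count-based rule behaves."""
    recent = defaultdict(deque)
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = key(ev)
        if k in fired:
            continue
        q = recent[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"key": k, "start": q[0], "end": ev["ts"], "count": len(q)})
            fired.add(k)
    return alerts


def failed_login_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Rule idea 1: ten failed logins in five minutes, grouped by (user, source IP)."""
    logins = [e for e in events if e["kind"] == "failed_login"]
    return burst_alerts(logins, lambda e: (e["user"], e["ip"]), threshold, window)


def suspicious_file_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Rule idea 2: a burst of created files with odd names, grouped by (user, source IP)."""
    creates = [e for e in events if e["kind"] == "file_create" and is_suspicious_name(e["path"])]
    return burst_alerts(creates, lambda e: (e["user"], e["ip"]), threshold, window)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for a in failed_login_bursts(evs):
        print("failed-login burst:", a)
    for a in suspicious_file_bursts(evs):
        print("suspicious file-creation burst:", a)
```

On the constructed input only the admin/203.0.113.7 login series and alice's five `.locked`/`RANSOM` creations cross their thresholds; bob's two failed logins and two ordinary files do not. Grouping by user plus source IP keeps one noisy client from masking another, and firing once per key avoids re-alerting on every further event in the same burst.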