Comments & Hints

  • What you did is really good because you overcame the obstacle after getting a single Wiki link related to the .env modification for FRONTEND_IP.
  • By choosing webmail, you actually hit two birds with one stone, because you will realise after you complete your "browser-download-run" use-case that it is very similar.
  • Your observation is organised in a coherent manner.

What types of sequence exist within OpenEDR?

Hint: there's a difference between A > B > C and the next line that comes along in your ODB console.
To make this clearer, take a look at https://github.com/jymcheong/OpenEDR/wiki/1.-Concepts-&-Operations#process-lineage-sequences. What is lineage? When a user interacts with a foreground app, is it always the case that a new process (created due to some interaction, or even no interaction) would be the child of that foreground app's process?
If it is still unclear, consider your effort with the browser-email session. Let's say you run this even longer, such that Explorer.exe has EVEN MORE child processes, and when you visualise it with your graph interface there's a huge fan-out. What are you really looking at? Is it lineage? Or temporal sequence?
Lineage → direct descendant of a process, e.g. if A > B, A is the parent of B, i.e. process A created process B.
Looking at the graph, it looks to me that every child process was created by explorer.exe.
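To separate the two views the hint is pointing at, here is an added example (not part of the original page or of OpenEDR) over a constructed set of process-creation events: one function walks the parent chain (lineage), one lists creations in time order (what the console prints line after line), and one lists a foreground app's direct children (the fan-out in the graph). The pids, images and timestamps are made up for illustration.

```python
"""Lineage vs. temporal sequence over constructed EDR process-create events.

Each record carries the fields such an event usually has: pid, ppid (parent
pid), image name and a creation timestamp in seconds. Constructed sample data.
"""

# A browser/webmail session under explorer.exe, followed by the user
# double-clicking a downloaded installer from the file manager.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "t": 0},
    {"pid": 200, "ppid": 100, "image": "firefox.exe",  "t": 10},
    {"pid": 201, "ppid": 200, "image": "firefox.exe",  "t": 11},  # content process
    {"pid": 300, "ppid": 100, "image": "outlook.exe",  "t": 40},
    {"pid": 400, "ppid": 100, "image": "setup.exe",    "t": 95},  # run from explorer, not the browser
    {"pid": 401, "ppid": 400, "image": "msiexec.exe",  "t": 96},
]


def lineage(events, pid):
    """A > B > C chain: ancestors of `pid`, oldest first, ending at `pid` itself."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against ppid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def temporal_sequence(events):
    """What the console shows line after line: creation order, not ancestry."""
    return [e["image"] for e in sorted(events, key=lambda e: e["t"])]


def fan_out(events, pid):
    """Direct children of `pid`: the fan-out you see from a foreground app in the graph."""
    return [e["image"] for e in events if e["ppid"] == pid]


if __name__ == "__main__":
    # setup.exe was downloaded in the browser but its lineage never touches firefox.exe
    print("lineage of 401:", " > ".join(lineage(EVENTS, 401)))
    print("temporal order:", temporal_sequence(EVENTS))
    print("children of explorer.exe:", fan_out(EVENTS, 100))
```

The downloaded installer appears right after the browser in the temporal sequence, yet its lineage is explorer.exe > setup.exe > msiexec.exe; the time order alone does not tell you which process created which.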

What else can processes do?

Hint: when you drive, what kind of tools do we use to have situational awareness? Are all these events more like direct vision or mirrors?
  • See if the process created a network connection → could mean an external C2 used by the attacker to maintain a connection
  • See if the process created a file / loaded an image → could be the installation of a payload

What is really the difference when we run (the same program) as Admin?

With respect to what you can see in an EDR.

How to measure our coverage for "usual" or "benign" observation?

Meaning, is it enough to just see these few use-cases? Where do you get more ideas, scenarios...?

What is the relevance of knowing "normal" boot-up sequence?

Hint: with respect to the Attack Life Cycle tactical map or https://attack.mitre.org

What happens when software updates?

Hint: look at lineage. Foreground or background? In a managed IT scenario vs a home or small office.