SANS ISC: Internet Storm Center

Recommended Reading: Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs

Published: 2016-08-29
Last Updated: 2016-08-29 18:42:46 UTC
by Russ McRee (Version: 1)
1 comment(s)

My Twitter feed brought a good paper to my attention, courtesy of Andrew Case @attrc, that is appropriate for your consideration, Storm Center readers.

@Cyber_IR_UK stated that it's the "best paper I've ever read for Intrusion detection with Windows Events!" That might be a bit strong, but it is good, and well worth reading and consideration.

Here's the abstract:

"Nowadays computer attacks and intrusions have become more common, affecting the confidentiality, integrity or availability of computer systems. They are more sophisticated, making the job of information security analysts more complicated, mainly because the attack vectors are more robust and complex to identify. One of the main resources that information security people have at their disposal are Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made of virus signatures, IP addresses, URLs or domains and some other elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows® operating system that are valuable elements in a forensic analysis process. IOCs can be generated using Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs using Windows event logs to achieve a more efficient diagnostic computer system for IR."

You can grab the paper from ThinkMind here: http://www.thinkmind.org/index.php?view=article&articleid=icimp_2016_2_20_30032

Using IOC Editor and Splunk, the authors lay out a reasonable approach to IOC development: logical operators (AND/OR) connect Windows Event IDs into compound indicators, with the combinations chosen according to kill chain concepts rather than matching single events in isolation.
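To make the idea concrete, here is a small added example (my own code, not the paper's or the ISC's) of what "logical operators connecting Event IDs" looks like when run over event records. The IOC tree, the five-minute correlation window and the sample events are all my assumptions; the Event IDs used (4624 logon, 4688 process creation, 7045 service installed, 4697 service installed via Security log) are real Windows IDs but the specific combination is illustrative, not a rule taken from the paper.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    note: str

# Constructed sample events (not real log data): timestamp, Event ID, host, note.
SAMPLE_EVENTS = [
    ("2016-08-29T10:00:01", 4624, "WS01", "interactive logon"),
    ("2016-08-29T10:00:20", 4688, "WS01", "new process created"),
    ("2016-08-29T10:01:05", 7045, "WS01", "service installed"),
    ("2016-08-29T11:00:00", 4624, "WS02", "interactive logon"),
    ("2016-08-29T11:30:00", 4688, "WS02", "new process created"),
]

def parse_events(rows) -> List[Event]:
    """Turn the constructed tuples into Event objects."""
    return [Event(datetime.fromisoformat(ts), eid, host, note) for ts, eid, host, note in rows]

# A compound IOC as a boolean tree: ("event", id) leaves joined by "and"/"or" nodes.
# Hypothetical rule: logon AND process creation AND (service installed via either ID).
IOC = ("and", ("event", 4624), ("event", 4688),
       ("or", ("event", 7045), ("event", 4697)))

def evaluate(ioc: Tuple, seen: Set[int]) -> bool:
    """Recursively evaluate the IOC tree against the set of Event IDs seen."""
    kind = ioc[0]
    if kind == "event":
        return ioc[1] in seen
    if kind == "and":
        return all(evaluate(child, seen) for child in ioc[1:])
    if kind == "or":
        return any(evaluate(child, seen) for child in ioc[1:])
    raise ValueError(f"unknown IOC node type: {kind}")

def match_hosts(events: List[Event], ioc: Tuple,
                window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return hosts where the IOC is satisfied by events within one time window.

    Events are grouped per host and sorted; for each event as a window start,
    the Event IDs seen inside [start, start + window] are fed to the IOC tree.
    """
    by_host: Dict[str, List[Event]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)

    hits = set()
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            seen = {e.event_id for e in evs[i:] if e.ts - start.ts <= window}
            if evaluate(ioc, seen):
                hits.add(host)
                break
    return sorted(hits)

if __name__ == "__main__":
    print(match_hosts(parse_events(SAMPLE_EVENTS), IOC))
```

WS01 matches because all three required pieces occur within about a minute; WS02 never installs a service and its two events are half an hour apart, so a single-event rule on 4624 or 4688 would have flagged it while the compound IOC does not. The window size is the knob that trades missed slow intrusions against false positives on busy hosts.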

I plan to test this approach further, and will advise readers regarding success. Additionally, if you've deployed similar methods with some success, please let us know here via comments. Thanks and cheers.
