EventID Field Hunter (EFH) – Looking for malicious activities in your Windows events

SecTor 2016

Presented by: Rodrigo Montoro (Sp0oKeR)
Date: Tuesday October 18, 2016
Time: 15:55 - 16:55
Location: 801A
Track: Tech

There are thousands of possible Windows event IDs, split into 9 categories and 50+ subcategories. The Windows Event Logs provide a historical record of a wide range of actions such as login/logoff, process creation, files/keys modifications, and packet filtering. These logs provide investigators with a wealth of information that can be analyzed in many different ways.

Looking into millions of EventIDs in our daily work, we found another way to pinpoint malicious activity: by splitting the analysis across each field of an EventID alert, we have shown that you can analyze the event itself in depth. By correlating these per-field results with your network and business requirements, you can make detection more accurate and generate less “noise”, helping your staff prioritize which events to handle first. As a Proof of Concept (PoC) we analyzed and scored 3 events that we mapped as key points for malicious activity:

In this talk we will discuss how we analyzed and scored each field from those events, ideas for implementation, projects, and results based on our deployment. We will illustrate how you can use EventID as a more powerful detection vector to identify specific user behaviors and activity patterns.
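The per-field scoring idea described above, written out as an added example (this is not code from the talk, and the talk's three events are not named here). It assumes Windows Security log process-creation records (EventID 4688) flattened into dictionaries keyed by their EventData field names; the sample records, the rules, the weights, the threshold and the CONTEXT dictionary are all constructed for illustration and stand in for the tuning an analyst would do against their own environment.

```python
"""Score a Windows event field by field, then rank events for triage.

Added example, not the talk's own implementation. Field names follow the
EventData schema of the Windows 4688 (process creation) event; the sample
records, rules, weights and CONTEXT below are constructed assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
# A rule applies to one field: (field, weight, predicate(value, event), reason)
Rule = Tuple[str, int, Callable[[object, Event], bool], str]

# Constructed environment knowledge (assumption: maintained by the analyst
# from the organisation's own inventory and business requirements).
CONTEXT = {
    "service_accounts": {"svc-backup"},
    "office_binaries": ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"),
    "user_writable_dirs": ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\"),
}

# Constructed sample records: one benign, two that should rise to the top.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "update.exe"},
    {"EventID": 4688, "SubjectUserName": "svc-backup",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -enc AAAA"},
]


def _lower(value: object) -> str:
    return str(value).lower()


# Each rule looks at exactly one field, so the score explains itself per field.
RULES: List[Rule] = [
    ("NewProcessName", 40,
     lambda v, e: any(d in _lower(v) for d in CONTEXT["user_writable_dirs"]),
     "process image located in a user-writable directory"),
    ("ParentProcessName", 30,
     lambda v, e: _lower(v).rsplit("\\", 1)[-1] in CONTEXT["office_binaries"],
     "spawned by an Office application"),
    ("CommandLine", 30,
     lambda v, e: re.search(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", str(v)) is not None,
     "PowerShell encoded-command switch present"),
    ("SubjectUserName", 20,
     lambda v, e: _lower(v) in CONTEXT["service_accounts"]
     and "powershell" in _lower(e.get("NewProcessName", "")),
     "service account launching PowerShell (outside its expected job)"),
]


def score_event(event: Event) -> Tuple[int, Dict[str, int], List[str]]:
    """Score every field independently and sum; returns (total, per_field, reasons)."""
    per_field: Dict[str, int] = {}
    reasons: List[str] = []
    for field, weight, predicate, reason in RULES:
        value = event.get(field)
        if value is None:
            continue  # field absent from this record: nothing to score
        if predicate(value, event):
            per_field[field] = per_field.get(field, 0) + weight
            reasons.append(f"{field}: {reason} (+{weight})")
    return sum(per_field.values()), per_field, reasons


def rank_events(events: List[Event], threshold: int = 50) -> List[Tuple[int, Event, List[str]]]:
    """Keep only events at or above the threshold, highest score first, for triage."""
    ranked: List[Tuple[int, Event, List[str]]] = []
    for event in events:
        total, _, reasons = score_event(event)
        if total >= threshold:
            ranked.append((total, event, reasons))
    return sorted(ranked, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    for total, event, reasons in rank_events(SAMPLE_EVENTS):
        print(total, event["SubjectUserName"], event["NewProcessName"])
        for line in reasons:
            print("   ", line)
```

With the constructed weights the benign notepad record scores 0 and drops below the threshold, the Office-spawned binary in Temp scores 70 and the service-account PowerShell launch scores 50, so the analyst sees the two that matter, in priority order, together with the per-field reasons that produced the score.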

Rodrigo Montoro

Rodrigo “Sp0oKeR” Montoro has 15 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently he is a Security Researcher / SOC at Clavis. Prior to joining Clavis he worked as a Senior Security Administrator at Sucuri, and was a researcher at SpiderLabs where he focused on IDS/IPS signatures, ModSecurity rules, and new detection research. Rodrigo is the author of two patented technologies involving discovery of malicious digital documents and analysis of malicious HTTP traffic. He is also a coordinator and Snort evangelist for the Brazilian Snort Community. Rodrigo has spoken at a number of open source and security conferences including OWASP AppSec, Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE (Boston and Seattle), ZonCon (Amazon Internal Conference), BSides (Las Vegas and São Paulo), and Black Hat (Brazil).
