Post

Current status

Posted
By Oscar Llerena
2 min read
Current status

Current network

alt text

Target infrastructure

  • Windows 10 workstation (Target)
  • Windows Exchange Server
  • SQL Data Base Server
  • Domain Controller
  • Elasticsearch

Attacker infrastructure

  • Kali Linux (Attacker)
  • Email/FTP Server

Event classes and Elasticsearch indices

We are interested in the following event classes:

  • Network events
  • Audit events
  • Performance/Metric events
  • System events

Elasticsearch indices for Network events

  • ds_logs-network_traffic.dns*
  • ds_logs-network_traffic.icmp*
  • ds_logs-network_traffic.http*
  • ds_logs-network_traffic.tls*
  • ds_logs-network_traffic.flow*

Elasticsearch indices for Performance/Metric events

  • ds_metrics-system.cpu*
  • ds_metrics-system.filesystem*
  • ds_metrics-system.process*
  • ds_metrics-system.socket*
  • ds_metrics-system.memory*
  • ds_metrics-system.network*
  • ds_metrics-system.load*
  • ds_metrics-system.fsstat*
  • ds_metrics-system.diskio*
  • ds_metrics-system.process.summary*

Elasticsearch indices for Audit events

  • ds_logs-windows.audit*
  • ds_logs-windows.sysmon_operational*

Elasticsearch indices for System events

  • ds_logs-windows.sysmon_operational*

How do we label the data?

Pull of data-streams from elasticsearch

alt text

How do we identify malicious events

alt text

Example: System Events

alt text

Procmon

alt text

  • Windows10-based vm with procmon.
  • We execute notepad application and collect all the caused events.

Procmon columns

Application Details:

  • Process Name: name of executable associated with the process performing the operation.
  • Image Path: The full file system path to the executable associated with the process.
  • Command Line: The full command line used to start the process, including parameters.

Event Details:

  • Sequence Number: unique, incrementing number assigned to each event as it is logged.
  • Event Class: The type of system event being recorded: (File System, Registry, Process, Network).
  • Operation: the type of action or event being performed by the process (CreateFile, RegQueryValue, Process Start).
  • Date & Time: the absolute date and time when the event occurred.
  • Category: a more specific classification of the operation within the Event Class (Under File System, categories might include Read or Write).
  • Path: The specific file, registry key, or other resource targeted by the operation.
  • Detail: additional information.
  • Result: The outcome of the operation (SUCCESS, ACCESS DENIED, NAME NOT FOUND)
  • Relative Time: the time elapsed (in seconds) since procmon started logging.
  • Duration: the amount of time (in seconds) taken to complete the operation.
  • Completion Time: the exact timestamp when the operation finished.

Process Management

  • User Name: the username of the account under which the process is running.
  • Session ID: the windows session ID associated with the process.
  • Process ID: a unique identifier assigned to the process by the operating system.
  • Thread ID: the unique identifier of the thread within the process that performed the operation.
  • Parent PID: The PID of the process that spawned the current process.

Procmon Operation type (unique values)

alt text

Sysmon Event names

alt text

Filter in Sysmon

alt text

Sysmon, Procmon, Python, Elastic
research big data
This post is licensed under CC BY 4.0 by the author.