We should hunt for threats in our network, i.e. look for evidence of attacks already under way, so we can see what is being targeted and start to counter the attacker's moves.
In case you don't know, below is the MITRE ATT&CK framework; the green highlights are the items you may want to pay attention to.
Olaf Hartong maintains sysmon-modular, a modular Sysmon configuration whose rules are tagged with the MITRE ATT&CK technique they are meant to surface. Sysmon (System Monitor, from Microsoft Sysinternals) is a Windows service and driver that writes detailed events to the Microsoft-Windows-Sysmon/Operational event log; with a configuration like Olaf's, those events become the Indicators of Compromise (IOCs) we hunt through.
Sysmon can record the following (Sysmon event ID in parentheses), and these are the events to focus on:
- Process creation, with full command line and hashes (1)
- Process termination (5)
- Network connections (3)
- Various file events: file create (11), file creation time change (2), alternate data stream create (15)
- Driver loading (6) and image loading (7)
- Create remote threads (8)
- Raw disk access (9)
- Process memory access (10)
- Registry access: create/delete (12), value set (13), rename (14)
- Named pipes: created (17) and connected (18)
- WMI events: filter (19), consumer (20), consumer-to-filter binding (21)
Olaf's sysmon-modular GitHub repository: https://github.com/olafhartong/sysmon-modular
The idea is to use a ruleset that works in your environment and is not noisy, i.e. one that does not flood you with log events that are not useful. sysmon-modular is split into per-technique modules precisely so you can drop or tune the ones that generate noise where you run it.
I found Olaf's page via a YouTube presentation on my Security News Analyzed page, from IronGeek's BSides Cleveland videos, specifically "Operationalizing MITRE ATT&CK Framework".
Here is the relevant screenshot:
So we can use Sysmon to see specific events mapped onto the MITRE ATT&CK framework, which helps us judge whether we have an attacker in our network.
This further enhances our ability to adjust our defenses as we see an attack move from system to system. Each network is different and so requires its own tuning. Automation still pays off, though, because the number of log events can be staggering. We do not want to drink from a firehose; we will just get wet.
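As an added example (not code from the original post, and not from Olaf Hartong's repository), here is a small Python script that takes a handful of constructed Sysmon events in Windows event XML, pulls the ATT&CK technique out of the RuleName field the way sysmon-modular tags it (technique_id=...,technique_name=...), counts hits per technique, per host and per event type, and tunes out one parent process that we assume is a benign monitoring agent so that a known-noisy source does not drown the rest. The hostnames, paths, the monitoring agent and the destination IP are all assumptions made for the example.

```python
"""Summarize ATT&CK-tagged Sysmon events and tune out a noisy source.
Added example; the events below are constructed, not real logs."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Windows event XML namespace (what Get-WinEvent's .ToXml() emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# sysmon-modular writes RuleName as "technique_id=T1059.001,technique_name=PowerShell".
RULE_RE = re.compile(r"technique_id=(?P<id>[^,]+),technique_name=(?P<name>.*)")

# Sysmon event IDs for the event types the post tells us to focus on.
EVENT_LABELS = {
    1: "ProcessCreate", 3: "NetworkConnect", 5: "ProcessTerminate",
    6: "DriverLoad", 7: "ImageLoad", 8: "CreateRemoteThread",
    9: "RawAccessRead", 10: "ProcessAccess", 11: "FileCreate",
    12: "RegistryEvent", 13: "RegistryEvent", 14: "RegistryEvent",
    17: "PipeCreated", 18: "PipeConnected", 19: "WmiEvent",
    20: "WmiEvent", 21: "WmiEvent",
}


def parse_sysmon_event(xml_text):
    """Return {event_id, computer, fields} for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, "computer": computer, "fields": fields}


def technique_from_rule(rule_name):
    """Extract (technique_id, technique_name) from RuleName; None if untagged ("-")."""
    m = RULE_RE.match(rule_name or "")
    return (m.group("id"), m.group("name")) if m else None


def summarize(xml_events, tuned_out_parents=()):
    """Count tagged events per technique/host/type; drop events whose parent
    process we have judged benign in this environment (our noise tuning)."""
    benign = {p.lower() for p in tuned_out_parents}
    per_technique, per_host, per_type = Counter(), Counter(), Counter()
    suppressed = untagged = 0
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        f = ev["fields"]
        if f.get("ParentImage", "").lower() in benign:
            suppressed += 1          # known-noisy source, tuned out
            continue
        tech = technique_from_rule(f.get("RuleName"))
        if tech is None:
            untagged += 1            # matched no ATT&CK-tagged rule
            continue
        per_technique[tech[0]] += 1
        per_host[(ev["computer"], tech[0])] += 1
        per_type[EVENT_LABELS.get(ev["event_id"], f"EventID{ev['event_id']}")] += 1
    return {"per_technique": dict(per_technique), "per_host": dict(per_host),
            "per_type": dict(per_type), "suppressed": suppressed, "untagged": untagged}


def _event(event_id, computer, **data):
    """Build a constructed Sysmon event in Windows event XML (sample data only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; hosts, paths and IP are assumptions
    _event(1, "WS01", RuleName="technique_id=T1059.001,technique_name=PowerShell", Image=PS,
           CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA",
           ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    _event(1, "WS01", RuleName="technique_id=T1059.001,technique_name=PowerShell", Image=PS,
           CommandLine=r"powershell.exe -File C:\Monitoring\collect.ps1",
           ParentImage=r"C:\Program Files\Monitoring\agent.exe"),
    _event(3, "WS01", RuleName="technique_id=T1071.001,technique_name=Web Protocols",
           Image=PS, DestinationIp="203.0.113.10", DestinationPort="443"),
    _event(8, "SRV02", RuleName="technique_id=T1055,technique_name=Process Injection",
           SourceImage=r"C:\Users\Public\update.exe", TargetImage=r"C:\Windows\explorer.exe"),
    _event(1, "SRV02", RuleName="-", Image=r"C:\Windows\System32\svchost.exe",
           ParentImage=r"C:\Windows\System32\services.exe"),
]
# Assumption: this agent is our own, so PowerShell it launches is expected noise.
TUNED_OUT_PARENTS = (r"C:\Program Files\Monitoring\agent.exe",)

if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS, TUNED_OUT_PARENTS)
    for tech, n in sorted(report["per_technique"].items()):
        print(f"{tech}: {n}")
    print(f"suppressed={report['suppressed']} untagged={report['untagged']}")
```

The Word-spawned encoded PowerShell, the outbound connection and the remote thread into explorer.exe survive into the summary, while the agent's scheduled PowerShell run is counted as suppressed rather than as a T1059.001 hit. That suppressed counter is worth watching: if it climbs, the tuning is hiding too much and the allowlist needs a second look.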
Contact us to help you evaluate this for your environment.