Understanding data

Detection is about understanding the relationships that behaviors represent.

Pivoting

What could be an interesting point to start from?

  • Process Name

    • non-descriptive name, random-character name, uncommon name, name that looks like a legitimate one

  • HTTP Request

  • URL

  • IP

  • Domain

  • Port

How to spot anomalies

Is there any data that stands out?

It is common to use aggregation functions such as:

  • count, distinct count

to spot data that stands out.

Look for:

  • Rare occurrence

  • Most occurrence

  • Uncommon occurrence

    • E.g. Notepad communicating with the Internet, ...
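The pivots and the count / distinct count hunting pattern above, as an added Python example (not code from the original page): the events are constructed, use RFC 5737 documentation IP ranges, and the set of processes that "should never talk to the network" is an assumed baseline.

```python
from collections import Counter, defaultdict

# Constructed network-connection events (process, destination IP, destination port).
# Not from the original page; IPs are from RFC 5737 documentation ranges.
EVENTS = [
    ("chrome.exe", "192.0.2.10", 443),
    ("chrome.exe", "192.0.2.10", 443),
    ("chrome.exe", "192.0.2.11", 443),
    ("chrome.exe", "192.0.2.12", 443),
    ("svchost.exe", "198.51.100.5", 443),
    ("svchost.exe", "198.51.100.5", 443),
    ("svchost.exe", "198.51.100.6", 80),
    ("notepad.exe", "203.0.113.45", 8443),
    ("xk2p9.exe", "203.0.113.99", 4444),
]

# Assumed baseline: processes that have no business on the network.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}

def count_by_process(events):
    """count: connections per process name."""
    return Counter(proc for proc, _ip, _port in events)

def distinct_destinations(events):
    """distinct count: unique destination IPs per process name."""
    dests = defaultdict(set)
    for proc, ip, _port in events:
        dests[proc].add(ip)
    return {proc: len(ips) for proc, ips in dests.items()}

def rare_processes(events, max_count=1):
    """Rare occurrence: processes seen at most max_count times."""
    return sorted(p for p, n in count_by_process(events).items() if n <= max_count)

def most_common_process(events):
    """Most occurrence: the noisiest process, often the known-good baseline."""
    return count_by_process(events).most_common(1)[0][0]

def uncommon_behaviour(events, baseline=NO_NETWORK_EXPECTED):
    """Uncommon occurrence: a process that should not reach the Internet doing so."""
    return sorted({proc for proc, _ip, _port in events if proc in baseline})

def pivot(events, process):
    """Pivot from a flagged process name to the (IP, port) pairs it contacted."""
    return sorted({(ip, port) for proc, ip, port in events if proc == process})
```

Rare and uncommon results (here notepad.exe and the random-looking xk2p9.exe) are the starting points; `pivot` then turns the process name into IP and port pivots for the next hop of the hunt.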

Resources

Windows EVTX Logs
