EventID Field Hunter (EFH) – Looking for malicious activities in your Windows events

Tech 2 (718B) October 18, 2016 3:55 pm - 4:55 pm


Rodrigo Montoro

There are thousands of possible Windows event IDs, split into 9 audit categories and 50+ subcategories. The Windows event logs provide a historical record of a wide range of actions such as logon/logoff, process creation, file and registry key modifications, and packet filtering. These logs give investigators a wealth of information that can be analyzed in many different ways.

Looking through millions of event IDs in our daily work, we found another way to point at malicious activity: by splitting the analysis across each field of an event record, we have proven that you can build a deep analysis of the event itself. By correlating these field scores with your network and business requirements, you can make detection more accurate and generate less "noise", helping your staff prioritize which events to handle first. As a proof of concept (PoC) we analyzed and scored three events that we mapped as key indicators of malicious activity:

  • 4663 – An attempt was made to access an object (File/Registry)
  • 4688 – A new process has been created
  • 5156 – The Windows Filtering Platform has permitted a connection

In this talk we will discuss how we analyzed and scored each field of those events, ideas for implementation, related projects, and results from our deployment. We will illustrate how you can use event IDs as a more powerful detection vector to identify specific user behaviors and activity patterns.
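The field-by-field scoring the abstract describes, worked through for the three events listed above, as an added example that is not the speaker's EFH code or results. The rule set, the weights, the allowed-port and Office-parent lists, the internal network ranges and the sample event records are all constructed, illustrative assumptions; a real deployment would derive them from its own network and business context.

```python
"""Field-by-field scoring of Windows Security events 4663, 4688 and 5156.

Every field of an event record is tested against its own small rule set; the
weights of the rules that fire are summed into an event score, and events are
ranked by that score so an analyst sees the worst first.
All rules, weights and sample records here are illustrative assumptions.
"""
import ipaddress
import re

# --- context knobs (assumed; tune to your own network and business rules) ---
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}          # ports workstations are expected to use
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
SENSITIVE_FILES = ("\\ntds\\ntds.dit", "\\config\\sam", "\\config\\system", "\\config\\security")
DELETE = 0x10000                                 # DELETE bit of a Windows access mask
OUTBOUND = "%%14593"                             # 5156 Direction resource string for "Outbound"
ELEVATED_TOKEN = "%%1937"                        # 4688 TokenElevationType: Type 2 (elevated)


def norm_path(p: str) -> str:
    """Lower-case a Win32 or NT device path so substring rules match reliably."""
    return p.replace("/", "\\").lower()


def in_user_writable(p: str) -> bool:
    return any(part in norm_path(p) for part in USER_WRITABLE)


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


# EventID -> list of (field, predicate, weight, reason). A field may carry several rules.
FIELD_RULES = {
    4688: [
        ("NewProcessName", in_user_writable, 3, "image in a user-writable path"),
        ("ParentProcessName", lambda v: norm_path(v).rsplit("\\", 1)[-1] in OFFICE_PARENTS, 4,
         "spawned by an Office application"),
        ("CommandLine", lambda v: re.search(r"(?i)(^|\s)-(e|en|enc|encodedcommand)\b", v) is not None, 4,
         "encoded PowerShell command"),
        ("CommandLine", lambda v: re.search(r"(?i)-w(indowstyle)?\s+hidden", v) is not None, 2,
         "hidden window requested"),
        ("TokenElevationType", lambda v: v == ELEVATED_TOKEN, 1, "elevated token"),
    ],
    4663: [
        ("ObjectName", lambda v: norm_path(v).endswith(SENSITIVE_FILES), 5, "credential store or registry hive"),
        ("ProcessName", in_user_writable, 3, "accessing process in a user-writable path"),
        ("AccessMask", lambda v: bool(int(v, 16) & DELETE), 2, "DELETE access requested"),
    ],
    5156: [
        ("Application", in_user_writable, 3, "application in a user-writable path"),
        ("DestAddress", lambda v: not is_internal(v), 2, "external destination"),
        ("DestPort", lambda v: int(v) not in ALLOWED_OUTBOUND_PORTS, 3, "port outside the allowed set"),
        ("Direction", lambda v: v == OUTBOUND, 1, "outbound connection"),
    ],
}


def score_event(event: dict):
    """Return (score, reasons): the summed weights of every field rule that fires on this record."""
    score, reasons = 0, []
    for field, predicate, weight, reason in FIELD_RULES.get(event["EventID"], []):
        value = event.get(field)
        if value is not None and predicate(value):
            score += weight
            reasons.append(f"{field}: {reason} (+{weight})")
    return score, reasons


def rank_events(events, min_score: int = 1):
    """Score every event and return (score, reasons, event) tuples, highest score first; drop quiet ones."""
    ranked = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            ranked.append((score, reasons, ev))
    return sorted(ranked, key=lambda t: t[0], reverse=True)


# Constructed sample records (field names as in the Security log EventData); not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe", "TokenElevationType": "%%1938"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "TokenElevationType": "%%1937"},
    {"EventID": 4663, "ObjectType": "File", "ObjectName": r"C:\Users\jdoe\Documents\notes.txt",
     "AccessMask": "0x1", "ProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4663, "ObjectType": "File", "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "AccessMask": "0x1", "ProcessName": r"C:\Users\Public\x.exe"},
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "Direction": "%%14593", "DestAddress": "10.0.0.1", "DestPort": "53", "Protocol": "17"},
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\users\jdoe\appdata\local\temp\update.exe",
     "Direction": "%%14593", "DestAddress": "203.0.113.7", "DestPort": "4444", "Protocol": "6"},
]

if __name__ == "__main__":
    for score, reasons, ev in rank_events(SAMPLE_EVENTS):
        print(f"{score:3d}  EventID {ev['EventID']}  " + "; ".join(reasons))
```

Each rule scores one field in isolation, which is what makes the approach explainable: the reasons list tells the analyst exactly which fields pushed an event up the queue. The business context lives in the knobs at the top (internal ranges, allowed ports, expected parents), so tuning for a given network changes the noise level without touching the per-field logic.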