We should hunt for threats in our network, i.e. look for evidence of possible attacks so we can see what is being attacked and whether we can start to counter the attacker's moves.

In case you don't know it, below is the MITRE ATT&CK framework; the green highlights are the items you may want to pay attention to.

Olaf Hartong has developed a set of Sysmon configurations (sysmon-modular) that help find potential Indicators of Compromise (IOCs). They rely on Sysmon (the Microsoft Sysinternals tool that writes its events to the Windows event log), and each rule is tagged with the MITRE ATT&CK technique it is meant to catch, which is what lets us find the IOCs.

Sysmon can record the following kinds of events; focus on the ones that matter in your environment:

Process creation (with full command line and hashes)

Process termination

Network connections

Various file events

Driver/image loading

Create remote threads

Raw disk access

Process memory access

Registry access (create, modify, delete)

Named pipes

WMI events

Olaf’s sysmon-modular github repository

The idea is to use a ruleset that works in your environment and is not noisy (i.e. does not produce large numbers of log events that are not useful).

I found Olaf's page through a YouTube presentation on my Security News Analyzed page, from IronGeek's BSides Cleveland videos, specifically "Operationalizing MITRE ATT&CK Framework".

Here is the relevant screenshot:

So we can use Sysmon to see specific events mapped onto the MITRE ATT&CK framework, which will help us understand whether we have an attacker in our network.

This will further enhance our ability to adjust our network as we see attacks move from system to system. Each network is different and thus requires its own tuning. But some automation is needed, because the number of log events can be staggering: we do not want to drink from a firehose, we will just get wet.
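To make the hunt concrete, here is an added example (not code from this page or from the sysmon-modular project) that parses Sysmon events in the XML form Windows produces for the Microsoft-Windows-Sysmon/Operational channel, pulls the ATT&CK technique out of the RuleName field (sysmon-modular names its rules in the form technique_id=T1059.001,technique_name=PowerShell), drops events matching a per-environment exclusion list, and counts hits per technique. The four events, the host names, the backup agent path and the exclusion list are all constructed for illustration.

```python
"""Group Sysmon events by the MITRE ATT&CK technique tagged in RuleName.

Added example for this post; the events below are constructed, not real
telemetry, and the exclusion list is a hypothetical per-environment tuning.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Default namespace of Windows event XML (what Get-WinEvent's ToXml() emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# sysmon-modular rule names look like "technique_id=T1059.001,technique_name=PowerShell".
TECHNIQUE_RE = re.compile(r"technique_id=(T\d{4}(?:\.\d{3})?)")

SAMPLE_EVENTS = [
    # Constructed: Event ID 1 (process create), Word spawning encoded PowerShell.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="RuleName">technique_id=T1059.001,technique_name=PowerShell</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData></Event>""",
    # Constructed: Event ID 8 (CreateRemoteThread) into lsass.exe.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>8</EventID>
  <Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="RuleName">technique_id=T1055,technique_name=Process Injection</Data>
    <Data Name="SourceImage">C:\Users\jdoe\AppData\Local\Temp\update.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
  </EventData></Event>""",
    # Constructed: Event ID 3 (network connect) to port 445 from a known
    # backup agent; a legitimate source of admin-share traffic in this environment.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
  <Computer>SRV02.example.local</Computer></System>
  <EventData>
    <Data Name="RuleName">technique_id=T1021.002,technique_name=SMB/Windows Admin Shares</Data>
    <Data Name="Image">C:\Program Files\Example Backup\agent.exe</Data>
    <Data Name="DestinationPort">445</Data>
  </EventData></Event>""",
    # Constructed: Event ID 1 with no rule name (Sysmon writes "-"), so no technique.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe</Data>
  </EventData></Event>""",
]

# Hypothetical tuning for this environment: (EventID, lower-cased image) pairs
# that are known-good and would otherwise be noise.
EXCLUSIONS = {(3, r"c:\program files\example backup\agent.exe")}


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of EventID, Computer and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def techniques(event):
    """Return every ATT&CK technique ID tagged in the event's RuleName."""
    return TECHNIQUE_RE.findall(event.get("RuleName", ""))


def hunt(events_xml, exclusions=frozenset()):
    """Return (hits, per_technique, untagged) for a batch of Sysmon event XML.

    hits is a list of tagged events that survived the exclusion list,
    per_technique counts hits by technique ID, untagged counts events with no tag.
    """
    hits, per_technique, untagged = [], Counter(), 0
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        image = ev.get("Image") or ev.get("SourceImage", "")
        if (ev["EventID"], image.lower()) in exclusions:
            continue  # environment-specific known-good, do not alert
        tags = techniques(ev)
        if not tags:
            untagged += 1
            continue
        detail = ev.get("CommandLine") or ev.get("TargetImage") or ev.get("DestinationPort", "")
        for tech in tags:
            per_technique[tech] += 1
            hits.append({"computer": ev["Computer"], "event_id": ev["EventID"],
                         "technique": tech, "image": image, "detail": detail})
    return hits, per_technique, untagged


if __name__ == "__main__":
    found, summary, skipped = hunt(SAMPLE_EVENTS, EXCLUSIONS)
    for hit in found:
        print(f"{hit['computer']} EID {hit['event_id']} {hit['technique']}: {hit['image']} -> {hit['detail']}")
    print("per technique:", dict(summary), "| untagged events:", skipped)
```

In practice the input would come from Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" (each event's ToXml() output) or from your SIEM's raw event export; the exclusion set is where the "works in your environment" tuning lives, and the untagged count tells you how much of the log your ruleset is not explaining.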

Contact us to help you evaluate this for your environment.
