I came across this post from Florian Roth who has created an “Antivirus Event Analysis Cheat Sheet“ that lists Attributes and Relevancy of the types of AV items. You can find the PDF here:

• https://www.nextron-systems.com/wp-content/uploads/2024/11/Antivirus_Event_Analysis_CheatSheet_1.14.0.pdf

These types of things are a good place to see if your Security Tooling can detect and/or an Alert/Query can be created to see if ‘bad fu’ is happening in your environment.

You can use this data to create lookup lists or execution locations for a SIEM, or add folders to be monitored with auditing rules that the “Windows File/Folder Auditing Cheat Sheet” contains to watch for creations and/or deletes of new files in folders you want to monitor.

Happy Hunting!

The EDR Telemetry Project aims to provide a comprehensive comparison of various Endpoint Detection and Response (EDR) solutions based on their telemetry capabilities. By analyzing the data collected from different EDR tools, the project helps organizations make informed decisions when selecting an EDR solution that best fits their security needs.

Project Goals

• Compare the telemetry data collected by different EDR solutions.

• Identify strengths and weaknesses of each EDR in terms of data visibility.

• Provide a resource for security professionals to evaluate EDR tools.

You can find the project and Kostas here:

• https://www.edr-telemetry.com/windows.html

• @Kostastsale

• /in/kostastsale

My thoughts:

Features for EDR are far more then the telemetry it collects. In fact the telemetry is much lower down the list of what I look for when evaluating security products such as EDR. If an EDR does not collect a type of telemetry I would like or expect, is there another solution that I have that can, or does to fill this gap? Likely another solution will fill many gaps an EDR will have making telemetry important, but less of a deciding factor. For example, without a good SIEM, EDR will miss, or not collect many important aspects or early indicators of an attack such as;

• Early and ongoing Recon events

• Lateral Movement

JP-CERT has the BEST lateral movement detection research paper I have found and recommend it in my presentations. It is this type of data that EDR does poorly on and a SIEM with the right data can do very well.

• https://www.jpcert.or.jp/english/pub/sr/ir_research.html

Some things to consider when looking at an EDR solution that would be at the top of my list are things like;

• Ease of use - Can a SOC use this solution

• Can you get the details needed to remediate a system (Detailed Triage)

• Can you easily exclude items and false positives (a lot will fail this one)

• Can you easily create rules for new or missing telemetry (need logs)

• Can you you add local logs to the solution (key)

• Is the query language robust enough - Wildcards and include and exclude lists

Not all EDRs should be compared, or should not be compared to others as their features are not close enough to compare. There are two main categories of EDR type solutions;

• Ecosystem - This would be the Cisco, Palo Alto, Checkpoint, etc. You likely buy their whole ecosystem and take advantage of the discounts and SIEMs they all own and have

• Non-Ecosystem - These are solutions that are not associated with big iron or firewall vendors, independently owned or have multiple solutions

You can get my slides and watch my talk on EDR from a few years ago here:

• DerbyCon 2017 - http://www.irongeek.com/i.php?page=videos/derbycon7/t416-edr-etdr-next-gen-av-is-all-the-rage-so-why-am-i-enraged-michael-gough

• DerbyCon 2017 Preso - https://www.slideshare.net/slideshow/edr-etdr-next-gen-av-is-all-the-rage-so-why-am-i-enraged/80220180

Another criteria that came out in our testing 16 EDR solutions is they type of attacks they can or cannot detect. We tested 3 types of attacks and compared the detection’s to the samples we used that our IPS solution detected. Shockingly… half did not detect samples the IPS saw a malicious comm indicator and that surprised us. The three conditions we tested were:

• Typical user Word Doc type malware (most did fine with this)

• Already infected system (some failed this)

• Pushing malware to a system like an adversary/Red Team would do (many failed this)

  An example that many EDRs we tested failed was Dll side loading where the folder and file get renamed on reboot (typical Dridex) and used a valid Windows utility (LoLBas) to load a malicious Dll in a user directory. More than half failed this test

Just some things to think about when deciding on an EDR type solution and be sure to compare solutions, apples to apples and be sure to seriously evaluate the solutions that they do what you expect.

Happy Hunting!

• More Cheat Sheets

For more information:

• https://www.malwarearchaeology.com/md-training

• https://bsidesok.com/

• Crowdstrike Logscale Cheat Sheet

• FileBeat - Has examples of text file and CSV log file collections and exclusions including collection of the Beats logs

• WinLogBeat - Has examples based on the logging cheat sheets and Sysmon to collect various log Event IDs and examples of tuning exclusions

See the updates on the Logging Page

• www.BSidesOK.com

HouSecCon in Houston - May 5th - Preparing for a Ransomware or malware Incident 1 Day - POSTPONED - TBD

• www.HoustonSecCon.org

You can get the new Cheat Sheet HERE:

When: April 10th-11th 2018

Where: BSides OK (Just southwest of Tulsa)

• BSidesok.com

• Glenpool Conference Center in Glenpool, OK

• Hotel - Holiday Inn Express & Suites Glenpool Tulsa South (next door)

Course Description:

Malware Discovery and Malware Analysis is an essential skill for today’s Information Security, Security Operations Center (SOC), and IT professionals. This course is perfect for people wanting to improve and get faster at Incident Response.

This course focuses on performing fast triage and how to discover if a system has malware, how to build a malware analysis lab and perform basic malware analysis quickly. The goal and objective to apply the results to Malware Management with actionable information to improve your Information Security program. Tools and techniques used and steps to analyze malware to determine if a system is clean or truly infected will be covered. The concept of Malware Management, Malware Discovery and Basic Malware Analysis will be discussed with exercises linking the three concepts together.

• PDF of course description

When: April 9th, 2018 (1-Day)

Where: HouSecCon Marriott Marquis Houston

• http://houstonseccon.org/

Course Description:

Mitre has created the “Adversarial Tactics, Techniques & Common Knowledge” (ATT&CK) to help security practitioners understand the actual techniques and tactics that adversaries use against us. The advantage of ATT&CK is it allows us to build a framework to understand how we might detect, respond, and prevent many of the tactics. Creating your own ATT&CK framework provides for a way for us to map what technologies, procedures, playbooks, reports/queries, and alerts we have, and then map any gaps that we have that then can be addressed.

• PDF of course description

1. Why is Windows audit logging so important
2. How do you check a Windows system for proper audit logging?
3. Where do you get the information on what to set for proper audit logging
4. How do you set the proper things for proper audit logging
5. What tools can be used to view the audit logs

You can sign up here for the training:

• HouSecCon Windows IR and Logging Training

And sign up for the conference on Thursday here:

• HouSecCon Security Conference

Looking to up your malwarez hunting skillz and learn some basics about Windows Incident Response and become a Windows logging guru, come to this class and learn how the blue teamers do it and catch the bad guys.

More info on the Austin ISSA website and register here:

• Registration for the training

Come on by Blackhat Arsenal Thursday and check out LOG-MD in action with the latest version on how to check, set, and harvest malwarious activity on Windows systems.

LOG-MD
Michael Gough & Brian Boettcher
Palm Foyer, Level 3, Station 8
16:00 - 17:50

Based on the 'Windows Logging Cheat Sheet' LOG-MD audits a Windows system for compliance to the 'Windows Logging Cheat Sheet', CIS, US-GCB and AU-ACSC standards, and if it fails creates a nice report to help you know what to set and then guides you where to set the items needed to pass the audit check.  Once properly configured, LOG-MD then harvests security related log data to help you investigate a suspect system.

In addition LOG-MD can perform full file system hashing to create a baseline that can be used to compare against a suspect system.  LOG-MD can also baseline the registry and compare a suspect system registry to a known good baseline to find altered settings and even look for LARGE Reg keys where malware is hiding payloads.

Come by Blackhat Arsenal and check us out and maybe get a goody too ;-)

Oct 3rd thru 5th, 2016 (Tentative date, it may have to move to a later date)

• AustinISSA.org

More information and registration here:

• http://malwarearchaeologyaus.eventbrite.com

George Epperly Business Building - Rose State College - 6420 Southeast 15th Street, Midwest City, OK 73110

• July 18th-19th 2016 - Sponsored by the ISSA OKC chapter

Oklahoma City - Windows Incident Response and Logging

• July 20th 2016 - Sponsored by the ISSA OKC chapter

• ISSA-OKC website

More information and register here:

• http://malwarearchaeologyokc.eventbrite.com

• MalwareArchaeology.com/presentations

• Security Weekly Enterprise PodCast Episode 5

It is important to point out that you cannot start to gain the benefit of your Log Management solution or SIEM until you enable and configure your Windows log setting per the Cheat Sheets found here:

• Windows Logging Cheat Sheets

#Happy Hunting

Here is the presentation from the talk I gave at the Dell Enterprise Security Summit in Atlanta April 21, 2016.

SlideShare Presentation - WIndows Top 10 Events to monitor

We are hosting another Malware Discovery and Basic Analysis class in Houston at Rice University.

When: May 19th-20th 2016

Sponsored by: the ISSA South Texas chapter.

• southtexasissa.org

Register here:

• https://www.eventbrite.com/e/malware-discovery-and-basic-analysis-tickets-24495505717