Hunting Analytics
Using the raw event logs information imported to the postgres database, Oriana implements a few basic algorithms that can help in identifying suspicious behavior and outliers on a Windows environment.
Leveraging Service Creation events (7045) and New Scheduled Task events (4698), Oriana calculates the frequency of each service and task across all hosts.
This allows a hunter to quickly identify suspicious services/tasks and related forensic information like on which computers they executed and the command line utilized.
Logon events 4624 and 4625 provide insight into user-to-host relationships. By leveraging these authentication events and relationships, Oriana calculates, for example,
- The total number of unique hosts a user has authenticated to remotely or locally
- The total number of users that have authenticated to a host remotely or locally
- The total number of unique RDP servers a user has authenticated to
- The total number of failed remote authentication events per user
Oriana presents this information using a sortable HTML table that helps hunters identify outliers worth investigating.
By correlating remote authentication events (4624 and 4625 with Logon Type 3) and code execution events (new service: 7045 and new task: 4698) Oriana identifies possible lateral movement events worth investigating.
Grouping possible lateral movement events by time can also help identify a lateral movement session. I use this term to describe an attacker moving laterally across several hosts in a defined period of time.
After replicating different attack scenarios in a lab environment I added a few extra detections based on user behavior described below.
A user is failing to authenticate with valid credentials but without enough privileges (Event 4625 Status=0xc000015b) to several hosts in a fixed period of time. This behavior could represent an attacker trying to validate credentials to find local administrator access.
A user is successfully authenticating (Event 4624) to several hosts in a fixed period of time. This behavior could represent an attacker enumerating or moving laterally across the environment.
A local account is being used to authenticate to several hosts (Event 4776) in a fixed period of time. This behavior could represent an attacker spraying the environment with a local account.
A user is successfully authenticating interactively (Event 4625 Logon Type NOT 3 or 10) to several hosts. This behavior could represent compromised credentials being used on several hosts.
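The two core checks described above, the remote-logon-to-code-execution correlation and the "one user, many hosts in a fixed window" behavior, written out as an added example. This is illustrative code, not Oriana's own implementation; it works on a constructed in-memory event list instead of the postgres tables, and the window sizes and the minimum host count are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (timestamp, event_id, user, host, logon_type)
EVENTS = [
    ("2024-01-01T10:00:00", 4624, "alice", "ws01", 3),
    ("2024-01-01T10:00:20", 7045, "alice", "ws01", None),  # new service 20 s after a type-3 logon
    ("2024-01-01T10:01:00", 4624, "alice", "ws02", 3),
    ("2024-01-01T10:02:00", 4624, "alice", "ws03", 3),
    ("2024-01-01T10:03:00", 4624, "alice", "ws04", 3),
    ("2024-01-01T12:00:00", 4624, "bob", "ws05", 3),
    ("2024-01-01T13:00:00", 7045, "bob", "ws05", None),    # an hour later: outside the window
]

def parse(events):
    """Convert ISO timestamps to datetime and return events ordered by time."""
    evs = [(datetime.fromisoformat(ts), eid, u, h, lt) for ts, eid, u, h, lt in events]
    return sorted(evs, key=lambda e: e[0])

def lateral_movement_candidates(events, window=timedelta(minutes=5)):
    """Remote logon (4624, Logon Type 3) followed on the same host by 7045/4698 within window."""
    evs = parse(events)
    hits = []
    for i, (t, eid, user, host, lt) in enumerate(evs):
        if eid != 4624 or lt != 3:
            continue
        for t2, eid2, _, host2, _ in evs[i + 1:]:
            if t2 - t > window:          # events are time-ordered, so stop at the window edge
                break
            if host2 == host and eid2 in (7045, 4698):
                hits.append((user, host, eid2, (t2 - t).total_seconds()))
    return hits

def users_hitting_many_hosts(events, event_id=4624, min_hosts=3, window=timedelta(minutes=10)):
    """Users with >= min_hosts distinct hosts for event_id inside any sliding window.
    Maps user -> largest distinct-host count seen in one window."""
    per_user = defaultdict(list)
    for t, eid, user, host, _ in parse(events):
        if eid == event_id:
            per_user[user].append((t, host))
    flagged = {}
    for user, logons in per_user.items():
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = max(flagged.get(user, 0), len(hosts))
    return flagged
```

The same `users_hitting_many_hosts` function, called with `event_id=4625` or `event_id=4776`, covers the failed-authentication and local-account variants of the behavior detections.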