Professional Documents
Culture Documents
María del Carmen Prudente Tixteco, Lidia Prudente Tixteco, Gabriel Sánchez Pérez, Linda Karina Toscano
Medina
Instituto Politécnico Nacional
Sección de Estudios de Posgrado e Investigación ESIME Culhuacan
Santa Ana 1000, San Francisco Culhuacán, Coyoacán, D. F., México
mprudentet0900@alumno.ipn.mx, lprudente@ipn.mx, gasanchezp@ipn.mx, ltoscano@ipn.mx
Abstract— Nowadays computer attacks and intrusions have further damages within the information system infrastructure
become more common affecting confidentiality, integrity or the [6].
availability of computer systems. They are more sophisticated Security Windows Event Logs Codes can be mainly used
making the job of the information security analysts more to describe malicious activity [4], and these can be added to
complicated, mainly because of the attacking vectors are more antivirus signatures, IP addresses, URLs or domains to make
robust and complex to identify. One of the main resources that IOCs more robust and specific to determine if a computer
information security people have on their disposition are system could be compromised.
Indicators of Compromise (IOCs), which allow the identification The containment step for the IR process is considered the
of potentially malicious activity on a system or network.
most important; because it allows us to know if changes
Usually IOCs are made off virus signatures, IP addresses,
URLs or domains and some others elements, which are not
were made in the system [2], e.g., changes in privileges
sufficient to detect an intrusion or malicious activity on a
within registry keys, relocation of .dll system files or any
computer system. The Windows event logs register different other manipulation of processes and/or files during the
activities in a Windows® operating system that are valuable intrusion on a computer system.
elements in a forensic analysis process. IOCs can be generated Knowing the behavior of the attacker is of great
using Windows event logs for intrusion detection, improving importance, it helps to achieve a better analysis stage for IR
Incident Response (IR) and forensic analysis processes. This and forensic analysis processes, applying proactive actions
paper presents a procedure to generate IOCs using Windows and preventing future intrusions, e.g., computer system
event logs to achieve a more efficient diagnostic computer hardening.
system for IR. Event logs should not be considered as isolated events;
they have to be considered as a whole, that happen over a
Keywords-indicators of compromise; windows event logs; period of time and occur commonly, i.e., to obtain an IOC a
intrusion detection. failed login is not enough; this event must be associated with
some others to determine a compromised computer system
I. INTRODUCTION event.
This article presents a procedure to use Windows event
In the process of IR and forensic analysis, determining
logs to generate IOCs, achieving the detection of a computer
that a computer system is compromised could mean success
system intrusion and help the information security people or
or failure to mitigate a security incident. Attack vectors have
a CIRT to take quickly and effective decisions to defend the
increased their complexity, making more difficult for
information system infrastructure.
information security analysts to identify their presence.
This paper is organized as follows. Section II presents
Different tools have been developed to facilitate their
state of the art. Section III presents an explanation of
identification; one of these tools are the IOCs.
Windows event logs. Section IV describes the functionality
IOCs are pieces of forensic data, that could be found in
of indicators of compromise. Section V describes the
log entries or system files, which can help to identify
development of this research. Section VI presents the results
potentially malicious activity on a system or network [1].
of this research and Section VII conclusion and future work.
In order to reduce the number of false-positive results
over time, it is required to improve IR and forensic analysis II. STATE OF THE ART
procedures that collaborate directly with the Computer
Incident Response Team (CIRT). An incident is a compromise or a security violation in an
As a part of a forensic analysis recommendation of organization. Preparation of the CIRT through planning,
Computer Emergency Response Teams (CERTs), is of vital communication, and practice of the IR process will provide
importance that a computer system intrusion is promptly the experience needed to perform actions timely should an
identified, in order to perform the actions that will avoid incident occur [2].
There are six basic steps when an IR occurs: preparation,
identification, containment, eradication, recovery and lessons
learned; they provide the basic foundation to create and • Examine log files.
perform their own IR plan. Specifically, there is one task • Check for odd user accounts and groups.
within the containment phase that should be done: the system • Check all groups for unexpected user membership.
back-up. This provides the information about how the events • Look for unauthorized user rights.
happened, resulting in an incident from a malicious activity, • Check for unauthorized applications that start up
or to be used for observing how the system was automatically.
compromised during the phase of lessons learned [2]. • Check for unauthorized processes.
In order for an IR to be considered successful, the CIRT
• Check for altered permissions on files or registry
should know the steps followed by an attacker when
keys.
computer system is being compromised. There are seven
• Check for changes in user or computer policies.
steps: reconnaissance, weaponize, deliver, exploitation,
installation, command and control (C2), actions on • Audit for intrusion detection.
objectives, that the adversaries usually follow when On the other hand Hun-Ya Lock [5] presents the benefits
attempting an intrusion, these leave a trail behind them [3]. of using OpenIOC framework as common syntax to describe
This process is also known as the Kill Chain Life Cycle the results of malware analysis; this work describes tools and
shown in Figure 1. techniques used during analysis but not in the reporting of
results. The document emphasizes that reporting of the
results is as important as the results themselves and if the
results can be reported in a consistent well-structured manner
that is easily understood by man and machine, then it
becomes possible to automate some of the processes in the
detection, prevention and reporting of malware infections.
IOC Editor is a free editor tool for IOCs. The IOCs are
XML documents that support incident responders capturing
different information about threats including malicious files
attributes, changes in registries and artifacts in memory. IOC
Editor provides an interface to manage data within these
IOCs [7].
IOC Editor can:
• Manipulate the logical structures that define the IOC.
• Apply meta-information to IOC including detailed
Figure 1. Kill Chain Life Cycle. descriptions or arbitrary labels.
• Convert IOCs into XPath filters.
Microsoft Windows® Active Directory’s best practices • Manage lists of terms that are used within IOC.
consider different signs to identify and evaluate a SANS [8] published a checklist to review critical logs
compromised computer system by monitoring and the use of during an IR. It can also be used for a log review routine.
alerts, through a proper configuration of Windows auditing The general approach is:
settings. These signs can help to detect a malicious activity 1) Identify which log sources and/or automated tools
in a computer system early and timely. can be used during the analysis.
The following security events can be considered as part 2) Copy log records over to a single location for later
of the event monitoring to detect possible signs of computer review.
system intrusion within Windows® operating system [4]:
3) Minimize noise by removing routinely and repetitive
• Account Logon Events
log entries after confirming that they are benign.
• Account Management
4) Determine whether logs’ timestamps are reliable;
• Directory Service Access
considering the different time zone differences.
• Logon Events
• Object Access 5) Focus on recent changes, failures, errors, status
• Policy Change changes, access and administration events, and other
• Privilege Use unusual events in the environment.
• Process Tracking 6) Go back in time to reproduce the scenario before and
• System Events Audit after the incident.
There are certain recommendations made by CERTs to 7) Correlate activities across different logs to get a more
help identify a compromised computer system. However, comprehensive picture.
these have to be done by expert analysts [6]. When looking 8) Develop theories about what occurred; explore logs
for signs of intrusion, most of the time if one host has been to confirm or disprove them.
compromised, others on the same network have also been Some potential security log sources that can be found are
compromised. These are some of the signs to look for in a [8]:
possible compromised computer system review [6]: • Server and workstation operating system logs.
4689 A process has exited. TABLE VII. EVENTS OF PRIVILEGE USE CATEGORY.
4647 User initiated logoff. TABLE VIII. EVENTS OF SYSTEM AUDIT CATEGORY.
4624 An account was successfully logged on. Event ID Event Summary
4625 An account failed to log on. 5025 The Windows Firewall Service has been stopped.
A replay attack was detected. May be a harmless 5034 The Windows Firewall Driver has been stopped.
4649
false positive due to misconfiguration error.
4778 A session was reconnected to a Window Station. 4697 Attempt to install a service
4801 The workstation was unlocked. 4618 A monitored security event pattern has occurred.
5) Create or modify files and/or system objects 8) Jame’s account was enabled.
belonging to the installation process itself. 9) The auditing settings on access-control object were
6) Disable or change Windows Firewall Settings to changed.
allow communications between malicious domains. 10) Peter´s account session was closed.
7) Change policies for network connections. The diagram in Figure 7 shows the activity sequence of
8) Install applications to create new services or change an IOC considering the possible events achieved by an
services already running in the system. intruder using Peter’s account.
9) Delete audit events to prevent register activities in the
system.
10) Log out session.
Having acquired all possible actions made by an intruder,
we considered the odds of each event happening
continuously over a determined period of time to classify
them in the following activities: user, audit, services and
objects (shown in Figure 6).