A typical APT network intrusion is followed by lateral movement, so for effective incident response it is critical to detect and investigate the lateral movement phase. However, evidence that tools were executed during this phase is not always recorded under the default settings of Windows. JPCERT/CC therefore conducted a study of the log configuration needed to acquire evidence of tool execution in the lateral movement phase and closely examined what each configuration actually logs. This presentation explains attack patterns and tools commonly used in APT cases: JPCERT/CC analyzed the incidents it has handled and found that the methods and tools used in the lateral movement phase follow common patterns. It also introduces techniques for detecting and investigating such incidents using Audit Policy (a built-in Windows function) and Sysmon (a tool provided by Microsoft).
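Detection logic of the kind the abstract refers to, as an added example that is not from the presentation or from JPCERT/CC: it takes constructed Security 4688 (process creation) and Sysmon Event ID 1 records (sample data, not real telemetry), flags execution of a hypothetical watch-list of remote-execution tools, and reports separately the case the abstract warns about, a process-creation record that, under default audit settings, carries no command line at all. The tool list, the regexes and the record layout are the editor's assumptions, not findings of the study.

```python
"""Detect execution of common lateral-movement tooling in Windows event records.

Added example, not code from the JPCERT/CC presentation. The event records and
the watch-list are constructed assumptions for illustration.
"""
import re

# Hypothetical watch-list: (label, regex for the executable basename,
# optional regex the command line must also satisfy).  The second regex
# separates remote use of dual-use administration binaries from local use.
WATCHLIST = [
    ("psexec",          r"psexec(64)?\.exe", None),
    ("wmic-remote",     r"wmic\.exe",        r"/node:"),
    ("net-share",       r"net1?\.exe",       r"\buse\b"),
    ("schtasks-remote", r"schtasks\.exe",    r"/s\s"),
    ("at-remote",       r"at\.exe",          r"\\\\"),
    ("winrs",           r"winrs\.exe",       r"-r:"),
]


def normalize(event):
    """Map a Security 4688 or Sysmon Event ID 1 record to a common shape.

    Security 4688 carries the command line only when the
    ProcessCreationIncludeCmdLine_Enabled policy is set; with Windows defaults
    the field is absent, which the caller must tolerate.
    """
    eid = event.get("EventID")
    channel = event.get("Channel")
    if channel == "Security" and eid == 4688:
        return {"source": "Security/4688",
                "image": event["NewProcessName"],
                "cmdline": event.get("CommandLine"),
                "user": event.get("SubjectUserName")}
    if channel == "Microsoft-Windows-Sysmon/Operational" and eid == 1:
        return {"source": "Sysmon/1",
                "image": event["Image"],
                "cmdline": event.get("CommandLine"),
                "user": event.get("User")}
    return None


def classify(event):
    """Return (label, verdict, normalized record) for a suspicious record, else None.

    verdict is "match" when both executable and command line fit, or
    "needs-cmdline" when the executable fits but the log has no command line,
    so the analyst knows the evidence is incomplete rather than absent.
    """
    rec = normalize(event)
    if rec is None:
        return None
    basename = rec["image"].rsplit("\\", 1)[-1]
    for label, image_re, cmdline_re in WATCHLIST:
        if not re.fullmatch(image_re, basename, re.IGNORECASE):
            continue
        if cmdline_re is None:
            return (label, "match", rec)
        if rec["cmdline"] is None:
            return (label, "needs-cmdline", rec)
        if re.search(cmdline_re, rec["cmdline"], re.IGNORECASE):
            return (label, "match", rec)
        return None  # dual-use binary used locally; not flagged
    return None


def hunt(events):
    """Run classify() over a sequence of records and keep the hits."""
    return [hit for hit in (classify(e) for e in events) if hit is not None]


# Constructed sample records (not real telemetry) covering the cases above.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\fileserver01 -s cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    # 4688 as logged under default policy: no CommandLine field at all
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "SubjectUserName": "jdoe"},
    # 4688 with ProcessCreationIncludeCmdLine_Enabled = 1
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:10.0.0.5 process call create "cmd /c whoami"',
     "SubjectUserName": "jdoe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\dc01\C$ /user:CORP\admin Passw0rd",
     "User": r"CORP\jdoe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": r"CORP\jdoe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for label, verdict, rec in hunt(SAMPLE_EVENTS):
        print(f"{rec['source']:14} {label:16} {verdict:14} {rec['user']}  {rec['cmdline']}")
```

The second sample record is the situation the study is about: a default Windows installation does not even generate 4688 unless the "Audit Process Creation" subcategory is enabled, and when it does, the command line is only included after the ProcessCreationIncludeCmdLine_Enabled policy is turned on. Sysmon records the command line and parent image in every Event ID 1 entry, which is why the same watch-list gives a definite verdict on the Sysmon records but only "needs-cmdline" on the default-policy 4688 record.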