Venue: International Conference on Internet Monitoring and Protection

Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs


Abstract

Nowadays computer attacks and intrusions have become more common, affecting the confidentiality, integrity or availability of computer systems. They are also more sophisticated, which makes the job of information security analysts more complicated, mainly because the attack vectors are more robust and harder to identify. One of the main resources that information security people have at their disposal are Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made of virus signatures, IP addresses, URLs or domains and some other elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows operating system and are valuable elements in a forensic analysis process. IOCs can be generated from Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs using Windows event logs to achieve a more efficient diagnostic computer system for IR.
