As you may know, I’m a pretty big proponent of documenting the things we “see” or find during investigations, and then baking those things back into the parsing and decoration process, as a means of automating and retaining corporate knowledge. Something I see once gets added to the parsing, decoration, and enrichment process, so that I never have to remember to look for it again. Things I’ve seen before are raised above the “noise” and brought to my attention, along with any references or necessary context. This makes subsequent investigations more efficient, and gets me to the point where I’m actually doing analysis much sooner.
One of the ways I do this is by creating simple plugins for Events Ripper, a proof-of-concept tool for “mining” Windows Event Log data for pivot points that can be applied to analysis, and in particular to timeline analysis. Events Ripper runs against the events file, the intermediate step between normalizing Windows Event Log records and building a timeline from them, and extracts pivot points from it, allowing me to build the picture of what happened, and when, a great deal faster than doing so manually.
The recently created or updated plugins include:
sec4797.pl
Checks for “Microsoft-Windows-Security-Auditing/4797” events, which indicate that an attempt was made to query whether a user account has a blank password. The event records both the Subject (the account doing the querying) and the Target account, so each hit pairs the acting account with the account being probed. I’d never seen these events before, but they popped up during a recent investigation, and helped to identify the threat actor’s activity, as well as validate the compromised account they were using.
filter.pl
Checks for “Microsoft-Windows-Security-Auditing/5156” and /5158 events (the Windows Filtering Platform permitted a connection, and permitted an application to bind to a local port, respectively); this plugin ou
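As an added example, and not code from Events Ripper or from either of the plugins above, the Python script below does over a small events file what the two plugins are described as doing: it pulls the 4797 blank-password checks out as pivot points (when, which account asked, about which account, from which workstation) and collapses the 5156/5158 Windows Filtering Platform events into application-to-endpoint pairs, so a single unexpected binary stands out from hundreds of svchost.exe lines. The pipe-delimited line layout, the key=value encoding of the event details and the sample lines are all constructed assumptions for this example, not the Events Ripper events-file format; the field names are the EventData names Windows uses for these event IDs.

```python
"""Added example (not Events Ripper code): mine a constructed, TLN-style
events file for Security/4797 and Security/5156, 5158 pivot points."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample. ASSUMED layout: epoch|source|host|user|Provider/EventID;key=value;...
# (the real events file is not key=value; this encoding is only for the example).
SAMPLE_EVENTS = r"""1700000000|EVTX|WKS01|-|Microsoft-Windows-Security-Auditing/4624;TargetUserName=jdoe;LogonType=10;IpAddress=10.0.0.5
1700000060|EVTX|WKS01|-|Microsoft-Windows-Security-Auditing/4797;TargetUserName=Administrator;TargetDomainName=WKS01;Workstation=WKS01;SubjectUserName=jdoe;SubjectDomainName=CORP
1700000061|EVTX|WKS01|-|Microsoft-Windows-Security-Auditing/4797;TargetUserName=svc_backup;TargetDomainName=WKS01;Workstation=WKS01;SubjectUserName=jdoe;SubjectDomainName=CORP
1700000120|EVTX|WKS01|-|Microsoft-Windows-Security-Auditing/5156;Application=\device\harddiskvolume2\users\jdoe\appdata\local\temp\agent.exe;Direction=%%14593;SourceAddress=10.0.0.7;SourcePort=49712;DestAddress=203.0.113.10;DestPort=443;Protocol=6
1700000121|EVTX|WKS01|-|Microsoft-Windows-Security-Auditing/5158;Application=\device\harddiskvolume2\users\jdoe\appdata\local\temp\agent.exe;SourceAddress=0.0.0.0;SourcePort=4444;Protocol=6
1700000180|EVTX|WKS01|-|Microsoft-Windows-Security-Auditing/5156;Application=\device\harddiskvolume2\windows\system32\svchost.exe;Direction=%%14593;SourceAddress=10.0.0.7;SourcePort=49713;DestAddress=10.0.0.1;DestPort=53;Protocol=17
"""

SECURITY = "Microsoft-Windows-Security-Auditing"
DIRECTION = {"%%14592": "inbound", "%%14593": "outbound"}  # WFP Direction codes
PROTOCOL = {"6": "tcp", "17": "udp"}


def iso(epoch):
    """Render an epoch timestamp as UTC, the way timeline entries are read."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def parse_event(line):
    """Split one assumed-layout line into provider, event ID and a dict of details."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        return None  # malformed line: skip rather than abort the whole scan
    epoch, _source, host, user, desc = fields
    provider_id, _, rest = desc.partition(";")
    provider, _, event_id = provider_id.rpartition("/")
    data = {}
    for kv in rest.split(";"):
        key, sep, value = kv.partition("=")
        if sep:
            data[key] = value
    return {"ts": int(epoch), "host": host, "user": user,
            "provider": provider, "id": event_id, "data": data}


def load_events(text):
    return [e for e in (parse_event(l) for l in text.splitlines() if l.strip()) if e]


def blank_password_checks(events):
    """4797 pivot points: (time, subject account, probed account, workstation)."""
    hits = []
    for e in events:
        if e["provider"] == SECURITY and e["id"] == "4797":
            d = e["data"]
            hits.append((iso(e["ts"]), d.get("SubjectUserName"),
                         d.get("TargetUserName"), d.get("Workstation")))
    return hits


def network_activity(events):
    """5156/5158 collapsed to (binary, kind, endpoint) -> count, so noise folds up."""
    pairs = Counter()
    for e in events:
        if e["provider"] != SECURITY or e["id"] not in ("5156", "5158"):
            continue
        d = e["data"]
        binary = d.get("Application", "").rsplit("\\", 1)[-1].lower()
        proto = PROTOCOL.get(d.get("Protocol"), d.get("Protocol"))
        if e["id"] == "5156":
            kind = DIRECTION.get(d.get("Direction"), "unknown")
            endpoint = f"{d.get('DestAddress')}:{d.get('DestPort')}/{proto}"
        else:  # 5158: a bind to a local port; the listener, not a peer
            kind = "bind"
            endpoint = f"{d.get('SourceAddress')}:{d.get('SourcePort')}/{proto}"
        pairs[(binary, kind, endpoint)] += 1
    return pairs


if __name__ == "__main__":
    evts = load_events(SAMPLE_EVENTS)
    print("Blank-password checks (Security/4797):")
    for when, subject, target, wks in blank_password_checks(evts):
        print(f"  {when}  {subject} queried {target} from {wks}")
    print("WFP activity (Security/5156, 5158):")
    for (binary, kind, endpoint), n in sorted(network_activity(evts).items()):
        print(f"  {n:4d}  {binary:<14} {kind:<9} {endpoint}")
```

Run against the constructed sample, the 4797 lines give two pivot points one second apart, both driven by the same subject account, which is exactly the pairing of acting account and probed account that the post describes as validating the compromised account. The aggregation in network_activity is what makes the WFP events usable: a temp-directory binary with one outbound 443 connection and a bind on 4444 sits next to the svchost.exe DNS traffic, and the path and port become the pivots to carry back into the timeline.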
[…]