
Article information

  • Title: Automated Threat Hunting Using ELK Stack - A Case Study
  • Authors: MOZA AL SHIBANI; E ANUPRIYA
  • Journal: Indian Journal of Computer Science and Engineering
  • Print ISSN: 2231-3850
  • Electronic ISSN: 0976-5166
  • Year: 2019
  • Volume: 10
  • Issue: 5
  • Pages: 118-127
  • DOI: 10.21817/indjcse/2019/v10i5/191005008
  • Publisher: Engg Journals Publications
  • Abstract: Modern threats are highly sophisticated and bypass legitimate security tools, so static threat hunting methods are futile. The alternative is to dynamically analyze how threats enter the network and how they behave once inside. The two popular ways to analyze threats are to use machine-intelligence-based hunting software or to monitor endpoint activity. Endpoint activity can be obtained from the system log using Sysmon. The event logs are filtered to eliminate normal day-to-day activity, and the suspicious activity is forwarded to a server running the ELK stack. The server analyzes process creation, parent processes and their behavior; a filter is applied on the server side to analyze and hunt the threats. As a case study, three threats were injected on the victim client machine by a threat actor operating from another client: 1. malicious code that remotely accesses files on a shared drive and deletes them; 2. remote registry access that creates or deletes entries in the victim's registry; 3. malware that escalates rights and deletes files. The system identified all the threats successfully and segmented them with an alert message. The complete system was implemented in a virtual environment on Windows, using Oracle VM VirtualBox to create the virtual environment.
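The pipeline the abstract describes (Sysmon on the endpoint, a client-side filter that drops routine activity, and server-side rules over process creation and parent-process relationships) can be sketched in a few dozen lines. The block below is an added illustration, not the paper's code: Sysmon's event IDs and field names (Event ID 1 ProcessCreate with Image, ParentImage, CommandLine, IntegrityLevel; Event ID 12 registry object create/delete with EventType, TargetObject, Image) are real, but the baseline pairs, the three hunting rules, the assumption that remote registry operations surface under svchost.exe, and the sample records are all constructed for the example. One rule is written per threat class from the case study.

```python
"""Sysmon-style filter-and-hunt sketch (added example; not the paper's code)."""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Sysmon event IDs used below (Sysmon's own numbering).
PROCESS_CREATE = 1    # Event ID 1: process creation
REGISTRY_OBJECT = 12  # Event ID 12: registry key/value created or deleted


def _norm(path: object) -> str:
    """Case-fold a Windows path so lookups are not case sensitive."""
    return str(path).lower()


# Client side: parent -> child pairs treated as normal day-to-day activity.
# Assumed for the example; a real baseline is learned per environment.
BASELINE_PAIRS = {
    (_norm(r"C:\Windows\explorer.exe"), _norm(r"C:\Windows\System32\notepad.exe")),
    (_norm(r"C:\Windows\System32\services.exe"), _norm(r"C:\Windows\System32\svchost.exe")),
}


def client_filter(events: List[Event]) -> List[Event]:
    """Drop baseline process creations; forward everything else to the ELK server."""
    forwarded = []
    for e in events:
        if e["EventID"] == PROCESS_CREATE and \
                (_norm(e["ParentImage"]), _norm(e["Image"])) in BASELINE_PAIRS:
            continue
        forwarded.append(e)
    return forwarded


# Server side: one heuristic rule per threat class. Patterns are assumptions.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\\S+")                          # \\host\share\...
DELETE_VERBS = re.compile(r"\b(del|erase|rd|rmdir|Remove-Item)\b", re.IGNORECASE)
REMOTE_REG_TARGET = re.compile(r"\\\\[^\\\s]+\\HK", re.IGNORECASE)   # reg.exe ... \\host\HKLM\...
USER_APPS = {_norm(r"C:\Windows\explorer.exe"),
             _norm(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")}


def rule_remote_share_delete(e: Event) -> Optional[str]:
    """Threat 1: a process deleting files on a shared drive through a UNC path."""
    if e["EventID"] != PROCESS_CREATE:
        return None
    cmd = str(e.get("CommandLine", ""))
    if UNC_PATH.search(cmd) and DELETE_VERBS.search(cmd):
        return "remote-share-delete"
    return None


def rule_remote_registry(e: Event) -> Optional[str]:
    """Threat 2: registry entries created/deleted over the network.
    Outbound: reg.exe aimed at \\host\HKxx. Inbound: a DeleteKey performed by
    svchost.exe, assumed here to be the image Sysmon reports for the
    RemoteRegistry service."""
    if e["EventID"] == PROCESS_CREATE:
        if _norm(e["Image"]).endswith(r"\reg.exe") and \
                REMOTE_REG_TARGET.search(str(e.get("CommandLine", ""))):
            return "remote-registry-modify"
    elif e["EventID"] == REGISTRY_OBJECT:
        if e.get("EventType") == "DeleteKey" and _norm(e["Image"]).endswith(r"\svchost.exe"):
            return "remote-registry-delete"
    return None


def rule_elevated_child(e: Event) -> Optional[str]:
    """Threat 3: a High/System-integrity process spawned by a user-facing
    application, the shape a rights-escalation payload leaves in Event ID 1."""
    if e["EventID"] != PROCESS_CREATE:
        return None
    if e.get("IntegrityLevel") in ("High", "System") and _norm(e["ParentImage"]) in USER_APPS:
        return "elevated-child-of-user-app"
    return None


RULES = (rule_remote_share_delete, rule_remote_registry, rule_elevated_child)


def hunt(events: List[Event]) -> List[Tuple[str, Event]]:
    """Apply every rule to every forwarded event; return (alert name, event) pairs."""
    return [(name, e) for e in events for rule in RULES if (name := rule(e))]


# Constructed sample events (not real captures): two baseline records, then
# the three injected threats plus an inbound remote key deletion.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "IntegrityLevel": "Medium", "User": r"LAB\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs", "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c del /q \\FILESRV\shared\*.docx", "IntegrityLevel": "Medium", "User": r"LAB\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg delete \\VICTIM-PC\HKLM\Software\Contoso /f", "IntegrityLevel": "Medium", "User": r"LAB\alice"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Agent"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'powershell.exe -NoProfile -WindowStyle Hidden -Command "Remove-Item C:\Users\Public\report.docx"',
     "IntegrityLevel": "High", "User": r"LAB\alice"},
]

if __name__ == "__main__":
    for name, e in hunt(client_filter(SAMPLE_EVENTS)):
        print(f"ALERT {name}: EventID={e['EventID']} Image={e['Image']}")
```

Running the script forwards four of the six sample records (the two baseline pairs are suppressed on the client) and raises one alert per forwarded record. The same split applies when the rules live in Logstash or Kibana instead of Python: the endpoint-side allowlist decides what is shipped, and the server-side rules decide what is alerted, so a change to either list shifts detection without touching the other.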