Network Forensics Investigation in Virtual Data Centers Using ELK

Rajesh, P. K.; Ismail, B. Mohammed; Alam, Mansoor; Tahernezhadi, M.; Monika, A.

doi:10.1145/3459104.3459135

Cited by 7 publications

(3 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The ELK Stack was also used by the authors in [13,14] for the analysis of massive log records and the identification of malicious behavior. Specifically, the work in [13] implemented a logstash massive data processing pipeline to collect a critical mass of logs, whereas [14] generated Sysmon logging events. In both cases, the ELK stack was utilized for log file iteration and the identification of malicious patterns.…”

Section: Related Workmentioning

confidence: 99%

Revisiting the Detection of Lateral Movement through Sysmon

2022

View full text Add to dashboard Cite

This work attempts to answer in a clear way the following key questions regarding the optimal initialization of the Sysmon tool for the identification of Lateral Movement in the MS Windows ecosystem. First, from an expert’s standpoint and with reference to the relevant literature, what are the criteria for determining the possibly optimal initialization features of the Sysmon event monitoring tool, which are also applicable as custom rules within the config.xml configuration file? Second, based on the identified features, how can a functional configuration file, able to identify as many LM variants as possible, be generated? To answer these questions, we relied on the MITRE ATT and CK knowledge base of adversary tactics and techniques and focused on the execution of the nine commonest LM methods. The conducted experiments, performed on a properly configured testbed, suggested a great number of interrelated networking features that were implemented as custom rules in the Sysmon’s config.xml file. Moreover, by capitalizing on the rich corpus of the 870K Sysmon logs collected, we created and evaluated, in terms of TP and FP rates, an extensible Python .evtx file analyzer, dubbed PeX, which can be used towards automatizing the parsing and scrutiny of such voluminous files. Both the .evtx logs dataset and the developed PeX tool are provided publicly for further propelling future research in this interesting and rapidly evolving field.

show abstract

Section: Related Workmentioning

confidence: 99%

Revisiting the Detection of Lateral Movement through Sysmon

2022

View full text Add to dashboard Cite

show abstract

“…The ELK Stack was also used by the authors in [13,14] for the analysis of massive log records and the identification of malicious behaviour. Specifically, the work in [13] implemented a logstash massive data processing pipeline to collect a critical mass of logs, whereas [14] generated Sysmon logging events. In both cases, the ELK stack was utilised for log file's iteration and identification of malicious patterns.…”

Section: Related Workmentioning

confidence: 99%

“…Login activity is tracked and outlined through a graph of interrelated logins among the implicated hosts to conclude in the detection of anomalies among logins referring to LM. Network forensics investigation in virtual data centers using ELK [13] 2021…”

mentioning

confidence: 99%

Revisiting the Detection of Lateral Movement through Sysmon

Smiliotopoulos¹,

Barmpatsalou²,

Kambourakis³

2022

Preprint

View full text Add to dashboard Cite

This work attempts to answer in a clear way the following key questions regarding the optimal initialization of the Sysmon tool, towards the identification of Lateral Movement in the MS Windows ecosystem. First, from an expert’s standpoint and with reference to the relevant literature, what are the criteria of determining the possibly optimal initialization features of the Sysmon’s event monitoring tool, which are also applicable as custom rules within the config.xml configuration file? Second, based on the identified features, how can a functional configuration file, able to identify as many LM variants as possible, be generated? To answer these questions, we relied on the MITRE ATT&amp;CK knowledge base of adversary tactics and techniques, and focused on the execution of the nine commonest LM methods. The conducted experiments, performed on a properly configured testbed, suggested a great number of interrelated networking features, that were implemented as custom rules in the Sysmon’s config.xml file. Moreover, by capitalizing on the rich corpus of the 870K Sysmon logs collected, we create and evaluate in terms of TP and FP rates an extensible Python .evtx file analyzer, dubbed PeX, which can be used towards automatizing the parsing and scrutiny of such voluminous files. Both the .evtx logs dataset and the developed PeX tool are provided publicly for further propelling future research in this interesting and rapidly evolving field.

show abstract