Revisiting the Detection of Lateral Movement through Sysmon

Abstract: This work attempts to answer in a clear way the following key questions regarding the optimal initialization of the Sysmon tool for the identification of Lateral Movement in the MS Windows ecosystem. First, from an expert’s standpoint and with reference to the relevant literature, what are the criteria for determining the possibly optimal initialization features of the Sysmon event monitoring tool, which are also applicable as custom rules within the config.xml configuration file? Second, based on the identifi… Show more

“…As an extent to [22] and for addressing the key gap of the creation of datasets through EVTX log files, among others, the current work contributes such a tool, entitled evtx_To_CSV_Export Tool (ETCExp). The tool, detailed in section 3, was developed to serve as an easily configurable and above all OS-independent command line tool that helps incident response teams and researchers to parse and transform massive EVTX log files into compatible unlabeled datasets (CSV files), ready to be used along with ML algorithms.…”

“…The tool, detailed in section 3, was developed to serve as an easily configurable and above all OS-independent command line tool that helps incident response teams and researchers to parse and transform massive EVTX log files into compatible unlabeled datasets (CSV files), ready to be used along with ML algorithms. Further, ETCExp tool is designed to implement the proposed in [22] EDR policy for automatically labelling the transformed Sysmon logs, into a multiclass CSV set of samples. Besides the labelling process, the ETCExp tool performs on demand, feature selection, subsets extraction, and basic data pre-processing through One Hot Encoding and MinMax algorithms.…”

“…As shown in Table 3, the LMD-2022 corpus comprises four subsets that were thoroughly presented in [22], namely Normal, NormalVsMalicious01, Nor-malVsMalicious02, and FullSet. Specifically, the Normal subset incorporates logs related to legitimate network traffic that were collected prior and during the execution of nine executed LM techniques, namely "Exploitation of Remote Services (EoRS)" (four variants of EoRS techniques) and "Exploitation of Hashing Techniques (EoHT)" (five variants of EoHT techniques).…”

“…For categorizing each of the ≈ 1.75M samples of LMD-2023 into one of the three aforementioned classes, we utilized the EDR policy presented in [22]. Furthermore, for fully automating the labeling process, we im- On the other hand, the values of the remaining 83 features were scrutinized based on the acquired insights from the studied literature in Section 2.…”

“…As it concerns Sysmon logs manipulation, the work in [22], was the first to deal with the presentation of a LM-oriented Endpoint Detection and Response (EDR) policy towards the first level identification of LM incidents thought the analysis of raw log files. The work ended with the presentation and evaluation of the Python_Evtx_Analyzer -(PeX) EDR tool, which incorporated the aforementioned EDR-policy's criteria.…”

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

“…As an extent to [22] and for addressing the key gap of the creation of datasets through EVTX log files, among others, the current work contributes such a tool, entitled evtx_To_CSV_Export Tool (ETCExp). The tool, detailed in section 3, was developed to serve as an easily configurable and above all OS-independent command line tool that helps incident response teams and researchers to parse and transform massive EVTX log files into compatible unlabeled datasets (CSV files), ready to be used along with ML algorithms.…”

“…The tool, detailed in section 3, was developed to serve as an easily configurable and above all OS-independent command line tool that helps incident response teams and researchers to parse and transform massive EVTX log files into compatible unlabeled datasets (CSV files), ready to be used along with ML algorithms. Further, ETCExp tool is designed to implement the proposed in [22] EDR policy for automatically labelling the transformed Sysmon logs, into a multiclass CSV set of samples. Besides the labelling process, the ETCExp tool performs on demand, feature selection, subsets extraction, and basic data pre-processing through One Hot Encoding and MinMax algorithms.…”

“…As shown in Table 3, the LMD-2022 corpus comprises four subsets that were thoroughly presented in [22], namely Normal, NormalVsMalicious01, Nor-malVsMalicious02, and FullSet. Specifically, the Normal subset incorporates logs related to legitimate network traffic that were collected prior and during the execution of nine executed LM techniques, namely "Exploitation of Remote Services (EoRS)" (four variants of EoRS techniques) and "Exploitation of Hashing Techniques (EoHT)" (five variants of EoHT techniques).…”

“…For categorizing each of the ≈ 1.75M samples of LMD-2023 into one of the three aforementioned classes, we utilized the EDR policy presented in [22]. Furthermore, for fully automating the labeling process, we im- On the other hand, the values of the remaining 83 features were scrutinized based on the acquired insights from the studied literature in Section 2.…”

“…As it concerns Sysmon logs manipulation, the work in [22], was the first to deal with the presentation of a LM-oriented Endpoint Detection and Response (EDR) policy towards the first level identification of LM incidents thought the analysis of raw log files. The work ended with the presentation and evaluation of the Python_Evtx_Analyzer -(PeX) EDR tool, which incorporated the aforementioned EDR-policy's criteria.…”

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

A technical characterization of APTs by leveraging public resources

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs