Focus Areas:
π‘οΈ Security Operations & Defense
, βοΈ DevSecOps
, π» Endpoint Security
, π΅οΈ Threat Intelligence
This Tool Demo covers following tools where the speaker has contributed or authored
THREATSEEKER
THREATSEEKER
Abstract
Threat hunting using Windows logs is essential for identifying and mitigating potential security threats within an organization’s network. It can be a time-consuming and painstaking process due to a large amount of data that needs to be collected and analyzed. The threat-hunting process could be repetitive. However, this process can be improved through custom scripts and tools.
In this talk, we will introduce ThreatSeeker, a windows log analysis framework that allows a threat hunter to find the common threats on the machine quickly. This tool also helps a threat hunter to detect APT movements. ThreatSeeker will allow a user to detect the following attacks:
- Suspicious account behavior
- User Creation and Added/Removed User to Admin group
- Brute Force Attack Detection on SMB, RDP, WinRM, etc.
- Brute Force Attack Detection
- Detection of malicious executable
- Detection of PTH Attack
- Suspicious service creation
- Installed Service with the executable in Suspicious locations
- Detection of Modifying, Starting, Disabling, and Stopping Service
- Detection of special privileges assigned
- Suspicious Command Auditing
- Powershell with Suspicious Argument
- PowerShell Downloads
- Execution of Suspicious executable,, i.e., rundll32.exe, sc.exe, mshta.exe, wscript.exe, cscript.exe
- Suspicious Windows Registry Modification, Addition
- Many More…
All the code and deployment scripts will be made open-source after the talk.