There is a rising trend within Threat actors to find newer, more effective and stealthy ways to attack and gain persistence in a network. One way to achieve this is by abusing legitimate software such as Windows Management Instrumentation and PowerShell. This is the case for Living Off the Land and Fileless threats. By using these techniques, attackers can distribute their malicious code bypassing software whitelisting and avoid antivirus detection. A method to detect these threats is by monitoring endpoints activity. However, this option comes with many challenges that range from getting enough system’s activity information to handle hundreds of events per second.
In our research, we analyze this monitoring method and the design challenges involved in it. Furthermore, we propose a solution that aims to detect and alert when advance threats are identified in a system. In order to provide an endpoint monitoring system free of any vendor lock-in, this solution combines the capabilities of different open source projects as well as free tools. These include, Sysmon for monitoring system activity, Elastic Stack (ELK) to store and search the collected data, ElastAlert to trigger alarms and the Sigma Project to define the rules for the alarms. This highly customizable solution would enable organizations to hunt for threats inside their network or create rules that would automatically detect specific threats upfront.