DISCOVERING CYBER INDICATORS OF COMPROMISE ON WINDOWS OS 10 CLIENTS USING POWERSHELL AND THE .NET FRAMEWORK

Authors
Turner, Jackie E.
Galloway, Andrea E.
Subjects
indicators of compromise
IOC
Windows
Windows 10
PowerShell
.NET
.NET framework
scripts
incident response
Advisors
Fulp, John D.
Huffmire, Theodore D.
Date of Issue
2018-09
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
This report describes research conducted to advance cyber incident response capability at the U.S. DoD-defined Tier 3 level. As both authors (at time of writing) serve in cyber support roles within the U.S. Navy, the report is written with some specificity to Navy shipboard and facility environments. Given the complexity of modern cyber systems, analysis is generally considered the most technically difficult task in the incident handling lifecycle: significant knowledge is required to detect (or verify) that an incident has occurred and to obtain enough additional system information to direct an informed response and recovery effort. This work focuses on analysis of the Windows 10 client platform using tools native to PowerShell. The authors "attack" a host, then demonstrate how PowerShell can be used to analyze system artifacts to determine the attack techniques used or the system weaknesses that allowed the attack to succeed. The authors then describe how the most reliable artifacts can be combined into indicators of compromise (IOC) expressed as PowerShell scripts, which can then be deployed to proactively "hunt" for other infected systems.
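As an added illustration of the hunt-script approach the abstract describes, the PowerShell below bundles several artifact checks (autostart registry values, scheduled tasks, dropped files with expected hashes, running process names) into a single IOC definition and reports per-host matches. This is example code written for this page, not code from the thesis; the IOC values (the value name UpdaterSvc, the task path, the file path, the all-zero hash, the process name) are constructed placeholders to be replaced with artifacts recovered from your own analysis. Run it elevated so HKLM and all users' processes are visible.

```powershell
# Added example (not from the thesis): a minimal IOC hunt script for Windows 10.
# All IOC values below are constructed placeholders, not real indicators.
$Ioc = @{
    Name          = 'EXAMPLE-IOC-001'                      # hypothetical IOC identifier
    RunValueNames = @('UpdaterSvc')                        # Run-key value names to flag
    TaskNames     = @('\Microsoft\Windows\UpdaterSvc')     # full scheduled-task paths to flag
    Files         = @{                                     # dropped file -> expected SHA-256
        'C:\ProgramData\updater\svc.exe' =
            '0000000000000000000000000000000000000000000000000000000000000000'
    }
    ProcessNames  = @('svc.exe')                           # process image names to flag
}

function Test-RegistryRunKeys {
    param([string[]]$ValueNames)
    # Read HKLM and HKCU autostart keys through the .NET registry API.
    foreach ($hive in @([Microsoft.Win32.Registry]::LocalMachine,
                        [Microsoft.Win32.Registry]::CurrentUser)) {
        $key = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
        if ($null -eq $key) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            if ($ValueNames -contains $valueName) {
                [pscustomobject]@{
                    Artifact = 'RunKey'
                    Detail   = "$($key.Name)\$valueName = $($key.GetValue($valueName))"
                }
            }
        }
        $key.Close()
    }
}

function Test-ScheduledTasks {
    param([string[]]$TaskNames)
    # TaskPath ends with a backslash, so path + name gives the full task path.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $fullName = $task.TaskPath + $task.TaskName
        if ($TaskNames -contains $fullName) {
            [pscustomobject]@{
                Artifact = 'ScheduledTask'
                Detail   = "$fullName -> $($task.Actions.Execute -join ', ')"
            }
        }
    }
}

function Test-DroppedFiles {
    param([hashtable]$Files)
    # Report any listed path that exists; note whether its hash matches the IOC.
    foreach ($path in $Files.Keys) {
        if (-not [System.IO.File]::Exists($path)) { continue }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Artifact = 'File'
            Detail   = "$path SHA256=$hash (hash match: $($hash -eq $Files[$path]))"
        }
    }
}

function Test-RunningProcesses {
    param([string[]]$ProcessNames)
    # WMI/CIM exposes the image path and command line, which Get-Process does not.
    Get-CimInstance Win32_Process |
        Where-Object { $ProcessNames -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Artifact = 'Process'
                Detail   = "PID $($_.ProcessId) $($_.ExecutablePath) cmd: $($_.CommandLine)"
            }
        }
}

function Invoke-IocHunt {
    param([hashtable]$Ioc)
    # @( ... ) collects every object the checks emit; an empty result stays an empty array.
    $hits = @(
        Test-RegistryRunKeys  -ValueNames   $Ioc.RunValueNames
        Test-ScheduledTasks   -TaskNames    $Ioc.TaskNames
        Test-DroppedFiles     -Files        $Ioc.Files
        Test-RunningProcesses -ProcessNames $Ioc.ProcessNames
    )
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Ioc     = $Ioc.Name
        Matched = ($hits.Count -gt 0)
        Hits    = $hits
    }
}

# Local run; for a fleet-wide hunt wrap the same body in Invoke-Command -ComputerName.
Invoke-IocHunt -Ioc $Ioc | ConvertTo-Json -Depth 4
```

The JSON output is meant for a central collector: a host with Matched set to true is a candidate for full analysis, and the Detail strings tell the responder which artifact fired. Treat a file whose hash does not match the IOC as a lead rather than a miss, since a path or name recurring across hosts with differing content is itself worth a look.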
Type
Thesis
Department
Information Sciences (IS)
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.