Oriana: incident response & threat hunting tool
Oriana
Oriana is an incident response & threat hunting tool that ingests a subset of Windows event logs to provide defenders situational awareness in Windows environments using a friendly and easy to use web interface. Using Oriana, an analyst can quickly respond to common questions that arise in incident response or threat hunting scenario. These questions include but are not limited to:
- What services have been installed on the environment? On which endpoints? When? What did they execute?
- What scheduled tasks have been created on the environment? On which endpoints? When? What did they execute?
- Which and how many endpoints has a specific user logged in to locally or remotely? When?
- Which and how many users have logged in to a specific computer locally or remote? When?
Oriana also implements a few analytic calculations that can help incident responders and hunters identify outliers and suspicious behavior. These analytics can help a defender identify :
- Services or tasks that have been installed on a low number of endpoints ( frequency analysis )
- Services or tasks that have a random name ( n-gram score )
- Users with a high number of authentication events
- Users that have logged in remotely to a large number of hosts
- Possible lateral movement events / sessions
How does it work?
Oriana leverages a PowerShell script that exports certain event logs and some of their fields into a CSV file. The script will generate one CSV file per endpoint its executed on and will write the file to a network share that needs to be previously provisioned. The more endpoints you run the script on, the better the information Oriana will be able to provide.
Currently, Oriana makes use of the following events:
- 4624: An account was successfully logged on
- 4625: An account failed to log on
- 4776: The domain controller attempted to validate the credentials for an account
- 7045: A Service was installed on the system
- 4698: A scheduled task was created
Note that these events will have to be enabled on the Audit policy. More information can be found on the Audit policy section.
Install && Use
Copyright (c) 2018, Mauricio Velazco
All rights reserved.
