Procedures Indexed by Goal
0-day Exploits
Attacker tools in use
Suspicious Process Creation via Windows Event Logs
BIOS/Firmware tampering
Command and Control (C2)
Finding the Unknown with HTTP URIs
Beacon Detection via Intra-Request Time Deltas
Finding C2 in Network Sessions
Compromise of Internet-Facing Service (SQL injection, web shells, etc.)
Internet-Facing HTTP Request Analysis
Checking How Outsiders See You
Finding Known-Bad in Antivirus Logs
Suspicious Process Creation via Windows Event Logs
Data Hiding
NTFS Extended Attribute Analysis
Data Staging & Exfiltration
Producer-Consumer Ratio for Detecting Data Exfiltration
Exploits
Suspicious Process Creation via Windows Event Logs
Lateral movement / Compromised Credentials
Detecting Lateral Movement in Windows Event Logs
Windows Lateral Movement via Explicit Credentials
Lateral Movement Detection via Process Monitoring
Finding Golden and Silver Tickets
Identify Suspicious Command Shells
Malicious Listening Services
Malware
Finding Known-Bad in Antivirus Logs
Beacon Detection via Intra-Request Time Deltas
Comparing Host Images/Memory Dumps to Known-Good Baselines
Windows Prefetch Cache Analysis
Finding the Unknown with HTTP URIs
Finding Malware Process Impersonation via String Distance
Phishing
Whaling Detection via Unusual Sender Domains