endpoint security

Detecting Evasion Techniques in Endpoint Logs

Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.

defense-evasiondetection-engineeringedrendpointmitre-att&ckthreat-hunting
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Hunting for adversary defense evasion techniques (MITRE ATT&CK TA0005) in endpoint telemetry
  • Building detection rules for common evasion methods (process injection, timestomping, log clearing)
  • Investigating incidents where adversaries disabled or bypassed security tools
  • Analyzing endpoint logs for indicators of living-off-the-land binary (LOLBin) abuse

Do not use this skill for network-level evasion (use network traffic analysis) or for malware reverse engineering.

Prerequisites

  • Sysmon installed and configured with comprehensive logging rules (SwiftOnSecurity or Olaf Hartong config)
  • Windows Security Event Log with advanced audit policy enabled
  • EDR telemetry (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)
  • SIEM platform for log correlation (Splunk, Elastic, Sentinel)
  • MITRE ATT&CK Enterprise matrix for technique reference

Workflow

Step 1: Detect Log Tampering (T1070)

Windows Event Log clearing (T1070.001):

# Sysmon Event ID 1 (Process Create) for wevtutil
EventID: 1
CommandLine contains: "wevtutil cl" OR "wevtutil clear-log"
 
# Security Event ID 1102 - Audit log was cleared
EventID: 1102
Source: Microsoft-Windows-Eventlog
 
# System Event ID 104 - Event log was cleared
EventID: 104
 
# PowerShell log clearing
EventID: 1 (Sysmon)
CommandLine contains: "Clear-EventLog" OR "Remove-EventLog"
 
# Splunk query:
index=windows (EventCode=1102 OR EventCode=104)
  OR (EventCode=1 CommandLine="*wevtutil*cl*")
  OR (EventCode=1 CommandLine="*Clear-EventLog*")
| table _time host user CommandLine EventCode

Timestomping (T1070.006):

# Sysmon Event ID 2 - File creation time changed
EventID: 2
# Look for creation times set far in the past on recently-written files
# Correlate with Event ID 11 (FileCreate) - if FileCreate is recent but
# creation time in Event ID 2 is old, timestomping is likely
 
# MDE Advanced Hunting (KQL):
DeviceFileEvents
| where ActionType == "FileTimestampModified"
| where Timestamp > ago(7d)
| extend TimeDiff = datetime_diff('day', Timestamp, ReportedFileCreationTime)
| where TimeDiff > 30
| project Timestamp, DeviceName, FileName, FolderPath,
    ReportedFileCreationTime, InitiatingProcessFileName

Step 2: Detect Process Injection (T1055)

# Sysmon Event ID 8 - CreateRemoteThread
EventID: 8
# Alert when source process is unusual (not system processes)
# Filter out known legitimate: antivirus, debugging tools
SourceImage NOT IN ("C:\Windows\System32\csrss.exe",
                     "C:\Windows\System32\lsass.exe")
 
# Sysmon Event ID 10 - ProcessAccess with suspicious access masks
EventID: 10
GrantedAccess contains: "0x1F0FFF" OR "0x1FFFFF" OR "0x001F0FFF"
# PROCESS_ALL_ACCESS = 0x1F0FFF (common in injection)
# Filter legitimate: AV accessing all processes
 
# Sysmon Event ID 25 - Process Tampering
EventID: 25
Type: "Image is replaced"  # Process hollowing indicator
 
# Splunk detection:
index=sysmon EventCode=8
| where NOT match(SourceImage, "(?i)(csrss|svchost|MsMpEng|defender)")
| stats count by SourceImage TargetImage host
| where count < 5
| sort - count

Step 3: Detect Security Tool Disabling (T1562)

# Service stopped events for security services
EventID: 7045 (new service) OR 7036 (service state change)
ServiceName IN ("WinDefend", "Sense", "CrowdStrike Falcon Sensor",
                 "SentinelAgent", "csagent", "MBAMService")
 
# Sysmon Event ID 1 - Processes that disable Defender
CommandLine contains: "Set-MpPreference -DisableRealtimeMonitoring"
  OR "sc stop WinDefend"
  OR "sc config WinDefend start= disabled"
  OR "net stop" AND ("windefend" OR "sense" OR "csagent")
 
# Registry modification to disable security features
# Sysmon Event ID 13 - Registry value set
TargetObject contains: "DisableAntiSpyware"
  OR "DisableRealtimeMonitoring"
  OR "DisableBehaviorMonitoring"
Details: "DWORD (0x00000001)"
 
# MDE KQL:
DeviceRegistryEvents
| where RegistryValueName in ("DisableAntiSpyware", "DisableRealtimeMonitoring")
| where RegistryValueData == "1"
| project Timestamp, DeviceName, RegistryKey, InitiatingProcessFileName

Step 4: Detect Masquerading (T1036)

# Sysmon Event ID 1 - Process with legitimate name from unusual path
EventID: 1
Image contains: "svchost.exe" AND Image NOT starts with: "C:\Windows\System32\"
Image contains: "csrss.exe" AND Image NOT starts with: "C:\Windows\System32\"
Image contains: "lsass.exe" AND Image NOT starts with: "C:\Windows\System32\"
 
# Process name mismatch (original filename vs. current name)
# Sysmon captures OriginalFileName from PE header
EventID: 1
OriginalFileName != (parsed filename from Image path)
 
# Double extension files
EventID: 11 (FileCreate)
TargetFilename matches: "*\.pdf\.exe" OR "*\.doc\.exe" OR "*\.jpg\.exe"
 
# Splunk:
index=sysmon EventCode=1
| eval process_name=mvindex(split(Image,"\\"),-1)
| where (process_name="svchost.exe" AND NOT match(Image,"(?i)C:\\\\Windows\\\\System32"))
  OR (process_name="csrss.exe" AND NOT match(Image,"(?i)C:\\\\Windows\\\\System32"))
| table _time host Image ParentImage CommandLine User

Step 5: Detect LOLBin Abuse (T1218, T1127)

# Common LOLBin abuse patterns:
 
# mshta.exe executing remote content
EventID: 1
Image ends with: "mshta.exe"
CommandLine contains: "http" OR "javascript:" OR "vbscript:"
 
# certutil.exe downloading files
EventID: 1
Image ends with: "certutil.exe"
CommandLine contains: "-urlcache" OR "-decode" OR "-encode"
 
# regsvr32.exe executing scriptlets
EventID: 1
Image ends with: "regsvr32.exe"
CommandLine contains: "/s /n /u /i:" OR "scrobj.dll"
 
# rundll32.exe with unusual DLLs
EventID: 1
Image ends with: "rundll32.exe"
CommandLine contains: "javascript:" OR ".js" OR "http:"
 
# MSBuild executing inline tasks
EventID: 1
Image contains: "MSBuild.exe"
CommandLine NOT contains: ".sln" AND NOT contains: ".csproj"

Step 6: Build Detection Rule Correlation

# Combine multiple weak signals into high-confidence detection:
 
# Rule: Potential post-exploitation evasion chain
# Trigger when 3+ evasion techniques observed on same host within 1 hour
 
# Splunk correlation search:
index=sysmon host=*
| eval technique=case(
    EventCode=2, "timestomping",
    EventCode=8 AND NOT match(SourceImage,"csrss|svchost"), "process_injection",
    EventCode=1 AND match(CommandLine,"(?i)wevtutil.*cl"), "log_clearing",
    EventCode=13 AND match(TargetObject,"DisableRealtimeMonitoring"), "security_disable",
    EventCode=1 AND match(CommandLine,"(?i)(mshta|certutil.*urlcache|regsvr32.*/s.*/n)"), "lolbin_abuse",
    true(), NULL
)
| where isnotnull(technique)
| bin _time span=1h
| stats dc(technique) as technique_count values(technique) as techniques by host _time
| where technique_count >= 3
| sort - technique_count

Key Concepts

Term Definition
Defense Evasion (TA0005) MITRE ATT&CK tactic where adversaries attempt to avoid detection during operations
Process Injection (T1055) Technique of injecting code into another process's memory space to execute in a trusted context
Timestomping (T1070.006) Modifying file timestamps to make malicious files appear old and blend with legitimate files
Masquerading (T1036) Naming malicious files or processes to match legitimate system files to avoid detection
LOLBin Living Off the Land Binary; legitimate Windows tool repurposed by adversaries
Indicator Removal (T1070) Clearing logs, deleting files, or modifying artifacts to remove evidence of compromise

Tools & Systems

  • Sysmon: Advanced Windows system monitoring with kernel-level visibility
  • Microsoft Defender for Endpoint: EDR with advanced hunting (KQL) for evasion detection
  • CrowdStrike Falcon: IOA-based behavioral detection for evasion techniques
  • Elastic Security: SIEM with prebuilt detection rules for ATT&CK evasion techniques
  • Sigma Rules: Vendor-agnostic detection rule format with extensive evasion rule library

Common Pitfalls

  • Alert fatigue from process injection rules: Many legitimate tools (AV, accessibility) perform process injection. Maintain an allowlist of known-good source processes.
  • Missing Sysmon Event ID 8/10: Default Sysmon configurations may not capture CreateRemoteThread or ProcessAccess. Use a comprehensive Sysmon config.
  • Ignoring parent process context: A suspicious command line from cmd.exe is concerning only if the parent of cmd.exe is unusual (e.g., Excel spawning cmd.exe).
  • Not correlating across event types: Single events are often benign. Combine multiple weak signals (process creation + network connection + file creation) for high-confidence detections.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.7 KB

API Reference: Detecting Evasion Techniques in Endpoint Logs

Key Windows Event IDs for Evasion

Event ID Source Evasion Technique
1102 Security Audit log cleared (T1070.001)
Sysmon 2 Sysmon Timestomping (T1070.006)
Sysmon 8 Sysmon CreateRemoteThread (T1055)
Sysmon 10 Sysmon Process Access / LSASS (T1003)
4688 Security Process creation with cmdline

python-evtx Usage

import Evtx.Evtx as evtx
with evtx.Evtx("Sysmon.evtx") as log:
    for record in log.records():
        xml = record.xml()
        # Parse EventID, CommandLine, SourceImage, TargetImage

Evasion Detection Patterns

# Log clearing
r"wevtutil\s+(cl|clear-log)"
r"Clear-EventLog"
# Security tool disable
r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"
r"sc\s+(stop|delete)\s+WinDefend"
# AMSI bypass
r"[Ref].Assembly.GetType.*AMSI"
r"amsiInitFailed"

MITRE ATT&CK TA0005 Techniques

Technique ID Detection
Indicator Removal T1070 Log clearing, file deletion
Timestomping T1070.006 Sysmon Event ID 2
Process Injection T1055 Sysmon Event ID 8
Impair Defenses T1562.001 AV/EDR disabling commands
AMSI Bypass T1562.001 PowerShell AMSI patching

Splunk SPL Detection

index=sysmon (EventCode=2 OR EventCode=8 OR EventCode=10)
| eval technique=case(
    EventCode=2, "Timestomping",
    EventCode=8, "Process Injection",
    EventCode=10, "Process Access")
| stats count by technique, SourceImage, Computer

CLI Usage

python agent.py --evtx-file Sysmon.evtx
python agent.py --evtx-file Security.evtx
standards.md1.6 KB

Standards & References - Detecting Evasion Techniques in Endpoint Logs

Primary Standards

MITRE ATT&CK TA0005 - Defense Evasion

  • URL: https://attack.mitre.org/tactics/TA0005/
  • Scope: 43 techniques and 80+ sub-techniques for defense evasion
  • Key techniques: T1055 (Process Injection), T1070 (Indicator Removal), T1036 (Masquerading), T1218 (System Binary Proxy Execution), T1562 (Impair Defenses)

Sigma Detection Rules

  • URL: https://github.com/SigmaHQ/sigma
  • Scope: Community-maintained detection rules in vendor-agnostic format
  • Evasion rules: rules/windows/process_creation/proc_creation_win_*, rules/windows/sysmon/

LOLBAS Project

Compliance Mappings

Framework Requirement Detection Coverage
NIST 800-53 SI-4 System Monitoring Evasion detection via endpoint logging
NIST 800-53 AU-6 Audit Record Review Log analysis for tampering indicators
PCI DSS 4.0 10.4.1 - Audit log review Automated detection of log tampering
ISO 27001 A.12.4.1 - Event logging Integrity monitoring of security logs

Supporting References

workflows.md2.2 KB

Workflows - Detecting Evasion Techniques in Endpoint Logs

Workflow 1: Evasion Technique Threat Hunt

[Select evasion technique to hunt]

    ├── T1055 Process Injection
    ├── T1070 Log Tampering
    ├── T1036 Masquerading
    ├── T1562 Security Tool Disabling


[Craft detection query (Splunk/KQL/Elastic)]


[Execute across 30-90 days of endpoint telemetry]


[Triage results]

    ├── Known-good (allowlist) ──► [Add to baseline, refine query]
    ├── Suspicious ──► [Deep investigation]
    │                       │
    │                       ├── Correlate with other telemetry
    │                       ├── Check process tree
    │                       ├── Review network connections
    │                       │
    │                       ├── True positive ──► [Escalate to IR]
    │                       └── False positive ──► [Tune detection]

    └── No results ──► [Validate logging covers technique]

Workflow 2: Detection Rule Deployment

[Create Sigma/SIEM detection rule]


[Test against historical data]

    ├── High false positive rate ──► [Refine exclusions]

    └── Acceptable FP rate ──► [Deploy in alert mode]


                                [Monitor for 2 weeks]


                                [Review alert quality]


                                [Promote to production detection]

Workflow 3: Evasion Incident Response

[Evasion technique detected]


[Assess scope: Which endpoints affected?]


[Correlate with initial access and persistence]


[Determine if adversary achieved objectives]

    ├── Active intrusion ──► [Full incident response]

    └── Isolated event ──► [Remediate endpoint, enhance detection]

Scripts 2

agent.py5.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Defense evasion detection agent for endpoint logs.

Detects MITRE ATT&CK TA0005 evasion techniques including log clearing,
timestomping, process injection indicators, and security tool disabling
by analyzing Sysmon and Windows Security event logs.
"""

import argparse
import json
import re
from datetime import datetime

try:
    import Evtx.Evtx as evtx
except ImportError:
    evtx = None

EVASION_EVENT_IDS = {
    1102: {"name": "Audit Log Cleared", "severity": "CRITICAL", "mitre": "T1070.001"},
    4688: {"name": "Process Creation", "severity": "INFO", "mitre": "T1059"},
    4689: {"name": "Process Termination", "severity": "INFO", "mitre": ""},
}

SYSMON_EVASION_IDS = {
    1: "Process Create",
    2: "File creation time changed (Timestomping)",
    8: "CreateRemoteThread",
    10: "Process Access",
    12: "Registry Object Create/Delete",
    13: "Registry Value Set",
}

TIMESTOMP_INDICATORS = [
    r"SetFileTime", r"timestomp", r"\$STANDARD_INFORMATION",
    r"NtSetInformationFile", r"SetFileInformationByHandle",
]

LOG_CLEARING_COMMANDS = [
    r"wevtutil\s+(cl|clear-log)",
    r"Clear-EventLog",
    r"Remove-EventLog",
    r"del\s+.*\.evtx",
    r"wmic\s+nteventlog.*clear",
]

SECURITY_TOOL_DISABLE = [
    r"(Stop|Disable)-Service.*(Windows Defender|WinDefend|MsMpSvc)",
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true",
    r"sc\s+(stop|delete)\s+(WinDefend|MsMpSvc|Sense)",
    r"netsh\s+advfirewall\s+set\s+.*state\s+off",
    r"reg\s+add.*DisableAntiSpyware.*1",
    r"taskkill.*/im\s+(MsMpEng|avp|avgui|mbam)",
]

AMSI_BYPASS_PATTERNS = [
    r"amsi(Init|Scan)Buffer",
    r"AmsiUtils",
    r"amsiContext",
    r"[Ref].Assembly.GetType.*AMSI",
]


def analyze_evtx_for_evasion(filepath):
    if evtx is None:
        return {"error": "python-evtx not installed: pip install python-evtx"}
    findings = []
    with evtx.Evtx(filepath) as log:
        for record in log.records():
            xml = record.xml()
            event_id_match = re.search(r'<EventID[^>]*>(\d+)</EventID>', xml)
            if not event_id_match:
                continue
            event_id = int(event_id_match.group(1))
            time_match = re.search(r'SystemTime="([^"]+)"', xml)
            timestamp = time_match.group(1) if time_match else ""

            if event_id == 1102:
                findings.append({
                    "event_id": 1102, "timestamp": timestamp,
                    "severity": "CRITICAL", "mitre": "T1070.001",
                    "description": "Security audit log was cleared",
                })

            if event_id == 2:
                findings.append({
                    "event_id": 2, "timestamp": timestamp,
                    "severity": "HIGH", "mitre": "T1070.006",
                    "description": "File creation time modified (timestomping)",
                })

            if event_id == 8:
                source = re.search(r'<Data Name="SourceImage">([^<]+)', xml)
                target = re.search(r'<Data Name="TargetImage">([^<]+)', xml)
                findings.append({
                    "event_id": 8, "timestamp": timestamp,
                    "source": source.group(1) if source else "",
                    "target": target.group(1) if target else "",
                    "severity": "HIGH", "mitre": "T1055",
                    "description": "CreateRemoteThread detected (process injection)",
                })

            if event_id in (1, 4688):
                cmdline = re.search(r'<Data Name="CommandLine">([^<]+)', xml)
                if not cmdline:
                    cmdline = re.search(r'<Data Name="NewProcessName">([^<]+)', xml)
                if cmdline:
                    cmd = cmdline.group(1)
                    for pattern in LOG_CLEARING_COMMANDS:
                        if re.search(pattern, cmd, re.IGNORECASE):
                            findings.append({
                                "event_id": event_id, "timestamp": timestamp,
                                "command": cmd[:200], "severity": "CRITICAL",
                                "mitre": "T1070.001",
                                "description": "Log clearing command detected",
                            })
                    for pattern in SECURITY_TOOL_DISABLE:
                        if re.search(pattern, cmd, re.IGNORECASE):
                            findings.append({
                                "event_id": event_id, "timestamp": timestamp,
                                "command": cmd[:200], "severity": "CRITICAL",
                                "mitre": "T1562.001",
                                "description": "Security tool disabling detected",
                            })
                    for pattern in AMSI_BYPASS_PATTERNS:
                        if re.search(pattern, cmd, re.IGNORECASE):
                            findings.append({
                                "event_id": event_id, "timestamp": timestamp,
                                "command": cmd[:200], "severity": "HIGH",
                                "mitre": "T1562.001",
                                "description": "AMSI bypass attempt detected",
                            })
    return findings


def main():
    parser = argparse.ArgumentParser(description="Defense Evasion Detector")
    parser.add_argument("--evtx-file", required=True, help="EVTX file (Sysmon or Security)")
    args = parser.parse_args()

    findings = analyze_evtx_for_evasion(args.evtx_file)
    if isinstance(findings, dict) and "error" in findings:
        results = findings
    else:
        results = {
            "timestamp": datetime.utcnow().isoformat() + "Z",
            "source_file": args.evtx_file,
            "findings": findings,
            "total_findings": len(findings),
            "by_severity": {},
        }
        for f in findings:
            sev = f.get("severity", "UNKNOWN")
            results["by_severity"][sev] = results["by_severity"].get(sev, 0) + 1

    print(json.dumps(results, indent=2))


if __name__ == "__main__":
    main()
process.py7.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Endpoint Evasion Technique Detector

Analyzes Windows event logs (exported as EVTX/CSV) for common defense
evasion techniques mapped to MITRE ATT&CK TA0005.
"""

import json
import csv
import re
import sys
import os
from collections import defaultdict
from datetime import datetime


EVASION_PATTERNS = {
    "T1070.001-log_clearing": {
        "name": "Indicator Removal: Clear Windows Event Logs",
        "severity": "high",
        "patterns": [
            r"wevtutil\s+(cl|clear-log)",
            r"Clear-EventLog",
            r"Remove-EventLog",
        ],
        "event_ids": ["1102", "104"],
    },
    "T1055-process_injection": {
        "name": "Process Injection",
        "severity": "high",
        "sysmon_event_ids": ["8", "10", "25"],
        "patterns": [
            r"VirtualAllocEx",
            r"WriteProcessMemory",
            r"CreateRemoteThread",
            r"NtMapViewOfSection",
        ],
    },
    "T1562.001-disable_security": {
        "name": "Impair Defenses: Disable or Modify Tools",
        "severity": "critical",
        "patterns": [
            r"Set-MpPreference\s+-Disable",
            r"sc\s+(stop|config)\s+(WinDefend|Sense|MBAMService)",
            r"net\s+stop\s+(windefend|sense|csagent)",
            r"DisableAntiSpyware",
            r"DisableRealtimeMonitoring",
        ],
    },
    "T1036-masquerading": {
        "name": "Masquerading",
        "severity": "medium",
        "suspicious_paths": {
            "svchost.exe": r"C:\\Windows\\System32\\svchost\.exe",
            "csrss.exe": r"C:\\Windows\\System32\\csrss\.exe",
            "lsass.exe": r"C:\\Windows\\System32\\lsass\.exe",
            "smss.exe": r"C:\\Windows\\System32\\smss\.exe",
            "services.exe": r"C:\\Windows\\System32\\services\.exe",
        },
    },
    "T1218-lolbin_abuse": {
        "name": "System Binary Proxy Execution",
        "severity": "high",
        "patterns": [
            r"mshta\.exe.*https?://",
            r"mshta\.exe.*javascript:",
            r"certutil\.exe.*-urlcache",
            r"certutil\.exe.*-decode",
            r"regsvr32\.exe.*/s.*/n.*/u.*/i:",
            r"rundll32\.exe.*javascript:",
            r"MSBuild\.exe(?!.*\.(sln|csproj|vbproj))",
            r"installutil\.exe.*/logfile=",
        ],
    },
    "T1070.006-timestomping": {
        "name": "Indicator Removal: Timestomp",
        "severity": "medium",
        "sysmon_event_ids": ["2"],
    },
}


def analyze_sysmon_csv(csv_path: str) -> list:
    """Analyze Sysmon events exported as CSV for evasion techniques."""
    detections = []

    with open(csv_path, "r", encoding="utf-8-sig") as f:
        reader = csv.DictReader(f)
        for row in reader:
            event_id = row.get("Event ID", row.get("EventID", ""))
            message = row.get("Message", row.get("Details", ""))
            command_line = row.get("CommandLine", "")
            image = row.get("Image", row.get("Process Name", ""))
            timestamp = row.get("Date and Time", row.get("TimeCreated", ""))

            full_text = f"{message} {command_line} {image}".lower()

            for technique_id, technique in EVASION_PATTERNS.items():
                detected = False
                detection_detail = ""

                if "event_ids" in technique and event_id in technique["event_ids"]:
                    detected = True
                    detection_detail = f"Event ID {event_id} detected"

                if "sysmon_event_ids" in technique and event_id in technique["sysmon_event_ids"]:
                    detected = True
                    detection_detail = f"Sysmon Event ID {event_id}"

                for pattern in technique.get("patterns", []):
                    if re.search(pattern, full_text, re.IGNORECASE):
                        detected = True
                        detection_detail = f"Pattern match: {pattern}"
                        break

                if "suspicious_paths" in technique and image:
                    image_lower = image.lower()
                    for proc_name, expected_path in technique["suspicious_paths"].items():
                        if proc_name in image_lower:
                            if not re.match(expected_path, image, re.IGNORECASE):
                                detected = True
                                detection_detail = f"Masquerading: {proc_name} from unexpected path {image}"

                if detected:
                    detections.append({
                        "timestamp": timestamp,
                        "technique_id": technique_id.split("-")[0],
                        "technique_name": technique["name"],
                        "severity": technique["severity"],
                        "event_id": event_id,
                        "process": image,
                        "command_line": command_line[:300],
                        "detail": detection_detail,
                        "host": row.get("Computer", row.get("host", "")),
                    })

    return detections


def generate_detection_report(detections: list, output_path: str) -> None:
    """Generate evasion detection report."""
    by_technique = defaultdict(list)
    by_severity = defaultdict(int)
    by_host = defaultdict(int)

    for d in detections:
        by_technique[d["technique_id"]].append(d)
        by_severity[d["severity"]] += 1
        by_host[d["host"]] += 1

    report = {
        "report_generated": datetime.utcnow().isoformat() + "Z",
        "total_detections": len(detections),
        "summary": {
            "by_severity": dict(by_severity),
            "by_technique": {k: len(v) for k, v in by_technique.items()},
            "by_host": dict(by_host),
        },
        "detections": detections[:200],
    }

    with open(output_path, "w", encoding="utf-8") as f:
        json.dump(report, f, indent=2)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python process.py <sysmon_events.csv>")
        print()
        print("Analyzes exported Sysmon/Windows event logs for defense evasion techniques.")
        sys.exit(1)

    csv_path = sys.argv[1]
    if not os.path.exists(csv_path):
        print(f"Error: File not found: {csv_path}")
        sys.exit(1)

    print("Analyzing endpoint logs for evasion techniques...")
    detections = analyze_sysmon_csv(csv_path)

    base = os.path.splitext(os.path.basename(csv_path))[0]
    out_dir = os.path.dirname(csv_path) or "."

    report_path = os.path.join(out_dir, f"{base}_evasion_report.json")
    generate_detection_report(detections, report_path)
    print(f"Detection report: {report_path}")

    print(f"\n--- Evasion Detection Summary ---")
    print(f"Total detections: {len(detections)}")

    severity_counts = defaultdict(int)
    technique_counts = defaultdict(int)
    for d in detections:
        severity_counts[d["severity"]] += 1
        technique_counts[d["technique_id"]] += 1

    for sev in ["critical", "high", "medium", "low"]:
        if severity_counts[sev]:
            print(f"  {sev.upper()}: {severity_counts[sev]}")

    if technique_counts:
        print(f"\nBy technique:")
        for tid, count in sorted(technique_counts.items(), key=lambda x: -x[1]):
            print(f"  {tid}: {count}")

Assets 1

template.mdtext/markdown · 0.8 KB
Keep exploring