Intrusion Detection with Windows Event ID’s

This paper is the best I have ever read on how to build IOC's with Windows Event ID's. I highly recommend you to read it, it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance your detection in your core network this is the document!

The Project Sauron APT

Key takeaways, DNS keeps being an important protocol for exfiltration Process Injection, Memory Persistence, no file trace in disk Living of the land techniques to move laterally They thwarted the attribution process not using twice the same threat infrastructure