Symantec™ Endpoint Detection and Response Threat Hunting Guide

2020. 6. 1.


Table of Contents

Copyright statement ..... 3
Introduction ..... 4
  About this guide ..... 4
Finding threats ..... 5
  Finding suspicious behavior ..... 5
  Finding suspicious processes ..... 5
  Finding suspicious network connections ..... 9
  Finding suspicious registry changes ..... 10
  Finding attempts to discover vulnerabilities ..... 11
  Finding compliance and configuration vulnerabilities ..... 11
  Finding Java malware, trojans, and exploits ..... 11
  Finding attempts to deliver malicious code ..... 12
  Finding threat campaign activity ..... 12
Database search and filtering methods ..... 12
Event Summary Type IDs ..... 19


Copyright statement

Copyright ©2020 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) are for your informational purposes only and are subject to change or withdrawal by Broadcom at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of Broadcom. This Documentation is confidential and proprietary information of Broadcom and may not be disclosed by you or used for any purpose other than as may be permitted in a separate confidentiality agreement between you and Broadcom.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all Broadcom copyright notices and legends are affixed to each reproduced copy.

The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to Broadcom that all copies and partial copies of the Documentation have been returned to Broadcom or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW OR AS AGREED BY BROADCOM IN ITS APPLICABLE LICENSE AGREEMENT, BROADCOM PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL BROADCOM BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF BROADCOM IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is Symantec, a Broadcom Company.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.


Introduction

About this guide

This guide provides guidance, including query examples and use cases, to help you find threats to your network. The information provided is not intended to be an exhaustive compendium — the subject domain is too large for a single document. It does, however, provide a foundation for learning the methods and techniques to use Symantec EDR to hunt down threats.

The MITRE™ organization provides extensive details about the cyber threats that pose dangers to your network. For more information, view the MITRE Enterprise Matrix for the tactics and techniques that make up MITRE ATT&CK®.

The searches that you'll perform in this guide are done in the EDR appliance console on the Search > Database > Events tab.

When you type or paste a text-based query into the Database > Events search field, its validity is checked immediately. If the query is valid, a green check mark appears. If there is a problem with the query, an error appears.

As soon as you click the search icon (magnifying glass) at the end of the search field, the query string is converted to tokens.

To clear the search field, click Clear Filter Query.

Many of the queries in this guide are composed with a type_id. See Event Summary Type IDs for a list of the type_id values and their descriptions.


Finding threats

Finding suspicious behavior

Find command line arguments matching Regex

See Database search and filtering methods for more information about Regex-based event searches.

type_id:8001 AND operation:1 AND process.cmd_line:[REGEX]

Find unusual user logins or lateral movement

This query is used when systems are compromised and credentials are stolen. The hackers will use those accounts to move around the organization or create other accounts with privileges. These can be identified by looking for unusual login activity with stolen accounts or by looking for new accounts that have been created.

Add the session.user.name field as a column, then look in Selected Fields to see the counts for each user account that's used to log in to the computer.

type_id:8000 AND device_name:[hostname]

Finding suspicious processes

Find any instances of discovery tools on an endpoint

Attackers can use a common reconnaissance tool to launch one or more processes to compromise hosts in your network. Use this query to find any instances where these common tools are present on a host.

type_id:8001 AND operation:1 AND
(process.file.name:net.exe OR
process.file.name:ipconfig.exe OR
process.file.name:whoami.exe OR
process.file.name:quser.exe OR
process.file.name:ping.exe OR
process.file.name:netstat.exe OR
process.file.name:tasklist.exe OR
process.file.name:Hostname.exe OR
process.file.name:at.exe)


Find any obfuscated PowerShell commands

Malicious PowerShell commands can be obfuscated using a number of techniques such as string concatenation and string manipulation.

process.file.name:powershell.exe AND
operation:1 AND
(obfuscated.cmd_uses_concat_obfuscation:true OR
obfuscated.cmd_uses_reorder_obfuscation:true OR
obfuscated.cmd_uses_tick_obfuscation:true)

Find any powershell.exe downloads

Known trusted processes such as PowerShell are used during attacks to download additional exploit tools.

event_actor.file.name:powershell.exe AND
(type_id:8007 OR
(type_id:8003 AND operation:1))

Find any encoded PowerShell commands

Another common use of PowerShell is during the lateral movement phase of the attack, allowing a threat to execute code on a remote computer inside the network. PowerShell can also download and execute commands directly from memory, making it hard for you to trace the infection.

Encoding converts a command line to a base64 version. There are legitimate reasons to do this; most commonly because PowerShell can handle certain characters that Cmd.exe cannot. Attackers use encoding to obfuscate the actual intent of the command. These queries find any PowerShell instances that have a base64 encoded command line.

process.file.name:powershell.exe AND
operation:1 AND
(process.cmd_line:"*-enc*" OR
process.cmd_line:"*encoded*")

Fileless attacks using wscript to launch a malicious VBS or JavaScript

Wscript can be used to launch malicious scripts that can be used for fileless attacks. This is common when scripts are launched from office documents. Look for VBS or JavaScript scripts executed from directories such as download, temp, data and internet history. These are not typical locations for VBS or JavaScript execution.

process.file.name:[cscript.exe OR wscript.exe] AND
process.cmd_line:[vbs OR js]


Find any Windows Background Intelligent Transfer Service (BITS) transfers

The Windows Background Intelligent Transfer Service (BITS) can be used to transfer malicious binaries between computers.

process.file.name:bitsadmin.exe AND
(process.cmd_line:"*/transfer*" OR
process.cmd_line:"*Addfile*")

List the processes that run from unusual locations

NOTE

Attacks that run processes and binaries from unusual or unexpected locations fall under the threat category called Masquerading. A general overview of masquerading attacks is provided by https://attack.mitre.org/techniques/T1036/.

Malware that injects itself in memory will sometimes place its file in an unusual location. Processes are expected to run from certain locations, such as Program Files, Program Files (x86), and their child directories. Processes running from other locations should be treated as potentially malicious and should be examined for their threat potential.

process.file.name:/.*exe/ AND
-process.file.folder:/.*windows.*/ AND
-process.file.folder:/.*program.*/ AND
operation:1

List the processes that run from the Recycle bin

Attackers can try to hide a malicious process by running it from the Recycle bin. Processes running from the Recycle bin are obviously highly suspicious.

type_id:8001 AND
operation:1 AND
process.file.path:"recycle.bin"

List the processes that run from browser file paths

Attackers can try to hide a malicious process by using a name that's similar to the name of a legitimate service, and running it from the browser file path.

type_id:8001 AND
operation:1 AND
process.file.path:["Temporary Internet Files" OR
"AppData\\Local\\Mozilla\\Firefox\\Profiles" OR
"AppData\\Local\\Google\\Chrome" OR
"Downloads"]


List the processes that run from User Profile file paths

Attackers can try to hide a malicious process by using a name that's similar to the name of a legitimate service, and running it from the user file path.

type_id:8001 AND
operation:1 AND
process.file.normalized_path:CSIDL_PROFILE

List the running service binaries that are not in the System32 directory

A common attack vector is to run binaries from locations other than System32.

(type_id:8001 AND operation:1) AND
event_actor.file.name:services.exe AND
-process.file.normalized_path:CSIDL_SYSTEM

List the executables that run from locations other than the Windows or Program Files directories

type_id:8001 AND operation:1 AND
-process.file.folder:["windows" OR "Program Files"]

Find the instances of Svchost where the parent process is not services.exe

Services is always the parent process of Svchost. If there is a different parent process, it could mean that it is malware.

type_id:8001 AND operation:1 AND
process.file.name:svchost.exe AND
-event_actor.file.name:services.exe
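The process hunts above (discovery tools, base64-encoded PowerShell, svchost parentage, and processes outside the Windows and Program Files trees) expressed as detection logic over a handful of constructed process-start events, as an added Python example that is not part of the guide. The event layout mirrors the guide's field names (type_id 8001, operation 1, process.file.name, process.file.folder, process.cmd_line, event_actor.file.name); the hostnames, the sample events and the decoding of -enc payloads for analyst triage are this example's own assumptions:

```python
import base64
import re

# Tool names from the guide's discovery-tools query, lower-cased here for
# comparison. Keyword fields in the console are case-sensitive, which is why
# the guide spells "Hostname.exe" as it is logged.
DISCOVERY_TOOLS = {
    "net.exe", "ipconfig.exe", "whoami.exe", "quser.exe", "ping.exe",
    "netstat.exe", "tasklist.exe", "hostname.exe", "at.exe",
}

# The guide's -process.file.folder:/.*windows.*/ and /.*program.*/ exclusions.
EXPECTED_FOLDER_PATTERNS = (re.compile(r".*windows.*"), re.compile(r".*program.*"))

# "-enc ..." / "-EncodedCommand ..." / "encoded ..." followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:-enc\w*|encoded)\s+([A-Za-z0-9+/=]+)")


def make_event(name, folder, cmd_line, parent, operation=1, device="ws01"):
    """Build one constructed process event in the guide's field layout."""
    return {
        "type_id": 8001, "operation": operation, "device_name": device,
        "process": {"file": {"name": name, "folder": folder}, "cmd_line": cmd_line},
        "event_actor": {"file": {"name": parent}},
    }


def encoded_powershell_cmd(script):
    """Constructed -enc command line: PowerShell expects base64 over UTF-16LE."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoP -enc " + blob


# Constructed sample events; none of this is real telemetry.
SAMPLE_EVENTS = [
    make_event("whoami.exe", "c:\\windows\\system32", "whoami /all", "cmd.exe"),
    make_event("powershell.exe", "c:\\windows\\system32\\windowspowershell\\v1.0",
               encoded_powershell_cmd("Get-Process"), "winword.exe"),
    make_event("svchost.exe", "c:\\users\\bob\\appdata\\local\\temp",
               "svchost.exe -k netsvcs", "explorer.exe", device="ws02"),
    make_event("svchost.exe", "c:\\windows\\system32", "svchost.exe -k netsvcs",
               "services.exe", device="ws02"),
    make_event("updater.exe", "c:\\program files\\vendor", "updater.exe /check", "services.exe"),
    # A process-terminate event (operation 2): every hunt below must ignore it.
    make_event("whoami.exe", "c:\\windows\\system32", "whoami", "cmd.exe", operation=2),
]


def is_process_start(ev):
    return ev["type_id"] == 8001 and ev["operation"] == 1


def hunt_discovery_tools(events):
    return [ev for ev in events if is_process_start(ev)
            and ev["process"]["file"]["name"].lower() in DISCOVERY_TOOLS]


def hunt_encoded_powershell(events):
    """Return (event, decoded script) pairs. A payload that does not decode is
    still reported, with None, since malformed encodings deserve a look too."""
    hits = []
    for ev in events:
        if not is_process_start(ev) or ev["process"]["file"]["name"].lower() != "powershell.exe":
            continue
        m = ENCODED_FLAG.search(ev["process"]["cmd_line"])
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = None
        hits.append((ev, decoded))
    return hits


def hunt_svchost_parent(events):
    """svchost.exe whose parent is anything other than services.exe."""
    return [ev for ev in events if is_process_start(ev)
            and ev["process"]["file"]["name"].lower() == "svchost.exe"
            and ev["event_actor"]["file"]["name"].lower() != "services.exe"]


def hunt_unusual_location(events):
    """Executables started from outside the Windows and Program Files trees."""
    out = []
    for ev in events:
        if not is_process_start(ev):
            continue
        name = ev["process"]["file"]["name"].lower()
        folder = ev["process"]["file"]["folder"].lower()
        if name.endswith("exe") and not any(p.match(folder) for p in EXPECTED_FOLDER_PATTERNS):
            out.append(ev)
    return out


def run_hunts(events):
    """Map hunt name -> list of (device, process name) for reporting."""
    def summarize(evs):
        return [(ev["device_name"], ev["process"]["file"]["name"]) for ev in evs]
    return {
        "discovery_tools": summarize(hunt_discovery_tools(events)),
        "encoded_powershell": summarize([ev for ev, _ in hunt_encoded_powershell(events)]),
        "svchost_bad_parent": summarize(hunt_svchost_parent(events)),
        "unusual_location": summarize(hunt_unusual_location(events)),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunts(SAMPLE_EVENTS).items():
        print(f"{hunt}: {hits}")
```

Each hunt first filters on type_id 8001 and operation 1, exactly as the guide's queries do, so process-terminate events never produce false hits; the decoded script is returned alongside the event only to speed up triage of what the encoded command actually was.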

Display a specified service name

NOTE

The query below is the event search. You might want to just search for the file entity.

(process.file.name:<ENTER_SERVICE_NAME> AND type_id:8001 AND operation:1)

List all CreateService events

enriched_data.rule_name:[eModifyExistingService OR
eNewService]


List non-System32 binaries running as a hosted service

To perform this search, in the EDR appliance console, go to Search > Database > Endpoint.

First, execute a search to get all registry values matching the service DLL:

reg_value.path:"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*\\Parameters" AND
reg_value.name:ServiceDll

Then search the results with:

-reg_value.data:"*SYSTEM32*"

List stopped services and their endpoints

Search the Windows Event Logs for Event IDs 7035 and 7036. To perform this search, in the EDR appliance console, go to Search > Database > Endpoint.

First execute a search to get all matching registry values:

reg_value.path:"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*" AND
reg_value.name:Start

Then search within the results for:

reg_value.data:4

Display when a specific endpoint service has stopped

This is an example that you can alter to return data for the service of interest:

type_id:8001 AND operation:2 AND process.cmd_line:"defragsvc"

Show a list of attachments launched from Outlook that are associated with one of the following document readers: "winword.exe", "excel.exe", or "POWERPNT.exe"

type_id:8001 AND operation:1 AND
event_actor.cmd_line:"*content.outlook*" AND
event_actor.file.name:[winword.exe OR
powerpnt.exe OR excel.exe]

List the links opened from Outlook within a specific time frame

Use the following query to show the events. Add the process.cmd_line field as a column to quickly see the URLs.

event_actor.file.name:outlook.exe AND
process.file.name:[chrome.exe OR
iexplore.exe OR firefox.exe]

Finding suspicious network connections

List the outbound network traffic occurring on non-standard ports

type_id:8007 AND
-target_ip:["192.168.0.0/16" OR
"10.0.0.0/8" OR "172.16.0.0/12" OR
"127.0.0.0/8"] AND
-target_port:[80 OR 443]

NOTE

Insert your own expected internal address prefixes into the "-target_ip:" portion of the query. You must also add any additional remote ports you consider to be non-standard.
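The non-standard-port hunt above, with the note's two tuning knobs (your own internal prefixes and your own list of expected remote ports) as parameters, as an added Python example that is not part of the guide. The connection events are constructed in the guide's field layout (type_id 8007, target_ip, target_port) using documentation address ranges; the hostnames and the handling of an unparsable address are this example's assumptions:

```python
import ipaddress
from collections import Counter

# Internal prefixes the guide's query excludes. Extend this list with your own
# expected internal ranges, as the note says.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]

# Remote ports treated as standard; add any others expected in your environment.
STANDARD_PORTS = {80, 443}

# Constructed network-connection events (type_id 8007); the addresses are
# RFC 5737 / RFC 3849 documentation ranges, not real infrastructure.
SAMPLE_EVENTS = [
    {"type_id": 8007, "device_name": "ws01", "target_ip": "192.168.1.10", "target_port": 8080},
    {"type_id": 8007, "device_name": "ws01", "target_ip": "203.0.113.5", "target_port": 443},
    {"type_id": 8007, "device_name": "ws01", "target_ip": "203.0.113.5", "target_port": 4444},
    {"type_id": 8007, "device_name": "ws02", "target_ip": "10.2.3.4", "target_port": 22},
    {"type_id": 8007, "device_name": "ws02", "target_ip": "198.51.100.7", "target_port": 8443},
    {"type_id": 8007, "device_name": "ws02", "target_ip": "2001:db8::1", "target_port": 8443},
    {"type_id": 8007, "device_name": "ws03", "target_ip": "not-an-ip", "target_port": 9001},
    # Not a connection event: the hunt must ignore it even though the port matches.
    {"type_id": 8001, "device_name": "ws03", "target_ip": "203.0.113.9", "target_port": 4444},
]


def is_internal(ip, prefixes=INTERNAL_PREFIXES):
    """True when ip falls inside one of the excluded internal prefixes.
    An unparsable address is treated as NOT internal, so a malformed record
    surfaces in the hunt instead of being silently dropped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # An IPv6 address is never inside an IPv4 network, so it is not excluded
    # unless you add IPv6 prefixes of your own.
    return any(addr in net for net in prefixes)


def is_nonstandard_outbound(ev, prefixes=INTERNAL_PREFIXES, ports=STANDARD_PORTS):
    """Mirror of the guide's query: a connection event whose target is neither
    an internal address nor a standard port."""
    return (ev.get("type_id") == 8007
            and not is_internal(ev.get("target_ip", ""), prefixes)
            and ev.get("target_port") not in ports)


def hunt_nonstandard_outbound(events, prefixes=INTERNAL_PREFIXES, ports=STANDARD_PORTS):
    """(target_ip, target_port) pairs, in event order, that match the hunt."""
    return [(ev["target_ip"], ev["target_port"]) for ev in events
            if is_nonstandard_outbound(ev, prefixes, ports)]


def destination_counts(events, prefixes=INTERNAL_PREFIXES, ports=STANDARD_PORTS):
    """Hit counts per destination, the summary you would otherwise read from
    Selected Fields after adding target_ip and target_port as columns."""
    return Counter(hunt_nonstandard_outbound(events, prefixes, ports))


if __name__ == "__main__":
    for dest, n in destination_counts(SAMPLE_EVENTS).most_common():
        print(f"{dest[0]}:{dest[1]} x{n}")
    # Tuning as the note describes: treat 203.0.113.0/24 as internal and 8443 as standard.
    tuned = hunt_nonstandard_outbound(
        SAMPLE_EVENTS,
        prefixes=INTERNAL_PREFIXES + [ipaddress.ip_network("203.0.113.0/24")],
        ports=STANDARD_PORTS | {8443})
    print("after tuning:", tuned)
```

Because the guide's exclusions are IPv4-only, an IPv6 destination always passes the address filter; the IPv6 sample above shows that, and is the reason to add your own IPv6 prefixes if your hosts use them.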

List all Remote Desktop Protocol (RDP) connections on a specified endpoint

type_id:8007 AND
(source_port:3389 OR target_port:3389) AND
device_name:<HOSTNAME>

For enriched events:

enriched_data.rule_name:eRemoteDesktopProtocol AND
device_name:<HOSTNAME>

Finding suspicious registry changes

Display persistence (Run Key)

Adds:

enriched_data.category_name:"Load Point Modification" AND operation:1

Changes:

enriched_data.category_name:"Load Point Modification" AND operation:2

Deletes:

enriched_data.category_name:"Load Point Modification" AND operation:3


Finding attempts to discover vulnerabilities

Find the attempts to list users or groups using net.exe commands

type_id:8001 AND operation:1 AND process.file.name:net.exe AND
(process.cmd_line:/.*user.*/ OR process.cmd_line:/.*group.*/) AND
-process.cmd_line:/.*user:.*/

Finding compliance and configuration vulnerabilities

List the web servers or database processes running under a Local System account

process.file.name:[w3wp.exe OR sqlservr.exe OR
httpd.exe OR nginx.exe] AND
(type_id:8001 AND operation:1) AND
process.user.name:SYSTEM

Finding Java malware, trojans, and exploits

List the .JAR files written to %AppData%

type_id:8003 AND operation:1 AND
file.name:/.*\.jar/ AND file.folder:"*\\appdata\\roaming*"

List the JAR files running from the %AppData% folder

type_id:8001 AND operation:1 AND
process.cmd_line:/.*\.jar/ AND
process.cmd_line:"*\\appdata\\roaming*"

List the Java.exe process that's writing executable files:

type_id:8003 AND operation:1 AND
file.family_id:3 AND event_actor.file.name:java.exe


Find the child process of "whoami" spawning under the Java.exe process

event_actor.file.name:java.exe AND
process.file.name:whoami.exe

Finding attempts to deliver malicious code

Find a Word document attachment containing a clicked link followed by a browser download

Malware is often delivered in documents that contain links that initiate downloads from malicious sites, for instance, a link in a Word document.

This search can also be used as a template to search email attachments, browser downloads, and searches that join multiple events by time.

event_actor.file.name:winword.exe AND process.file.name:chrome.exe

NOTE

Edit as needed for other document readers and other browsers.

Finding threat campaign activity

Retrieve the last 30 days of network connections to known Dofoil NameCoin servers

type_id:8007 AND target_ip:["139.59.208.246" OR
"130.255.73.90" OR "31.3.135.232"]

Database search and filtering methods

Symantec Endpoint Detection and Response provides several methods to search for and filter data. Search and filtering methods lists and briefly describes each method. Click the method name to see the query syntax and examples for the method.

NOTE

Do not use "=" in database queries. Use ":" instead.

Table 1: Search and filtering methods

Method | Description
Quick filters | Predefined filters for commonly sought data.
Freeform | Returns or excludes data based solely on a value, regardless of the field(s) the value appears with.
Exact match | Returns or excludes data matching the exact field names and their values.
Ranged | Returns or excludes data falling between two specified values of a given field.
Regex | Returns or excludes data matching a regular expression. Note: Symantec EDR uses a subset of the Perl regular expression features. See https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html#regexp-syntax for supported features.
Exists | Returns the data based on the presence or absence of a given field.
One-of | Returns or excludes data based on specific values for a given field.
Complex | Two or more of the preceding search methods that when combined can create queries of nearly any complexity.

Example data set

Three records are used for the examples in this section, each with the same fields but with different values. Examples data set lists the records and their data that are used in the examples.

NOTE

A hyphen ("-") indicates that the field is not present in the record.

Table 2: Examples data set

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file

Quick filters

Quick filters are predefined searches for commonly sought detections and data. The available quick filters depend on the type of search you perform; database, entities, endpoint, and so on. The available quick filters for a given search type appear in the Add Filter dialog. You can select quick filters from the pop-up dialog, or you can manually enter the name of a quick filter into the search-filter bar.

See Search and Logging features and functions in the console.

NOTE

Quick filters are not supported for Internet Explorer. Use Firefox or Chrome to use quick filter functionality.

Syntax

quick:"<quick_filter_value>"

NOTE

The value for the quick filter must be enclosed in quotes.

Example

Query: quick:"Get File"

Table 3: Results for the quick filter query: quick:"Get File"

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] | Cambridge, OH | - | get_file

Freeform

Freeform searches are "fuzzy" searches; the results are approximate matches based on the query string. The following caveats apply to freeform searches:

• The results reflect any events which contain the specified value.
• Values that contain spaces or colons must be enclosed in quotes.
• Date values do not work within freeform searches. For instance, the following are not allowed:
  – "12:00"
  – "2018-02-22 17:15:31 UTC"
  For time-based searches, see Exact match.
• Data of the type text is case-insensitive. Data of the type keyword is case-sensitive.

Syntax

value_query

Example A

Query: cambridge

Table 4: Results for the freeform query: cambridge

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -

Example B

Query: 41*

Table 5: Results for the freeform query: 41*

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file

Example C

Query: -cambridge

The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain a value of cambridge in any field.

Table 6: Results for the freeform query: -cambridge

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
No result | No result | No result | No result | No result

Exact match

The exact-match search method returns only those records that precisely match the field:value parameters that you enter.

Syntax: field:value

The following caveats apply for the exact-match search:

• Fields are case-sensitive.
• Values that contain spaces or colons must be enclosed in quotes.

Example A

Query: type_id: 4118

Table 7: Results for the exact-match query type_id: 4118

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -

Example B

Query: location:"Cambridge, CA"

Table 8: Results for the exact-match query location:"Cambridge, CA"

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -

Example C

Query: -type_id: 4118

The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain a value of "4118" in the "type_id" field.

Table 9: Results for the exact-match query -type_id: 4118

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file

Ranged

Ranged searches let you search for the values that appear within a given numeric range.

Syntax: field:{<gte> TO <lte>}

<gte> = "greater than or equal to", and <lte> = "less than or equal to." Replace either <gte> or <lte> with '*' to indicate no lower or upper bound. For example, {* TO *} returns all values for the field.

NOTE

Regex is not supported for <gte> or <lte> elements. For instance, age:{3 TO 10} works, but age:{10 TO 3*} does not.

Example A

Query: type_id: {4000 TO *}

Table 10: Results for the ranged query: type_id: {4000 TO *}

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file

Example B

Ranged queries also work with text. Text is tested lexically (progressive alphabetizing) for inclusion in the range.

Query: location: {"Cambridge, CA" TO "Cambridge, OH" }

Table 11: Results for the ranged query: location: {"Cambridge, CA" TO "Cambridge, OH" }

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file

Example C

Query: -type_id: {* TO 4118}

The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain the values ranging from "0 to 4118" in the "type_id" field.

Table 12: Results for the ranged query: -type_id: {* TO 4118}

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file

Regex

Regex searches let you use regular expressions to test field values for inclusion in the search results.


NOTE

Symantec EDR uses a subset of the Perl regex features. See https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html#regexp-syntax for supported features.

Regex queries only work on keyword and text fields.

Syntax: field:/<regex_pattern>/

Example A

Query: email_address:/.*some.*/

Table 13: Results for the regex query: email_address:/.*some.*/

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4128 | [email protected] | Cambridge, OH | - | get_file

Example B

Query: email_address:/.*some(one|place).*/

Table 14: Results for the regex query: email_address:/.*some(one|place).*/

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -

Example C

Query: -command_name:/.*/

The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not match the regex command_name:/.*/.

Table 15: Results for the regex query: -command_name:/.*/

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -

Exists

The "exists" query looks for the records that contain (or do not contain) a specific field.

Syntax: exists:field

Example A

Query: exists:command_name

Table 16: Results for the exists query: exists:command_name

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] | Cambridge, OH | - | get_file

Example B

Query: -exists:email_address

The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not include the field email_address.

Table 17: Results for the exists query: -exists:email_address

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -

One-of

One-of searches let you search for different values for a given field.

Syntax: field:[<value> OR <value> ...]

NOTE

You can append additional values to extend the search.

Example A

Query: type_id:[4118]

Table 18: Results for the one-of query: type_id:[4118]

type_id(integer) | email_address(keyword) | location(text) | received_date(date) | command_name(keyword)
4118 | [email protected] | Cambridge, MA | - | -

Example B

Query: type_id:[4118 OR 4125]

Table 19: Results for the one-of query: type_id:[4118 OR 4125]

type_id(integer) | email_address(keyword) | location(text) | received_date(date) | command_name(keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -

Example C

Query: -type_id:[4118 OR 4125]

The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents whose type_id is neither "4118" nor "4125".

Table 20: Results for the one-of query: -type_id:[4118 OR 4125]

type_id(integer) | email_address(keyword) | location(text) | received_date(date) | command_name(keyword)
4128 | [email protected] | Cambridge, OH | - | get_file

Complex

Complex queries contain two or more of the other search methods.

Syntax: ( <SEARCH_METHOD> <AND | OR> <SEARCH_METHOD> ) ...

NOTE

You can append other search functions (with their fields and values) to achieve any desired level of specificity. Use parentheses to set the order of precedence for the search.

Example

Query: (quick:"Get File" AND -type_id:{4118 TO 4125})

This example combines a quick filter and a ranged query into a single complex query. The minus sign preceding a range inverts the query, so only records whose type_id falls outside the range are returned.

Table 21: Results for the complex query: (quick:"Get File" AND -type_id:{4118 TO 4125})

type_id(integer) | email_address(keyword) | location(text) | received_date(date) | command_name(keyword)
4128 | [email protected] | Cambridge, OH | - | get_file
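As an added example that is not part of the guide, the following Python evaluator applies the regex, exists, one-of, ranged and complex search methods described above to records constructed from the rows in Tables 13 to 21 (the e-mail addresses are invented, since the guide redacts them). It assumes, as in the Lucene syntax the guide follows, that a regex must match the whole field value and that {lo TO hi} excludes its endpoints; AND and OR are applied left to right, so parentheses set precedence. The guide's quick filter is not implemented because its matching rules are not described in this section, so the complex example uses an exists term in its place.

```python
import re

# Constructed sample records modelled on the rows in Tables 13 to 21 (e-mail addresses are made up).
DOCS = [
    {"type_id": 4118, "email_address": "somebody@example.com", "location": "Cambridge, MA"},
    {"type_id": 4125, "location": "Cambridge, CA", "received_date": "2018-03-23T00:00:01.733Z"},
    {"type_id": 4128, "email_address": "someplace@example.com", "location": "Cambridge, OH", "command_name": "get_file"},
]

# Tokens: "(", ")", AND, OR, or a field:value term (optionally "-" prefixed) whose
# value is /regex/, [one-of list], {ranged}, "quoted" or a bare word.
TOKEN = re.compile(r'\(|\)|AND\b|OR\b|-?[\w.]+:(?:/[^/]*/|\[[^\]]*\]|\{[^}]*\}|"[^"]*"|[^\s()]+)')

def atom(term):
    """Predicate for one search method; a leading '-' inverts include to exclude."""
    field, value = term.lstrip("-").split(":", 1)
    if field == "exists":                        # exists:field
        pred = lambda d: value in d
    elif value.startswith("/"):                  # field:/regex/ (the whole value must match)
        rx = re.compile(value[1:-1])
        pred = lambda d: field in d and rx.fullmatch(str(d[field])) is not None
    elif value.startswith("{"):                  # ranged field:{lo TO hi}, endpoints excluded (assumed)
        lo, hi = (int(x) for x in value[1:-1].split(" TO "))
        pred = lambda d: field in d and lo < d[field] < hi
    else:                                        # one-of field:[v OR v ...] or plain field:value
        choices = value.strip('[]"').split(" OR ")
        pred = lambda d: str(d.get(field)) in choices
    return (lambda d: not pred(d)) if term.startswith("-") else pred

def parse(tokens, i=0):
    """expr := operand ((AND|OR) operand)*, left to right; parentheses set precedence."""
    def operand(i):
        if tokens[i] != "(":
            return atom(tokens[i]), i + 1
        inner, i = parse(tokens, i + 1)
        assert tokens[i] == ")", "missing ')'"
        return inner, i + 1
    pred, i = operand(i)
    while i < len(tokens) and tokens[i] in ("AND", "OR"):
        op, (rhs, i) = tokens[i], operand(i + 1)  # default args below freeze this step's operands
        pred = (lambda d, l=pred, r=rhs: l(d) and r(d)) if op == "AND" else (lambda d, l=pred, r=rhs: l(d) or r(d))
    return pred, i

def search(query, docs=DOCS):
    """Return the type_id of every record the query matches, in table order."""
    tokens = TOKEN.findall(query)
    if "".join(tokens).replace(" ", "") != "".join(query.split()):  # the pattern skipped text
        raise ValueError(f"cannot parse query: {query!r}")
    pred, _ = parse(tokens)
    return [d["type_id"] for d in docs if pred(d)]
```

Running the guide's own queries against these records reproduces the rows of Tables 15 to 20, and `type_id:{4118 TO 4125}` returns nothing because both sample endpoints sit on the excluded boundary.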

Event Summary Type IDs

Event Summary data is organized by type_id: description. For example, if you are analyzing Vantage events, this is represented in Symantec EDR as 4113: Vantage Detection.

To learn more about Event Summary field descriptions, see the Symantec™ Endpoint Detection and Response Search Fields Reference Guide.

Table 22: type_ids

Event type and ID number | Description
1: Application Activity | Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search, or the administrator runs a command line interface command (e.g., expand_storage).
20: User Session Audit | Reports user logon and logoff activity at a management console or a managed client.
21: Entity Audit | Reports activity by a managed client, a micro service, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238: Device Control | Reports a device control disabled device.
239: Device Control | Reports a buffer overflow event.
240: Device Control | Reports software protection has thrown an exception.
502: Application Control | Reports agent behavior events.
1000: System Health | Reports any change to a component's health which impacts overall health of the Symantec EDR appliance, software, or hardware. For example "DB Connection failure/success", "Low Disk", or "High CPU".
4096: Reputation Lookup | Reports when a request is made to Symantec Insight or Symantec Mobile Insight for information about the reputation of a file.
4098: Intrusion Prevention | Reports when a Symantec intrusion prevention system detected a possible malicious IPS signature.
4099: Suspicious File Detection | Reports when a suspicious file was detected.
4100: SONAR Detection | Reports when Symantec Online Network for Advanced Response (SONAR) technology detected a new threat.
4102: Antivirus (Endpoint Detection) | Reports when an antivirus was detected on an endpoint. Many 4102 events are recorded
4109: File IoC Event | Reports when an Incident of Compromise (IoC) event occurred on a file.
4110: Network IoC Event | Reports when an Incident of Compromise (IoC) event occurred on a network.
4112: Blacklist (IP/URL/Domain) | Reports when an IP, URL, or Domain was detected that is in a Symantec-provided Blacklist or the Symantec EDR Blacklist.
4113: Vantage Detection | Reports when Symantec Vantage technology detected malicious activity on an endpoint or Vantage signature-based threats were found in the network system.
4115: Insight Detection | Reports when Symantec Endpoint Protection has queried the file reputation server about a file on a managed endpoint or Insight detected malicious activity that occurred in your network.
4116: Mobile Insight | Reports when Symantec Mobile Insight technology detected issues with an Android executable.
4117: Sandboxing Detection | Reports when sandboxing technology observed a malicious file in your network.
4118: Blacklist (file) | Reports when a file was detected that is in a Symantec-provided Blacklist or the Symantec EDR Blacklist.
4123: Endpoint File Detection | Reports when a suspicious file was detected on an endpoint.
4124: Endpoint Detection | Reports when a suspicious IP, URL, or domain was detected on an endpoint. Also reports Application Control and Device Control events.
4125: Email Detection | Reports when suspicious email was detected.
4353: Antivirus (Network) Detection | Reports when an antivirus was detected on a network.
8000: Session Event | Reports when a user attempts a log on or log off, successfully or otherwise.
8001: Process Event | Reports when a process launches, terminates, or opens another process, successful or otherwise.
8002: Module Event | Reports when a process loads or unloads a module.
8003: File Event | Reports operations on file system objects.
8004: Directory Event | Reports operations on directories.
8005: Registry Key Event | Reports actions on Windows registry keys.
8006: Registry Value Event | Reports actions on Windows registry values.
8007: Network Event | Reports attempted network connections, successful or otherwise.
8009: Kernel Event | Reports when an actor process creates, reads, or deletes a kernel object.
8080: Session Query Result | Reports information on existing user sessions.
8081: Process Query Result | Reports information on a running process.
8082: Module Query Result | Reports information on loaded modules.
8083: File Query Result | Reports information on file system objects.
8084: Directory Query Result | Reports directory information.
8085: Registry Key Query Result | Reports information on Windows Registry keys.
8086: Registry Value Query Result | Reports information on Windows Registry values.
8089: Kernel Object Query Result | Reports information on kernel objects.
8090: Service Query Result | Reports information on service queries.
8099: Query Command Errors | Reports information on EOC (Evidence of Compromise) query command errors.
8103: File Remediation | Reports information on file system objects.
8119: File Remediation Errors | Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.
