This article introduces an engine we have designed to match signatures in Windows events. My motivations were driven by some observations done after several analysis I have been running. The first observation is that Windows OS has hundreds of different event logs. Some event logs can simply characterize that something is going wrong on a system while some others are clearly the signature of a compromise. The two previous observations make the study of the Windows very important and sometime decisive. If you have the proper events enabled you can easily reconstruct 80% of the story. On the other hand, it can be very hard to find relevant information in this large amount of events. Another issue I noticed is that sometimes the indication of a compromise is a very specific event that I never heard about. One conclusion out of these observations is that some Windows events are IOCs and I was not aware of any efficient way to check my Windows events. The other deduction was that there was no mean of sharing the knowledge about those IOCs. This is where my adventure began to develop both a rule format and an engine that anyone could use to share and match signatures against Windows events.

The rule format

Before designing the engine, I wanted to define the rules' format. One of the prerequisites I imposed to myself was to make the rules as straightforward as possible for both writing and understanding. Since I think that any incident responder must know Yara, I directly thought about having a rule format close to the one of Yara but adapted to my application. However, I also wanted to avoid any additional layer of parsing, so I chose to encode the rules within JSON objects. This choice would also make the format easily parsable by any programing language since JSON is heavily supported.

The engine