The author has been publishing a series of articles on creating rules and alerts in the Elastic stack, and this is the fourth installment.
The Elastic stack is a collection of software products for searching, logging, and analyzing data, as well as for creating dashboards and visualizing information.
In this article, the author walks through the steps on how to build a search query to find logs related to a specific executable, in this case, Mimikatz.
By typing the name of the executable into the search query bar, logs from the Windows system where Mimikatz was executed in the past can be found.
These logs are crucial in order to identify the fields that are needed to create an effective alert in the Elastic stack.
Based on this example, a search query is configured that looks for any executable that is launched and spawns another process, where the command-line parameters passed to it reflect a specific behaviour.
This behaviour usually indicates that the executable is performing a specific action on a remote or local system, which could be suspicious from a security analyst's point of view.
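The rule logic described above, as an added example that is not code from the article or from Elastic: the same rule is rendered once as an Elasticsearch bool query and once as a local matcher run over constructed ECS-style process-start events. The ECS field names, the `"::"` command-line marker and the sample events are assumptions made here.

```python
import re

# Constructed ECS-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "mimikatz.exe", "parent": {"name": "cmd.exe"},
                 "command_line": 'mimikatz.exe "module::action" exit'}},
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "notepad.exe", "parent": {"name": "explorer.exe"},
                 "command_line": "notepad.exe report.txt"}},
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "mimikatz.exe", "parent": {"name": "cmd.exe"},
                 "command_line": "mimikatz.exe"}},  # launched with no arguments
]

RULE = {
    "process_names": ["mimikatz.exe"],  # executable name from the article's example
    "cmdline_marker": "::",             # assumption: module::command argument syntax
}

def get(doc, path):
    """Return a dotted-path field from a nested ECS document, or None if absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def to_es_query(rule):
    """Render the rule as the Elasticsearch bool query an alert would run."""
    return {"query": {"bool": {"filter": [
        {"term": {"event.category": "process"}},
        {"term": {"event.type": "start"}},
        {"terms": {"process.name": rule["process_names"]}},
        {"exists": {"field": "process.parent.name"}},      # spawned by another process
        {"wildcard": {"process.command_line": "*" + rule["cmdline_marker"] + "*"}},
    ]}}}

def matches(doc, rule):
    """Evaluate the same rule locally on one document, mirroring to_es_query()."""
    return (get(doc, "event.category") == "process"
            and get(doc, "event.type") == "start"
            and (get(doc, "process.name") or "").lower() in rule["process_names"]
            and get(doc, "process.parent.name") is not None
            and rule["cmdline_marker"] in (get(doc, "process.command_line") or ""))

def find_hits(events, rule):
    """Return the command lines of every event the rule would alert on."""
    return [get(e, "process.command_line") for e in events if matches(e, rule)]
```

The third sample event shows why the command-line clause matters: the same executable launched without arguments is not reported, which is exactly the gap a name-only search leaves.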