Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
29 lines (17 sloc) 1.31 KB

Finding Known-Bad in Antivirus Logs

Purpose: Identify things that the AV system has found that you particularly care about

Data Required: Endpoint security logs (AV); List of "bad things" to look for.

Collection Considerations:

Analysis Techniques: String matching


If you collect all your endpoint security logs in one place, you can search them for specific strings that correspond to things you're particularly interested in finding. In other words, things you may want to treat as more important than normal alerts the endpoint security tool may already be creating.

Examples of types of strings to look for:

  • Known webshell filenames
  • Anything running under a system directory (%WINDOWS%, %RECYCLER%) or other unusual locations (the webroot)
  • AV "street names" you are concerned about
  • Packed executables (if this information is logged)
  • Known attacker tools (cred dumpers, scanners, etc)
  • Any detection with the string "dropper" in the name

More Info