Skip to content

Home

Jump to bottom
mvelazc0 edited this page Sep 10, 2018 · 2 revisions

What is Oriana ?

Oriana is an incident response & threat hunting tool that ingests a subset of Windows event logs to provide defenders situational awareness in Windows environments using a friendly and easy to use web interface. Using Oriana, an analyst can quickly respond common questions that arise in an incident response or threat hunting scenario. These questions include but are not limited to:

  • What services have been installed on the environment ? On which endpoints ? When ? What did they execute ?
  • What scheduled tasks have been created on the environment ? On which endpoints ? When ? What did they execute ?
  • Which and how many endpoints has a specific user logged in to locally or remotely ? When ?
  • Which and how many users have logged in to a specific computer locally or remote ? When ?

Oriana also implements a few analytic calculations that can help incident responders and hunters identify outliers and suspicious behavior. These analytics can help a defender identify :

  • Services or tasks that haven been installed on a low number of endpoints ( frequency analysis )
  • Services or tasks that have a random name ( n-gram score )
  • Users with a high number of authentication events
  • Users that have logged in remotely to a large number of hosts
  • Possible lateral movement events / sessions

For more information, see the Analytics section.

How does it work ?

Oriana leverages a PowerShell script that exports certain event logs and some of their fields into a CSV file. The script will generate one CSV file per endpoint its executed on and will write the file to a network share that needs to be previously provisioned. The more endpoints you run the script on, the better the information Oriana will be able to provide.

Currently, Oriana makes use of the following events:

  • 4624: An account was successfully logged on
  • 4625: An account failed to log on
  • 4776: The domain controller attempted to validate the credentials for an account
  • 7045: A Service was installed on the system
  • 4698: A scheduled task was created

Note that these events will have to be enabled on the Audit policy. More information can be found on the Audit policy section.

Why Oriana ?

The Windows event log has a lot of interesting information that can help investigate an incident or hunt for unusual behavior. However, correlating these events across a large number of hosts can be a difficult task without the proper instrumentation. Oriana is a simple and open source option to approach this problem.

Do I need Oriana if I already have a SIEM ?

Organizations that already have SIEM for centralized logging with endpoint events flowing into it can probably implement the same analytics Oriana implements using the SIEM's correlation engine or query language. However, because Oriana is custom built for this purpose, the presentation layer through the Web interface can be easier to read. For more information, see the Analytics section.

Clone this wiki locally