
I am trying to create a scoring Jupyter Notebook for Windows processes, and I was wondering what information I would need to generate a basic score for each process running on a Windows machine.

  1. For the information retrieval I will be using a .bat (WMIC) script or PowerShell.
  2. For the parsing I will be using a Python Notebook on Jupyter.
  3. For storing and visualisations I will be using Elasticsearch and Kibana.

My question is about the first step, since I am looking for what information I need to generate the score for each process, like:

  • A process whitelist
  • A process blacklist
  • Hash verification
  • Signature verification
  • Process size in bytes

Do you think I need more information? And what is it exactly, and why?

Hilo21
  • The techniques you want to use (Jupyter, PowerShell...) are irrelevant for this question. What would be important though (and what is missing) would be an explanation of what your score should actually represent. And if this is clear you can ask which features of the process and maybe of the environment contain the details useful to your score. Given that this might be more than you might easily get your hands on, you also need to describe what your abilities regarding getting features are. – Steffen Ullrich Jan 18 '19 at 12:46
  • First I will create a script (PowerShell or .bat) that retrieves these properties I asked about. The script will be executed on remote machines of clients that will not grant us visibility on their endpoints. After that we will receive the zipped file containing the information we need in different formats (.txt, .csv). These files will be parsed and analyzed using a Jupyter Notebook and some basic visualisations. The Elasticsearch and Kibana part will be integrated later in this project. – Hilo21 Jan 18 '19 at 13:05
  • Hope it is more clear now. – Hilo21 Jan 18 '19 at 13:06
  • The score should show analysts where to look. We receive daily files containing information about running processes generated using the WMIC tool. The goal is to make it easy for analysts to analyze, and to point them to the suspicious ones in a nice clean interface using interactive visualizations (Jupyter). – Hilo21 Jan 18 '19 at 13:10
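One way to turn the features the question lists (whitelist, blacklist, hash check, signature check, size) into a per-process score in the Python notebook stage. This is an added example, not code from the asker or the commenters; the CSV column names, the allow/deny lists, the hash sets, the size ranges and the weights are all constructed assumptions, and the `Signed` column is assumed to have been produced by the collection script (for instance from `Get-AuthenticodeSignature` in PowerShell). The example goes slightly beyond the question's list by checking an allowlisted name against its expected directory, since a name-only whitelist is satisfied by any same-named binary in another folder.

```python
"""Basic per-process risk score over a WMIC/PowerShell-style process export.

Added example for this question; every list, hash, weight and column name
below is a constructed assumption, not data from any real environment.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample export. Columns resemble a Get-Process/WMIC dump plus a
# Signed flag assumed to be computed by the collection script.
SAMPLE_CSV = r"""Name,ExecutablePath,SHA256,Signed,WorkingSetSize
svchost.exe,C:\Windows\System32\svchost.exe,aaaa1111,True,22000000
svchost.exe,C:\Users\Public\svchost.exe,bbbb2222,False,22000000
chrome.exe,C:\Program Files\Google\Chrome\Application\chrome.exe,cccc3333,True,320000000
unknown_tool.exe,C:\Temp\unknown_tool.exe,dddd4444,False,1500000
helper.exe,C:\Users\alice\AppData\Local\Temp\helper.exe,eeee5555,False,900000000
"""

# Allowlist: name -> directory it is expected to run from (constructed).
ALLOWLIST = {
    "svchost.exe": r"c:\windows\system32",
    "chrome.exe": r"c:\program files\google\chrome\application",
}
DENYLIST = {"unknown_tool.exe"}                       # constructed
KNOWN_GOOD_HASHES = {"aaaa1111"}                      # constructed
KNOWN_BAD_HASHES = {"dddd4444"}                       # constructed
# Expected working-set range in bytes per allowlisted name (constructed).
SIZE_RANGES = {
    "svchost.exe": (1_000_000, 80_000_000),
    "chrome.exe": (50_000_000, 2_000_000_000),
}
# Additive risk points; negative values reduce risk. Tune per environment.
WEIGHTS = {
    "denylist": 50, "bad_hash": 50, "path_mismatch": 40,
    "unsigned": 20, "size_anomaly": 15, "unknown": 10, "good_hash": -20,
}


@dataclass
class ProcessRecord:
    name: str
    path: str
    sha256: str
    signed: bool
    size: int


@dataclass
class ScoredProcess:
    name: str
    path: str
    score: int
    reasons: list[str] = field(default_factory=list)


def parse_export(text: str) -> list[ProcessRecord]:
    """Parse the CSV export; names/paths are lower-cased for stable matching."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(ProcessRecord(
            name=row["Name"].strip().lower(),
            path=row["ExecutablePath"].strip().lower(),
            sha256=row["SHA256"].strip().lower(),
            signed=row["Signed"].strip().lower() == "true",
            size=int(row["WorkingSetSize"]),
        ))
    return out


def score_process(p: ProcessRecord) -> ScoredProcess:
    """Apply each feature check and return the clamped score with reasons."""
    score, reasons = 0, []
    if p.name in DENYLIST:
        score += WEIGHTS["denylist"]; reasons.append("name on denylist")
    elif p.name in ALLOWLIST:
        # Allowlisted name only counts when it runs from its expected folder.
        if not p.path.startswith(ALLOWLIST[p.name] + "\\"):
            score += WEIGHTS["path_mismatch"]
            reasons.append("allowlisted name outside expected directory")
    else:
        score += WEIGHTS["unknown"]; reasons.append("name not on any list")
    if p.sha256 in KNOWN_BAD_HASHES:
        score += WEIGHTS["bad_hash"]; reasons.append("hash on known-bad list")
    elif p.sha256 in KNOWN_GOOD_HASHES:
        score += WEIGHTS["good_hash"]; reasons.append("hash on known-good list")
    if not p.signed:
        score += WEIGHTS["unsigned"]; reasons.append("no valid signature")
    lo_hi = SIZE_RANGES.get(p.name)
    if lo_hi and not (lo_hi[0] <= p.size <= lo_hi[1]):
        score += WEIGHTS["size_anomaly"]; reasons.append("size outside expected range")
    return ScoredProcess(p.name, p.path, max(score, 0), reasons)


def rank_processes(text: str) -> list[ScoredProcess]:
    """Score every record and return them highest-risk first (stable order on ties)."""
    scored = [score_process(p) for p in parse_export(text)]
    return sorted(scored, key=lambda s: s.score, reverse=True)


if __name__ == "__main__":
    for s in rank_processes(SAMPLE_CSV):
        print(f"{s.score:4d}  {s.name:18s} {s.path}  {'; '.join(s.reasons)}")
```

In a notebook the ranked list would be the table an analyst starts from; the `reasons` field is what makes the score explainable rather than a bare number. The two `svchost.exe` rows show why the expected-directory check matters: both have the same name and size, and only the path and signature separate the system binary from the look-alike in a user-writable folder.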
