I published the following diary on isc.sans.edu: “Hunting for Suspicious Processes with OSSEC”:
Here is a quick example of how OSSEC can help with threat hunting. OSSEC is a free host-based security monitoring and log management platform with many features for detecting malicious activity on a live system, such as the rootkit detection and syscheck (file integrity) modules. Here is an example of rules that can be deployed to track malicious processes running on a host (it can be seen as an extension of the existing rootkit detection features). What do I mean by malicious processes? Think about crypto miners. There are plenty of suspicious processes that can be extracted from malicious scripts… [Read more]
Please share! 😉
I’m always interested in new ideas.
There is also a possibility to implement a search for newly executed binaries.
I have some ideas on how to do that with OSSEC.
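The following is an added illustration of the approach described in the diary excerpt above and of the "new binary" idea raised in the comment; it is not the diary's own rule set or anything from the OSSEC project. It assumes a Linux agent with a GNU `ps`, that the built-in rule 530 (the parent of all `ossec: output:` events) is loaded, and that the rule ids 100200-100203, the aliases `proclist`/`procset` and the collection intervals are free to use. OSSEC runs the `full_command` through a shell and delivers the whole output as a single event, so a child rule fires once per collection cycle; the `<check_diff />` rule compares each run with the previous one and alerts when the (PID-free, sorted) set of user/binary pairs changes, which is one way to surface a newly executed binary.

```xml
<!-- ossec.conf (agent side): collect the process list periodically.
     Two collectors: a detailed one for name matching, and a PID-free,
     sorted one so that check_diff only reacts to a new user/binary pair
     rather than to every PID change. Intervals are arbitrary choices. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>ps -eo user,pid,ppid,comm,args --no-headers</command>
    <alias>proclist</alias>
    <frequency>120</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>ps -eo user,comm --no-headers | sort -u</command>
    <alias>procset</alias>
    <frequency>300</frequency>
  </localfile>
</ossec_config>

<!-- local_rules.xml (server side). Ids 100200-100203 are assumed free.
     Rule 530 is OSSEC's stock parent rule for "ossec: output:" events. -->
<group name="ossec,process_hunting,">

  <!-- Level 0: the periodic process list itself is not an alert. -->
  <rule id="100200" level="0">
    <if_sid>530</if_sid>
    <match>ossec: output: 'proclist'</match>
    <description>Periodic process list collected.</description>
  </rule>

  <!-- Known miner binaries / pool client names. OSSEC uses its own
       regex dialect (not PCRE): '|' is alternation, '.' matches any
       character, so keep the tokens plain and distinctive. -->
  <rule id="100201" level="12">
    <if_sid>100200</if_sid>
    <regex>xmrig|minerd|cpuminer|kdevtmpfsi|kinsing|stratum</regex>
    <description>Suspicious process: possible crypto miner running.</description>
  </rule>

  <!-- Binaries executed from locations a service normally never runs from
       (world-writable temp dirs). '\p' matches a punctuation character. -->
  <rule id="100202" level="10">
    <if_sid>100200</if_sid>
    <regex>/tmp/|/var/tmp/|/dev/shm/</regex>
    <description>Process executed from a temporary directory.</description>
  </rule>

  <!-- Level 7: the set of user/binary pairs changed since the last run,
       i.e. something new started (or stopped). check_diff stores the
       previous output per rule and agent and alerts only on a change. -->
  <rule id="100203" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'procset'</match>
    <check_diff />
    <description>Set of running binaries changed on host (new process?).</description>
  </rule>

</group>
```

Two caveats a practitioner will want to keep in mind. First, because `full_command` output is one event, rule 100201 tells you that a miner-like token appears somewhere in the list, not which line matched; the full log attached to the alert carries the whole `ps` output, so the offending line has to be read from there. Second, `<check_diff />` on a process set is noisy on hosts with short-lived jobs (cron, package managers); the PID-free `sort -u` collector reduces that noise but does not remove it, so on busy systems it is better used as a hunting signal to review than as a paging alert.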