Velocidex / velociraptor-docs

Documentation site for Velociraptor

Create Server.Hunt.Comparison.yaml #870

Closed DenKi42 closed 1 week ago

DenKi42 commented 2 months ago

This artifact is used to compare other artifacts from two different hunts. The basic idea is that a baseline (Hunt 1) is created from selected artifacts before an attack. A second hunt (Hunt 2) can then be carried out after the attack using the same artifacts. Now, using this script, artifacts from both hunts can be compared. This allows legitimate activities to be filtered out and makes it easier to identify malicious activities in Hunt 2.

Furthermore, when comparing artifacts, it is necessary to select columns (here the identifying_column) that should be used for the comparison in both artifacts, since a comparison of complete data sets leads to errors, because many artifacts contain timestamps that update. The use of values such as hashes therefore makes sense.

For example, the following artifacts and their identifying columns can be used to compare to a baseline:
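The baseline-versus-second-hunt comparison described in this PR, rendered as an added Python example (the PR's own artifact is a VQL artifact; this is not that code and not part of the velociraptor-docs project). The hunt rows, column names (`Fqdn`, `Name`, `Hash`, `LastRun`) and values below are constructed for illustration; `compare_hunts` keys each row on the chosen identifying columns and reports rows that appear only in the second hunt (candidates for closer review) and rows that disappeared from it. Passing no identifying columns falls back to whole-row comparison, which shows why volatile timestamp columns make every row look new.

```python
from typing import Dict, List, Optional, Sequence, Tuple

Row = Dict[str, str]

# Constructed sample output of one artifact collected in two hunts.
# Column names and values are assumptions, not real Velociraptor output.
BASELINE_HUNT: List[Row] = [
    {"Fqdn": "ws01", "Name": "svchost.exe", "Hash": "aaa111", "LastRun": "2024-01-01T08:00:00Z"},
    {"Fqdn": "ws01", "Name": "explorer.exe", "Hash": "bbb222", "LastRun": "2024-01-01T08:05:00Z"},
    {"Fqdn": "ws02", "Name": "svchost.exe", "Hash": "aaa111", "LastRun": "2024-01-01T08:01:00Z"},
]

SECOND_HUNT: List[Row] = [
    # Same binaries as the baseline, only the timestamp moved on.
    {"Fqdn": "ws01", "Name": "svchost.exe", "Hash": "aaa111", "LastRun": "2024-01-02T09:00:00Z"},
    {"Fqdn": "ws01", "Name": "explorer.exe", "Hash": "bbb222", "LastRun": "2024-01-02T09:05:00Z"},
    # A program that did not exist in the baseline.
    {"Fqdn": "ws01", "Name": "updater.exe", "Hash": "ccc333", "LastRun": "2024-01-02T09:10:00Z"},
    # Same file name as before, but the hash changed on this host.
    {"Fqdn": "ws02", "Name": "svchost.exe", "Hash": "ddd444", "LastRun": "2024-01-02T09:01:00Z"},
]


def row_key(row: Row, identifying_columns: Optional[Sequence[str]]) -> Tuple[str, ...]:
    """Project a row onto the identifying columns (all columns when None).

    A missing identifying column is a configuration error, so it is reported
    rather than silently treated as an empty value.
    """
    if identifying_columns is None:
        return tuple(row[c] for c in sorted(row))
    missing = [c for c in identifying_columns if c not in row]
    if missing:
        raise KeyError(f"row lacks identifying column(s): {missing}")
    return tuple(row[c] for c in identifying_columns)


def compare_hunts(
    baseline: List[Row],
    second: List[Row],
    identifying_columns: Optional[Sequence[str]] = None,
) -> Tuple[List[Row], List[Row]]:
    """Return (rows only in the second hunt, rows only in the baseline).

    Rows are matched on the identifying columns only, so volatile columns
    such as timestamps do not produce spurious differences.
    """
    baseline_keys = {row_key(r, identifying_columns) for r in baseline}
    second_keys = {row_key(r, identifying_columns) for r in second}
    new_in_second = [r for r in second if row_key(r, identifying_columns) not in baseline_keys]
    gone_from_second = [r for r in baseline if row_key(r, identifying_columns) not in second_keys]
    return new_in_second, gone_from_second


if __name__ == "__main__":
    # Whole-row comparison: every row differs because LastRun changed.
    new_rows, _ = compare_hunts(BASELINE_HUNT, SECOND_HUNT)
    print(f"whole-row diff flags {len(new_rows)} of {len(SECOND_HUNT)} rows as new")

    # Keyed on host + hash: only the genuinely new binary and the changed hash remain.
    new_rows, gone_rows = compare_hunts(BASELINE_HUNT, SECOND_HUNT, ["Fqdn", "Hash"])
    for r in new_rows:
        print("new in second hunt:", r["Fqdn"], r["Name"], r["Hash"])
    for r in gone_rows:
        print("missing from second hunt:", r["Fqdn"], r["Name"], r["Hash"])
```

Choosing the key is the analytic decision: keying on `Hash` alone suppresses the `ws02` change, because the same hash is still present on `ws01`, whereas keying on `Fqdn` plus `Hash` surfaces a binary that changed on one host but not another.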

CLAassistant commented 2 months ago

CLA assistant check
All committers have signed the CLA.