Hello David,
I created 2 new checks for anomaly detection to flag possible file copies and file volume moves. These checks were suggested in Issue #46.
Here's a screenshot against the SANS nromanoff image. This is filtered on Filename containing "svchost.exe", which includes the timestomped c:\Windows\System32\dllhost\svchost.exe malware. Note that the "Possible Volume Move" flag is set on this file because the attacker did not backdate the access timestamp (only the create & modify times), so it appears to be a volume-move file.
Thanks, Mike
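The two timestamp heuristics described in the message, as an added example that is not Mike's code or the tool's own checks. The exact rules the tool uses are not given here, so the rules below are assumptions: a "possible file copy" is a record whose creation time is measurably newer than its modified time (a copy gets a fresh creation time but inherits the source's modified time), and a "possible volume move" is a record whose creation and modified times are both older than its access time, which is the pattern the timestomped dllhost\svchost.exe shows when only create and modify were backdated. The MFT records, paths and timestamps are constructed sample data, not values from the nromanoff image.

```python
"""Timestamp-anomaly heuristics over MFT-style records: "Possible File Copy"
and "Possible Volume Move".  Added example; the rules are assumptions about
how such checks can be written, not the tool's actual implementation."""
from datetime import datetime, timedelta
from typing import NamedTuple


class Entry(NamedTuple):
    path: str
    created: datetime   # $STANDARD_INFORMATION creation time
    modified: datetime  # $STANDARD_INFORMATION last-modified time
    accessed: datetime  # $STANDARD_INFORMATION last-access time


# Copies and moves take some wall-clock time, so "the same moment" is a window.
SLOP = timedelta(seconds=2)


def possible_file_copy(e: Entry) -> bool:
    """Assumed rule: a copy gets a fresh creation time but inherits the source's
    modified time, so creation lands measurably after modification."""
    return e.created > e.modified + SLOP


def possible_volume_move(e: Entry) -> bool:
    """Assumed rule: creation and modified times are both preserved (or both
    backdated) while the access time is fresh.  Records already explained as
    copies are excluded so the two flags do not overlap."""
    newest_cm = max(e.created, e.modified)
    return e.accessed > newest_cm + SLOP and not possible_file_copy(e)


def flags_for(e: Entry) -> list:
    """Return the anomaly flags that apply to one record."""
    flags = []
    if possible_file_copy(e):
        flags.append("Possible File Copy")
    if possible_volume_move(e):
        flags.append("Possible Volume Move")
    return flags


def flag_entries(entries, name_contains: str = "") -> dict:
    """Run the checks over a record set, optionally filtered on a filename
    substring (case-insensitive), like the "svchost.exe" filter in the screenshot."""
    needle = name_contains.lower()
    return {e.path: flags_for(e) for e in entries if needle in e.path.lower()}


# Constructed sample records (not from a real image).
T_INSTALL = datetime(2009, 7, 14, 1, 14, 0)   # OS install / backdated value
T_ATTACK = datetime(2012, 4, 6, 8, 30, 0)     # attacker activity window

SAMPLE = [
    # Legitimate system binary: all three timestamps from install time.
    Entry(r"C:\Windows\System32\svchost.exe", T_INSTALL, T_INSTALL, T_INSTALL),
    # Tool copied in by the attacker: fresh creation, old modified time.
    Entry(r"C:\Users\nromanoff\AppData\Local\Temp\wce.exe",
          T_ATTACK, datetime(2008, 1, 1, 0, 0, 0), T_ATTACK),
    # Timestomped malware: create and modify backdated, access left fresh.
    Entry(r"C:\Windows\System32\dllhost\svchost.exe",
          T_INSTALL, T_INSTALL, T_ATTACK + timedelta(minutes=1)),
    # Ordinary recently edited document: modified and accessed together.
    Entry(r"C:\Users\nromanoff\Documents\notes.txt",
          datetime(2011, 1, 5, 12, 0, 0),
          T_ATTACK + timedelta(minutes=30), T_ATTACK + timedelta(minutes=30)),
]

if __name__ == "__main__":
    for path, flags in flag_entries(SAMPLE, "svchost.exe").items():
        print(f"{path}: {', '.join(flags) or '-'}")
```

The exclusion in `possible_volume_move` matters: a fresh copy also has a fresh access time, so without it every copied file would carry both flags. Both rules are heuristics and a file that was genuinely moved or copied will trigger them; the value is in surfacing records worth comparing against $FILE_NAME times and other artifacts, not in proving tampering.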