Level 1: Ephemeral Values

Description: Observables that are trivial for an adversary to change, or that change even without adversary intervention.

Ephemeral values capture the context of what is currently happening to a user, process, or system. These observables include process IDs, hash values, domain names, filenames, and others. While these observables offer high accuracy, they are often easy to evade.

Why are these observables the lowest level?

These observables cannot be relied on to identify adversary behavior. They take minimal effort for an adversary to change [1]. A new hash value is produced if a single bit in a file is changed. A filename can be obfuscated within an image. When building out analytics, these observables will mostly capture values that point to the context of a certain application, user, or process. While they can detect known malicious applications or processes, they will not detect anything new, nor will they detect an adversary who changes an operational or environmental variable to evade detection. To ensure detection in depth, these observables should be combined with observables from other levels.

Examples: Hash values, IP addresses, protocol-specific ports, file names, domain names, processes, user-oriented observables, others
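The "change one bit" evasion described above, shown as an added example that is not part of the original page: the sample file contents and the hash blocklist are constructed for illustration. It computes a Sysmon-style SHA-256 of a file, flips a single bit, and shows that a hash-only analytic matches the original but not the one-bit variant, even though the two inputs differ in exactly one bit.

```python
import hashlib

# Constructed stand-in for a file that a hash-based analytic was written
# against. It is not a real binary; the header bytes are only decoration.
KNOWN_BAD = b"MZ" + b"\x00" * 30 + b"constructed sample payload for illustration"


def sha256_hex(data: bytes) -> str:
    """Hash the whole content with SHA-256, as a Sysmon Hashes field would record it."""
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes, byte_index: int = -1, bit: int = 0) -> bytes:
    """Return a copy of data with one bit toggled (the minimal change an adversary needs)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    assert len(a) == len(b), "inputs must be the same length"
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_analytic_matches(data: bytes, blocklist: set[str]) -> bool:
    """Level-1 analytic: alert only when the file hash is on a known-bad list."""
    return sha256_hex(data) in blocklist


def demo() -> dict:
    """Run the comparison and return the facts a detection engineer cares about."""
    blocklist = {sha256_hex(KNOWN_BAD)}          # constructed "known bad" list
    variant = flip_one_bit(KNOWN_BAD)             # one bit changed, behaviour unchanged
    original_digest = bytes.fromhex(sha256_hex(KNOWN_BAD))
    variant_digest = bytes.fromhex(sha256_hex(variant))
    return {
        "input_bits_changed": differing_bits(KNOWN_BAD, variant),
        "digest_bits_changed": differing_bits(original_digest, variant_digest),
        "original_detected": hash_analytic_matches(KNOWN_BAD, blocklist),
        "variant_detected": hash_analytic_matches(variant, blocklist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `digest_bits_changed` figure is the point: a one-bit edit to the input changes roughly half of the 256 digest bits, so nothing about the old hash helps an analytic recognise the variant. An analytic that also keys on observables from a higher level of the pyramid does not lose the detection when the hash changes.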

Observables

| Category | Observables | Generating Activity | Evade Behavior |
| --- | --- | --- | --- |
| Hash Values | Hashes (Sysmon) | Passing a file or object through a mathematical formula to create a unique identifying number. | Change one bit in a file and regenerate the hash. |
| IP Address | SourceIp (Sysmon); DestinationIp (Sysmon) | Assigned by the ISP [2]. | Connect to a different ISP, restart the router or modem, or use a VPN. |
| Protocol-Specific Ports | DestinationPort (Sysmon); SourcePort (Sysmon) | Some ports are standardized across network devices [3], while others aren't associated with a protocol standard. | Change the port configuration settings in the code or on the computer. |
| Filenames | Image (Sysmon); Parent image (Sysmon); CurrentDirectory (Sysmon); Extension (Sysmon); TargetFilename (Sysmon) | Created by the user to identify a file. | The filename can be changed by the user or obfuscated during code deployment. |
| Domain Names | SourceHostname (Sysmon); DestinationHostname (Sysmon) | Register the domain name with a registrar [4]. | Map the tools or website to a different domain name. |
| Processes | ProcessGuid (Sysmon); ProcessId (Sysmon); Parent process GUID (Sysmon); Subject SID (EID); Target SID (EID); New Process ID (EID); Creator Process ID (WEID) | A process spawns a child process; the parent and child processes are each assigned a PID [5]. | The operating system kernel creates a new process and its associated metadata. |
| Pipes | Pipe Names (Sysmon) | A pipe server or user specifies a name for the pipe when it calls the CreateNamedPipe function [6]. | Change the name of the pipe. |

References

[1] http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
[2] https://usa.kaspersky.com/resource-center/definitions/what-is-an-ip-address
[3] https://www.cloudflare.com/learning/network-layer/what-is-a-computer-port/
[4] https://www.codecademy.com/resources/blog/what-is-a-domain-name/#domain-name-registrars-and-registries
[5] https://www.tutorialspoint.com/inter_process_communication/inter_process_communication_process_creation_termination.htm
[6] https://learn.microsoft.com/en-us/windows/win32/ipc/pipe-names