Level 1: Ephemeral Values
Description: Observables that are trivial for an adversary to change, or that change even without adversary intervention.
Ephemeral values capture the context of what is currently happening to a user, process, or system. This includes observables such as process IDs, hash values, domain names, file names, and others. While these observables offer high precision, they are often easy to evade.
Why are these observables the lowest level?
These observables cannot be relied on to identify adversary behavior. These indicators take minimal effort for an adversary to change [1]. A new hash value is produced if a single bit in a file changes. A file name can be obfuscated within an image. When building analytics, these observables will mostly capture values that point to the context of a particular application, user, or process. While these observables can detect known malicious applications or processes, they will not detect anything new, nor an adversary who changes an operational or environmental variable to evade detection. To ensure detection in depth, these observables should be combined with observables from other levels.
Examples: Hash values, IP addresses, protocol-specific ports, file names, domain names, processes, user-oriented observables, others
Observables

Category | Observables | Generating Activity | Evade Behavior
---|---|---|---
Hash values | Hashes (Sysmon) | Passing a file or object through a mathematical formula to create a unique identifying number | Change one bit in the file and regenerate the hash
IP address | SourceIp (Sysmon), DestinationIp (Sysmon) | Assigned by ISP [2] | Connect to a different ISP, restart the router or modem, or use a VPN
Protocol-specific ports | DestinationPort (Sysmon), SourcePort (Sysmon) | Some ports are standardized across network devices [3], while others aren't associated with a protocol standard | Change port configuration settings in code or on the computer
Filenames | Image (Sysmon), Parent image (Sysmon), CurrentDirectory (Sysmon), Extension (Sysmon), TargetFilename (Sysmon) | Created by the user to identify the file | Filename can be changed by the user or obfuscated in code deployment
Domain names | SourceHostname (Sysmon), DestinationHostname (Sysmon) | Register the domain name with a registrar [4] | Map tools or a website to a different domain name
Processes | ProcessGuid (Sysmon), ProcessId (Sysmon), Parent process GUID (Sysmon), Subject SID (EID), Target SID (EID), New process ID (EID), Creator Process ID (WEID) | A process creates a child process; the parent and child processes are each assigned a PID [5] | Operating system kernel creates a new process and associated metadata
Pipes | Pipe names (Sysmon) | A pipe server or user specifies a name for the pipe when it calls the CreateNamedPipe function [6] | Change the name of the pipe
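The fragility described above, shown as an added example (not part of the original page): a Level 1 analytic keyed on a static blocklist of Sysmon-style ephemeral values matches the original activity but misses the same activity after a one-bit change to the file, a rename, and a new destination. The payload bytes, file paths, IPs and ports are constructed sample values.

```python
import hashlib

# Constructed sample payload standing in for a known-bad tool (not a real file).
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-tool-v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes) -> bytes:
    """Flip the lowest bit of the last byte: the smallest change that yields a new hash."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def make_event(payload: bytes, image: str, dest_ip: str, dest_port: int) -> dict:
    """Build a minimal Sysmon-style record using the field names from the table above."""
    return {
        "Hashes": "SHA256=" + sha256_hex(payload).upper(),
        "Image": image,
        "DestinationIp": dest_ip,
        "DestinationPort": dest_port,
    }


def level1_analytic(event: dict, blocklist: dict) -> bool:
    """Level 1 analytic: alert when any field equals a value on a static blocklist."""
    return any(event.get(field) in values for field, values in blocklist.items())


def changed_fields(original: dict, variant: dict) -> set:
    """Which ephemeral observables differ between two events of the same activity."""
    return {field for field in original if original[field] != variant[field]}


# Event produced by the original tool, and the blocklist an analyst derived from it.
ORIGINAL_EVENT = make_event(SAMPLE_BYTES, r"C:\Users\alice\tool.exe", "203.0.113.7", 4444)
BLOCKLIST = {field: {value} for field, value in ORIGINAL_EVENT.items()}

# Same activity after trivial changes: one bit flipped, file renamed, new server and port.
VARIANT_EVENT = make_event(flip_one_bit(SAMPLE_BYTES), r"C:\Users\alice\notes.exe", "198.51.100.9", 8443)

if __name__ == "__main__":
    print("original detected:", level1_analytic(ORIGINAL_EVENT, BLOCKLIST))  # True
    print("variant detected: ", level1_analytic(VARIANT_EVENT, BLOCKLIST))  # False
    print("fields changed:", sorted(changed_fields(ORIGINAL_EVENT, VARIANT_EVENT)))
```

Every field the blocklist depends on changed, so the analytic has nothing left to match on; an analytic that also keys on observables from higher levels would not lose all of its coverage at once.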
References