
Attackers Inside the Walls: Detecting Malicious Activity

Small and medium-sized businesses (SMBs) do not always have the budget for advanced intrusion detection system (IDS) technology. Although open-source software can fill this gap, these free solutions may not provide full coverage against known attacks—especially once the attacker is inside the perimeter.

This predicament led to the insightful research and whitepaper recently published in the SANS Reading Room. This study investigated the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment, and its ability to detect malicious actors on an internal network.

Relying on existing configurations—in this case, the default logging scope and alerting rules—is critical for SMBs. There is a distinct divide between having zero alerts (no configuration or tuning in place) and a customized ruleset designed for your environment. While the Security Onion and Windows logging configuration described above may not be a perfect fit for your environment, it will address a large number of concerns more efficiently than starting from scratch, and can be fine-tuned over time to close that gap. It is also crucial for organizations to understand the scope of the existing configuration. This particular research focused on malicious use of legitimate administrative tools, which is difficult to detect using a generic baseline for logging and alerting.

The technologies examined in this paper capture much of the information needed to investigate potential threats, but they do not provide a plug-and-play alerting mechanism in their default configurations. This is partly because what counts as normal activity differs in each environment, and partly because the selected attacks leverage legitimate Windows utilities. SMBs may benefit from disabling some of these utilities outright if they are not being used for system administration. Other risk mitigation steps, such as performing daily tasks with a non-administrative user account, can reduce the likelihood of attack success and increase the visibility of attempted attacks.

Analysts or custom rules are needed to determine whether the usage of tools such as PsExec or “net use” should be considered legitimate or potentially malicious. The data provided by Windows Event Logs and Sysmon rules, together with Security Onion’s analysis of the results, aids in efficient parsing of large event log volumes. SMBs can rely on this toolset to identify some common attack techniques, but should not see it as a “set it and forget it” solution that will trigger alerts for all attackers.
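To make the “legitimate or malicious” decision concrete, here is an added example (not code from the SANS paper, this post, Security Onion, Wazuh, or Sysmon) of the kind of environment-specific triage rule the two paragraphs above call for. It runs over constructed Sysmon Event ID 1 (process creation) records, flags PsExec and “net use” activity, and suppresses hits that match a baseline of expected admin accounts and hosts. The account names, hostnames, paths, and events are all constructed for illustration; a real baseline would be built from the organization’s own logs.

```python
"""Triage filter for PsExec / "net use" process-creation events.

Added illustration, not part of the original post. Sysmon Event ID 1 fields
are reduced to the four used here; all sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed per-environment baseline: the accounts and hosts from which
# remote-administration tooling is expected. This is the tuning step that
# separates "zero alerts" from a ruleset that fits your environment.
BASELINE_ADMIN_ACCOUNTS = {"CORP\\svc-deploy", "CORP\\it-admin"}
BASELINE_ADMIN_HOSTS = {"MGMT01"}

# PsExec client binaries and the PSEXESVC service binary it drops on targets.
PSEXEC_IMAGE = re.compile(r"\\(psexec(64)?|psexesvc)\.exe$", re.I)
# "net use" / "net1 use", with or without the .exe suffix or a quoted path.
NET_USE_CMD = re.compile(r'(^|\\)net1?(\.exe)?"?\s+use\b', re.I)


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields needed for this rule."""
    host: str          # Computer
    user: str          # User
    image: str         # Image (full path of the new process)
    command_line: str  # CommandLine


def classify(ev: ProcEvent) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'ignore', 'baseline' or 'alert'."""
    reasons = []
    if PSEXEC_IMAGE.search(ev.image):
        reasons.append("psexec")
    if NET_USE_CMD.search(ev.command_line):
        reasons.append("net use")
    if not reasons:
        return "ignore", ""
    # Same tool, but from an expected account on an expected host: record it
    # as baseline activity instead of paging an analyst.
    if ev.user in BASELINE_ADMIN_ACCOUNTS and ev.host in BASELINE_ADMIN_HOSTS:
        return "baseline", "+".join(reasons)
    return "alert", "+".join(reasons)


def triage(events: List[ProcEvent]) -> List[Tuple[str, str, str, str]]:
    """Classify every event; returns (host, user, verdict, reason) per event."""
    return [(ev.host, ev.user, *classify(ev)) for ev in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. PsExec launched from a user temp directory on a workstation.
    ProcEvent("WS07", "CORP\\jdoe",
              "C:\\Users\\jdoe\\AppData\\Local\\Temp\\PsExec64.exe",
              "PsExec64.exe \\\\FS01 -s cmd.exe"),
    # 2. Same tool, but from the management host by the IT admin account.
    ProcEvent("MGMT01", "CORP\\it-admin",
              "C:\\Tools\\PsExec.exe",
              "PsExec.exe \\\\FS01 ipconfig /all"),
    # 3. A workstation user mapping an administrative share with another account.
    ProcEvent("WS07", "CORP\\jdoe",
              "C:\\Windows\\System32\\net.exe",
              "net use \\\\FS01\\ADMIN$ /user:CORP\\svc-backup"),
    # 4. Benign noise that the rule should leave alone.
    ProcEvent("WS07", "CORP\\jdoe",
              "C:\\Windows\\System32\\notepad.exe",
              "notepad.exe notes.txt"),
    # 5. The service side of PsExec appearing on the target file server.
    ProcEvent("FS01", "NT AUTHORITY\\SYSTEM",
              "C:\\Windows\\PSEXESVC.exe",
              "C:\\Windows\\PSEXESVC.exe"),
]


if __name__ == "__main__":
    for host, user, verdict, reason in triage(SAMPLE_EVENTS):
        print(f"{verdict:8} {host:7} {user:22} {reason}")
```

Events 1, 3, and 5 alert, event 2 is recorded as baseline, and event 4 is ignored. The interesting design choice is that the same PsExec execution produces a different verdict depending only on who ran it and where, which is exactly why a generic ruleset cannot answer the question on its own and why running daily work under a non-administrative account makes this class of activity stand out.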

Constant vigilance is required to properly protect your company from malicious attempts to infiltrate your systems. The research conducted and published in the SANS Reading Room has prompted productive conversations about possible solutions for SMBs looking to bridge the gap between budget and security.

For more information on the results of the research and recommendations, read the full white paper in the SANS Reading Room, or reach out to Sean Goodwin at

For more information on the tools that were used in this research, please visit Security Onion, Wazuh, and Sysmon.