A Centralized System for Detecting Attacks from Windows Event Logs

dc.contributor.author: Visoottiviseth V.
dc.contributor.author: Moonkhaen V.
dc.contributor.other: Mahidol University
dc.date.accessioned: 2023-07-07T18:01:29Z
dc.date.available: 2023-07-07T18:01:29Z
dc.date.issued: 2023-01-01
dc.description.abstract: Although Microsoft has released Windows 10 and 11, many personal computers worldwide still run the old Windows 7 without security patches installed, which leaves them open to exploitation by attackers. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks from Windows event logs. It aims to detect attacks on Windows 7 clients by focusing on the three most critical Common Vulnerabilities and Exposures (CVEs): CVE-2017-0143 (EternalBlue), CVE-2017-0199 (HTA), and CVE-2019-0708 (BlueKeep). To validate the proposed system, we emulate various attacks and generate a dataset for each attack type. A log server then collects Windows event logs from each client. We identify attacks by comparing logs obtained during attacks with logs obtained during normal operation, and from specific event IDs we develop a detection signature for each CVE. Once SHIRO finds an attack signature in the records, it identifies the attack type and alerts the administrator. Our experiments, based on both pre-generated datasets and real-time attacks, confirm that SHIRO detects all three attack types accurately. The experimental results show that SHIRO is useful for an administrator to find compromised Windows machines efficiently.
dc.identifier.citation: Proceeding - 2023 International Electrical Engineering Congress, iEECON 2023 (2023), 367-371
dc.identifier.doi: 10.1109/iEECON56657.2023.10126899
dc.identifier.scopus: 2-s2.0-85162974509
dc.identifier.uri: https://repository.li.mahidol.ac.th/handle/123456789/87766
dc.rights.holder: SCOPUS
dc.subject: Computer Science
dc.title: A Centralized System for Detecting Attacks from Windows Event Logs
dc.type: Conference Paper
mu.datasource.scopus: https://www.scopus.com/inward/record.uri?partnerID=HzOxMe3b&scp=85162974509&origin=inward
oaire.citation.endPage: 371
oaire.citation.startPage: 367
oaire.citation.title: Proceeding - 2023 International Electrical Engineering Congress, iEECON 2023
oairecerif.author.affiliation: Mahidol University
oairecerif.author.affiliation: RTARF Cyber Center