
arxiv: 2407.18858 · v1 · submitted 2024-07-26 · 💻 cs.CR

HADES: Detecting Active Directory Attacks via Whole Network Provenance Analytics

Pith reviewed 2026-05-23 23:24 UTC · model grok-4.3

classification 💻 cs.CR
keywords Active Directory · provenance-based intrusion detection · cross-machine tracing · APT detection · authentication anomaly detection · logon session partitioning · network provenance analytics

The pith

HADES performs the first accurate cross-machine provenance tracing for Active Directory attacks by partitioning executions according to logon sessions.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents HADES as a provenance-based intrusion detection system that overcomes the single-machine limit of prior systems to reveal the full scope of Active Directory attacks across a network. It introduces logon session based execution partitioning to establish reliable causal links between events on different machines. The system activates whole-network tracing only after detecting an authentication anomaly with a new lightweight model, then applies a triage algorithm drawn from observed patterns in such attacks. Evaluations indicate it outperforms both open-source detectors and a commercial AD attack tool.

Core claim

HADES is the first PIDS capable of performing accurate causality-based cross-machine tracing by leveraging logon session based execution partitioning to overcome several challenges in cross-machine tracing, supported by an on-demand design triggered by a novel authentication anomaly detection model and a triage algorithm that integrates two key insights from AD attacks.

What carries the argument

Logon session based execution partitioning, which divides system executions by logon sessions to create accurate cross-machine causal relationships for whole-network provenance graphs.
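As an added illustration (not code from the paper or the HADES project) of why partitioning by logon session gives tighter cross-machine links than linking on raw network connections, the toy below runs both strategies over a constructed three-host event stream and forward-traces from one process. Field names loosely mirror Windows Security event 4624 (logon ID, logon type 3 for network logons, source workstation, account) and process-creation records; the rule that ties a remote logon to the originating process by source host and account name is an assumption made for the example, not the paper's algorithm.

```python
"""Connection-based vs. logon-session-based cross-machine linking (toy).

Added example, not the paper's code. Event fields loosely mirror Windows
Security event 4624 (logon id, logon type, source workstation, account) and
process-creation / network-connection records; every value is constructed.
"""

# Each event: (host, timestamp, kind, fields). Timestamps share one clock.
EVENTS = [
    ("HOST-A",  0, "logon",   {"logon_id": "0x2b2", "logon_type": 5, "user": "svc_backup"}),
    ("HOST-A",  1, "process", {"pid": 200, "image": "backup.exe", "logon_id": "0x2b2"}),
    ("HOST-A",  2, "logon",   {"logon_id": "0x1a1", "logon_type": 2, "user": "alice"}),
    ("HOST-A",  3, "process", {"pid": 100, "image": "outlook.exe", "logon_id": "0x1a1"}),
    ("HOST-A",  4, "process", {"pid": 101, "image": "powershell.exe", "logon_id": "0x1a1"}),
    ("HOST-A",  5, "netconn", {"pid": 101, "dst": "HOST-B", "dport": 445}),
    ("HOST-A",  6, "netconn", {"pid": 200, "dst": "HOST-B", "dport": 445}),  # unrelated backup job
    ("HOST-B",  7, "logon",   {"logon_id": "0x3f9", "logon_type": 3, "src_host": "HOST-A", "user": "alice"}),
    ("HOST-B",  8, "process", {"pid": 300, "image": "cmd.exe", "logon_id": "0x3f9"}),
    ("HOST-B",  9, "process", {"pid": 301, "image": "svchost.exe", "logon_id": "0x3e7"}),  # SYSTEM, unrelated
    ("HOST-B", 10, "netconn", {"pid": 300, "dst": "HOST-C", "dport": 445}),  # second hop
    ("HOST-C", 11, "logon",   {"logon_id": "0x7d1", "logon_type": 3, "src_host": "HOST-B", "user": "alice"}),
    ("HOST-C", 12, "process", {"pid": 400, "image": "cmd.exe", "logon_id": "0x7d1"}),
    ("HOST-B", 13, "logoff",  {"logon_id": "0x3f9"}),
    ("HOST-B", 14, "logon",   {"logon_id": "0x5c2", "logon_type": 3, "src_host": "HOST-A", "user": "svc_backup"}),
    ("HOST-B", 15, "process", {"pid": 302, "image": "robocopy.exe", "logon_id": "0x5c2"}),
]


def connection_based_edges(events):
    """Naive linking: every process started on the destination host after a
    network connection is treated as caused by the connecting process, so one
    connection drags in unrelated later activity (cross-machine over-linking)."""
    conns = [(h, ts, f) for h, ts, k, f in events if k == "netconn"]
    edges = set()
    for host, ts, kind, f in events:
        if kind != "process":
            continue
        for src_host, cts, cf in conns:
            if cf["dst"] == host and cts < ts:
                edges.add(((src_host, cf["pid"]), (host, f["pid"])))
    return edges


def session_based_edges(events):
    """Logon-session partitioning: a network logon opens a session on the
    destination host; only processes running under that logon id while the
    session is open are linked, and only to the process whose connection
    plausibly created it (assumed rule: latest earlier connection from the same
    source host whose own session belongs to the same account)."""
    session_user = {}   # (host, logon_id) -> account name
    pid_session = {}    # (host, pid) -> logon_id the process runs under
    pending = []        # (src_host, src_user, src_pid, dst_host, ts) candidate origins
    open_sessions = {}  # (dst_host, logon_id) -> (src_host, src_pid)
    edges = set()
    for host, ts, kind, f in sorted(events, key=lambda e: e[1]):
        if kind == "logon":
            session_user[(host, f["logon_id"])] = f["user"]
            if f["logon_type"] == 3:
                matches = [p for p in pending
                           if p[0] == f["src_host"] and p[1] == f["user"]
                           and p[3] == host and p[4] < ts]
                if matches:  # no match: leave the session unlinked rather than guess
                    src_host, _, src_pid, _, _ = max(matches, key=lambda p: p[4])
                    open_sessions[(host, f["logon_id"])] = (src_host, src_pid)
        elif kind == "process":
            pid_session[(host, f["pid"])] = f["logon_id"]
            origin = open_sessions.get((host, f["logon_id"]))
            if origin is not None:
                edges.add((origin, (host, f["pid"])))
        elif kind == "netconn":
            sid = pid_session.get((host, f["pid"]))
            pending.append((host, session_user.get((host, sid)), f["pid"], f["dst"], ts))
        elif kind == "logoff":
            open_sessions.pop((host, f["logon_id"]), None)
    return edges


def reachable(edges, start):
    """Forward-trace the causal graph from one (host, pid) node."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
    seen, stack = set(), [start]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


if __name__ == "__main__":
    start = ("HOST-A", 101)  # the PowerShell process under alice's session
    print("connection-based:", sorted(reachable(connection_based_edges(EVENTS), start)))
    print("session-based:   ", sorted(reachable(session_based_edges(EVENTS), start)))
```

Tracing from the PowerShell process, connection-based linking pulls in the SYSTEM service and the backup account's later session on HOST-B, while session-based linking yields only the two-hop chain that actually ran under alice's logon sessions.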

If this is right

  • Whole-network tracing becomes feasible only on demand rather than continuously, reducing overhead.
  • Attackers' traversal across machines can be exposed in a single causal graph instead of isolated per-machine views.
  • Authentication anomalies serve as reliable early triggers for deeper provenance analysis.
  • Triage of alerts improves by incorporating two specific insights observed in AD attack patterns.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The partitioning approach could be tested on other centralized identity systems that rely on session-based authentication.
  • Integration with existing enterprise logging would require mapping logon events to the partitioning logic without custom kernel changes.
  • False linkage rates might vary with different Windows domain configurations or non-Windows clients.

Load-bearing premise

Logon session based execution partitioning correctly links events across machines in real enterprise networks without generating excessive false connections or missing genuine ones.

What would settle it

Running HADES on a labeled enterprise network trace containing a known multi-machine AD attack and observing either missed causal links or many spurious ones in the resulting graph.

Figures

Figures reproduced from arXiv: 2407.18858 by Kaibin Bao, Qi Liu, Veit Hagenmeyer, Wajih Ul Hassan.

Figure 1. Active directory attack overview.
Figure 2. HADES overview.
Figure 3. An AD attack graph created by HADES on the Oilrig [...]
Figure 4. Standard AD authentication process. Diagram labels: Domain Controller, AD Database, KDC (User Authentication Service, Ticket Granting Service), Application Servers; annotated attacks: AS-REP Roasting, Kerberoasting, Pass-the-Ticket, Overpass-the-Hash, Pass-the-Hash, Silver-Ticket, Golden-Ticket.
Figure 5. Authentication incompleteness/abnormality.
Figure 6. CDF of threat score for false and true alerts.
Figure 7. CDF of response time of HADES.
Original abstract

Due to its crucial role in identity and access management in modern enterprise networks, Active Directory (AD) is a top target of Advanced Persistent Threat (APT) actors. Conventional intrusion detection systems (IDS) excel at identifying malicious behaviors caused by malware, but often fail to detect stealthy attacks launched by APT actors. Recent advances in provenance-based IDS (PIDS) show promise by exposing malicious system activities in causal attack graphs. However, existing approaches are restricted to intra-machine tracing, and are unable to reveal the scope of attackers' traversal inside a network. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing by leveraging a novel concept called logon session based execution partitioning to overcome several challenges in cross-machine tracing. We design HADES as an efficient on-demand tracing system, which performs whole-network tracing only when it first identifies an authentication anomaly signifying an ongoing AD attack, for which we introduce a novel lightweight authentication anomaly detection model rooted in our extensive analysis of AD attacks. To triage attack alerts, we present a new algorithm integrating two key insights we identified in AD attacks. Our evaluations show that HADES outperforms both popular open source detection systems and a prominent commercial AD attack detector.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces HADES, the first provenance-based IDS (PIDS) for Active Directory environments that performs whole-network causality-based tracing. It relies on a novel logon session based execution partitioning technique to address cross-machine tracing challenges, an on-demand design triggered by a lightweight authentication anomaly detection model derived from AD attack analysis, and a triage algorithm incorporating two key AD attack insights. Evaluations claim superior performance over open-source IDS and a commercial AD detector.

Significance. If the logon session partitioning reliably produces accurate cross-machine causal graphs without excessive false linkages or missed connections, the work would meaningfully extend PIDS beyond intra-machine limits and improve detection of stealthy APT activity in enterprise AD deployments. The on-demand architecture and empirical outperformance claims are the primary contributions; no machine-checked proofs or parameter-free derivations are present.

major comments (2)
  1. [Evaluation / Design] The central claim that logon session based execution partitioning enables accurate cross-machine causality (abstract and design sections) rests on the assumption that session boundaries correctly capture inter-machine dependencies in real enterprise logs. The evaluation must report concrete metrics (e.g., precision/recall of cross-machine edges against ground-truth attack graphs) rather than only end-to-end detection rates; without these, the outperformance claim cannot be isolated from possible over- or under-linkage artifacts.
  2. [Anomaly Detection Model] The lightweight authentication anomaly detection model is described as rooted in extensive AD attack analysis, yet no quantitative breakdown (false-positive rates on benign logon patterns, feature importance, or comparison to standard AD event baselines) is referenced in the abstract. This model triggers the expensive whole-network tracing, so its accuracy directly affects system practicality and must be validated on representative enterprise traces.
minor comments (2)
  1. [System Overview] Clarify the exact provenance data sources (e.g., Windows event logs, Sysmon) and any preprocessing steps for logon session extraction in the system overview.
  2. [Evaluation] The abstract states outperformance over 'popular open source detection systems' and 'a prominent commercial AD attack detector'; name the specific baselines and report the evaluation metrics (F1, detection latency, etc.) with dataset sizes and attack coverage.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our evaluation of cross-machine causality and the anomaly detection model. We address each major comment below, indicating where revisions will be made to strengthen the manuscript.

Point-by-point responses
  1. Referee: [Evaluation / Design] The central claim that logon session based execution partitioning enables accurate cross-machine causality (abstract and design sections) rests on the assumption that session boundaries correctly capture inter-machine dependencies in real enterprise logs. The evaluation must report concrete metrics (e.g., precision/recall of cross-machine edges against ground-truth attack graphs) rather than only end-to-end detection rates; without these, the outperformance claim cannot be isolated from possible over- or under-linkage artifacts.

    Authors: We agree that reporting precision and recall for cross-machine edges against ground-truth would better isolate the contribution of logon session partitioning. Our evaluations emphasize end-to-end detection on realistic AD attack scenarios because constructing comprehensive ground-truth cross-machine attack graphs requires extensive manual labeling not available in standard datasets. In the revision we will add a dedicated analysis subsection that measures edge-level accuracy on a manually inspected subset of traces, quantifies observed false linkages in benign traffic, and discusses the practical challenges of ground-truth construction. This will clarify the reliability of the partitioning technique. revision: yes

  2. Referee: [Anomaly Detection Model] The lightweight authentication anomaly detection model is described as rooted in extensive AD attack analysis, yet no quantitative breakdown (false-positive rates on benign logon patterns, feature importance, or comparison to standard AD event baselines) is referenced in the abstract. This model triggers the expensive whole-network tracing, so its accuracy directly affects system practicality and must be validated on representative enterprise traces.

    Authors: The abstract summarizes the model as derived from AD attack analysis but does not include quantitative metrics. The full manuscript evaluates the model on enterprise traces and reports low false-positive rates that make on-demand tracing practical. We will revise the abstract to explicitly reference these metrics (false-positive rates on benign patterns and comparison to AD event baselines) and expand the evaluation section with feature importance results if not already detailed. This addresses the concern that the trigger mechanism's accuracy must be validated. revision: yes

Circularity Check

0 steps flagged

No significant circularity; system design and empirical claims are self-contained

full rationale

The paper presents HADES as a system design leveraging a novel logon session based execution partitioning for cross-machine tracing, an authentication anomaly detection model, and a triage algorithm, supported by evaluations against baselines. No equations, fitted parameters, or derivations are described that reduce claims to self-referential inputs. The central claims rest on the described construction and empirical results rather than any self-citation chain, uniqueness theorem, or renaming of known results. The provided text contains no load-bearing self-citations or ansatzes smuggled via prior work by the same authors.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 1 invented entities

Abstract-only view yields no visible free parameters, axioms, or invented entities beyond the high-level novel partitioning concept; full paper would be needed for exhaustive ledger.

invented entities (1)
  • logon session based execution partitioning (no independent evidence)
    purpose: Enable accurate causality-based cross-machine tracing
    Introduced as a novel concept to overcome cross-machine challenges




Reference graph

Works this paper leans on

73 extracted references · 73 canonical work pages

  1. [1] CrowdStrike, Inc. CrowdStrike 2023 Global Threat Report.
  2. [2] [Online]. Available: https://www.crowdstrike.com/global-threat-report/
  3. [3] CrowdStrike, Inc. CrowdStrike 2023 Threat Hunting Report.
  4. [4] [Online]. Available: https://www.crowdstrike.com/resources/reports/threat-hunting-report/
  5. [5] Venu Shastri. Attackers Set Sights on Active Directory: Understanding Your Identity Exposure. Accessed: Dec. 2023. [Online]. Available: https://www.crowdstrike.com/blog/attackers-set-sights-on-active-directory-understanding-your-identity-exposure/
  6. [6] Venu Shastri. Endpoint and Identity Security: A Critical Combination to Stop Modern Attacks. Accessed: Dec. 2023. [Online]. Available: https://www.crowdstrike.com/blog/unifying-endpoint-and-identity-security/
  7. [7] The MITRE Corporation. MITRE T1558.003. Accessed: Dec.
  8. [8] [Online]. Available: https://attack.mitre.org/techniques/T1558/003/
  9. [9] The MITRE Corporation. MITRE T1550.002. Accessed: Dec.
  10. [10] [Online]. Available: https://attack.mitre.org/techniques/T1550/002/
  11. [11] Swetha Krishnamoorthi and Jarad Carleton. Active Directory Holds the Keys to your Kingdom, but is it Secure? 2020. [Online]. Available: https://www.frost.com/frost-perspectives/active-directory-holds-the-keys-to-your-kingdom-but-is-it-secure/
  12. [12] Nmap. https://nmap.org/. Last accessed: May 2024.
  13. [13] Microsoft. Setspn. Accessed: Jan. 2024. [Online]. Available: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)
  14. [14] Falcon OverWatch Team. 8 LOLBins Every Threat Hunter Should Know. Accessed: May 2023. [Online]. Available: https://www.crowdstrike.com/blog/8-lolbins-every-threat-hunter-should-know/
  15. [15] Trellix. Trellix Threat Report 2023. 2023. [Online]. Available: https://www.trellix.com/advanced-research-center/threat-reports/feb-2023/
  16. [16] The MITRE Corporation. MITRE Matrix. Accessed: Jan. 2023. [Online]. Available: https://attack.mitre.org/matrices/enterprise/
  17. [17] Shiqing Ma, Xiangyu Zhang, and Dongyan Xu. “ProTracer: Towards practical provenance tracing by alternating between logging and tainting”. In: Network and Distributed System Security (NDSS). 2016, pp. 1–15.
  18. [18] Md Nahid Hossain, Sadegh M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott D Stoller, and VN Venkatakrishnan. “SLEUTH: Real-time attack scenario reconstruction from COTS audit data”. In: USENIX Security Symposium. 2017, pp. 487–504.
  19. [19] Wajih Ul Hassan, LeMay Mark, Nuraini Aguse, Adam Bates, and Thomas Moyer. “Towards scalable cluster auditing through grammatical inference over provenance graphs”. In: Network and Distributed System Security (NDSS). 2018, pp. 1–15.
  20. [20] S. M. Milajerdi, R. Gjomemo, B. Eshete, R. Sekar, and V. N. Venkatakrishnan. “HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows”. In: IEEE Symposium on Security and Privacy (S&P). 2019, pp. 1137–1152.
  21. [21] Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. “NoDoze: Combatting threat alert fatigue with automated provenance triage”. In: Network and Distributed System Security (NDSS). 2019, pp. 1–15.
  22. [22] Wajih Ul Hassan, Adam Bates, and Daniel Marino. “Tactical Provenance Analysis for Endpoint Detection and Response Systems”. In: IEEE Symposium on Security and Privacy (S&P). 2020, pp. 1172–1189.
  23. [23] Md Nahid Hossain, Sanaz Sheikhi, and R Sekar. “Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics”. In: IEEE Symposium on Security and Privacy (S&P). 2020, pp. 1139–1155.
  24. [24] Z. Cheng, Q. Lv, J. Liang, Y. Wang, D. Sun, T. Pasquier, and X. Han. “KAIROS: Practical Intrusion Detection and Investigation using Whole-system Provenance”. In: IEEE Symposium on Security and Privacy (S&P). 2024, pp. 9–28.
  25. [25] M. Rehman, H. Ahmadi, and W. Hassan. “FLASH: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning”. In: IEEE Symposium on Security and Privacy (S&P). 2024, pp. 142–161.
  26. [26] Jun Zeng, Xiang Wang, Jiahao Liu, Yinfang Chen, Zhenkai Liang, Tat-Seng Chua, and Zheng Leong Chua. “Shadewatcher: Recommendation-guided cyber threat analysis using system audit records”. In: IEEE Symposium on Security and Privacy (S&P). 2022, pp. 489–506.
  27. [27] Fan Yang, Jiacen Xu, Chunlin Xiong, Zhou Li, and Kehuan Zhang. “PROGRAPHER: An Anomaly Detection System based on Provenance Graph Embedding”. In: USENIX Security Symposium. 2023, pp. 4355–4372.
  28. [28] Feng Dong, Shaofei Li, Peng Jiang, Ding Li, Haoyu Wang, Liangyi Huang, Xusheng Xiao, Jiedong Chen, Xiapu Luo, Yao Guo, and Xiangqun Chen. “Are we there yet? An Industrial Viewpoint on Provenance-based Endpoint Detection and Response Tools”. In: ACM Conference on Computer and Communications Security (CCS). 2023, pp. 2396–2410.
  29. [29] Kyu Hyung Lee, Xiangyu Zhang, and Dongyan Xu. “High accuracy attack provenance via binary-based execution partition”. In: Network and Distributed System Security (NDSS). 2013, pp. 1–16.
  30. [30] Shiqing Ma, Kyu Hyung Lee, Chung Hwan Kim, Junghwan Rhee, Xiangyu Zhang, and Dongyan Xu. “Accurate, low cost and instrumentation-free security audit logging for Windows”. In: Annual Computer Security Applications Conference (ACSAC). 2015, pp. 401–410.
  31. [31] Hassaan Irshad, Gabriela Ciocarlie, Ashish Gehani, Vinod Yegneswaran, Kyu Hyung Lee, Jignesh Patel, Somesh Jha, Yonghwi Kwon, Dongyan Xu, and Xiangyu Zhang. “TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection”. In: IEEE Transactions on Information Forensics and Security 16 (2021), pp. 4363–4376.
  32. [32] Bushra A. Alahmadi, Louise Axon, and Ivan Martinovic. “99% False Positives: A Qualitative Study of SOC Analysts’ Perspectives on Security Alarms”. In: USENIX Security Symposium. 2022, pp. 2783–2800.
  33. [33] Elastic. Elastic Detection Rules. Accessed: Sept. 2023. [Online]. Available: https://github.com/elastic/detection-rules
  34. [34] SigmaHQ. Sigma. Accessed: Sept. 2023. [Online]. Available: https://github.com/SigmaHQ/sigma
  35. [35] Michele Crockett. Why 86% of Organizations Are Increasing Their Investment in Active Directory Security. Accessed: Dec.
  36. [36] [Online]. Available: https://securityboulevard.com/2021/11/why-86-of-organizations-are-increasing-their-investment-in-active-directory-security/
  37. [37] Alex Talyanski. noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds. Accessed: June
  38. [38] [Online]. Available: https://www.crowdstrike.com/blog/nopac-exploit-latest-microsoft-ad-flaw-may-lead-to-total-domain-compromise/
  39. [39] Tenable, Inc. A global threat to enterprises: the impact of Active Directory attacks. Accessed: June 2024. [Online]. Available: https://de.tenable.com/whitepapers/a-global-threat-to-enterprises-the-impact-of-ad-attacks?page=2
  40. [40] Xueyan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer. “UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats”. In: Network and Distributed System Security (NDSS). 2020, pp. 1–18.
  41. [41] The MITRE Corporation. Oilrig emulation plan. Accessed: Oct. 2023. [Online]. Available: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/oilrig
  42. [42] The MITRE Corporation. Golden Ticket. Accessed: Jan. 2024. [Online]. Available: https://attack.mitre.org/techniques/T1558/001/
  43. [43] Muhammad Adil Inam, Yinfang Chen, Akul Goyal, Jason Liu, Jaron Mink, Noor Michael, Sneha Gaur, Adam Bates, and Wajih Ul Hassan. “SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions”. In: IEEE Symposium on Security and Privacy (S&P). 2023, pp. 2620–2638.
  44. [44] Microsoft. Security auditing. Accessed: May 2023. [Online]. Available: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/security-auditing-overview
  45. [45] Microsoft. LSA Logon Sessions. Accessed: Feb. 2024. [Online]. Available: https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-logon-sessions
  46. [46] Mark E. Russinovich and Aaron Margosis. Troubleshooting with the Windows Sysinternals Tools, 2nd Edition. Microsoft Press, 2016.
  47. [47] Andrea Allievi, Alex Ionescu, David A. Solomon, Kate Chase, and Mark E. Russinovich. Windows Internals, Part 2, 7th Edition. Microsoft Press, 2022.
  48. [48] Andrei Miroshnikov. Windows Security Monitoring: Scenarios and Patterns. Wiley, 2018.
  49. [49] James Forshaw. Windows Security Internals: A Deep Dive into Windows Authentication, Authorization, and Auditing. No Starch Press, 2024.
  50. [50] The MITRE Corporation. T1021.001. Accessed: Jan. 2024. [Online]. Available: https://attack.mitre.org/techniques/T1021/001/
  51. [51] Microsoft. Fast User Switching. Accessed: Feb. 2024. [Online]. Available: https://learn.microsoft.com/en-us/windows/win32/shell/fast-user-switching
  52. [52] Microsoft. User Account Control. Accessed: Feb. 2024. [Online]. Available: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/
  53. [53] The MITRE Corporation. MITRE ATT&CK Campaigns. Accessed: May 2024. [Online]. Available: https://attack.mitre.org/campaigns/
  54. [54] Elastic NV. Elasticsearch. Accessed: Sept. 2023. [Online]. Available: https://www.elastic.co/
  55. [55] Elastic NV. EQL search. Accessed: Sept. 2023. [Online]. Available: https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html
  56. [56] Mark Russinovich and Thomas Garnier. System Monitor. Accessed: Feb. 2023. [Online]. Available: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
  57. [57] Sean Wheeler and Mikey Lombardi. About Logging Windows. Accessed: April 2023. [Online]. Available: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3
  58. [58] Angelos D. Keromytis. DARPA Transparent Computing E3. Accessed: Sept. 2023. [Online]. Available: https://github.com/darpa-i2o/Transparent-Computing/blob/master/README-E3.md
  59. [59] Jacob Torrey. DARPA Transparent Computing. Accessed: Sept.
  60. [60] [Online]. Available: https://github.com/darpa-i2o/Transparent-Computing
  61. [61] Mike van Opstal and William Arbaugh. DARPA OpTC. Accessed: Sept. 2023. [Online]. Available: https://github.com/FiveDirections/OpTC-data
  62. [62] The MITRE Corporation. MITRE Adversary Emulation Library. Accessed: Jan. 2023. [Online]. Available: https://github.com/center-for-threat-informed-defense/adversary_emulation_library
  63. [63] The MITRE Corporation. MITRE Engenuity. Accessed: Jan.
  64. [64] [Online]. Available: https://attackevals.mitre-engenuity.org/
  65. [65] The MITRE Corporation. APT29 emulation plan. Accessed: Oct. 2023. [Online]. Available: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/apt29
  66. [66] The MITRE Corporation. WizardSpider emulation plan. Accessed: Oct. 2023. [Online]. Available: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/wizard_spider
  67. [67] Google Security Operations. Chronicle Detection Rules. Accessed: Sept. 2023. [Online]. Available: https://github.com/chronicle/detection-rules
  68. [68] Xander Bouwman, Harm Griffioen, Jelle Egbers, Christian Doerr, Bram Klievink, and Michel van Eeten. “A different cup of TI? The added value of commercial threat intelligence”. In: USENIX Security Symposium. 2020, pp. 433–450.
  69. [69] Evgeny Mirolyubov, Max Taggett, Franz Hinner, and Nikul Patel. Magic Quadrant for Endpoint Protection Platforms.
  70. [70] [Online]. Available: https://www.gartner.com/doc/reprints?id=1-2FFCXFOM&ct=231025&st=sb
  71. [71] Allie Mellen. The Forrester New Wave: Extended Detection And Response (XDR) Providers, Q4 2021. 2021. [Online]. Available: https://www.forrester.com/report/the-forrester-new-wave-tm-extended-detection-and-response-xdr-providers-q4-2021/RES176400
  72. [72] Shiqing Ma, Juan Zhai, Fei Wang, Kyu Hyung Lee, Xiangyu Zhang, and Dongyan Xu. “MPI: Multiple perspective attack investigation with semantic aware execution partitioning”. In: USENIX Security Symposium. 2017, pp. 1111–1128.
  73. [73] Grant Ho, Mayank Dhiman, Devdatta Akhawe, Vern Paxson, Stefan Savage, Geoffrey M Voelker, and David A Wagner. “Hopper: Modeling and Detecting Lateral Movement”. In: USENIX Security Symposium. 2021, pp. 3093–3110.