Detecting attacks leveraging vulnerabilities fixed in MS17-010 from Event Log

2019 
Many organizations have suffered damage from cyberattacks that leverage Windows vulnerabilities. Unpatched Windows systems are still in use, especially in Industrial Control Systems (ICS), for operational reasons, and attackers are likely to abuse them to spread an infection. In particular, the vulnerabilities fixed in MS17-010 have been leveraged to spread malware such as the WannaCry ransomware and malware used in targeted attacks. Many systems around the world (e.g., electronic noticeboards, payment terminals, car production lines) were exploited through Windows vulnerabilities, leading to failures across a variety of critical infrastructure. Attackers can exploit these vulnerabilities easily because convenient attack tools such as "EternalBlue" or "EternalRomance" are published on the Internet. These tools abuse legitimate processes running on Windows systems, so operators can hardly notice any trace of the attack. Attacks leveraging vulnerabilities can be mitigated by applying security updates; however, applying them is sometimes difficult because of the long life cycle of such systems and their strict availability requirements. There are several methods for detecting attacks leveraging vulnerabilities, such as an Intrusion Detection System (IDS), but they are sometimes difficult to deploy because they require changes to the existing system structure. In this research, we propose a method for detecting attacks leveraging the vulnerabilities fixed in MS17-010 by analyzing Windows' built-in Event Logs. The proposed method can detect attacks against almost all supported versions of Windows. Furthermore, it can be easily integrated into a production environment since it uses only Windows standard functions.
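As an added illustration of the kind of Event Log correlation the abstract describes (this is example code written for this page, not the paper's method; the page does not state which events the authors use), the following rule flags a service installation (System Event ID 7045) that follows an anonymous network logon (Security Event ID 4624, LogonType 3) within a short window. Both event IDs are standard Windows IDs; treating this pairing as an indicator of MS17-010 exploitation, the 60-second window, and the sample records are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample event records (not real captures). Field names mirror the
# EventData values found in the Windows Event Log XML. Event IDs 4624 (logon)
# and 7045 (service installed) are standard Windows IDs; using this pairing as
# an MS17-010 indicator is an assumption of this example, not the paper's rule.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2019-05-01T10:00:00", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "192.0.2.10"},
    {"EventID": 7045, "TimeCreated": "2019-05-01T10:00:04",
     "ServiceName": "xyzsvc", "ImagePath": r"C:\Windows\Temp\x.exe"},
    {"EventID": 4624, "TimeCreated": "2019-05-01T11:00:00", "LogonType": 3,
     "TargetUserName": "alice", "IpAddress": "192.0.2.20"},
    {"EventID": 7045, "TimeCreated": "2019-05-01T11:30:00",
     "ServiceName": "AgentSvc", "ImagePath": r"C:\Program Files\Agent\svc.exe"},
]


def is_anonymous_network_logon(ev):
    """True for a Security 4624 event that is a network (type 3) logon
    by the ANONYMOUS LOGON account."""
    return (ev["EventID"] == 4624 and ev.get("LogonType") == 3
            and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON")


def find_suspicious_sequences(events, window_seconds=60):
    """Return (logon_event, service_event) pairs where a service was
    installed within window_seconds after an anonymous network logon."""
    ts = lambda ev: datetime.fromisoformat(ev["TimeCreated"])
    ordered = sorted(events, key=ts)
    hits = []
    for i, ev in enumerate(ordered):
        if not is_anonymous_network_logon(ev):
            continue
        deadline = ts(ev) + timedelta(seconds=window_seconds)
        for later in ordered[i + 1:]:
            if ts(later) > deadline:
                break  # events are sorted, nothing later can match
            if later["EventID"] == 7045:
                hits.append((ev, later))
    return hits


if __name__ == "__main__":
    for logon, svc in find_suspicious_sequences(SAMPLE_EVENTS):
        print(f"{logon['TimeCreated']} anonymous logon from {logon['IpAddress']} "
              f"followed by service '{svc['ServiceName']}' ({svc['ImagePath']})")
```

The legitimate logon by "alice" followed half an hour later by an agent installation is not flagged, which shows why both the account condition and the time window matter.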