
Reading Room



Featuring 59 Papers as of April 14, 2021

  • Practical Process Analysis – Automating Process Log Analysis with PowerShell by Matthew Moore - December 29, 2020 

    Windows event log analysis is an important and often time-consuming part of endpoint forensics. Deep dives into user logins, process activity, and PowerShell/WMI activity can take significant time, even with current tools. Additionally, while utilities exist to automatically parse various Windows logs, most of them offer no native analytical functionality beyond manual filtering on certain strings or event IDs. Windows' native scripting language, PowerShell, combined with Microsoft's Log Parser utility, was used to create several scripts focused on process creation and analysis. These scripts can detect processes spawning from unusual locations, processes that fall outside a baseline 'allow list', and processes that appear normal but are actually anomalous. They complement other current tools such as Kape or Kansa, allowing automated analysis of the data those tools gather.
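    As an added example (not the paper's PowerShell scripts), the checks the abstract describes, run in Python over a handful of constructed 4688-style process-creation records: image path outside the trusted directories, image not in a baseline allow list, a system-binary name loaded from a non-canonical location, an unexpected parent for a service host, and a suspicious parent/child pairing. The baseline, trusted directories, canonical paths and pairings are analyst-chosen assumptions for the demonstration, not values from the paper:

```python
"""Process-creation anomaly checks over Windows 4688-style records.

Added example, not the paper's PowerShell scripts. The record layout
mirrors the NewProcessName / ParentProcessName / SubjectUserName fields
of Security event 4688; the baseline, trusted directories and
parent/child rules below are analyst-chosen assumptions for the demo.
"""
from collections import Counter


def norm(path):
    """Lower-case and forward-slash a Windows path so comparisons are case-insensitive."""
    return path.replace("\\", "/").lower()


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe", "SubjectUserName": "SYSTEM"},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "SubjectUserName": "alice"},
    {"NewProcessName": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "alice"},
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "SubjectUserName": "alice"},
    {"NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "alice"},
]

# Baseline "allow list" of full image paths seen during a clean period (assumed).
ALLOW_LIST = {norm(p) for p in (
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
)}
# Directories from which process images are normally expected to load (assumed).
TRUSTED_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")
# Canonical locations of well-known system binaries; a same-named image elsewhere is masquerading.
CANONICAL = {"svchost.exe": "c:/windows/system32/svchost.exe",
             "lsass.exe": "c:/windows/system32/lsass.exe"}
# Images that have exactly one legitimate parent (assumed baseline).
EXPECTED_PARENTS = {"c:/windows/system32/svchost.exe": {"c:/windows/system32/services.exe"}}
# Parent/child basename pairs that are suspicious regardless of path (assumed).
SUSPICIOUS_PAIRS = {("winword.exe", "powershell.exe"), ("excel.exe", "powershell.exe"),
                    ("winword.exe", "cmd.exe")}


def analyze(events):
    """Return (process_path, rule) findings for every event that trips a rule."""
    findings = []
    for e in events:
        proc, parent = norm(e["NewProcessName"]), norm(e["ParentProcessName"])
        name, pname = proc.rsplit("/", 1)[-1], parent.rsplit("/", 1)[-1]
        if not proc.startswith(TRUSTED_DIRS):
            findings.append((proc, "unusual_location"))
        if proc not in ALLOW_LIST:
            findings.append((proc, "not_in_allow_list"))
        if name in CANONICAL and proc != CANONICAL[name]:
            findings.append((proc, "masquerade"))
        if proc in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[proc]:
            findings.append((proc, "unexpected_parent"))
        if (pname, name) in SUSPICIOUS_PAIRS:
            findings.append((proc, "suspicious_parent_child"))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return Counter(rule for _proc, rule in findings)


if __name__ == "__main__":
    for proc, rule in analyze(SAMPLE_EVENTS):
        print(f"{rule:24} {proc}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

    The masquerade and unexpected-parent rules are what catch the third and fifth sample events: the image name is a normal one, so a string or event-ID filter alone would pass them, which is the gap the abstract points at. In practice the allow list is built from the same 4688 data collected during a known-clean window, and the rules are re-run against new collections.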

  • No Strings on Me: Linux and Ransomware Graduate Student Research
    by Richard Horne - October 7, 2020 

    Ransomware poses an ever-increasing threat to businesses and organizations as it continues to evolve and change. Many organizations are forced to pay for solutions to this growing problem with expensive and out-of-date signature-based solutions. As the possibility looms for ransomware to impact all operating systems and businesses alike, organizations will need to focus on early detections and warnings to stay ahead of its spread. This paper aims to examine the probability of detecting ransomware throughout its lifecycle within Linux environments. In conjunction with detections, the ultimate goal of the ideas presented is to provide security teams with a more reliable and cost-effective method to detect, react, and neutralize Linux ransomware variants.

  • Chaining Vulnerability Scans in Tenable IO Using Python by Jeff Holland - August 10, 2020 

    Enterprise vulnerability scanning traditionally makes use of multiple scanners, runs scans against targets in a parallel manner for maximum efficiency, and uses substantial amounts of bandwidth. However, a particular scanning use case exists that involves scanning targets in a sequential, or "chained", manner so as to conserve bandwidth. Tenable IO and the Tenable-supported PyTenable library do not currently support chained scanning. Using Tenable IO and a collection of Python scripts, an application by which to scan targets in a chained manner will be presented. Additional features such as the automation of scan creation, deletion and execution will be demonstrated, as well as the use of configuration files to define scans and logging parameters. The culmination of these application features will address and satisfy the use case of deploying chained scans in Tenable IO using Python and the Tenable IO REST API.

  • Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths Graduate Student Research
    by Brianne Fahey - June 26, 2019 

    Preparations made during the Identify Function of the NIST Cybersecurity Framework can often pay dividends once an event response is warranted. Knowing what log data is available improves incident response readiness and providing a visual layout of those sources enables responders to pivot rapidly across relevant elements. Thinking in graphs is a multi-dimensional approach that improves upon defense that relies on one-dimensional lists and two-dimensional link analyses. This paper proposes a methodology to survey available data element relationships and apply a graph database schema to create a visual map. This graph data map can be used by analysts to query relationships and determine paths through the available data sources. A graph data map also allows for the consideration of log sources typically found in a SIEM alongside other data sources like an asset management database, application whitelist, or HR information which may be particularly useful for event context and to review potential Insider Threats. The templates and techniques described in this paper are available in GitHub for immediate use and further testing.

  • Microsoft DNS Logs Parsing and Analysis: Establishing a Standard Toolset and Methodology for Incident Responders Graduate Student Research
    by Shelly Giesbrecht - November 2, 2018 

    Microsoft DNS request and response event logs are frequently ignored by incident responders within an investigation due to a historical reputation of being hard to parse and analyze. The fundamental importance of DNS to networking and the functioning of the Internet suggests this oversight could lead to a lack of crucial contextual information in an investigative timeline. This paper seeks to define a best practice for parsing, exporting and analyzing Microsoft DNS Debug and Analytical logs through the comparison of existing tool combinations to DNSplice, a purpose-built utility coded during the development of this paper. Findings suggest that DNSplice is superior to other toolsets tested where time to completion is a critical factor in the investigative process. Further research is required to determine if the findings are still valid on larger datasets or different analysis hardware.
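    As an added example that is not DNSplice or any of the tools compared in the paper, a small Python parser for the packet lines of the Microsoft DNS debug log, with the length-prefixed name decoding and the per-client NXDOMAIN counting an analyst would want on an investigative timeline. The column layout it assumes is spelled out in the docstring and the log lines are constructed; check the regular expression against a line from your own server before relying on it:

```python
"""Parse Microsoft DNS Server debug-log packet lines and count NXDOMAIN answers per client.

Added example, not DNSplice or any tool from the paper. The column layout
assumed here (date, time, thread id, PACKET, packet pointer, UDP/TCP,
Snd/Rcv, remote IP, XID, an 'R' on responses, opcode, [flags rcode],
query type, length-prefixed name) is the packet-line layout of the Windows
DNS debug log as understood by the author of this example; the log lines
below are constructed, not real data.
"""
import re
from collections import Counter

DNS_DEBUG_LINE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+(?P<ptr>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R)?\s*(?P<op>\S)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

# Constructed sample log, including the non-packet header lines the parser must skip.
SAMPLE_LOG = """\
DNS Server log file creation at 1/25/2018 9:00:00 AM
Log file wrap at 1/25/2018 9:00:00 AM
Message logging key (for packets - other items use a subset of these fields):
1/25/2018 9:15:02 AM 0CB4 PACKET  000000B6A4E2B0C0 UDP Rcv 10.10.1.25      3f2a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/25/2018 9:15:02 AM 0CB4 PACKET  000000B6A4E2B0C0 UDP Snd 10.10.1.25      3f2a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/25/2018 9:15:03 AM 0CB4 PACKET  000000B6A4E2C1D0 UDP Rcv 10.10.1.77      91aa   Q [0001   D   NOERROR] A      (6)zq3k9x(12)evil-example(3)net(0)
1/25/2018 9:15:03 AM 0CB4 PACKET  000000B6A4E2C1D0 UDP Snd 10.10.1.77      91aa R Q [8083   DR  NXDOMAIN] A      (6)zq3k9x(12)evil-example(3)net(0)
1/25/2018 9:15:04 AM 0CB4 PACKET  000000B6A4E2C1D0 TCP Rcv 10.10.1.77      91ab   Q [0001   D   NOERROR] TXT    (4)p8f2(12)evil-example(3)net(0)
1/25/2018 9:15:04 AM 0CB4 PACKET  000000B6A4E2C1D0 TCP Snd 10.10.1.77      91ab R Q [8083   DR  NXDOMAIN] TXT    (4)p8f2(12)evil-example(3)net(0)
"""


def decode_qname(wire):
    """Turn the debug log's (3)www(7)example(3)com(0) form into www.example.com."""
    labels = [label for _n, label in re.findall(r"\((\d+)\)([^(]*)", wire) if label]
    return ".".join(labels) if labels else "."


def parse_flags(text):
    """Split the contents of '[8083   DR  NXDOMAIN]' into hex flags, flag letters and rcode."""
    parts = text.split()
    return {"hex": parts[0], "chars": "".join(parts[1:-1]), "rcode": parts[-1]}


def parse_log(lines):
    """Return one dict per packet line; header, wrap and blank lines are skipped."""
    records = []
    for line in lines:
        m = DNS_DEBUG_LINE.match(line)
        if not m:
            continue
        f = parse_flags(m["flags"])
        records.append({
            "timestamp": f"{m['date']} {m['time']}",
            "proto": m["proto"], "dir": m["dir"], "client": m["ip"],
            "xid": m["xid"], "response": m["resp"] == "R",
            "rcode": f["rcode"], "flag_chars": f["chars"],
            "qtype": m["qtype"], "qname": decode_qname(m["qname"]),
        })
    return records


def nxdomain_by_client(records):
    """Count NXDOMAIN answers sent to each client; a burst often means DGA or probing activity."""
    return Counter(r["client"] for r in records if r["response"] and r["rcode"] == "NXDOMAIN")


def queries_by_client(records):
    """Count the distinct names each client asked for."""
    seen = {}
    for r in records:
        if not r["response"]:
            seen.setdefault(r["client"], set()).add(r["qname"])
    return {ip: len(names) for ip, names in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r["timestamp"], r["dir"], r["client"], r["qtype"], r["qname"], r["rcode"])
    print("NXDOMAIN per client:", dict(nxdomain_by_client(recs)))
```

    Matching on the XID and client address pairs each query with its answer, which is what lets an analyst place a single resolution, with its rcode, on the timeline next to the process or logon events from the same host. Lines that do not match the packet layout are dropped rather than guessed at, so the skipped-line count is worth logging when running this over a large file.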

  • Testing Web Application Security Scanners against a Web 2.0 Vulnerable Web Application Graduate Student Research
    by Edmund Foster - October 11, 2018 

    Web application security scanners are used to perform proactive security testing of web applications. Their effectiveness is far from certain, and few studies have tested them against modern 'Web 2.0' technologies which present significant challenges to scanners. In this study three web application security scanners are tested in 'point-and-shoot' mode against a Web 2.0 vulnerable web application with AJAX and HTML use cases. Significant variations in performance were observed and almost three-quarters of vulnerabilities went undetected. The web application security scanners did not identify Stored XSS, OS Command, Remote File Inclusion, and Integer Overflow vulnerabilities. This study supports the recommendation to combine multiple web application security scanners and use them in conjunction with a specific scanning strategy.

  • Which YARA Rules Rule: Basic or Advanced? Graduate Student Research
    by Chris Culling - August 10, 2018 

    YARA rules, if used effectively, can be a powerful tool in the fight against malware. However, it appears that the majority of individuals who use YARA write only the most basic of rules, instead of taking advantage of YARA’s full functionality. Basic YARA rules, which focus primarily on identifying malware signatures via detection of predetermined strings within the target file, folder, or process, can be evaded as malware variants are created. Advanced YARA rules, on the other hand, which often include signatures as well, also focus on the malware’s behavior and characteristics, such as size and file type. While it is not uncommon for strings within malware to change, it is much rarer that its primary behavior will. After analyzing multiple samples of two different malware strains within the same family, it became clear that using both basic and advanced YARA rules is the most effective way for users and analysts to implement this powerful tool. As there are a large number of advanced capabilities contained within YARA, this paper will focus on easy-to-use, advanced features, including YARA's Portable Executable (PE) module, to highlight some of the more powerful aspects of YARA. While it takes more time and effort to learn and utilize advanced YARA rules, in the long run, this method is a worthwhile investment towards a safer networking environment.

  • One-Click Forensic Analysis: A SANS Review of EnCase Forensic Analyst Paper (requires membership in community)
    by Jake Williams - June 27, 2018 

    When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data in a more efficient manner. Learn more in this product review of EnCase Forensic 8.

  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.

  • Tailoring Intelligence for Automated Response Analyst Paper (requires membership in community)
    by Sonny Sarai - May 2, 2018 

    Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes -- but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.

  • Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools Graduate Student Research
    by J. Richard “Rick” Kiper, Ph.D. - March 16, 2018 

    One of the most common challenges for a digital forensic examiner is tool selection. In recent years, examiners have enjoyed a significant expansion of the digital forensic toolbox – in both commercial and open source software. However, the increase of digital forensics tools did not come with a corresponding organizational structure for the toolbox. As a result, examiners must conduct their own research and experiment with tools to find one appropriate for a particular task. This study collects input from forty six practicing digital forensic examiners to develop a Digital Forensics Tools Typology, an organized collection of tool characteristics that can be used as selection criteria in a simple search engine. In addition, a novel method is proposed for depicting quantifiable digital forensic tool characteristics.

  • Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform Analyst Paper (requires membership in community)
    by Dave Shackleford - October 17, 2017 

    SANS Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.

  • Next-Gen Protection for the Endpoint: SANS Review of Carbon Black Cb Defense Analyst Paper (requires membership in community)
    by Jerry Shenk - September 14, 2017 

    In today’s threat landscape, organizations wanting to shore up their defenses need endpoint tools that not only detect, alert on and prevent malware and malware-less attacks, but also give defenders a road map of the systems and pathways attackers took advantage of. Our review shows that Carbon Black’s Cb Defense does all this and more with a high degree of intelligence and analytics. Using a cloud-based delivery model, it makes informed decisions on subtle user and system behaviors that we wouldn’t otherwise see with traditional antivirus tools. Importantly, it saved us time: manual correlation and false positives are among the top 10 time-consuming tasks IT professionals hate, according to a recent article in Dark Reading. Rather than toggling between separate security systems, traffic logs and so on, we used a single cloud interface, through drill-down and pivot, to determine whether a threat was a false positive or real.

  • Asking the Right Questions: A Buyer's Guide to Dynamic Scanning to Secure Web Applications Analyst Paper (requires membership in community)
    by Barbara Filkins - September 12, 2017 

    Securing a web application across its lifecycle is fundamentally different from securing an application born inside a secure perimeter. Selecting tools designed to scan running applications is more complex and challenging than selecting conventional tools, because the threat these tools are designed to counter is also more intensive and more pervasive. This makes the choice of tool critical. This paper walks you through the parameters involved in the decision-making process.

  • Detecting Incidents Using McAfee Products by Lucian Andrei - October 10, 2016 

    Modern attacks against computer systems call for a combination of multiple solutions in order to be prevented and detected. This paper analyzes the capacity of commercial tools, with minimal configuration, to detect threats. Traditionally, companies use antivirus software to protect against malware, and a firewall combined with an IDS to protect against network attacks. This paper analyzes the efficacy of three combinations against application attacks: antivirus alone, antivirus plus host IDS, and antivirus plus host IDS plus application whitelisting. Before running the tests we predicted that the antivirus would block 20% of the attacks, the HIDS would detect an additional 15%, and McAfee Application Control would protect against at least 50% more of the attacks executed by an average attacker using known exploits without much obfuscation of the payload. The success of defensive commercial tools against attacks will justify the investment a company is required to make.

  • Using Vagrant to Build a Manageable and Sharable Intrusion Detection Lab Graduate Student Research
    by Shaun McCullough - September 20, 2016 

    This paper investigates how the Vagrant software application can be used by Information Security (InfoSec) professionals looking to provide their audience with an infrastructure environment to accompany their research. InfoSec professionals conducting research or publishing write-ups can provide opportunities for their audience to replicate or walk through the research themselves in their own environment. Vagrant is a popular DevOps tool for providing portable and repeatable production environments for application developers, and may solve the needs of the InfoSec professional. This paper will investigate how Vagrant works, the pros and cons of the technology, and how it is typically used. The paper describes how to build or repurpose three environments, highlighting different features of Vagrant. Finally, the paper will discuss lessons learned.

  • Mimikatz Overview, Defenses and Detection Graduate Student Research
    by James Mulder - February 29, 2016 

    Over the past decade or so, we have seen hacker tools mature from tedious bit flipping to robust attack frameworks.

  • How to Leverage PowerShell to Create a User- Friendly Version of WinDump Graduate Student Research
    by Robert Adams - January 18, 2016 

    Security professionals rely on a myriad of tools to accomplish their job. This is no different than the toolboxes that plumbers, electricians, and other trade professionals carry with them every day.

  • Burp Suite(up) with fancy scanning mechanisms by Zoltan Panczel - December 28, 2015 

    Burp Suite Professional is a powerful HTTP interception proxy with lots of additional functions like Spider, Sequencer or Scanner (Portswigger.net, 2015). This tool is one of the most recommended security scanners (Henry Dalziel, 2015). The capabilities of this software almost make this the perfect web vulnerability scanner.

  • Extracting Files from Network Packet Captures Graduate Student Research
    by Rebecca Deck - December 28, 2015 

    Full content packet captures provide analysts with the ability to review exactly what has transpired on a network. Analysts neither have to rely on questionable logs nor perform guesswork when determining what data have been transferred.

  • The Power and Implications of Enabling PowerShell Remoting Across the Enterprise Graduate Student Research
    by Robert Adams - December 23, 2015 

    The marketing department of Company X has been the target of a phishing attack.

  • Coding For Incident Response: Solving the Language Dilemma Graduate Student Research
    by Shelly Giesbrecht - July 28, 2015 

    Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" are necessary skills in a responder's personal toolkit. The question for IR practitioners is what language should they learn that will be the most useful in their work? In this paper, we will examine several coding languages used in writing tools and scripts used for incident response including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.

  • eAUDIT: Designing a generic tool to review entitlements Graduate Student Research
    by Francois Begin - June 22, 2015 

    In a perfect world, identity and access management would be handled in a fully automated way.

  • Rapid Triage: Automated System Intrusion Discovery with Python Graduate Student Research
    by Trenton Bond - February 21, 2014 

    There are six major incident handling phases typically used to manage information security incidents: preparation, identification, containment, eradication, recovery, and lessons learned.

  • How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk? Graduate Student Research
    by Tim Proffitt - September 19, 2013 

    Metrics are used in many facets of a person's life and can be quite beneficial to the decision making process.

  • The Security Onion Cloud Client Network Security Monitoring for the Cloud Graduate Student Research
    by Joshua Brower - September 17, 2013 

    Network Security Monitoring (NSM) is the "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

  • IP Fragment Reassembly with Scapy Graduate Student Research
    by Mark Baggett - July 5, 2012 

    Overlapping IP fragments can be used by attackers to hide their nefarious intentions from intrusion detection system and analysts.
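    As an added example in plain Python (not the paper's Scapy code), a reassembler that shows why overlapping fragments are an evasion: the same four fragments produce two different payloads depending on whether the receiver keeps the first or the last data seen for an overlapped byte, so an IDS that reassembles under a different policy than the target host inspects a different stream than the one delivered. Fragments are modelled as (offset in 8-byte units, more-fragments flag, payload), the information an IPv4 header carries, and the sample fragments are constructed:

```python
"""Reassemble overlapping IP fragments under 'first' and 'last' overlap policies.

Added example in pure Python, not the paper's Scapy code. Fragments are
modelled as (offset_in_8_byte_units, more_fragments_flag, payload), which is
the information an IPv4 header carries; the sample fragments are constructed.
"""

# Constructed: the fragment at index 2 completely overlaps the one at index 1.
SAMPLE_FRAGMENTS = [
    (0, True,  b"HELLO WO"),   # bytes 0-7
    (1, True,  b"RLD!!!!!"),   # bytes 8-15, arrives first
    (1, True,  b"RLD evil"),   # bytes 8-15 again, arrives later
    (2, False, b" end"),       # bytes 16-19, MF=0 so it fixes the total length
]


def fragment_span(frag):
    """Byte range [start, end) covered by a fragment."""
    start = frag[0] * 8
    return start, start + len(frag[2])


def find_overlaps(fragments):
    """Index pairs (i, j), i < j, whose byte ranges intersect. An IDS should alert on any."""
    spans = [fragment_span(f) for f in fragments]
    return [(i, j) for i in range(len(spans)) for j in range(i + 1, len(spans))
            if spans[i][0] < spans[j][1] and spans[j][0] < spans[i][1]]


def reassemble(fragments, policy="first"):
    """Rebuild the datagram payload; 'first' keeps the earliest data for a byte, 'last' the latest.

    Returns None when the datagram is incomplete or malformed. Which policy a
    given host applies is a property of that host's IP stack; an IDS that
    guesses wrong sees a different payload than the target does.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    finals = [f for f in fragments if not f[1]]
    if len(finals) != 1:
        return None                      # no terminal fragment, or two competing ones
    total = fragment_span(finals[0])[1]
    buf, filled = bytearray(total), [False] * total
    for frag in fragments:
        if frag[1] and len(frag[2]) % 8:
            raise ValueError("non-final fragment payload must be a multiple of 8 bytes")
        start, end = fragment_span(frag)
        if end > total:
            return None                  # data past the declared end: malformed
        for pos in range(start, end):
            if policy == "last" or not filled[pos]:
                buf[pos] = frag[2][pos - start]
                filled[pos] = True
    return bytes(buf) if all(filled) else None


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SAMPLE_FRAGMENTS))
    for policy in ("first", "last"):
        print(f"{policy:5}:", reassemble(SAMPLE_FRAGMENTS, policy))
```

    The practical takeaway is that overlap itself is the signal: a legitimate sender has no reason to retransmit a fragment with different content at the same offset, so `find_overlaps` returning anything is grounds for an alert regardless of which reassembly the sensor settles on.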

  • Computer Forensic Timeline Analysis with Tapestry by Derek Edwards - November 29, 2011 

    One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.

  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).

  • About Face: Defending Your Organization Against Penetration Testing Teams Graduate Student Research
    by Terrence OConnor - December 6, 2010 

    In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test, and the tools in their arsenal, is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team’s time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.

  • Capturing and Analyzing Packets with Perl Graduate Student Research
    by John Brozycki - January 28, 2010 

    This paper walks through the steps in setting up a Windows system with Perl and the necessary add-ons to run and create packet-capturing Perl scripts.

  • Winquisitor: Windows Information Gathering Tool by Michael Cardosa - January 19, 2010 

    Winquisitor is a tool that facilitates the timely retrieval of information from multiple Windows systems enabling the administrator to respond in an appropriate amount of time. Unlike other command line tools, Winquisitor allows multiple types of queries in a single command with several output formats.

  • New Tools on the Bot War Front Analyst Paper (requires membership in community)
    by Jerry Shenk - December 12, 2009 

    This paper discusses the bot problem and its impact on enterprises, followed by a review of how FireEye's 4200 appliance catches bot installers and bot traffic on the network.

  • Building an Automated Behavioral Malware Analysis Environment using Open Source Software by Jim Clausing - June 18, 2009 

    This paper describes how an automated behavioral malware analysis environment for analyzing malware targeted at Microsoft Windows can be built using free and open source software.

  • IOScat - a Port of Netcat's TCP functions to Cisco IOS by Robert Vandenbrink - May 29, 2009 

    This paper outlines both how IOScat was written, and how it can be used for both Penetration Testing and System Administration.

  • IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms Graduate Student Research
    by Robert VandenBrink - November 18, 2008 

    This paper describes IOSmap, a port scanning tool implemented on Cisco IOS using the native TCL (Tool Command Language) scripting language on that platform. The business requirement for this tool, implementation considerations and challenges, and design choices are discussed.

  • Developing a Snort Dynamic Preprocessor by Daryl Ashley - August 20, 2008 

    The goal of this paper is to demonstrate how to create a controlled environment for testing and writing a dynamic preprocessor.

  • OS and Application Fingerprinting Techniques Graduate Student Research
    by Jon Mark Allen - September 27, 2007 

    This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f. I will discuss similarities and differences between not only active scanning and passive detection, but also the differences between the two active scanners as well. We will conclude with a brief discussion of why successful application or OS identification might be a bad thing for an administrator and offer suggestions to avoid successful detection.

  • Nessus Primer with the NessusWX Client by Cecil Stoll - September 16, 2004 

    The focus of this paper will be to proactively seek out known vulnerabilities on the end systems and the processes running on them.

  • An Ettercap Primer by Duane Norton - June 9, 2004 

    Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions.

  • Managing Peer-to-Peer Applications in Dormitory Networks by Wayne Lai - March 9, 2004 

    Dormitory networks have security implications that are similar to, but distinct from, those of a typical network.

  • Demystifying security tools: Should I use commercial or freeware? by Sang Han - June 2, 2003 

    In this paper, I will touch upon why all network administrators need to incorporate security tool usage into their daily practices to help secure their environment.

  • Patch Management of Microsoft Products Using HFNetChkPro by Kris Poznanski - February 1, 2003 

    Microsoft, together with Shavlik Technologies, developed the Network Security Hotfix Checker (HFNetChk, Hfnetchk.exe), a command-line tool that administrators can use to centrally assess a computer or group of computers for missing security patches.

  • Using Sam Spade by Terry Pasley - January 24, 2003 

    This paper will examine a number of the more useful tools in Sam Spade.

  • netForensics - A Security Information Management Solution by Michael Godfrey - January 28, 2002 

    This paper discusses netForensics, a security information management (SIM) solution that positions itself as a central point for your security information that is collected by various devices.

  • Pocket Nessus by Tony Enriquez - January 23, 2002 

    The purpose of this paper is to introduce a particular set of tools that can be used to secure your network.

  • Tools, Tools, and TOOLS!! by Firas Shaheen - November 22, 2001 

    This paper provides a quick reference on popular tools (IDSes, Firewalls, Exploits, Scanners, Reconnaissance, Password crackers, Auditing, etc.), with a brief explanation on how they work, and where to get them.

  • An Introduction to NMAP by Tim Corcoran - October 25, 2001 

    NMAP is an excellent, multi functional utility that should be a part of every system administrator's toolkit.

  • Stop Port Scans with LaBrea by Jim McClurg - October 19, 2001 

    LaBrea is one of the best ideas in security retaliation.

  • Network Monitoring with Nagios by Scott Seglie - September 25, 2001 

    Nagios is a network-monitoring tool that allows administrators the ability to examine computers, routers, printers, and services.

  • Using Basic Security Module (BSM), Tripwire, System Logs, and Symantec's ITA for Audit Data C by Philip DiFato - September 22, 2001 

    The primary focus of this paper is to provide a host-based set of tools for auditing trace records of attempted attacks on a secured network of Solaris systems.

  • An Overview of SecureIIS - Are We Really Secured Now? by Zul Suhaimi - September 18, 2001 

    The objective of this practical paper is to understand how IIS can be protected using an application firewall.

  • PhoneSweep: The Corporate War Dialer by Greg Hodes - September 10, 2001 

    The unsecured modem provides a weak and often overlooked avenue into some of the most secure networks as discussed in this paper.

  • Intrusion Detection using ACID on Linux by Rusty Scott - September 7, 2001 

    This paper addresses a set of security practices that includes a number of key features mentioned in the SANS defense in depth model.

  • Netprowler--A Look at Symantec's Network Based IDS by Eric Biedermann - August 17, 2001 

    This paper examines the features and capabilities of the Netprowler IDS, reviews common types of attacks and looks at an example of a typical intrusion scenario.

  • Virtually Free Network Security Software - For the *nix disinclined by Dennis McHugh - August 14, 2001 

    This paper discusses some of the tools that have become a part of my personal toolkit that provide me with the ability to detect or verify different attacks and vulnerabilities as well as give me information necessary to report the attacks to the proper authorities.

  • Free NT Security Tools by Douglas Orey - August 6, 2001 

    A discussion of several software tools available to assist with security for NT users.

  • Password Cracking with L0phtCrack 3.0 by Patrick Boismenu - June 19, 2001 

    This paper was designed to describe how most password crackers operate.

  • Netcat - The TCP/IP Swiss Army Knife by Tom Armstrong - February 15, 2001 

    Netcat is a tool that every security professional should be aware of and possibly have in their 'security tool box'.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.