
The All-Seeing Eye of Sauron: A PowerShell tool for data collection and threat hunting

Published: 14 Oct, 2020
Created by:
Timothy Hoffman

The cost of a data breach is directly related to the time it takes to detect, contain, and eradicate it. According to a study by the Ponemon Institute, the average time to identify a breach in 2019 was 206 days (Ponemon Institute, 2019). Shortening this window is paramount to shortening the overall time an attacker remains in the environment, and to reducing the costs that accumulate while they do. With ever-evolving adversaries finding new ways to compromise organizations, preventive security measures are essential but not sufficient. Organizations should not assume that they will be compromised, but rather that they already have been. Finding and removing these existing intrusions is difficult: it requires threat hunting, the proactive search for an attacker whose presence in the environment has not been surfaced by existing detection technologies (Gunter & Seitz, 2018). This paper examines Eye of Sauron, a PowerShell tool that supports threat hunting in a Windows environment in two ways: by identifying known indicators of compromise (IOCs), and by anomaly detection using data stacking, in which the same class of artifact (for example, services, scheduled tasks, or autorun entries) is collected from many hosts and grouped by frequency of occurrence so that rare outliers stand out for review. Its capability to detect the presence of IOCs is tested in two scenarios, first in a simulated attack, and second after the introduction of malware.
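Data stacking, as an added example that is not part of the paper or of the Eye of Sauron tool: the script below takes a service inventory collected from several hosts, normalises each service's image path so that quoting, case and arguments do not split one binary into several groups, stacks the records by (service name, image path), and reports the groups seen on at most one host. The inventory is constructed sample data, and the host and service names in it are hypothetical.

```powershell
# Added example (not from the Eye of Sauron tool): data stacking, i.e. least-frequency-
# of-occurrence analysis, over a Windows service inventory gathered from several hosts.
# The inventory below is constructed sample data; host and service names are hypothetical.

# In a real hunt each record would come from a per-host collection such as
#   Get-CimInstance Win32_Service | Select-Object @{n='Host';e={$env:COMPUTERNAME}}, Name, PathName
# exported and merged. It is built inline here so the example runs offline.
$inventory = @(
    [pscustomobject]@{ Host = 'WS01'; Name = 'Spooler';    PathName = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Host = 'WS02'; Name = 'Spooler';    PathName = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Host = 'WS03'; Name = 'Spooler';    PathName = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Host = 'WS04'; Name = 'Spooler';    PathName = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Host = 'WS01'; Name = 'WinDefend';  PathName = '"C:\Program Files\Windows Defender\MsMpEng.exe"' }
    [pscustomobject]@{ Host = 'WS02'; Name = 'WinDefend';  PathName = '"C:\Program Files\Windows Defender\MsMpEng.exe"' }
    [pscustomobject]@{ Host = 'WS03'; Name = 'WinDefend';  PathName = '"C:\Program Files\Windows Defender\MsMpEng.exe"' }
    [pscustomobject]@{ Host = 'WS04'; Name = 'WinDefend';  PathName = '"C:\Program Files\Windows Defender\MsMpEng.exe"' }
    # Same binary, but one host reports a different path case: normalisation must merge these.
    [pscustomobject]@{ Host = 'WS01'; Name = 'Themes';     PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Host = 'WS02'; Name = 'Themes';     PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Host = 'WS03'; Name = 'Themes';     PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Host = 'WS04'; Name = 'Themes';     PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    # Rare but legitimate: a vendor agent on one host. Stacking surfaces it too; the hunter decides.
    [pscustomobject]@{ Host = 'WS02'; Name = 'PrintAgent'; PathName = 'C:\Program Files\Vendor\agent.exe' }
    # Hypothetical outlier: a service whose binary lives in a user-writable directory on one host.
    [pscustomobject]@{ Host = 'WS03'; Name = 'WinUpdSvc';  PathName = 'C:\Users\Public\svchost.exe' }
)

function Get-ImagePath {
    # Reduce a service PathName to its executable, lower-cased, so that quoting, case and
    # command-line arguments do not split one binary into several stacks.
    param([Parameter(Mandatory)] [string] $PathName)
    $p = $PathName.Trim().TrimStart('"')
    if ($p -match '^(.*?\.exe)') { $p = $Matches[1] }
    return $p.ToLowerInvariant()
}

function Get-StackOutliers {
    # Group records by (Name, normalised image path), count the distinct hosts in each
    # group, and return the groups present on at most $MaxHosts hosts, rarest first.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $MaxHosts = 1
    )
    $totalHosts = @($Records | Select-Object -ExpandProperty Host -Unique).Count

    $Records |
        ForEach-Object {
            [pscustomobject]@{ Host = $_.Host; Name = $_.Name; Image = Get-ImagePath $_.PathName }
        } |
        Group-Object -Property Name, Image |
        ForEach-Object {
            $hosts = @($_.Group | Select-Object -ExpandProperty Host -Unique)
            [pscustomobject]@{
                Name       = $_.Group[0].Name
                Image      = $_.Group[0].Image
                HostCount  = $hosts.Count
                Prevalence = '{0}/{1}' -f $hosts.Count, $totalHosts
                Hosts      = ($hosts -join ',')
            }
        } |
        Where-Object { $_.HostCount -le $MaxHosts } |
        Sort-Object HostCount, Name
}

# Report every (service, binary) pair that appears on a single host in the population.
Get-StackOutliers -Records $inventory -MaxHosts 1 | Format-Table -AutoSize
```

On the constructed inventory the four-host groups (including the Themes entries, which differ only in path case) drop out and only the two single-host services remain for the hunter to review. Two caveats follow from how the technique works: the stack is only as good as its key, so path normalisation (and, in practice, a file hash where one is available) matters more than the grouping itself; and rarity is a lead, not a verdict. A legitimate one-off agent will surface alongside a masquerading binary, while an implant that an attacker has deployed to every host in the population will not surface at all, which is why stacking complements, rather than replaces, IOC matching.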