Description
This project automatically collects and enriches the hashes of binaries executed on the company IT infrastructure that the EDR (Endpoint Detection and Response) has identified as malicious. The objective is to build Threat Intelligence through logical processing of that data, detect potential malware, and eventually take remedial action.
I developed a C# program that:
- Connects to the SIEM (Security Information and Event Management) to retrieve EDR logs about malicious executables launched on company devices.
- Stores the executables' signatures (hashes) in a SQL Server database, together with all the information from the log (user, path, device …).
- Looks up the public reputation of each executable through the VirusTotal API.
- Searches for the hash in the company's CTI platform, which holds a large database of malicious IOCs collected during past events and attacks, to check whether the hash is associated with any past security event.
- Regularly updates the SQL Server database with new VirusTotal scores or new relations found in the CTI platform.
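The following is an added illustration of the enrichment step, not the project's own code. It takes one EDR log record, validates the hash before it is used anywhere, parses a VirusTotal API v3 `files/{hash}` report (the response body below is a constructed sample), and prepares a parameterised SQL Server MERGE so the record is inserted on first sight and its score refreshed afterwards. The table name `dbo.MaliciousHashes` and the record type `EdrHit` are placeholders; the CTI platform lookup is left out because the page names no specific platform API.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.RegularExpressions;

// Added example, not the project's code. Assumes VirusTotal API v3 and a
// SQL Server table dbo.MaliciousHashes (placeholder name).
public record EdrHit(string Hash, string User, string Device, string Path, DateTime SeenAt);

public record VtVerdict(int Malicious, int Suspicious, int Undetected, int Harmless)
{
    public int Total => Malicious + Suspicious + Undetected + Harmless;
}

public static class HashEnrichment
{
    // Only MD5 / SHA-1 / SHA-256 hex strings are accepted before a value is
    // placed in a URL or a query; anything else from the log is rejected.
    static readonly Regex HexHash = new("^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$");

    public static bool IsValidHash(string s) => s is not null && HexHash.IsMatch(s);

    // Parses the body returned by GET https://www.virustotal.com/api/v3/files/{hash}
    // (request sent with the "x-apikey" header) down to last_analysis_stats.
    public static VtVerdict ParseVirusTotalReport(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var stats = doc.RootElement.GetProperty("data")
                                   .GetProperty("attributes")
                                   .GetProperty("last_analysis_stats");
        int Get(string name) => stats.TryGetProperty(name, out var v) ? v.GetInt32() : 0;
        return new VtVerdict(Get("malicious"), Get("suspicious"), Get("undetected"), Get("harmless"));
    }

    // Parameterised MERGE: insert the hash on first sight, otherwise refresh the
    // score and last-seen time. User names and file paths come from endpoint logs
    // and are attacker-influenced, so they travel only as parameters, never by
    // string concatenation into the SQL text.
    public const string UpsertSql = @"
MERGE dbo.MaliciousHashes AS t
USING (SELECT @Hash AS Hash) AS s ON t.Hash = s.Hash
WHEN MATCHED THEN
    UPDATE SET VtMalicious = @VtMalicious, VtTotal = @VtTotal,
               LastSeen = @SeenAt, LastUpdated = SYSUTCDATETIME()
WHEN NOT MATCHED THEN
    INSERT (Hash, UserName, Device, FilePath, FirstSeen, LastSeen, VtMalicious, VtTotal, LastUpdated)
    VALUES (@Hash, @User, @Device, @Path, @SeenAt, @SeenAt, @VtMalicious, @VtTotal, SYSUTCDATETIME());";

    public static Dictionary<string, object> BuildParameters(EdrHit hit, VtVerdict vt) => new()
    {
        ["@Hash"] = hit.Hash.ToLowerInvariant(),   // normalised so one hash maps to one row
        ["@User"] = hit.User,
        ["@Device"] = hit.Device,
        ["@Path"] = hit.Path,
        ["@SeenAt"] = hit.SeenAt,
        ["@VtMalicious"] = vt.Malicious,
        ["@VtTotal"] = vt.Total,
    };
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample log record and constructed VirusTotal response body.
        var hit = new EdrHit("0123456789abcdef0123456789abcdef", "jdoe", "WS-0042",
                             @"C:\Users\jdoe\Downloads\invoice.exe", DateTime.UtcNow);
        const string vtJson = @"{""data"":{""type"":""file"",""id"":""0123456789abcdef0123456789abcdef"",
            ""attributes"":{""last_analysis_stats"":{""harmless"":0,""malicious"":61,""suspicious"":0,""undetected"":9}}}}";

        if (!HashEnrichment.IsValidHash(hit.Hash)) { Console.WriteLine("rejected malformed hash"); return; }
        var verdict = HashEnrichment.ParseVirusTotalReport(vtJson);
        Console.WriteLine($"{hit.Hash}: {verdict.Malicious}/{verdict.Total} engines flag it");

        // With a live connection the statement would be executed as:
        //   using var cmd = new SqlCommand(HashEnrichment.UpsertSql, connection);
        //   foreach (var (k, v) in HashEnrichment.BuildParameters(hit, verdict)) cmd.Parameters.AddWithValue(k, v);
        //   cmd.ExecuteNonQuery();
        foreach (var (k, v) in HashEnrichment.BuildParameters(hit, verdict))
            Console.WriteLine($"  {k} = {v}");
    }
}
```

The refresh described in the last bullet is the same MERGE run again on a schedule: the `WHEN MATCHED` branch overwrites the score while the original `FirstSeen`, user and path are preserved, so the database keeps the first occurrence context alongside the current reputation.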
Technology used
- C#
- SIEM
- CTI Platform
- SQL Server