2. Interpreting Results
As HEG steps through and executes each test, it will provide output like below:
Pink: - Mitre Tactic: Description of Tactic
Yellow: - [First Line] Timestamp - Description of Technique. [Second Line] Timestamp - Complete. (Without this final timestamp it can be difficult to know when a particular process finished executing)
Green: - Event IDs that could be expected from this test. Which of them actually appear will, of course, depend on the system's logging and audit configuration.
The output is also written to a .txt file (in the logs directory) so that an analyst has the timeline of events to refer back to after the PowerShell window has been closed.
HEG takes a copy of each relevant log channel that recorded events during its execution and exports each one to .csv for easier handling. This allows an analyst to deep dive into the actual logs with Jupyter, Python, Excel, etc.
Checking the Events_Timeline file, we can track down any of the tests. For this example we choose 'Creating a scheduled task'.
We can then open security_Logs.csv and search for 4688, 4657 and 4698 events between 07:05:37pm and 07:05:41pm. (The screenshot below was processed by HEG-AA; if you want an automated analysis run on your own HEG .csvs to make them easier to work with, download it!)
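The search described above can be scripted instead of done by hand. The following is an added example, not part of HEG or HEG-AA: it reads the exported CSV, keeps only the expected event IDs inside the test's time window, and reports which expected IDs never showed up (the usual sign that an audit policy is not enabled). The column names TimeCreated, Id and Message, and the sample rows, are assumptions constructed for the example, not HEG's documented CSV layout.

```python
import csv
import io
from datetime import datetime

# Constructed stand-in for security_Logs.csv. Column names are an assumption;
# adjust them to whatever header the real export carries.
SAMPLE_CSV = """TimeCreated,Id,Message
2024-01-15 19:05:30,4624,An account was successfully logged on.
2024-01-15 19:05:38,4688,A new process has been created. New Process Name: C:\\Windows\\System32\\schtasks.exe
2024-01-15 19:05:39,4698,A scheduled task was created. Task Name: \\HEG_Test
2024-01-15 19:05:40,4657,A registry value was modified.
2024-01-15 19:05:50,4688,A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe
"""

# Event IDs the page lists for the 'Creating a scheduled task' test.
SCHEDULED_TASK_IDS = {4688, 4657, 4698}
CSV_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_rows(csv_text):
    """Parse CSV text into a list of dict rows keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def window_for(date_str, start_clock, end_clock):
    """Build a (start, end) datetime pair from a date and the 12-hour
    timestamps as printed in the HEG timeline, e.g. '07:05:37pm'."""
    fmt = "%Y-%m-%d %I:%M:%S%p"
    start = datetime.strptime(f"{date_str} {start_clock}", fmt)
    end = datetime.strptime(f"{date_str} {end_clock}", fmt)
    return start, end


def filter_events(rows, event_ids, start, end):
    """Return rows whose Id is in event_ids and whose TimeCreated is within
    [start, end]. Malformed rows are skipped rather than aborting the run."""
    matches = []
    for row in rows:
        try:
            event_id = int(row["Id"])
            ts = datetime.strptime(row["TimeCreated"], CSV_TIME_FORMAT)
        except (KeyError, ValueError):
            continue
        if event_id in event_ids and start <= ts <= end:
            matches.append(row)
    return matches


def missing_ids(matches, expected_ids):
    """Expected IDs with no hit in the window: a pointer to audit settings
    that may not be enabled on the test host."""
    seen = {int(row["Id"]) for row in matches}
    return sorted(expected_ids - seen)


def analyse(csv_text, date_str, start_clock, end_clock, expected_ids=SCHEDULED_TASK_IDS):
    """Run the whole check and return (matching rows, missing expected IDs)."""
    start, end = window_for(date_str, start_clock, end_clock)
    hits = filter_events(parse_rows(csv_text), expected_ids, start, end)
    return hits, missing_ids(hits, expected_ids)


if __name__ == "__main__":
    hits, missing = analyse(SAMPLE_CSV, "2024-01-15", "07:05:37pm", "07:05:41pm")
    for row in hits:
        print(row["TimeCreated"], row["Id"], row["Message"][:60])
    if missing:
        print("Expected but not logged:", missing)
```

To run it against a real export, replace SAMPLE_CSV with the file contents (for example `open("security_Logs.csv").read()`) and rename the columns if the header differs. The inclusive time window deliberately matches the whole-second timestamps HEG prints, so an event logged at exactly 07:05:41pm is still counted.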