Jason Liu (University of Illinois at Urbana-Champaign), Muhammad Adil Inam (University of Illinois at Urbana-Champaign), Akul Goyal (University of Illinois at Urbana-Champaign), Dylen Greenenwald (University of Illinois at Urbana-Champaign), Adam Bates (University of Illinois at Urbana-Champaign), Saurav Chittal (Purdue University)
Academic research on provenance analysis is primarily based on high-fidelity event streams captured on Linux/Unix devices (e.g., Linux Audit). Unfortunately, provenance tracing becomes much more complicated on Windows, where microkernel design principles lead to far noisier provenance graphs. These complications further compound when analyzing the efficient, low-fidelity event streams generated by commercial Endpoint Detection & Response products.
Fortunately, provenance tracing is still possible in spite of these obstacles. We first present a method of recovering whole-system provenance from commercial EDR telemetry. This graph conservatively models all possible information flows, but is even less precise than traditional whole-system provenance graphs – that is, there is more dependency explosion, or false provenance. We go on to present four heuristics that allow us to denoise the provenance graph under realistic threat investigation scenarios. The first two heuristics are process-centric, leveraging domain knowledge of Windows service control flow patterns to mitigate the dependency explosion caused by Windows IPC. The second two heuristics are data-centric, intended to cluster and denoise data accesses on Windows where accesses to environmental configuration data (i.e., Registry keys) are auditable events. In evaluations based on the MITRE Enginuity simulation of the Carbanak APT, we demonstrate that these heuristics reduce graph complexity by up to 98% as compared to a baseline tracing algorithm. These tracing strategies enable further research into provenance integrations for EDR, moving the community towards a more realistic and relevant deployment model.