Know Yourself. Know Your System(32).

How well are your cyber security analysts familiar with the individual processes executing on your systems? There are thousands of legitimate binaries and scripts on a typical endpoint that could potentially be abused (known as living-off-the-land) -- there almost a thousand executables living under the System32 folder alone. While there are many ways to combat and detect abuse, let me offer one.

Let me introduce xCyclopedia, the machine-readable "encyclopedia for executables". Use it to enrich your process log data. It’s free and open source. Use it to help your analysts triage endpoint alerts and to build new analytics.

The xCyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical endpoint. It provides a machine-readable format of this data (i.e. JSON and eventually CSV) so that it can be immediately usable in other systems such as SIEMs to enrich observed executions with contextual data. The project also provides a powershell script to collect this data yourself!

Please try it out and provide feedback! Thanks!