
Tracking Malware and Threat Actor Activity with Process Monitoring

Dan Crossley
5 min read · Jan 7, 2021


Part 1: What are Windows Process Creation Events and Why You Should Consider Enabling Them

The year 2020 was certainly an eventful one in the land of cyber security. There was no shortage of ransomware attacks, data breaches and, of course, the grand finale: the SolarWinds breach.

Undoubtedly there have been many more similar but unreported events, and my personal prediction is that 2021 will be no different.

It is almost certain that many of the large organisations who were subject to these attacks had made significant investment in information security controls, complied with one or more regulatory frameworks, had an in-house security team or SOC, and had well documented security policies and processes.

So what more can be done?

Whilst this is an easy thing for someone like myself, who works for a vendor, to say, the events of 2020 only lend weight to the argument that organisations must embrace a mindset of ‘assume breach’.

This means that organisations should strive to increase the level of visibility into their environment as much as practically possible in order to detect any possible malicious activity.

This entails not only reviewing logging levels across the board, but reviewing attack detection efficacy and coverage, and implementing proactive measures such as threat hunting into daily processes.

Secondly, organisations should not rely on a single control but rather look to implement a security architecture which has overlapping fields of visibility for their endpoints, servers and other digital assets. This is also known as ‘detection in depth’.

But we all know of this, right?

So rather than trying to save the world in a single blog post, allow me to discuss a log source which, in my experience, is not commonly enabled or leveraged in any way but can provide high value for defenders when detecting or tracing malicious activity.

Furthermore, the log source I am describing does not require any additional investment in agents, tools, gadgets or advanced artificial machine-learning enabled cyborg robots (assuming you are running Windows 7 or above, which unfortunately, is not everyone). It also does not require any additional software to be installed.

So what is this magical log source?

As the title of this article suggests, I am referring to Windows process creation events. These are events which, if enabled, Windows will write to the Security event log (viewable in Windows Event Viewer) as Event ID 4688. These particular events are disabled by default on Windows.

Monitoring process creation events for the purpose of threat detection is also referred to as process monitoring (this does overlap with another Microsoft tool, Sysmon, which is out of scope for today but will be the subject of a future post).

Objectives of this Series

What now follows is a three-part blog series. Part 1 will introduce process creation events and provide two reasons why you should consider enabling them. Part 2 will look at how to enable process creation events, followed by a number of examples that describe how they can provide valuable information to achieve the following two broad goals:

  • Tracing malware execution
  • Tracing human attacker presence within an environment

Part 3 will discuss how organisations can centralise these events in a SIEM (Security Information and Event Management) tool, and describe how this can complement an existing endpoint protection platform such as an EDR tool.

Note that the terms tracing and tracking are used interchangeably, with the definition being ‘find or discover by investigation’. Secondly, the term human attacker was derived from this Microsoft article, and is used to describe a cyber attack sequence that is performed manually by a human threat actor, as opposed to an automatically executing malware sample.

What are Process Creation Events?

Process creation events are a type of Windows event which, when enabled, will be written to the local Security event log (viewable in Windows Event Viewer) as Event ID 4688 every time a new process starts. They contain information such as the time, the process name, the parent process, the account that started it and so on.

On a Windows computer, a process is simply a running program. Many processes will be started as a part of normal operation on a standard workstation or server throughout the course of a working day, and many of these processes will be completely benign.

However, it is well known that malware will also often start one or more processes (even if it’s fileless — more about this later) as part of its own operation. An attacker with remote access to an environment may also start various processes in order to interact with a computer in an attempt to achieve their objectives. It is these types of malicious activities that can be logged with process creation events.

And if they can be logged, they can be detected and tracked.
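As an added example (not code from the original post), the following Python parses a few constructed Event ID 4688 records exported as XML and reconstructs a process's ancestry by following the ProcessId (creator) and NewProcessId fields, which is the "tracing" the series is about. The field names are those of the 4688 EventData schema; the sample events, paths and PIDs are constructed, and treating the most recent event per PID as authoritative is a simplification of how Windows reuses PIDs.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample records, not real captures. Field names follow the EventData
# schema of Security Event ID 4688; the three events form one parent/child chain.
SAMPLE_4688 = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2021-01-07T09:00:01Z"/></System>
<EventData><Data Name="NewProcessId">0x1a4c</Data><Data Name="NewProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="ProcessId">0x3e8</Data><Data Name="ParentProcessName">C:\\Windows\\System32\\userinit.exe</Data>
<Data Name="CommandLine"></Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2021-01-07T09:05:10Z"/></System>
<EventData><Data Name="NewProcessId">0x2b10</Data><Data Name="NewProcessName">C:\\Program Files\\App\\app.exe</Data>
<Data Name="ProcessId">0x1a4c</Data><Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="CommandLine">"C:\\Program Files\\App\\app.exe" /update</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2021-01-07T09:05:12Z"/></System>
<EventData><Data Name="NewProcessId">0x3c20</Data><Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data>
<Data Name="ProcessId">0x2b10</Data><Data Name="ParentProcessName">C:\\Program Files\\App\\app.exe</Data>
<Data Name="CommandLine">cmd.exe /c ver</Data></EventData></Event>
</Events>"""

def parse_4688(xml_text):
    """Return one dict per 4688 event with the fields that process tracing needs."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4688":
            continue  # a Security log export may contain other event IDs
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                       "pid": data.get("NewProcessId", ""), "image": data.get("NewProcessName", ""),
                       "ppid": data.get("ProcessId", ""), "parent_image": data.get("ParentProcessName", ""),
                       "cmdline": data.get("CommandLine", "")})
    return events

def lineage(events, pid):
    """Follow creator (ProcessId) -> NewProcessId links back through the log and return
    image paths root-first. PIDs are reused, so the most recent event per PID wins."""
    by_pid = {ev["pid"]: ev for ev in sorted(events, key=lambda e: e["time"])}
    chain, seen, ev = [], set(), None
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse cycles
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev["image"])
        pid = ev["ppid"]
    if ev is not None:  # the top of the chain is known only by its ParentProcessName
        chain.append(ev["parent_image"])
    return chain[::-1]

def without_command_line(events):
    """Images logged with an empty CommandLine: no arguments, or command-line auditing is off."""
    return [e["image"] for e in events if not e["cmdline"]]
```

An empty CommandLine across every event is the sign that only the base 4688 audit is on and the separate command-line auditing policy has not been enabled, which is what the MITRE coverage figures later in this post depend on.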

Now that we have introduced the topic of process monitoring and covered what process creation events are, we shall look at two reasons why you should consider enabling process creation events in your environment.

Why Perform Process Monitoring: Increase your MITRE ATT&CK Technique Detection Coverage

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for describing attacker techniques as well as a detailed technical knowledge base of those techniques. MITRE ATT&CK has been beneficial to organisations in identifying their own capabilities when it comes to detecting attacks, by using heatmaps and performing gap analysis activities. Many organisations are now also mapping their detection capabilities to MITRE ATT&CK by tagging alerts with specific ATT&CK techniques.

Given the overall popularity of MITRE ATT&CK within the industry, it must be noted that process monitoring with command line (which includes process creation events) provides the most coverage of MITRE ATT&CK techniques when compared to any other log source, as shown in the table below:

Figure 1. Process monitoring with command line parameters provides greater coverage of MITRE ATT&CK techniques than any other log source

In short, organisations looking to align detection capability to the MITRE ATT&CK framework should consider enabling process creation events.

Why Perform Process Monitoring: Adhering to Industry Guidance

The second good reason that organisations should consider performing process monitoring by enabling process creation events is that this practice is in fact recommended in the following industry guidance:

Organisations should also consider the guidance in these and other industry frameworks when deciding to enable process creation events.

Conclusion

This concludes the first part of our three-part series, in which we have introduced Windows process creation events and described that these can be used by organisations to perform process monitoring. We also went through two reasons why organisations should consider enabling Windows process creation events. Part 2 of this series will describe how these events are enabled, and demonstrate how they can track malware and threat actor activity.

Read on with Part 2 and Part 3 of this series.
