Tracking Malware and Threat Actor Activity with Process Monitoring

Part 3: Centralising Process Creation Events with a SIEM

Figure 1. A process creation event in LogRhythm
pcalua.exe -a C:\Windows\System32\calc.exe
Figure 2. Parent and child processes displayed in LogRhythm
Figure 3. A trend graph of process execution within LogRhythm
Figure 4. A MITRE ATT&CK alarm within LogRhythm

5 Reasons for Enabling Process Monitoring Alongside Existing Endpoint Protection Platforms

Figure 5. VirusTotal detections for Sunburst malware in January 2021

Considerations

Conclusion