{"id":5485,"date":"2018-10-27T02:15:02","date_gmt":"2018-10-27T02:15:02","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5485"},"modified":"2018-10-27T23:02:06","modified_gmt":"2018-10-27T23:02:06","slug":"process-monitoring-process-cmd-line-monitoring-data-sources","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/10\/27\/process-monitoring-process-cmd-line-monitoring-data-sources\/","title":{"rendered":"Process monitoring\/Process cmd line monitoring &#8211; data sources"},"content":{"rendered":"<p>One of the most popular ways of hunting is looking at the processes that have been executed on a specific system, or a set of them.<\/p>\n<p>There are many data sources that can be useful in analysis of executed processes, so after being inspired by this interesting <a href=\"https:\/\/twitter.com\/kwm\/status\/1055592171359760384\">Twitter thread<\/a> I tried to put together a quick &amp; dirty list of logs\/ideas listed there + some more. If you have any other ideas please let me know. Thank you.<\/p>\n<ul>\n<li>Windows\n<ul>\n<li>4688 with no cmd line arguments<\/li>\n<li>4688 with cmd line arguments<\/li>\n<li>4688 with cmd line arguments &amp; name of the parent process (newer Windows systems)<\/li>\n<li>Sysmon \/ 1<\/li>\n<li>EDR logs<\/li>\n<li>AV logs<\/li>\n<li>Local Proxy logs<\/li>\n<li>Local IDS logs (CIDS)<\/li>\n<li>DCOM Logs<\/li>\n<li>WMI Logs<\/li>\n<li>there are also some &#8216;indirect&#8217; logs that may indicate some process ran at some stage in the past (most of these listed below include PID, process name) e.g.:\n<ul>\n<li>service creation \/ start logs<\/li>\n<li>powershell logs<\/li>\n<li>WER logs<\/li>\n<li>Application error logs<\/li>\n<li>Application hung logs<\/li>\n<li>App Locker logs<\/li>\n<li>Restart Manager logs<\/li>\n<li>Diagnostics-Performance logs<\/li>\n<li>Firewall logs<\/li>\n<li>System\/change time logs<\/li>\n<li>System Logon events logs<\/li>\n<li>Forensic artifacts (if e.g. EDR picks them up &#8212; see this excellent reference by <a href=\"https:\/\/twitter.com\/harrisonamj\">@harrisonamj<\/a>:<a href=\"https:\/\/blog.1234n6.com\/2018\/10\/available-artifacts-evidence-of.html\"> https:\/\/blog.1234n6.com\/2018\/10\/available-artifacts-evidence-of.html<\/a> \u2026), etc.<\/li>\n<li>etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Linux\n<ul>\n<li>auditd (see this <a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/7\/html\/security_guide\/sec-audit_record_types\">reference<\/a>)\n<ul>\n<li>EXECVE<\/li>\n<li>USER_CMD<\/li>\n<li>BPRM_FCAPS<\/li>\n<li>SYSCALL<\/li>\n<li>ANOM_EXEC<\/li>\n<\/ul>\n<\/li>\n<li>content of .bash_history retrieved as a snapshot on a regular basis<\/li>\n<\/ul>\n<\/li>\n<li>OSX\n<ul>\n<li>xnumon logs (anyone actually using it?)<\/li>\n<li>content of .bash_history retrieved as a snapshot on a regular basis<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Noise in the logs:<\/p>\n<p>Unfortunately, there is a lot of noise; I have written about it many times before: Enterprise solutions, especially asset inventory tools, create a crazy number of processes that:<\/p>\n<ul>\n<li>contaminate the logs and make our jobs much harder, because they use the very same techniques as described in MITRE; just for good reasons<\/li>\n<li>clutter the logs by adding huge volumes of events with lots of additional data that we don&#8217;t want to parse through, but we have to (performance hit is visible; every new system is a noise multiplier)<\/li>\n<\/ul>\n<p>Lookup tables, white lists of any sorts, regexes by host, by process name, by PID, by user name, by SID, by tokens, etc. are all good, but&#8230; these are nice gates for someone to exploit. All they have to do is to name their malicious processes like well-known processes.<\/p>\n<p>It&#8217;s a cat and mouse game, but we could really do much better without this nonsense in logs&#8230;<\/p>\n<p>Dear vendors, could you please reduce your 3rd-party tools dependencies?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the most popular ways of hunting is looking at the processes that have been executed on a specific system, or a set of them. There are many data sources that can be useful in analysis of executed processes, &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/10\/27\/process-monitoring-process-cmd-line-monitoring-data-sources\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[74],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5485"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5485"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5485\/revisions"}],"predecessor-version":[{"id":5491,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5485\/revisions\/5491"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}