2020 was certainly an eventful year in the land of cybersecurity. There was no shortage of ransomware attacks and data breaches, and my personal prediction is that 2021 will be no different
Large organizations are increasingly making significant investments in information security controls, in compliance with one or more regulatory frameworks. Plus many have an in-house security team or security operations center (SOC) with well-documented security policies and processes. But what more can be done?
The events of 2020 only lend weight to the argument that organizations must embrace a mindset of “assume breach.” This means that organizations should strive to increase the level of visibility into their environment — as much as possible — to detect any malicious activity. This entails reviewing logging levels across the board, reviewing attack detection efficacy and coverage, and implementing proactive measures such as threat hunting into daily processes.
Also, organizations should not rely on a single control but rather implement a security architecture which has overlapping fields of visibility for their endpoints, servers, and other digital assets. This is also known as detection in depth.
Other Ways to Detect Malicious Activity
Let’s discuss a log source which, in my experience, is not commonly enabled or leveraged, but can provide high value for defenders when detecting or tracing malicious activity.
Furthermore, the log source I am describing does not require any additional investment in agents, tools, gadgets, or advanced artificial machine learning-enabled cyborg robots (assuming you are running Windows 7 or above, which unfortunately, is not everyone). It also does not require any additional software to be installed.
Tracking Malware and Threat Actor Activity with Process Monitoring
So what is this magical log source? As the title of this article suggests, I am referring to Windows process creation events. These are events which, if enabled, Windows will log within the Windows Event Viewer as Event ID 4688. These particular events are disabled by default on Windows.
Monitoring process creation events for the purpose of threat detection is also referred to as process monitoring. Here is what you need to know about process creation events and two reasons why you should consider enabling them.
What are Process Creation Events?
Process creation events are a type of Windows event which, when enabled, will be written to the local Windows Event Viewer as Event ID 4688, every time a new process starts. They contain information such as the time, process name, parent process, and so on.
On a Windows computer, a process is simply a running program. Many processes will be started as part of a normal operation on a standard workstation or server throughout a working day, and many of these processes will be completely benign; however, malware will also often start one or more processes as part of its own operation. An attacker with remote access to an environment may start various processes in order to interact with a computer in an attempt to achieve their objectives. You can log these types of malicious activities with process creation events.
And if they are logged, they can be detected and tracked!
Why Perform Process Monitoring
Let’s explore two reasons why you should consider enabling process creation events in your environment:
1. Increase your MITRE ATT&CK™ Technique Detection Coverage
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for describing attacker techniques and provides a detailed technical knowledge base of those techniques. MITRE ATT&CK has been beneficial to organizations in identifying their own capabilities when it comes to detecting attacks, by using heatmaps and performing gap analysis activities. Many organizations are now also aligning their detection capabilities using MITRE ATT&CK by aligning alerts to specific ATT&CK techniques.
Given the overall popularity of MITRE ATT&CK within the industry, it must be noted that process monitoring with command line (which includes process creation events) provides the most coverage of MITRE ATT&CK techniques when compared to any other log source, as shown in the table below by Jose Luis Rodriguez and Roberto Rodriguez.
In short, organizations looking to align detection capability to the MITRE ATT&CK framework should consider enabling process creation events.
- Adhere to Industry Guidance
The second good reason that organizations should consider performing process monitoring via enabling process creation events, is that this practice is in fact recommended in the following industry guidance:
- Microsoft recommend enabling process creation events in the Microsoft Baseline Audit Policy settings (Audit Process Creation, EVID 4688).
- The Center for Internet Security (CIS)1 controls recommend that organizations “Enable command-line audit logging for command shells” within subcontrol 8.8.
Organizations should also consider the guidance in these and other industry frameworks when deciding to enable process creation events.
Learn More About Process Creation Events
This post is part of a blog series covering everything there is to know about process creation events. Stay tuned for part two and part three which will be published in the coming weeks and cover the following topics:
- Part two will look at how to enable process creation events, followed by a number of examples that describe how they can provide valuable information to achieve tracing malware execution and tracing human attacker presence within an environment.
- Part three will discuss how organizations can centralize these events in a security information and event management (SIEM) solution, and describe how this can compliment an existing endpoint protection platform such as an endpoint detection and response (EDR)