This
article was first published in EventTracker’s EventSource Newsletter: http://www.eventtracker.com/newsletters/how-to-use-process-tracking-events-in-the-windows-security-log/
I think one of the most underutilized features of Windows
Auditing and the Security Log are Process Tracking events.
In Windows 2003/XP you get these events by simply enabling
the Process Tracking audit policy. In
Windows 7/2008+ you need to enable the Audit Process Creation and, optionally,
the Audit Process Termination subcategories which you’ll find under Advanced
Audit Policy Configuration in group policy objects.
These events are incredibly valuable because they give a
comprehensive audit trail of every time any executable on the system is started
as a process. You can even determine how
long the process ran by linking the process creation event to the process
termination event using the Process ID found in both events. Examples of both events are shown below.
Process Start
|
WinXP/2003
|
592
|
A new process has been
created.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Process Information:
New Process ID: 0xed0
New Process Name: C:\Windows\System32\notepad.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x8c0
|
Win7/2008
|
4688
|
Process End
|
WinXP/2003
|
593
|
A process has exited.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Process Information:
Process ID: 0xed0
Process Name: C:\Windows\System32\notepad.exe
Exit Status: 0x0
|
Win7/2008
|
4689
|
Trying to determine what a user did after logging on to
Windows can be difficult to piece together.
These events are valuable on workstations because they are often the
most granular trail of activity left by end-users. You can tell for instance that Bob opened
Outlook, a few minutes later opened Word, opened Excel and then closed
Word.
As you can see the process start event tells you the name of
the program and when it started. It also
tells you who ran the program and the ID of their logon session with which you
can correlate backwards to the logon event and thus further determine what kind
of logon session in which the program was run and where the user (if remote)
was on the network using the IP address and/or workstation name provided in the
logon event.
Process start events also document the process that started
them using Creator Process ID which can be correlated backwards to the process
start event for the parent process. This
can be invaluable when you are trying to figure out how a suspect process was
started. If the Creator Process ID
points to Explorer.exe, after tracking down the process start event, then it’s
likely that the user simply started the process from the start menu.
These same events, when logged on servers, also provide a
degree of auditing over privileged users but be aware that many Windows
administrative functions will all show up as process starts for mmc.exe since
all Microsoft Management Console apps run within mmc.exe.
But beyond privileged and end-user monitoring, process
tracking events help you track possible change control issues and to trap
advanced persistent threats. When new
software is executed for the first time on a given system it’s important to know
that, since it implies a significant change to the system or it could alert you
to a new unauthorized and even malicious program running for the first time.
The key to this seeing this kind of activity is to compare
the executable name in a recent event 592/4688 to executable names in a
whitelist - and thereby recognizing new executables.
Of course this method isn’t full proof because someone could
replace an existing executable (on your whitelist) with a new program but with
the same name and path as the old. Such
a change would “fly under the radar” with process tracking. But my experience with unauthorized changes
that bypass change control and APTs indicates that while certainly possible,
the methods described here-in will catch their share of offenders and
attackers.
Of course to do this kind of correlation you need to enable
process tracking on applicable systems (all systems if possible, including
workstations) and then you need a SIEM solution that can compare the executable
name in the current event to a “whitelist” of executables.
How you build that whitelist is important because it
determines if your criteria for a new executable is unique to “that” system, or
if it is based on a “golden” system, or your entire environment. Of course the more unique your whitelist is
to each system or type of system the better.
You can build the whitelist by either scanning for all the EXE files on
a given system or by analyzing the 592/4688 events over some period of time. I prefer the latter because there are many
EXE files on Windows computers that are never actually executed and I’d like to
know the first time any new EXE is run – whether it came with Windows and
installed applications out of the box or whether it is a new EXE recently
dropped onto the system. On the other
hand if you only want to detect when EXEs run which were not present on system
at the time the whitelist was created, then a list built from simply running
“dir *.exe /s” will suffice.
If you opt to analyze a period of system activity make sure
that the period is long enough cover the full usage profile and business
process profile for that system – usually a month will do it. Take some time to
experiment with Process Tracking events and I think you’ll find that they are
valuable for knowing what running on your system and who’s running it.