Processes
Persistence, Privilege Escalation
Monitor file creation for executables named after partial directory names (a file such as "Program.exe" in the parent of "Program Files" satisfies an unquoted path before the real directory does), for executables written into directories that are searched through the PATH environment variable, and for executables written to locations that should not be user-writable. Monitor executing processes for executable paths that are named for partial directories. Monitor file creation for programs named after Windows system programs or programs commonly executed without a path (such as "findstr", "net" and "python"), since whichever copy is found first on the search path is the one that runs. Outside of known administration activity, upgrades, installations or patches, this activity may be suspicious.
SELECT Path, ProcessName
COUNT BY ProcessName
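The two checks above, as an added Python example (not code from the original page or from the project it belongs to) run over constructed process records. The record field "path", the directory inventory KNOWN_DIRS, the list of programs run without a path and the sample records are all assumptions; in practice the records come from your process telemetry and the directory list from a file inventory.

```python
# Added example (not from the original page): path-interception hunt over
# constructed process records.  The record field "path", the directory
# inventory KNOWN_DIRS and the program list are assumptions for illustration.
from collections import Counter
from pathlib import PureWindowsPath

# Directories where programs run by bare name are expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Programs commonly executed without a path, so a copy earlier in PATH (or in
# the caller's working directory) wins.  Tune this list to your environment.
PATHLESS_PROGRAMS = {"findstr.exe", "net.exe", "python.exe", "cmd.exe",
                     "powershell.exe", "whoami.exe", "ipconfig.exe"}

# Directories known to exist on the host (constructed; in practice take them
# from a file inventory).  Needed for the partial-directory-name check.
KNOWN_DIRS = {r"c:\program files", r"c:\program files\common files",
              r"c:\program files\vendor", r"c:\users", r"c:\windows"}

# Constructed sample: one benign run, one PATH hijack, two partial names.
PROCESSES = [
    {"path": r"C:\Windows\System32\findstr.exe"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\findstr.exe"},
    {"path": r"C:\Program.exe"},               # satisfies unquoted C:\Program Files\...
    {"path": r"C:\Program Files\Common.exe"},  # satisfies C:\Program Files\Common Files\...
    {"path": r"C:\Program Files\Vendor\app.exe"},
]


def _parent(path: str) -> str:
    """Lower-cased parent directory without a trailing backslash."""
    return str(PureWindowsPath(path.lower()).parent).rstrip("\\")


def is_misplaced_system_program(path: str) -> bool:
    """A program normally run by bare name that lives outside the system
    directories: the copy a PATH search could pick up instead of the real one."""
    name = PureWindowsPath(path).name.lower()
    return name in PATHLESS_PROGRAMS and _parent(path) not in SYSTEM_DIRS


def is_partial_directory_name(path: str, known_dirs=KNOWN_DIRS) -> bool:
    """The file's stem is the first word of a sibling directory name, so an
    unquoted path through that directory resolves to this file first."""
    stem = PureWindowsPath(path).stem.lower()
    parent = _parent(path)
    return any(_parent(d) == parent and PureWindowsPath(d).name.startswith(stem + " ")
               for d in known_dirs)


def hunt(processes=PROCESSES):
    """(path, reason) pairs for every record that matches a check."""
    findings = []
    for rec in processes:
        if is_misplaced_system_program(rec["path"]):
            findings.append((rec["path"], "PATH-searched program outside system directories"))
        if is_partial_directory_name(rec["path"]):
            findings.append((rec["path"], "executable named after a partial directory"))
    return findings


def stack_by_name(processes=PROCESSES):
    """The page's COUNT BY ProcessName: a name that is suddenly seen from two
    different paths (the second findstr.exe here) is the thing to read first."""
    return Counter(PureWindowsPath(r["path"]).name.lower() for r in processes)


if __name__ == "__main__":
    for path, reason in hunt():
        print(f"{reason}: {path}")
    print(dict(stack_by_name()))
```

The partial-directory check only fires when a matching directory actually exists next to the file, which keeps it quiet on hosts where nothing is installed under that name; the PATH check deliberately ignores the user's PATH order and flags every out-of-place copy, because the order can be changed by the same attacker who dropped the file.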
Execution, Persistence, Privilege Escalation
Monitor process execution spawned by svchost.exe on Windows 10, where the Task Scheduler service runs inside an svchost.exe host and launches tasks directly, and by the Task Scheduler engine taskeng.exe on older versions of Windows.
SELECT Path, ProcessName
WHERE SERVICES != null
COUNT BY Path, ProcessName
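The stacking query above, as an added Python example (not code from the original page or its project). The events are constructed Sysmon-style process-creation records and the field names (ParentImage, ParentCommandLine, Image) are assumptions; the only fact relied on is that on Windows 10 the Schedule service is hosted by an svchost.exe whose command line ends in "-s Schedule", which lets the hunt skip the many other svchost.exe instances.

```python
# Added example (not from the original page): stack the children of the Task
# Scheduler host processes by directory and name.  Events are constructed
# Sysmon-style process-creation records; the field names are assumptions.
from collections import Counter
from pathlib import PureWindowsPath

# On Windows 10 the Schedule service runs inside svchost.exe (command line
# "... -k netsvcs -p -s Schedule"); older versions spawn tasks via taskeng.exe.
SCHEDULE_CMD_MARKER = "-s schedule"

SVCHOST = r"C:\Windows\System32\svchost.exe"
SCHEDULE_CMD = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"


def _ev(parent, parent_cmd, image):
    return {"ParentImage": parent, "ParentCommandLine": parent_cmd, "Image": image}


# Constructed sample: three repeats of a common child, one taskeng.exe child,
# one rare child from a user profile, and one svchost child that is not from
# the Schedule service at all.
EVENTS = [
    _ev(SVCHOST, SCHEDULE_CMD, r"C:\Windows\System32\wsqmcons.exe"),
    _ev(SVCHOST, SCHEDULE_CMD, r"C:\Windows\System32\wsqmcons.exe"),
    _ev(SVCHOST, SCHEDULE_CMD, r"C:\Windows\System32\wsqmcons.exe"),
    _ev(r"C:\Windows\System32\taskeng.exe", r"taskeng.exe {constructed-guid}",
        r"C:\Windows\System32\MusNotification.exe"),
    _ev(SVCHOST, SCHEDULE_CMD, r"C:\Users\bob\AppData\Roaming\update.exe"),
    _ev(SVCHOST, r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
        r"C:\Windows\System32\dllhost.exe"),
]


def is_scheduler_parent(event) -> bool:
    """True for taskeng.exe and for the svchost.exe instance hosting Schedule."""
    name = PureWindowsPath(event["ParentImage"]).name.lower()
    if name == "taskeng.exe":
        return True
    if name == "svchost.exe":
        cmd = event.get("ParentCommandLine", "")
        # svchost hosts many services; narrow to the Schedule instance when the
        # parent command line is recorded, otherwise keep every svchost child.
        return not cmd or SCHEDULE_CMD_MARKER in cmd.lower()
    return False


def stack_scheduler_children(events=EVENTS):
    """The page's COUNT BY Path, ProcessName, restricted to scheduler children."""
    counts = Counter()
    for ev in events:
        if is_scheduler_parent(ev):
            p = PureWindowsPath(ev["Image"].lower())
            counts[(str(p.parent), p.name)] += 1
    return counts


def rare_scheduler_children(events=EVENTS, max_count=1):
    """Children seen at most max_count times; in a fleet-wide stack these are
    the rows worth reading first."""
    return sorted(key for key, n in stack_scheduler_children(events).items() if n <= max_count)


if __name__ == "__main__":
    for (path, name), n in stack_scheduler_children().most_common():
        print(f"{n:4d}  {path}\\{name}")
    print("rare:", rare_scheduler_children())
```

Stacking is only useful across many hosts or a long time window: a child that is rare on one machine may be the normal monthly task on the next, so run the count over the whole fleet and then pivot to the command line and task name of the rare rows.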
Defense Evasion, Privilege Escalation
Look for inconsistencies such as user-owned processes impersonating the local SYSTEM account.
Persistence, Privilege Escalation
Monitor process execution of sdbinst.exe and its command-line arguments for indications of application shim abuse.
Review Paths under system directories
SELECT *
WHERE Path STARTSWITH "c:\windows\"
Path strings, blacklisting those that should never contain executables, that have unexpected drive letters, or that reference unexpected shares or environment variables
SELECT *
WHERE Path ENDSWITH ".exe" AND Path STARTSWITH "c:\users"
SELECT *
WHERE Path STARTSWITH "c:\windows\fonts\"
SELECT *
WHERE Path !STARTSWITH "c:\"
SELECT *
WHERE Path CONTAINS "$", "\\", "..", "%"
Path strings and user ID, whitelisting c:\windows and c:\program files
SELECT *
WHERE UserName CONTAINS "Administrator" OR UserName STARTSWITH "NT AUTHORITY"
- Systems on which HBSS and other protection processes are not running
- Filenames and Shannon entropy scores
- Path strings and Shannon entropy scores
- Filenames and Levenshtein score against system filenames
- Filenames and path strings, blacklisting common system filenames
- Processes with high resource consumption on CPU/Memory/Disk
- Strings analysis
- Processes with names similar to system processes, or with matching names but running from a different directory
- Anomalous processes from users "SYSTEM" or the local administrators
- Unusual DLL loading
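The entropy, Levenshtein and "same name, wrong directory" items from the list above, as an added Python example (not code from the original page or its project). The list of system binary names, the system directories, both thresholds and the sample paths are assumptions to tune per environment.

```python
# Added example (not from the original page): filename scoring by Shannon
# entropy and by Levenshtein distance to well-known system binary names, plus
# the "same name, wrong directory" check.  Thresholds, the system-name list
# and the sample paths are assumptions to tune per environment.
import math
from collections import Counter
from pathlib import PureWindowsPath

SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "rundll32.exe"]
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


def shannon_entropy(s: str) -> float:
    """Bits per character; a name of n distinct characters scores log2(n)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_system_name(name: str):
    """Closest entry of SYSTEM_NAMES and its distance from name."""
    name = name.lower()
    best = min(SYSTEM_NAMES, key=lambda s: levenshtein(name, s))
    return best, levenshtein(name, best)


def score(path: str, max_distance: int = 2, entropy_threshold: float = 3.5):
    """Reasons this executable deserves a look; an empty list means nothing fired."""
    p = PureWindowsPath(path.lower())
    parent = str(p.parent).rstrip("\\")
    reasons = []
    nearest, dist = nearest_system_name(p.name)
    if dist == 0 and parent not in SYSTEM_DIRS:
        reasons.append(f"system binary name outside system directories: {p.name}")
    elif 0 < dist <= max_distance:
        reasons.append(f"lookalike of {nearest} (distance {dist})")
    entropy = shannon_entropy(p.stem)
    if entropy >= entropy_threshold:
        reasons.append(f"high-entropy name ({entropy:.2f} bits)")
    return reasons


if __name__ == "__main__":
    # Constructed sample paths: one benign, one lookalike, one misplaced, one random name.
    for sample in (r"C:\Windows\System32\svchost.exe",
                   r"C:\Users\bob\AppData\Roaming\svch0st.exe",
                   r"C:\ProgramData\lsass.exe",
                   r"C:\Users\bob\AppData\Local\Temp\q7x2kd9zplm4wr8t.exe"):
        print(sample, "->", score(sample))
```

Entropy of a filename is bounded by log2 of its length, so the threshold has to be paired with a minimum length or it will either miss short random names or flag long legitimate ones such as vendor updaters; the Levenshtein check is the more precise of the two for the lookalike case, and a distance of 1 or 2 against a short system name (a swapped or replaced letter, a digit for a letter) is worth reviewing regardless of directory.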