Setting Up Monitoring for Suspicious Processes
This scenario is based on a Security log event that was enhanced in Windows Server 2016 and Windows 10. It will not work on earlier Windows versions, which do not have the enhancement. It uses a rule that incorporates knowledge about the following indications of common attacks that involve Windows processes:
- When someone runs a program that is named to pose as a well-known system application such as lsass.exe or svchost.exe; the giveaway is that such an impostor program doesn't have the right creator process
- When a process is started from a location where no programs are normally run, such as the system Fonts folder or a temporary folder in a user profile
- When someone launches specialized command-line administrative software such as vssadmin.exe; such occurrences can mean a script is at work, because manual use of such programs is uncommon
- Specific keywords that command-line hacking tools customarily use, such as "sekurlsa:"; these checks are process-independent
To watch out for these threats, configure the following:
- A site that encompasses the Windows Server 2016 (or later) and Windows 10 computers that you want to monitor
- A rule that defines the notification message and is matched when the specified event occurs
- A policy that binds the site and the rule together, and specifies e-mail as the notification method
The rule and policy are predefined in InTrust. However, you'll need a new custom site. Take the following steps to get these objects ready and associate them with one another:
- In InTrust Manager, create a new site under Configuration | Sites | Microsoft Windows Network and include in it all the computers relevant to your scenario.
- Expand Real-Time Monitoring | Rules | Advanced Threat Protection | Windows/AD Suspicious Activity | Backdoors, and right-click the Suspicious process was started (Security log on Windows 10 / Windows Server 2016 and later) rule.
- Select Properties from the rule's shortcut menu. Click the Notifications tab and check that an e-mail message is listed. Edit the message if necessary, as described in the Message Templates section of the Notification topic.
- If you want InTrust to additionally log an event whenever the rule is matched, add Event Log to the list. For details about logging of rule match events, see Configuring Notification Groups and Recipients and Example: Emulating InTrust Real-Time Alerts in SIEM.
- Switch to the Matching tab and decide if you need to make any changes to the matching parameters. The Unusual Locations parameter lists the folders from which processes are not normally supposed to be launched. You may also want to add your own exceptions in the following parameters:
- Whitelisted Creators
Creators in this case are parent processes, not users. If the predefined set of creator processes gives you too many alerts that you consider false alarms, you can whitelist specific parent processes.
- Whitelisted Processes
Add the processes that you think are safe and should not cause alerts.
- Whitelisted Users
Specify your administrators whom you trust to make responsible changes.
- Click the General tab and select the Enabled option to activate the rule. After you close rule properties, commit the changes.
- Double-click Real-Time Monitoring | Policies. You can use the predefined Windows/AD Security: Detecting Common Attacks policy, but it is recommended that you make a copy of it and use your copy instead. Right-click the policy and select Properties.
- Click the Sites tab. In the site list, remove the default item and add the site you created earlier.
- Click the Rules tab. The Windows/AD Suspicious Activity rule group is specified in the list by default. This group includes the required rule. If you want to select just this rule rather than the entire group, open the group and select the rule.
- Select the E-mail tab, and click Add to specify who will receive the messages. For detailed instructions, see the Notification Groups section of the Real-Time Monitoring Overview topic.
- If you added the Event Log notification option for the rule earlier, go to the Event Log tab and add Event Log Recipient to the list. For the logging to work, both this recipient in the policy and the Event Log option in the rule must be enabled.
- Select the General tab and select the Activate option.
- After you close the properties dialog box, commit the changes.
The configuration is now finished; InTrust agents will be installed automatically to the site computers to perform the monitoring.
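The following is an added example, not InTrust's own rule logic, that shows how the four indications listed at the top of this topic and the three whitelist parameters (Whitelisted Creators, Whitelisted Processes, Whitelisted Users) can be evaluated against process-creation events. The sample events are constructed to resemble Security log process-creation records; the expected creator processes (wininit.exe for lsass.exe, services.exe for svchost.exe), the Unusual Locations patterns, and the way each whitelist is scoped are assumptions of this example and not the rule's documented matching parameters.

```python
"""Added example (not InTrust code): evaluate Windows process-creation events
against the indications described in this topic, with whitelist exceptions."""
import ntpath
import re
from dataclasses import dataclass, field

# Assumed expected creator (parent) process for well-known system binaries.
EXPECTED_CREATOR = {
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# Counterpart of the rule's Unusual Locations parameter (constructed patterns).
UNUSUAL_LOCATIONS = [
    re.compile(r"^[a-z]:\\windows\\fonts\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
]

# Specialized command-line administrative tools whose manual use is uncommon.
ADMIN_TOOLS = {"vssadmin.exe"}

# Keywords customarily used by command-line hacking tools; checked regardless of process.
SUSPICIOUS_KEYWORDS = ("sekurlsa:",)


@dataclass
class Whitelists:
    creators: set = field(default_factory=set)   # parent process names, e.g. "explorer.exe"
    processes: set = field(default_factory=set)  # process names, e.g. "backup.exe"
    users: set = field(default_factory=set)      # "DOMAIN\\user"


def check_process_event(event: dict, wl: Whitelists) -> list:
    """Return the indications matched by one process-creation event.

    Event keys are constructed to resemble a process-creation record:
    NewProcessName, CreatorProcessName, SubjectDomainName, SubjectUserName, CommandLine.
    Scoping assumed here: a whitelisted user or process suppresses every check for
    the event; a whitelisted creator suppresses only the impostor check.
    """
    name = ntpath.basename(event["NewProcessName"]).lower()
    creator = ntpath.basename(event.get("CreatorProcessName", "")).lower()
    user = f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'.lower()
    cmdline = event.get("CommandLine", "").lower()

    if user in {u.lower() for u in wl.users} or name in {p.lower() for p in wl.processes}:
        return []

    reasons = []
    if creator not in {c.lower() for c in wl.creators}:
        if name in EXPECTED_CREATOR and creator not in EXPECTED_CREATOR[name]:
            reasons.append(f"impostor {name}: creator is {creator or 'unknown'}")
    if any(p.match(event["NewProcessName"]) for p in UNUSUAL_LOCATIONS):
        reasons.append(f"started from unusual location: {event['NewProcessName']}")
    if name in ADMIN_TOOLS:
        reasons.append(f"specialized admin tool launched: {name}")
    for kw in SUSPICIOUS_KEYWORDS:
        if kw.lower() in cmdline:
            reasons.append(f"suspicious keyword in command line: {kw}")
    return reasons


def evaluate(events, wl=None):
    """Return [(process name, reasons)] for events matching at least one indication."""
    wl = wl or Whitelists()
    alerts = []
    for e in events:
        reasons = check_process_event(e, wl)
        if reasons:
            alerts.append((ntpath.basename(e["NewProcessName"]).lower(), reasons))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\lsass.exe",
     "CreatorProcessName": r"C:\Windows\System32\wininit.exe",
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM", "CommandLine": "lsass.exe"},
    {"NewProcessName": r"C:\Users\alice\AppData\Local\Temp\lsass.exe",   # impostor from temp folder
     "CreatorProcessName": r"C:\Windows\explorer.exe",
     "SubjectDomainName": "CORP", "SubjectUserName": "alice", "CommandLine": "lsass.exe"},
    {"NewProcessName": r"C:\Windows\System32\vssadmin.exe",               # admin tool from a shell
     "CreatorProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectDomainName": "CORP", "SubjectUserName": "bob", "CommandLine": "vssadmin.exe list shadows"},
    {"NewProcessName": r"C:\Tools\m.exe",                                  # constructed keyword hit
     "CreatorProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectDomainName": "CORP", "SubjectUserName": "bob", "CommandLine": "m.exe sekurlsa:"},
]

if __name__ == "__main__":
    for proc, why in evaluate(SAMPLE_EVENTS):
        print(proc, "->", "; ".join(why))
```

Running the block reports the second, third and fourth sample events; the genuine lsass.exe started by wininit.exe is silent. Adding "CORP\bob" to Whitelisted Users suppresses both of bob's events, while whitelisting explorer.exe as a creator removes only the impostor reason from the second event and still reports it for its unusual location.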
Setting Up Monitoring for Suspicious PowerShell Activity
See the dedicated Preparing for Auditing and Monitoring PowerShell Activity guide for details about PowerShell activity tracking.