Windows Events - Part 1 of 3 - Process Auditing

Created: Dec 3, 2022 05:40 AM
Last update: Dec 15, 2022 02:33 PM
The earlier Linux hands-on focused on ONE process, the Secure Shell service (the SSH daemon), & we only looked out for ONE activity: authentication. Now let's look at Windows, another widely deployed operating system. Please refer to the Cyber Security in 7 weeks contents page for other background materials!

What to learn & why it matters…

What: Part 1 - Process (a running instance of a program) Auditing using native Windows audit events.
Why: By default, some of these audit events are not enabled. While we can see the foreground apps we use, many processes, including malware such as backdoors or trojan horses, run mostly in the background.

What: Part 2 - Sysmon.
Why: Tells us what a process is doing without the pain of configuring Windows audit policy. I will also relate this to the 3 types of Code-Execution shared in my Mental Model series.

What: Part 3 - Event Tracing for Windows.
Why: Preparation for intermediate (using FreeEDR) & advanced topics like developing your own App-Control agent in C# with free Visual Studio.

Outline of Hands-On Exercises for Part 1

  1. Run Notepad, then use Task Manager to locate the newly launched process. Can malware files be named Notepad, or any of the other names you see in Task Manager?
  2. Use Notepad to save a text file. Can you see anything in Task Manager that indicates a file was saved?
  3. Turn on Process Auditing, which gives us Event ID 4688. Is it turned on by default?
  4. Start Event Viewer and make our way to the Security channel. So many events… can we filter?
  5. Start Notepad with the path to the text file saved earlier (starting a program with a parameter, i.e. a command line). Can we see the parameter values in the 4688 event?
  6. Use another command to enable CommandLine logging.
  7. Repeat step 5, and now look out for the CommandLine parameters.
  8. There are MANY types of audit events to configure just to figure out what a process is doing… Next, with the Sysmon hands-on, you will learn & appreciate that just by installing the Sysmon driver you get a one-stop set of events covering the process activities that matter for finding anomalies.

Running Notepad & Using Task Manager

Search for the Notepad app, then click it.

Search for Task Manager & click it.

Use Task Manager to locate Notepad. Notice how Task Manager groups Apps vs Background processes.

Type something and save the contents into a file (remember the location, we will use it again).

Back in Task Manager, the app name and its resource counters are all you get to see.
ℹ️
It should be clear by now that Task Manager shows little more than the app name. The Details tab shows more columns, but none of them tells us about file operations or any other activity involving resources such as network connections or registry settings. Nor is there any clear indication in the Details columns of whether a process is a foreground (interactive) app or a background process. Tools like https://processhacker.sourceforge.io are useful for exploring a single host, but you have to actively interact with the tool. Beyond one Windows host (> 1), you have to rely on Windows Events & somehow gather them into a backend for centralised processing or analysis. Process Auditing is NOT turned on by default; we have to enable it either locally or through Group Policy to push the audit change to multiple hosts.

Turning On Process Auditing Locally

For this short exercise, we turn it on from a local-admin PowerShell session.

Click YES on the User Account Control (UAC) prompt to start the elevated session.

Copy the following & paste into your session console:

    # EventID 4688
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable
    # EventID 4689
    auditpol.exe /set /subcategory:"Process Termination" /success:enable /failure:enable

Press Enter to run the commands above to enable Process Auditing. This configuration change is immediate, NO need to reboot! One caveat: if an advanced audit policy is also applied to this host by Group Policy, it overwrites the local auditpol setting at the next policy refresh, so for more than one host set it in the GPO instead.

Navigate to Security Channel with Event Viewer

You should see something like the following; in my case the highlighted row happened to have Event ID 4688. You may need to scroll to find one in your Event Viewer instance.

You will notice that under the Event ID column there are different numbers (and different Task Category strings): the Security channel holds events from every enabled audit subcategory, not just process events.

Filtering with Custom Views

Create a Custom View that filters on Event ID 4688 (Event Viewer > Action > Create Custom View, pick the Security log and enter 4688 in the Event IDs box).
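A Custom View is just a saved XPath query against the Security channel (you can see it under the view's XML tab), and the same query runs from PowerShell, which is handier once you have more than one host or want the fields in a table. The block below is an added example written for this page, not code from the original post: it filters 4688 with the same XPath Event Viewer stores and projects the fields the walkthrough looks at. It assumes an elevated PowerShell session (reading the Security log needs admin) and that Process Creation auditing is already enabled; the `$Take` count and the `notepad.exe` filter are illustrative values.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session:
# reading the Security channel requires administrator rights.

# This is exactly what an Event Viewer Custom View keeps under its XML tab.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]]</Select>
  </Query>
</QueryList>
'@

function Get-ProcessCreationEvents {
    param(
        [int]$Take = 200,                       # how many of the newest 4688 events to read (illustrative)
        [string]$ImageFilter = 'notepad.exe'    # keep only images ending with this; '' keeps everything
    )
    # Get-WinEvent returns newest events first; no matching events yields $null, which foreach skips.
    $events = Get-WinEvent -FilterXml $filterXml -MaxEvents $Take -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData fields are easiest to read from the event XML, keyed by their Name attribute.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($ImageFilter -and -not $data.NewProcessName.EndsWith($ImageFilter, 'OrdinalIgnoreCase')) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            NewPid      = [int]$data.NewProcessId     # logged as a hex string such as 0x1a2c
            Image       = $data.NewProcessName
            ParentPid   = [int]$data.ProcessId        # shown as "Creator Process ID" in Event Viewer
            Parent      = $data.ParentProcessName     # "Creator Process Name"; present on Windows 10 / Server 2016 and later
            CommandLine = $data.CommandLine           # stays empty until ProcessCreationIncludeCmdLine_Enabled is set
        }
    }
}

Get-ProcessCreationEvents | Format-Table -AutoSize -Wrap
```

Run it before and after the CommandLine step further down and the only column that changes is `CommandLine`, which is the whole point of that step. To read the Security log from several hosts, add `-ComputerName` to `Get-WinEvent` or, better, forward the events to a collector first.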

Re-launch Notepad with file path & Find Corresponding 4688

You SHOULD use your own file path that you created earlier… this is equivalent to double-clicking a text file.

You may need to sort the records & locate the correct entry (press F5, or click Refresh under Actions on the right of Event Viewer):

🔍
Notice the Creator Process Name field? Explorer.exe is the default shell we use to interact with Windows. We used the Explorer shell to start Notepad, so Explorer is the creator, or parent, process. You will learn in later parts that this relationship can be spoofed, and that a spoofed parent is not necessarily "malicious". Notice the Process Command Line field is empty?! What happened to the full file path?

Enable CommandLine field Logging

Again in the admin PowerShell console, copy, paste & run the following (it adds a registry value and takes effect without a reboot):

    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1

The Group Policy equivalent is Computer Configuration > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events". Be aware that command lines can carry secrets (passwords passed as arguments, for example); once logged they live in the Security log and travel with it to wherever you forward events.

Re-launch Notepad with the file path again & locate the corresponding 4688 event. Notice the Process Command Line field is now populated!

Recap

  • Task Manager tells us which processes are RUNNING; if a process exited before you launched Task Manager, you won't see it without Process Audit (such a process leaves both an Event ID 4688 AND a 4689).
  • Task Manager can somehow group Apps (foreground, aka interactive) & background processes, BUT none of the columns in the Details tab, or even the 4688 fields, tells us about this process attribute (there are other forensic indicators, but the whole point is figuring it out fast, not after the poop hits the fan). Suppose you are the attacker & want to be sneaky: would you run your backdoor as a background or a foreground process? Most likely background, but of course we don't preclude the possibility of a trojaned interactive app. It then begs the question: how do we tell that a process is "bad"?
  • Even with 4688 & CommandLine logging both enabled, we still cannot tell from the events whether Notepad saved a file or not. In the next part, I will share how to start an invisible Notepad process & observe the differences.
  • Are there other Windows audit event types that can tell us more about what's going on? Of course! There are SO MANY AUDIT EVENTS that sites like https://www.ultimatewindowssecurity.com are dedicated to documenting them.
  • Unfortunately, there are also SO MANY configuration steps to turn on such audit events that sysadmins are rather averse to configuring them. The fields are also cryptic, too verbose at times, yet not enough for observing certain indicators.
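Two things from this part are worth checking from PowerShell rather than by eye: that the two settings configured above (the auditpol subcategory and the ProcessCreationIncludeCmdLine_Enabled value) really are in effect, and the first recap point, that a process which already exited still leaves a 4688/4689 pair. The block below is an added example written for this page, not code from the original post. It assumes an elevated session, an English Windows build (the auditpol output strings are localized), and that a process ID is not reused within the window of events read; the 2000-event window and the notepad.exe filter are illustrative.

```powershell
# Added example (not from the original page). Run elevated.

function Test-ProcessAuditConfig {
    # auditpol prints a table; the subcategory row ends with its current setting.
    # The strings are localized: on a non-English build adjust both patterns.
    $row = auditpol.exe /get /subcategory:"Process Creation" | Where-Object { $_ -match 'Process Creation' }
    $auditOn = [bool]($row -match 'Success')

    # The value the walkthrough added with reg add; missing key/value means command lines are not logged.
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                            -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProcessCreationAudited = $auditOn
        CommandLineLogged      = ($reg.ProcessCreationIncludeCmdLine_Enabled -eq 1)
    }
}

function Get-ProcessLifetimes {
    param([int]$MaxEvents = 2000)   # how many newest 4688/4689 events to read (illustrative)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $started = @{}   # "pid|image" -> details of the most recent 4688 seen for that pair

    # Walk oldest -> newest so each 4689 pairs with the latest 4688 carrying the same PID and image.
    # Both events log the PID as the same hex string (e.g. 0x1a2c), so the key matches as text.
    foreach ($e in ($events | Sort-Object TimeCreated, RecordId)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        if ($e.Id -eq 4688) {
            $started["$($d.NewProcessId)|$($d.NewProcessName)"] = @{
                Time = $e.TimeCreated; Cmd = $d.CommandLine; Parent = $d.ParentProcessName
            }
            continue
        }
        # 4689: ProcessId / ProcessName describe the exiting process.
        $key = "$($d.ProcessId)|$($d.ProcessName)"
        if (-not $started.ContainsKey($key)) { continue }   # start fell outside the window
        $s = $started[$key]
        $started.Remove($key)
        [pscustomobject]@{
            Pid         = [int]$d.ProcessId
            Image       = $d.ProcessName
            Parent      = $s.Parent
            Started     = $s.Time
            Ended       = $e.TimeCreated
            Duration    = $e.TimeCreated - $s.Time
            CommandLine = $s.Cmd
        }
    }
    # Anything left in $started has no 4689 yet: still running, or it exited after the window.
}

Test-ProcessAuditConfig
Get-ProcessLifetimes | Where-Object Image -like '*\notepad.exe' | Format-Table -AutoSize -Wrap
```

Open and close Notepad a couple of times, then run this: each run shows up as one row with a start, an end and (once command line logging is on) the file path it was opened with, which is exactly the history Task Manager cannot give you after the window is closed.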

Next… Sysmon (Part 2)

Windows Events - Part 2 of 3 - Sysmon

📢
Join my Telegram group https://t.me/+iWZ6l-x5jGE1ZDc9 & be notified of new contents!