BenBrit

What server processes have recently been active? Have any previously unseen new processes started? These are questions that may be asked by security analysts or server administrators - a new process could indicate the execution of unapproved and potentially malicious software.

FortiSIEM can gather Windows new process creation event logs, either Event ID 4688 or Sysmon, and build a watchlist of observed process names. FortiSIEM can then check future new process creation events against the watchlist and generate an incident if a new process name is not in the watchlist, indicating it hasn’t been seen before.

This blog examines how FortiSIEM does this. Note that this example is provided for informational purposes only; always perform your own evaluation and testing before deploying it in a live environment.

Windows Process Logging in FortiSIEM

 

Windows provides two mechanisms for logging process creation on servers. Both event types can be collected by the FortiSIEM Windows Server Agent:

  1. Windows audit policy
  2. Sysmon

 

Windows Audit Policy

Windows Audit Policy can be configured to log process creation without requiring additional software.

Audit Process Creation is enabled either in the Local Security Policy on a standalone computer or in the Group Policy on a domain, under 'Advanced Audit Policy Configuration\Detailed Tracking\Audit Process Creation'.

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit...

 

Sysmon

Sysmon is an optional service available from Sysinternals that provides more detailed auditing of a wide range of Windows system activity, including process creation. For details on Sysmon, see the Microsoft page:

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon can log the process hash as well as the process name, which allows us to be more confident the process is genuine and not a renamed malicious executable.

Comparing the two events as gathered by the FortiSIEM Server Agent, the Process Name attribute is available in both cases. The Sysmon process creation log also includes the Hash Code attribute. The hash format is configurable in the Sysmon configuration file; in the examples here we have used SHA256.

 

Creating a Baseline of Running Processes with Watchlists

Once either Sysmon Create Process or Windows Event ID 4688 events are being received by FortiSIEM, we can monitor these and create a baseline watchlist of seen processes. The basic process is:

  1. Create a rule that will populate a watchlist with the Process Name from Windows Event ID 4688 or Sysmon events
  2. Create another rule that will generate an incident if the Process Name is not already present in the watchlist, indicating a previously unseen process

The first step is to create a new watchlist in 'Resources > Watchlists'. Set the 'Expired in' value to one that meets your requirements, so the list is kept up to date.

Next, create a new rule in 'Resources > Rules'.


Configure the filter to match either the Windows Audit Log or Sysmon process creation events we saw in the last section. Group on Process Name and Host Name.

Configure the rule actions:

  • Set the severity to LOW (this is just the baseline rule)
  • Define the rule actions
  • Change the notification period to 12 hours
  • Add the 'Process Name' attribute to the new 'Processes' watchlist

Add the process name to our process watchlist by clicking the 'Watch List' icon in the Define Action screen.


Consider configuring an auto-clear condition on this rule to clear the new process incidents, which will be repetitive and not interesting in many cases.



Save the rule and check that it is active.


Soon the watchlist should be populated with the processes seen in the logs.


Alerting on New Processes

Now create another new rule to alert if a process is seen that is not present in the watchlist. This will be based on the previous rule we created. Locate the rule in 'Resources > Rules' and clone it. Save the cloned rule as 'New Server Process Seen'.


Edit the filter of the new rule as follows:

  • Add in Process Name NOT IN Group:Processes (select the watchlist group from the CMDB via the popup menu)
  • Check the parentheses and the OR statement so that the NOT IN condition applies to both the 4688 and the Sysmon branch of the filter


Save the filter and move on to the last step of the rule configuration, Step 3: Define Action.

  • Change the severity from LOW to MEDIUM or HIGH
  • Check that the Watch List is Undefined; this rule must not add to the watchlist
  • Modify other rule action settings as needed

Save the rule and again check that it is enabled.

Now FortiSIEM will generate a higher severity incident when it receives a process creation log whose process name hasn’t been seen in any other server logs before.



Advanced Configuration with Sysmon and Process Hashes

Sysmon process hashes can be used to populate a second watchlist to help identify malicious software masquerading as legitimate processes.

First, create another watchlist called 'Process Hashes'.

Then configure an additional rule in the same way as the baseline rule, this time for the Sysmon process creation events that carry the hash.

Edit the rule actions as before, but this time add the 'Hash Code' attribute to the Incident Attributes.

Add the Hash Code to the new ‘Process Hashes’ watchlist, and again consider an auto-clear condition on this rule.

Enable the rule.

Within a few minutes the new watchlist should start to be populated.


Finally, create a new rule that will identify Sysmon Create Process events where the Process Name is in the known processes watchlist but the Process Hash has not been seen before.

Configure the rule actions and enable the rule.

Now, if a process that has been seen before starts with a previously unseen hash, this rule generates an incident.
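As an added example (not FortiSIEM's own code or rule engine), the following Python script replays a handful of constructed 4688 and Sysmon events through the two-watchlist logic described above: the 'Processes' baseline with its 'New Server Process Seen' rule, and the 'Process Hashes' baseline with the known-name-but-unseen-hash rule. The expiry semantics, the incident tuple layout and the sample hashes are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events standing in for Windows Event ID 4688 and Sysmon
# process creation logs (not real log data). Only Sysmon events carry a hash.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "host": "srv01", "process": "svchost.exe", "hash": "sha256:1111"},
    {"ts": "2024-03-01T08:05:00", "host": "srv02", "process": "svchost.exe", "hash": None},  # 4688
    {"ts": "2024-03-01T09:00:00", "host": "srv01", "process": "svchost.exe", "hash": "sha256:1111"},
    {"ts": "2024-03-01T09:30:00", "host": "srv02", "process": "notepad.exe", "hash": "sha256:2222"},
    {"ts": "2024-03-01T10:00:00", "host": "srv03", "process": "svchost.exe", "hash": "sha256:9999"},
    {"ts": "2024-03-20T10:00:00", "host": "srv01", "process": "notepad.exe", "hash": None},  # 4688
]

class Watchlist:
    """FortiSIEM-style watchlist: a value counts as present only if it was seen
    within the 'Expired in' window (simplifying assumption about expiry)."""

    def __init__(self, expire_after):
        self.expire_after = expire_after
        self.last_seen = {}  # value -> datetime of last sighting

    def contains(self, value, now):
        seen = self.last_seen.get(value)
        return seen is not None and now - seen <= self.expire_after

    def add(self, value, now):
        self.last_seen[value] = now

def run_rules(events, expire_days=7):
    """Replay events through the post's rules; return (severity, rule, host, process) incidents."""
    processes = Watchlist(timedelta(days=expire_days))  # 'Processes' watchlist
    hashes = Watchlist(timedelta(days=expire_days))     # 'Process Hashes' watchlist
    incidents = []
    for ev in events:
        now = datetime.fromisoformat(ev["ts"])
        name, digest = ev["process"], ev["hash"]
        # Evaluate against the watchlist state before this event is added,
        # so a first sighting raises exactly one incident.
        if not processes.contains(name, now):
            incidents.append(("MEDIUM", "New Server Process Seen", ev["host"], name))
        elif digest is not None and not hashes.contains(digest, now):
            # Known name but unseen hash: a changed or masquerading binary
            incidents.append(("HIGH", "Known process with unseen hash", ev["host"], name))
        processes.add(name, now)       # baseline rule populates 'Processes'
        if digest is not None:
            hashes.add(digest, now)    # Sysmon-only rule populates 'Process Hashes'
    return incidents
```

The last sample event shows the expiry effect: notepad.exe, last seen 19 days earlier, is reported as new again with a 7-day 'Expired in' value but not with a 30-day one.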


There are a few points to note here:

  1. There may be false positives when genuine software updates are installed
  2. This won't detect one previously seen process being renamed to another, e.g. renaming PowerShell or tasksche.exe to notepad.exe