Detections
- Home
- - Detections
- -DT043
- ID: DT043
- Created: 02nd June 2024
- Updated: 17th June 2024
- Platform: Windows
- Contributor: The ITM Team
Sysmon Process Create Event
This detection is not enabled by default and requires additional configuration.
System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system.
Sections
ID | Name | Description |
---|---|---|
PR017 | Archive Data | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
PR003 | Software Installation | A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies. |
ME003 | Installed Software | A subject can leverage software approved for installation or software that is already installed. |
ME006 | Web Access | A subject can access the web with an organization device. |
PR019 | Private / Incognito Browsing | Private browsing, also known as 'incognito mode' among other terms, is a feature in modern web browsers that prevents the storage of browsing history, cookies, and site data on a subject's device. When private browsing is enabled, it ensures any browsing activity conducted during the browser session is not saved to the browser history or cache.
A subject can use private browsing to conceal their actions in a web browser, such as navigating to unauthorized websites, downloading illicit materials, uploading corporate data or conducting covert communications, thus leaving minimal traces of their browsing activities on a device and frustrating forensic recovery efforts. |
AF017 | Use of a Virtual Machine | The subject uses a virtual machine (VM) to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations. By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities. |
PR017.001 | Archive via Utility | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
PR017.002 | Archive via Library | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
PR017.003 | Archive via Compression | A subject uses utilities to compress collected data prior to exfiltration. |
PR017.004 | Archive via Encryption | A subject uses utilities to encrypt collected data prior to exfiltration. |
IF005.001 | Exfiltration via Installed Messaging Application | A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system. |
PR003.011 | Installing Screen Sharing Software | A subject installs screen sharing software which can be used to capture images or other information from a target system. |
PR003.010 | Installing RDP Clients | A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network. |
PR003.009 | Installing FTP Clients | A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network. |
PR003.008 | Installing SSH Clients | A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network. |
PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
PR003.006 | Installing Note-Taking Applications | A subject installs an unapproved note taking application with the ability to sync notes across the Internet. |
PR003.005 | Installing Cloud Storage Applications | A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet. |
PR003.003 | Installing Browsers | A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction. |
PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
PR003.001 | Installing Virtual Machines | A subject installs a hypervisor that allows them to create and access virtual environments on a device. |
IF009.004 | Intentionally Introducing Malware | A subject intentionally introduces and attempts to execute malware on a system. |
IF009.003 | Unintentionally Introducing Malware | A subject unintentionally introduces and attempts to execute malware on a system. This is can be achieved through various methods, such as phishing, malvertising, torrented downloads, and social engineering. |
IF009.002 | Inappropriate Software | A subject installs software that is not considered appropriate by the organization. |
IF009.001 | Unwanted Software | A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”. |
IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |
IF004.004 | Exfiltration via Screen Sharing Software | A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as Teamviewer. |
PR006.004 | Security Enumeration via Network Activity | A subject attempts to identify security software by monitoring network traffic. |