
List:       focus-ms
Subject:    RE: process tracking
From:       Joanna Rutkowska <joanna () mailsnare ! net>
Date:       2004-03-28 9:30:51
Message-ID: Pine.WNT.4.58.0403281125180.1328 () bigwin

This tool (SNARE), again, seems to treat the 'string' field of the
reported event as one opaque field, which makes the extraction of the
parent PID very difficult for an automated parser.

I'm not interested in just finding all process creation events, but rather
in the correlation between process creation and termination events (592 and
593), so that it would be possible to see which processes have created
which children. For example, the information that cmd.exe was started
someday in the past is useless unless I know that it was started by,
for example, inetinfo.exe, which would be the obvious sign of shellcode
execution.

joanna.


On Sat, 27 Mar 2004, Robert Blackwell wrote:

> This would not help for existing event logs, but for future use try using
> Snare to generate syslog messages to feed into KIWI Syslog and set up
> filters from there to trap what you are interested in. Based on that, you
> could generate an email for a critical event or just dump into a SQL
> database for generating reports. This would allow you to monitor all of your
> servers.
>
> Robert
>
> -----Original Message-----
> From: Joanna Rutkowska [mailto:joanna@mailsnare.net]
> Sent: Friday, March 26, 2004 5:21 AM
> To: focus-ms@securityfocus.com
> Subject: process tracking
>
>
> Hi,
>
> does anybody know a good tool for analysis of process tracking event
> log messages (id 592 and 593) in Windows 2000/2003? But please do not tell
> me about:
>
> dumpel -f procs.txt -e 592 593 -m security -l security
>
> since it is very lame (parsing the resulting file in Excel, for example, is
> very problematic). I would like to have a report which would display:
>
> 1) the names of all the processes ever run in the system.
>
> 2) for each process from point 1, I would like to see *how* it was
> created, i.e. by which parent process. This is IMO extremely important
> for discovering things like cmd.exe started by sqlserv.exe, for example,
> which is the obvious sign of some simple shellcodes.
>
> I have spent some time researching process hiding techniques (aka
> rootkits), some smart ways of discovering these hidden processes, other
> methods of better hiding, etc... However, I realized that maybe this
> whole hide-and-seek game is not necessary, since Windows admins seem not
> to have any good tool for accounting even for unhidden processes...
>
> regards,
> joanna.
>
>
>
>
> ---------------------------------------------------------------------------
> Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
> wireless security
>
> Protect your network against hackers, viruses, spam and other risks with
> Astaro Security Linux, the comprehensive security solution that combines six
> applications in one software solution for ease of use and lower total cost
> of ownership.
>
> Download your free trial at
> http://www.securityfocus.com/sponsor/Astaro_focus-ms_040301
> ---------------------------------------------------------------------------
>
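The parent-to-child correlation Joanna describes (replaying 592 process-creation and 593 process-exit events in order so that a creator PID is resolved against the process that actually held that PID at the time, then flagging a shell whose parent is a network service) as an added example. This is not code from the thread, from SNARE, or from dumpel. The log lines are constructed for the example, and the tab-separated field order (time, event id, then the event's insertion strings: for 592 new PID, image file name, creator PID, user; for 593 PID, image file name, user) is an assumption about the export format, not the exact dumpel layout. The sample deliberately reuses PID 0x4b0 after notepad.exe exits, which is the case a parser that ignores 593 gets wrong.

```python
import ntpath
from collections import namedtuple

# Windows 2000/2003 process-tracking audit events.
PROCESS_CREATED = 592
PROCESS_EXITED = 593

Event = namedtuple("Event", "time event_id fields")

# Constructed sample export (not a real log). One event per line, tab
# separated: time, event id, then the event's insertion strings. The field
# order used here is an ASSUMPTION made for this example:
#   592: new PID, image file name, creator PID, user name
#   593: PID, image file name, user name
# PID 0x4b0 is reused: notepad.exe exits, and a later cmd.exe (spawned by
# inetinfo.exe) gets the same PID, so creation and exit must be replayed
# in order rather than looked up by PID alone.
SAMPLE_LOG = (
    "2004-03-28 09:01:00\t592\t0x2a4\tC:\\WINNT\\system32\\inetsrv\\inetinfo.exe\t0x1f0\tSYSTEM\n"
    "2004-03-28 09:02:00\t592\t0x3c8\tC:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe\t0x1f0\tSYSTEM\n"
    "2004-03-28 09:05:00\t592\t0x4b0\tC:\\WINNT\\system32\\notepad.exe\t0x5e8\tAdministrator\n"
    "2004-03-28 09:06:00\t593\t0x4b0\tC:\\WINNT\\system32\\notepad.exe\tAdministrator\n"
    "2004-03-28 09:10:00\t592\t0x4b0\tC:\\WINNT\\system32\\cmd.exe\t0x2a4\tSYSTEM\n"
    "2004-03-28 09:11:00\t592\t0x510\tC:\\WINNT\\system32\\tftp.exe\t0x4b0\tSYSTEM\n"
    "2004-03-28 09:12:00\t593\t0x510\tC:\\WINNT\\system32\\tftp.exe\tSYSTEM\n"
    "2004-03-28 09:13:00\t593\t0x4b0\tC:\\WINNT\\system32\\cmd.exe\tSYSTEM\n"
    "2004-03-28 09:20:00\t592\t0x5a4\tC:\\WINNT\\system32\\cmd.exe\t0x5e8\tAdministrator\n"
)


def parse_events(text):
    """Split the export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, event_id, *fields = line.split("\t")
        events.append(Event(time, int(event_id), fields))
    return events


def image_name(path):
    """Lower-cased file name of a Windows image path, or None."""
    return ntpath.basename(path).lower() if path else None


def build_process_tree(events):
    """Replay 592/593 events in log order and return one record per creation.

    `live` maps PID -> image of the process that currently owns that PID.
    A 592 is resolved against `live` at the moment it occurs, so a creator
    PID already released by a 593 (and possibly reassigned) is not
    mis-attributed to the process that used to hold it.
    """
    live = {}
    tree = []
    for ev in events:
        if ev.event_id == PROCESS_CREATED:
            new_pid, image, creator_pid = ev.fields[:3]
            user = ev.fields[3] if len(ev.fields) > 3 else ""
            parent_image = live.get(creator_pid)  # None: exited, or predates the log
            tree.append({
                "time": ev.time,
                "child_pid": new_pid,
                "child": image,
                "parent_pid": creator_pid,
                "parent": parent_image,
                "user": user,
            })
            live[new_pid] = image
        elif ev.event_id == PROCESS_EXITED:
            pid, image = ev.fields[:2]
            # Release the PID only if the exit matches what we believe runs there.
            if image_name(live.get(pid)) == image_name(image):
                live.pop(pid, None)
    return tree


# Network-facing services that should never spawn a shell. sqlservr.exe is
# the SQL Server service binary; w3wp.exe is the IIS 6 worker process.
SERVER_IMAGES = {"inetinfo.exe", "sqlservr.exe", "w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "command.com"}


def find_suspicious(tree, servers=SERVER_IMAGES, shells=SHELL_IMAGES):
    """Return creation records where a network service spawned a shell."""
    return [r for r in tree
            if image_name(r["child"]) in shells
            and image_name(r["parent"]) in servers]


def format_tree(tree):
    """One line per creation: time, child (pid) <- parent."""
    lines = []
    for r in tree:
        parent = image_name(r["parent"]) or "<unknown pid %s>" % r["parent_pid"]
        lines.append("%s  %s (%s)  <-  %s"
                     % (r["time"], image_name(r["child"]), r["child_pid"], parent))
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_process_tree(parse_events(SAMPLE_LOG))
    print(format_tree(tree))
    for r in find_suspicious(tree):
        print("SUSPICIOUS: %s spawned %s at %s"
              % (image_name(r["parent"]), image_name(r["child"]), r["time"]))
```

On the sample, tftp.exe is correctly attributed to cmd.exe rather than the exited notepad.exe that previously held PID 0x4b0, and the only hit is cmd.exe spawned by inetinfo.exe. Parents that started before auditing was enabled (here 0x1f0 and 0x5e8) show up as unknown rather than being guessed; a real deployment would seed `live` from a process listing taken when the log starts.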


