client monitoring artifacts for process creation and high privileged logons

[Herbert-Karl]

Hi,

at the blog post https://sec-consult.com/blog/detail/c2-powered-by-dinosaurs/, three Velo artifacts for Client Monitoring were published. I saw that these were not yet added to the Artifact Exchange, so I want to remedy this.

Two artifacts add further options for process creation monitoring on clients, one via ETW on Windows, another based on the generic VQL plugin "pslist".
The third artifact allows monitoring for logins on Windows systems that are assigned high privileges.

I think these artifacts could be good additions for monitoring activity while investigating an active cyber attack with Velociraptor.

Kind Regards

[scudette]

This is basically what the process tracker does a lot better :-)

[Herbert-Karl]

Is the process tracker available for all supported operating systems? Ive only seen it for Windows.

[scudette]

yes it is available always - you can read more about it here

https://docs.velociraptor.app/blog/2022/2022-08-17-process-tracker/

https://docs.velociraptor.app/artifact_references/pages/linux.events.trackprocesses/

This artifact is most similar to your idea since it only uses pslist
https://docs.velociraptor.app/artifact_references/pages/windows.events.trackprocessesbasic/

This one uses sysmon events as well
https://docs.velociraptor.app/artifact_references/pages/windows.events.trackprocesses/

[scudette]

Consider using the Microsoft-Windows-Kernel-Process provider instead - the kernel provider is very chatty and can result in higher CPU loads.

https://sigma.velocidex.com/docs/models/windows_etw_base/#etwwindowsprocess

Also this artifact is better used with the process tracker.

[scudette]

This one is probably better implemented as a sigma rule

https://sigma.velocidex.com/docs/artifacts/windows.hayabusa.monitoring/