Process

Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.

Monitor for API calls associated with detecting token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior. Analysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

Monitor for API calls that may attempt to gather information about domain accounts such as type of user, privileges and groups.

Monitor process API calls to AddMonitor.^[5]

Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory.

Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence.

Monitor for Keychain Services API calls, specifically legacy extensions such as SecKeychainFindInternetPassword, that may collect Keychain data from a system to acquire credentials.^[6]

Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.^[7]

Consider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.^[8][9]

Monitor for API calls that may search for common password storage locations to obtain user credentials.

Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.

Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.

Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. ^[13]

Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, ^{[14] [15]} and consider regularly scanning for the presence of modified information. ^[16]

Monitor for Windows API calls that may clear Windows Event Logs to hide the activity of an intrusion.

Monitor for API calls to the SetWindowsHook, GetKeyState, and GetAsyncKeyState.^[17] and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

Monitor for API calls to the SetWindowsHookEx and SetWinEventHook functions, which install a hook procedure.^[18][19] Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools^[19][20][21] or by programmatically examining internal kernel structures.^[22][23]

Monitor for API calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller

Monitor for API calls that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

Monitor for API calls associated with the use of device drivers and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) ^{[29] [30]} disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.^[13]

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.^[13]

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.^[13]

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.^[13]

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.^[13]

Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.^{[31] [32] [33] [34]}

Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong ^[35] and SetWindowLong ^[36]. Malware associated with this technique have also used SendNotifyMessage ^[37] to trigger the associated window procedure and eventual malicious injection. ^[13]

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.^[13]

Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. ^{[38] [39]}

Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.^{[31][32][33][34]}

Consider monitoring for excessive use of SendMessage and/or PostMessage API functions with LVM_SETITEMPOSITION and/or LVM_GETITEMPOSITION arguments.

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as FindWindow, FindWindowEx, EnumWindows, EnumChildWindows, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be abused for this technique.

Monitor for API calls that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Monitor for API calls that may forge web cookies that can be used to gain access to web applications or Internet services.

Monitor for API calls that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Monitor for API calls that may employ various time-based methods to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Monitor for processes being accessed that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.

Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).

Monitor process being accessed that may acquire user credentials from third-party password managers.^[44]

Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service.^[45]

Monitor for unexpected processes interacting with the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Monitor for unexpected processes interacting with LSASS.exe.^[46] Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Monitor for process being viewed that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for processes being viewed that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for processes being viewed that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for processes being viewed that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for processes being viewed that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for processes being viewed that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for processes being viewed that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.

Monitor newly executed processes, such as eventvwr.exe and sdclt.exe, that may bypass UAC mechanisms to elevate process privileges on system.

Monitor newly executed processes that may perform sudo caching and/or use the suoders file to elevate privileges.

Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

Monitor for newly constructed processes and/or command-lines that may abuse mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.^[47] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor for processes that can be used to enumerate domain accounts and groups, such as net.exe and net1.exe, especially when executed in quick succession.^[47] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor for newly executed processes, such as Windows Management Instrumentation and PowerShell , with arguments that can be used to enumerate email addresses and accounts.

Monitor for suspicious processes modifying the authorized_keys or /etc/ssh/sshd_config files.

Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip.

Monitor newly executed processes, such as the W32tm.exe utility. ^[48] The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. ^[49]

Monitor for newly created processes that may modify the kernel to automatically execute programs on system boot.

Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login.

Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot.

Monitor newly executed processes that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

Monitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior, such as establishing network connections.

Monitor for newly constructed processes and/or command-lines that execute logon scripts

Monitor for processes and/or command-lines to install or modify login hooks, as well as processes spawned at user login by these hooks.

Monitor for newly constructed processes and/or command-lines that execute logon scripts

Monitor for newly constructed processes and/or command-lines that execute /etc/rc.local if present.

Monitor for newly constructed processes and/or command-lines that execute during the boot up process to check for unusual or unknown applications and behavior

Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution.

Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Monitor for newly executed processes that may abuse the Windows command shell for execution.

Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.

Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor newly executed processes that may abuse Python commands and scripts for execution.

Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts

Monitor newly executed processes associated with account creation, such as net.exe

Monitor newly executed processes associated with account creation, such as net.exe

Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Monitor for newly executed processes that may create or modify Launch Daemons to execute malicious payloads as part of persistence.

Monitor processes spawned by command line utilities to manipulate keychains directly, such as security, combined with arguments to collect passwords, such as dump-keychain -d.

Monitor newly executed processes of vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:"Windows Credentials").^[50]

Monitor newly executed processes that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor newly executed processes that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor for newly executed processes that may establish persistence by executing malicious content triggered by a file type association.

Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity.

Monitor newly executed processes that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).

Monitor newly executed processes that may establish persistence through executing malicious commands triggered by a user’s shell.

Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal.

Monitor processes for those that may be used to modify binary headers.

It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior.

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Monitor newly executed processs for sdbinst.exe for potential indications of application shim abuse. There are several public tools available that will detect shims that are currently available ^[51]: Shim-Process-Scanner - checks memory of every running process for any shim flags Shim-Detector-Lite - detects installation of custom shim databases Shim-Guard - monitors registry for any shim installations ShimScanner - forensic tool to find active shims in memory* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)

Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. ^[52]

Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.

Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).

Monitor newly executed processes that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of environmental keying may be difficult depending on the implementation.

Monitor for newly executed processes when removable media is mounted

Monitor for newly constructed processes and/or command-lines that can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders.

Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.^[53][54]

Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms.

Monitor newly executed processes for actions that could be taken to add a new user and subsequently hide it from login screens.

Monitor newly executed processes that may use hidden windows to conceal malicious activity from the plain sight of users.

Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).

Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs.

Monitor for newly constructed processes to match an existing service executables.

Monitor for newly executed processes for unusual activity (e.g., a process that does not use the network begins to do so).

Monitor for newly executed processes for process executable paths that are named for partial directories.

Monitor for newly executed processes for process executable paths that are named for partial directories.

Monitor for newly executed processes that may execute their own malicious payloads by hijacking vulnerable file path references.

Monitor for newly executed processes that may execute their own malicious payloads by hijacking the binaries used by services.

Monitor suspicious programs execution through services. These processes may show up as outlier processes that have not been seen before when compared against historical data.

Monitor for newly executed processes, such as setx.exe, that may abuse of the COR_PROFILER variable, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.^[55]

Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits.

Monitor newly executed processes that may abuse Windows safe mode to disable endpoint defenses.

Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging.

Monitor for newly constructed processes and/or command line execution that can be used to remove network share connections via the net.exe process.

Monitor for newly executed processes

Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on.

Monitor for newly executed processes that may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands.

Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.

Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Outlook forms to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Outlook rules to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Monitor newly executed processes that may attempt to find local system groups and permission settings.

Monitor newly executed processes that may attempt to find domain-level groups and permission settings.

Monitor newly executed processes that may attempt to find cloud groups and permission settings.

Monitor newly executed processes that may hijack a legitimate user's SSH session to move laterally within an environment.

Consider monitoring processes for tscon.exe usage

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.

Monitor for newly executed processes associated with DCOM activity, especially those invoked by a user different than the one currently logged on. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.^[56][57]

Monitor for newly executed processes that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on macOS systems log show --predicate 'process = "sshd"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"' can be used to review outgoing SSH connection activity.^[58]

Monitor for newly executed processes that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems the screensharingd process may be related to VNC connection activity.^[58]

Monitor for newly executed processes that may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM), as well as service processes such as wmiprvse.exe on destination hosts.

Monitor for newly constructed processes with command-lines that create/modify or are executed from tasks. For example, on Windows tasks may spawn from svchost.exe or the Windows Task Scheduler taskeng.exe for older OS versions. ^[59] Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.

Monitor for newly constructed processes and/or command-lines that executed through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. ^[59] If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete.

Monitor for newly constructed processes and/or command-lines that will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: ^[60]<?php @eval($_POST['password']);>Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.^[61]

Monitor processes with arguments that may potentially highlight adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

Monitor newly executed processes that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Monitor for processes, such as certmgr.exe (macOS) or certutil.exe (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. ^[62] Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. ^[62] The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. ^[63]

Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON. ^[64]

Monitor and analyze the execution and arguments of hh.exe. ^[65] Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.

Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.^[66]

Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: ^[67] To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).

Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity

Use process monitoring to monitor the execution and arguments of mshta.exe.

Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files.

Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.

Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.

Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.

Monitor processes for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious.

Monitor for newly executed processes that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Monitor for executed processes (such as tracert or ping) that may check for Internet connectivity on compromised systems.

Monitor script processes, such as `cscript that may be used to proxy execution of malicious files.

Monitor for newly executed daemons that may abuse launchctl to execute commands or programs.

Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads.

Monitor for newly executed processes of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.

Monitor newly executed processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

Monitor for newly constructed processes and/or command-lines for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on system.

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may perform sudo caching and/or use the suoders file to elevate privileges.

Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.^[71]

Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.^[72]

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for changes made to processes that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for changes made to processes that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for changes made to processes that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for changes made to processes that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for changes made to processes that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.

Monitor for changes made to processes that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.

Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Analyze process behavior to determine if a process is performing unusual actions, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

Monitor processes for unexpected termination related to security tools/services.