Windows Process Monitoring

The Windows Process Monitoring dashboard gives an overview of all the commands being run on the Windows systems. Some commands are expected and others are not, so understanding which applications are in use and the commands they run is good cyber-hygiene practice for the network. The presence of unauthorized software, or of staff running commands that would not normally be run, can be a sign that the system has been compromised and the hacker is using what is called "Living off the Land" techniques to obscure what is being done on the network, since many AV tools will not see this as a threat. Some XDR tools can pick up on this activity, but some of it can still slip past detection. Some parts of the dashboard only show data for the last 4 hours, as some Windows systems can generate massive numbers of events. If longer search times are desired, it is best to use the event search feature to search for logs over a longer time period.

This page provides the following details.

  • Windows Process Monitoring - this graph shows the rate at which processes are being run on the network. Spikes in activity may indicate that a new threat has appeared on the network.

  • Process Monitoring by System - spikes on specific systems may indicate unusual activity occurring on that system. If the activity starts to spread to other systems, it can be an indicator of compromise on the network.

  • Process by Log Type - understanding the nature and types of the logs and where they are coming from can assist with the investigation.

  • Process Monitoring by Application - this shows the actual process or command being run, and whether it was a standard Windows tool or some other tool that has been copied to the system. It also shows the general rate at which these commands have been run today.

  • Process Monitoring by User - this shows the users running the specific commands. A spike for a specific account may also be an indicator that the account has been compromised and is being used to move laterally around the network. This is very important for any admin-type user with broad, unrestricted access on the network.

  • Process Monitoring by Target User - this tracks privilege escalation: actions attempted against the target user using runas-type functions.
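As an added example (not part of this page or the dashboard's own code), the following Python aggregates a constructed set of process-creation records the way the panels above do: counts by system, user, target user and application, per-hour rates with a simple spike check, images run from outside the standard Windows directories, and launches where the target user differs from the user who started the process (runas-style). Hosts, users, paths, timestamps and the spike threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample process-creation events (hypothetical hosts, users,
# times and paths), in the fields the dashboard panels break down by.
FIELDS = ("time", "host", "user", "target", "image")
EVENTS = [
    ("2024-02-09T05:00:00", "WS01", "alice", "alice", r"C:\Windows\System32\cmd.exe"),
    ("2024-02-09T05:10:00", "WS02", "bob", "bob", r"C:\Program Files\Git\bin\git.exe"),
    ("2024-02-09T05:30:00", "WS02", "svc_admin", "svc_admin", r"C:\Windows\System32\cmd.exe"),
    ("2024-02-09T06:00:00", "WS02", "bob", "bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2024-02-09T06:01:00", "WS02", "bob", "svc_admin", r"C:\Windows\System32\runas.exe"),
    ("2024-02-09T06:02:00", "WS02", "svc_admin", "svc_admin", r"C:\Users\Public\tool.exe"),
    ("2024-02-09T06:03:00", "WS02", "svc_admin", "svc_admin", r"C:\Users\Public\tool.exe"),
    ("2024-02-09T06:04:00", "WS02", "svc_admin", "svc_admin", r"C:\Windows\System32\net.exe"),
    ("2024-02-09T06:05:00", "WS02", "svc_admin", "svc_admin", r"C:\Windows\System32\net.exe"),
    ("2024-02-09T06:06:00", "WS02", "svc_admin", "svc_admin", r"C:\Windows\System32\whoami.exe"),
]
# Directories a standard Windows tool or installed application runs from (assumption).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse(raw=EVENTS):
    """Turn the tuples into dicts with a parsed timestamp."""
    return [{**dict(zip(FIELDS, row)), "time": datetime.fromisoformat(row[0])} for row in raw]

def count_by(events, key):
    """Total processes per host / user / target user / image (the 'by ...' panels)."""
    return Counter(e[key] for e in events)

def hourly_rate(events, key):
    """{value of key: Counter of hour -> process count}, i.e. the rate graphs."""
    rate = defaultdict(Counter)
    for e in events:
        rate[e[key]][e["time"].replace(minute=0, second=0)] += 1
    return rate

def spikes(events, key, factor=3):
    """Values of key whose busiest hour exceeds factor x the mean of their other hours."""
    flagged = set()
    for value, hours in hourly_rate(events, key).items():
        counts = sorted(hours.values())
        if len(counts) > 1 and counts[-1] > factor * sum(counts[:-1]) / (len(counts) - 1):
            flagged.add(value)
    return flagged

def non_standard_images(events):
    """Images run from outside the Windows and Program Files trees (copied-in tools)."""
    return {e["image"] for e in events if not e["image"].lower().startswith(STANDARD_DIRS)}

def elevation_events(events):
    """runas-style launches: the process was created under a different (target) account."""
    return [e for e in events if e["user"] != e["target"]]
```

With the sample data, the spike check flags WS02 by system and svc_admin by user, the copied-in tool.exe is the only non-standard image, and the single runas launch is the only elevation event.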
