process tracking

From: Joanna Rutkowska (joanna_at_mailsnare.net)
Date: 03/26/04

    Date: Fri, 26 Mar 2004 13:20:41 +0100 (Central European Standard Time)
    To: focus-ms@securityfocus.com
    
    

    Hi,

    Does anybody know a good tool for analysis of process tracking event
    log messages (IDs 592 and 593) in Windows 2000/2003? But please do not tell
    me about:

    dumpel -f procs.txt -e 592 593 -m security -l security

    since it is very lame (parsing the resulting file in Excel, for example, is
    very problematic). I would like to have a report which would display:

    1) the names of all the processes ever run in the system.

    2) for each process from point 1, I would like to see *how* it was
    created, i.e. by which parent processes. This is IMO extremely important
    for discovering things like cmd.exe started by sqlserv.exe, for example,
    which is the obvious sign of some simple shellcodes.

    I have spent some time researching process hiding techniques (aka
    rootkits), some smart ways of discovering these hidden processes, other
    methods of better hiding, etc... However, I realized that maybe this
    whole hide-and-seek game is not necessary, since Windows admins seem not
    to have any good tool for accounting for even unhidden processes...

    regards,
    joanna.

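What the requested report boils down to, as an added example that is not part of this post or of any list tool: a small Python script that replays 592/593 records in order, attributes each new process to the image currently holding its creator PID, uses the 593 exit events so a reused PID is not misattributed, and flags the cmd.exe-under-SQL-Server case described above. The records, PIDs, paths and the server/shell rule lists are constructed assumptions; only the field labels follow the real 592/593 event text, and sqlservr.exe is the SQL Server service binary.

```python
import re
from collections import defaultdict

# Constructed sample (event id, description text). Field labels follow the wording of
# Windows 2000/2003 security events 592/593; PIDs and paths are made up. PID 2044 is
# used twice on purpose: without the 593 exit event the second cmd.exe would be
# attributed to the old cmd.exe instead of notepad.exe.
SAMPLE = [
    (592, "New Process ID: 880  Image File Name: C:\\WINNT\\system32\\services.exe  Creator Process ID: 4  User Name: SYSTEM"),
    (592, "New Process ID: 1440  Image File Name: C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe  Creator Process ID: 880  User Name: SYSTEM"),
    (592, "New Process ID: 2044  Image File Name: C:\\WINNT\\system32\\cmd.exe  Creator Process ID: 1440  User Name: SYSTEM"),
    (593, "Process ID: 2044  Image File Name: C:\\WINNT\\system32\\cmd.exe  User Name: SYSTEM"),
    (592, "New Process ID: 2044  Image File Name: C:\\WINNT\\system32\\notepad.exe  Creator Process ID: 1720  User Name: bob"),
    (592, "New Process ID: 2100  Image File Name: C:\\WINNT\\system32\\cmd.exe  Creator Process ID: 2044  User Name: bob"),
]

NEW_RE = re.compile(r"New Process ID:\s*(\d+)\s+Image File Name:\s*(.+?)\s+Creator Process ID:\s*(\d+)")
EXIT_RE = re.compile(r"Process ID:\s*(\d+)")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_lineage(events):
    """Return {child image: set(parent images)} by replaying 592/593 records in order."""
    live = {}                 # pid -> image of the process currently holding that pid
    lineage = defaultdict(set)
    for event_id, text in events:
        if event_id == 592:
            m = NEW_RE.search(text)
            if not m:
                continue
            pid, image, creator = int(m.group(1)), basename(m.group(2)), int(m.group(3))
            parent = live.get(creator, f"<unlogged pid {creator}>")  # parent predates auditing
            lineage[image].add(parent)
            live[pid] = image
        elif event_id == 593:
            m = EXIT_RE.search(text)
            if m:
                live.pop(int(m.group(1)), None)  # free the pid so later reuse is not misread
    return dict(lineage)

# Assumed rule set for the example: server processes that should never spawn a shell.
SHELLS = {"cmd.exe", "command.com"}
SERVERS = {"sqlservr.exe", "inetinfo.exe"}

def suspicious_pairs(lineage):
    """List (parent, child) pairs where a server process spawned a shell."""
    return sorted((p, c) for c, parents in lineage.items() if c in SHELLS
                  for p in parents if p in SERVERS)
```

Calling `build_lineage(SAMPLE)` gives the per-image parent sets the post asks for, and `suspicious_pairs` on that result reports only the sqlservr.exe -> cmd.exe pair, not the later cmd.exe that notepad.exe started under the recycled PID.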

