RE: process tracking

From: Joanna Rutkowska (joanna_at_mailsnare.net)
Date: 03/28/04

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #182"
    Date: Sun, 28 Mar 2004 11:30:51 +0200 (Central European Daylight Time)
    To: Robert Blackwell <robert@snrdesigns.com>

    This tool (SNARE), again, seems to treat the 'string' field of the
    reported event as one opaque field, which makes the extraction of the
    parent PID very difficult for an automated parser.

    I'm not interested in just finding all process creation events, but rather
    in the correlation between process creation and termination events (592 and
    593), so that it would be possible to see which processes have created
    which children. For example, the information that cmd.exe was started
    someday in the past is useless unless I know that it was started by,
    for example, inetinfo.exe, which would be the obvious sign of shellcode
    execution.

    joanna.

    On Sat, 27 Mar 2004, Robert Blackwell wrote:

    > This would not help for existing event logs, but for future use try using
    > Snare to generate syslog messages to feed into KIWI Syslog and set up
    > filters from there to trap what you are interested in. Based on that, you
    > could generate an email for a critical event or just dump into a SQL
    > database for generating reports. This would allow you to monitor all of your
    > servers.
    >
    > Robert
    >
    > -----Original Message-----
    > From: Joanna Rutkowska [mailto:joanna@mailsnare.net]
    > Sent: Friday, March 26, 2004 5:21 AM
    > To: focus-ms@securityfocus.com
    > Subject: process tracking
    >
    >
    > Hi,
    >
    > does anybody know a good tool for the analysis of process tracking event
    > log messages (id 592 and 593) in Windows 2000/2003? But please do not tell
    > me about:
    >
    > dumpel -f procs.txt -e 592 593 -m security -l security
    >
    > since it is very lame (parsing the resulting file in Excel, for example, is
    > very problematic). I would like to have a report which would display:
    >
    > 1) the names of all the processes ever run in the system.
    >
    > 2) for each process from point 1, I would like to see *how* it was
    > created, i.e. by which parent process. This is IMO extremely important
    > for discovering things like cmd.exe started by sqlserv.exe, for example,
    > which is the obvious sign of some simple shellcodes.
    >
    > I have spent some time researching process hiding techniques (aka
    > rootkits), some smart ways of discovering these hidden processes, and
    > other methods of better hiding, etc... However, I realized that maybe
    > this whole hide-and-seek game is not necessary, since Windows admins seem
    > not to have any good tool for accounting for even unhidden processes...
    >
    > regards,
    > joanna.
    >
    > ---------------------------------------------------------------------------
    > Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    > wireless security
    >
    > Protect your network against hackers, viruses, spam and other risks with
    > Astaro Security Linux, the comprehensive security solution that combines six
    > applications in one software solution for ease of use and lower total cost
    > of ownership.
    >
    > Download your free trial at
    > http://www.securityfocus.com/sponsor/Astaro_focus-ms_040301
    > ---------------------------------------------------------------------------
    >

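The correlation Joanna asks for, as an added example written for this thread (it is not SNARE's code nor the poster's): each 592 is parsed out of the opaque description string, the Creator Process ID is resolved against the processes still alive, and each 593 closes its PID so that a reused PID is attributed to the right parent. The field labels inside the description follow the Windows 2000/2003 wording for 592/593 as the author of this example recalls it; that is an assumption to verify against events exported from your own servers. The sample events and their PIDs, users and paths are constructed; the sqlservr.exe entry in the watch list is the actual SQL Server image name behind the "sqlserv.exe" of the original mail.

```python
"""Correlate Windows 2000/2003 Security events 592 (process created) and
593 (process exited) into parent/child records from the opaque description
string a forwarder such as SNARE delivers. Added example for the thread;
field labels are an assumption about the Windows 2000/2003 wording."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Labels inside the opaque description string (assumed 2000/2003 wording).
RE_592 = re.compile(
    r"New Process ID:\s*(?P<pid>\d+)\s+"
    r"Image File Name:\s*(?P<image>.+?)\s+"
    r"Creator Process ID:\s*(?P<ppid>\d+)\s+"
    r"User Name:"
)
RE_593 = re.compile(
    r"Process ID:\s*(?P<pid>\d+)\s+Image File Name:\s*(?P<image>.+?)\s+User Name:"
)

# A server process spawning a shell is the pair the thread wants flagged:
# inetinfo.exe (IIS) or sqlservr.exe (SQL Server) -> cmd.exe.
SERVER_PARENTS = {"inetinfo.exe", "sqlservr.exe"}
SHELLS = {"cmd.exe", "command.com"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so image names compare reliably."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class ProcessRecord:
    pid: int
    image: str
    ppid: int
    parent: Optional["ProcessRecord"]  # None if the parent's 592 was never seen
    start_seq: int                     # sequence number of the 592 event
    end_seq: Optional[int] = None      # sequence number of the matching 593

    @property
    def parent_image(self) -> str:
        return self.parent.image if self.parent else f"<unknown pid {self.ppid}>"


class ProcessTracker:
    def __init__(self) -> None:
        self.records: List[ProcessRecord] = []
        self._live: Dict[int, ProcessRecord] = {}  # pid -> process still running

    def feed(self, seq: int, event_id: int, description: str) -> None:
        """Consume one event in log order; a 593 closes the record for its PID."""
        if event_id == 592:
            m = RE_592.search(description)
            if not m:
                return
            pid, ppid = int(m["pid"]), int(m["ppid"])
            rec = ProcessRecord(pid, basename(m["image"]), ppid, self._live.get(ppid), seq)
            self.records.append(rec)
            self._live[pid] = rec  # a reused PID now points at the new process
        elif event_id == 593:
            m = RE_593.search(description)
            if m:
                rec = self._live.pop(int(m["pid"]), None)
                if rec is not None:
                    rec.end_seq = seq

    def children_of(self, image: str) -> List[ProcessRecord]:
        return [r for r in self.records if r.parent and r.parent.image == image]

    def suspicious(self) -> List[ProcessRecord]:
        """Shells whose parent is one of the server processes above."""
        return [r for r in self.records if r.image in SHELLS and r.parent_image in SERVER_PARENTS]


# Constructed sample: (sequence, event id, opaque description string). PID 1500 is
# deliberately reused after the first cmd.exe exits, which is why 593 matters.
SAMPLE_EVENTS: List[Tuple[int, int, str]] = [
    (1, 592, "A new process has been created: New Process ID: 1204 Image File Name: "
             "\\WINNT\\system32\\inetsrv\\inetinfo.exe Creator Process ID: 224 "
             "User Name: SYSTEM Domain: NT AUTHORITY Logon ID: (0x0,0x3E7)"),
    (2, 592, "A new process has been created: New Process ID: 1360 Image File Name: "
             "\\WINNT\\explorer.exe Creator Process ID: 1100 User Name: alice Domain: LAB "
             "Logon ID: (0x0,0x1A2B3)"),
    (3, 592, "A new process has been created: New Process ID: 1500 Image File Name: "
             "\\WINNT\\system32\\cmd.exe Creator Process ID: 1360 User Name: alice "
             "Domain: LAB Logon ID: (0x0,0x1A2B3)"),
    (4, 593, "A process has exited: Process ID: 1500 Image File Name: "
             "\\WINNT\\system32\\cmd.exe User Name: alice Domain: LAB Logon ID: (0x0,0x1A2B3)"),
    (5, 592, "A new process has been created: New Process ID: 1500 Image File Name: "
             "\\WINNT\\system32\\cmd.exe Creator Process ID: 1204 User Name: SYSTEM "
             "Domain: NT AUTHORITY Logon ID: (0x0,0x3E7)"),
    (6, 592, "A new process has been created: New Process ID: 1620 Image File Name: "
             "\\WINNT\\system32\\notepad.exe Creator Process ID: 1500 User Name: SYSTEM "
             "Domain: NT AUTHORITY Logon ID: (0x0,0x3E7)"),
]


def analyze(events: List[Tuple[int, int, str]] = SAMPLE_EVENTS) -> ProcessTracker:
    tracker = ProcessTracker()
    for seq, event_id, description in events:
        tracker.feed(seq, event_id, description)
    return tracker


if __name__ == "__main__":
    t = analyze()
    for r in t.records:
        print(f"{r.parent_image} ({r.ppid}) -> {r.image} ({r.pid})")
    for r in t.suspicious():
        print(f"ALERT: {r.parent_image} spawned {r.image} (pid {r.pid}) at event {r.start_seq}")
```

Run against the constructed sample, the first cmd.exe is attributed to explorer.exe and closed by event 4; the second one, created under the same PID by inetinfo.exe, is the only record suspicious() returns, and notepad.exe is correctly tied to that second cmd.exe rather than the first. Events must be fed in log order; on a real syslog feed, sort by the record number the forwarder carries before calling feed().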

