Detect Thread and Process Notifications using VQL (Part 3)
Monitor Process Activity, Creation, Termination, and Access
Introduction: In this blog post, we'll explore how to use Elastic EDR, Windows Defender, and Velociraptor to detect thread and process notifications for various activities. We'll provide VQL queries and settings for monitoring process activity, creation, termination, and access.
How to investigating unusual process threads ?
Monitoring Process Activity
Detect Unusual Process Creation
Detecting Unusual Process Termination
Monitoring Unusal Process Access
Tip #1: Monitor Process Activity
Velociraptor VQL query:
SELECT *
FROM watch_monitoring(
Query={
SELECT *
FROM Wmi(
Namespace="root\\CIMV2",
Class="Win32_Process"
)
},
MaxWait=60
)
Windows Defender settings:
Enable real-time monitoring
Enable behaviour monitoring
Enable network protection
Tip #2: Detect Process Creation
Velociraptor VQL query:
SELECT *
FROM EventLog(
event_logs=["Security"],
event_id=4688,
rows=50
)
Windows Defender settings:
Enable process creation monitoring (Event ID 4688)
Detect Remote Thread Creation in Processes:
VQL query:
sqlCopy code
SELECT *FROM Artifact.Windows.Sys.MonitoredProcesses()
WHERE RemoteThreadCount > 0
To interpret the output of the VQL query for detecting remote thread creation in processes, you need to understand the columns returned in the results. Here's a brief explanation of the output:
ProcessId: The process ID (PID) of the process in which remote threads are created.
Name: The name of the process.
CommandLine: The command line used to start the process.
RemoteThreadCount: The number of remote threads created in the process.
When you see the output, if RemoteThreadCount is greater than 0 for a process, it means that remote threads have been created in that process. You should investigate such processes further for potentially malicious activity.
Here's another example to detect process injection using Velociraptor:
Tip: Detect Process Injection Using VirtualAllocEx and WriteProcessMemory
VQL query:
SELECT *FROM Artifact.Windows.Sys.MonitoredProcesses()
WHERE VirtualAllocExCount > 0 AND WriteProcessMemoryCount > 0
In the output of this query, you'll see the following columns:
ProcessId: The process ID (PID) of the process where VirtualAllocEx and WriteProcessMemory functions have been called.
Name: The name of the process.
CommandLine: The command line used to start the process.
VirtualAllocExCount: The number of times the VirtualAllocEx function has been called in the process.
WriteProcessMemoryCount: The number of times the WriteProcessMemory function has been called in the process.
If both VirtualAllocExCount and WriteProcessMemoryCount are greater than 0 for a process, it might indicate a process injection attempt. You should investigate such processes further for potentially malicious activity.
Tip #3: Monitor Process Termination
To detect process termination notifications we can use below
Velociraptor VQL query:
SELECT *
FROM EventLog(
event_logs=["Security"],
event_id=4689,
rows=50
)
Windows Defender settings:
Enable process termination monitoring (Event ID 4689)
To Detect Unusual Process Termination
VQL query:
SELECT Termination.ProcessId, Process.Name, Process.CommandLine, Termination.ExitStatus
FROM Artifact.Windows.Sys.MonitoredProcesses() AS Process
JOIN (
SELECT *
FROM Artifact.Windows.Sys.ProcessTermination()
) AS Termination
ON Process.ProcessId = Termination.ProcessId
WHERE Termination.ExitStatus NOT IN ("0", "259")
In the output of this query, you'll see the following columns:
ProcessId: The process ID (PID) of the terminated process.
Name: The name of the terminated process.
CommandLine: The command line used to start the terminated process.
ExitStatus: The exit status code of the terminated process.
When you see the output, if the ExitStatus is not "0" (normal termination) or "259" (still active), it indicates an unusual process termination. You should investigate such processes further for potentially malicious activity.
Tip #4: Observe Process Access
Velociraptor VQL query:
SELECT *
FROM EventLog(
event_logs=["Security"],
event_id=4663,
rows=50
)
Windows Defender settings:
Enable process access monitoring (Event ID 4663)
Detect Unusual Process Access
VQL query:
SELECT Opened.ProcessId AS AccessedProcessId, Opened.Name AS AccessedProcessName, Process.ProcessId AS AccessingProcessId, Process.Name AS AccessingProcessName, Process.CommandLine AS AccessingProcessCmdLine FROM Artifact.Windows.Sys.MonitoredProcesses() AS Process JOIN ( SELECT * FROM Artifact.Windows.Sys.ProcessAccess() WHERE GrantedAccess NOT IN (0x0010, 0x0020, 0x0040, 0x0080) ) AS Opened ON Process.ProcessId = Opened.SourceProcessId
In the output of this query, you'll see the following columns:
AccessedProcessId: The process ID (PID) of the process being accessed.
AccessedProcessName: The name of the process being accessed.
AccessingProcessId: The process ID (PID) of the process accessing the other process.
AccessingProcessName: The name of the process accessing the other process.
AccessingProcessCmdLine: The command line used to start the process accessing the other process.
This query filters out common access rights (0x0010, 0x0020, 0x0040, 0x0080) and focuses on unusual process access. When you see the output, investigate the processes further for potentially malicious activity.
Book your Incident Response Free Consultation today.
Closing Statement: By using the VQL queries and settings provided, you can effectively monitor and detect various thread and process notifications using Elastic EDR, Windows Defender, and Velociraptor. Customise the queries and settings to meet your specific needs and always test them thoroughly before implementing them in a production environment.