
Detect Thread and Process Notifications using VQL (Part 3)

Updated: Mar 1, 2024

Monitor Process Activity, Creation, Termination, and Access

In this post we look at how to detect thread and process notifications with Velociraptor, and which Windows audit policy, Microsoft Defender and Sysmon settings produce the telemetry the queries depend on; the same event IDs and access masks apply if Elastic EDR is what collects those logs for you. VQL queries are given for monitoring process activity, creation, termination and access.

Background from the earlier parts of this series: how an EDR knows the threads in a process, and the process thread injection feature of an EDR.

How do you investigate unusual process threads?

  • Monitoring Process Activity

  • Detect Unusual Process Creation

  • Detecting Unusual Process Termination

  • Monitoring Unusual Process Access


Tip #1: Monitor Process Activity

Velociraptor VQL query (a snapshot of the process table through WMI, repeated every 60 seconds when the query runs as a client event artifact):


SELECT ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
FROM foreach(
    row={ SELECT * FROM clock(period=60) },
    query={
        SELECT *
        FROM wmi(
            query="SELECT * FROM Win32_Process",
            namespace="root/CIMV2")
    })

A polled snapshot misses any process that starts and exits between two polls. For creation notifications rather than snapshots, Velociraptor's built-in client event artifact Windows.Events.ProcessCreation subscribes to WMI process-creation events, and the server-side watch_monitoring() plugin watches the results of such an artifact by name.

Windows Defender settings:

  • Enable real-time monitoring

  • Enable behaviour monitoring

  • Enable network protection

Tip #2: Detect Process Creation

Velociraptor VQL query:


SELECT System.TimeCreated.SystemTime AS Time,
       EventData.SubjectUserName AS User,
       EventData.ParentProcessName AS Parent,
       EventData.NewProcessName AS NewProcess,
       EventData.CommandLine AS CommandLine
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4688
LIMIT 50

Windows audit policy:

  • Audit Process Creation (Advanced Audit Policy Configuration > Detailed Tracking) produces Event ID 4688, and "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation) fills its CommandLine field; without the second setting the field is empty. To stream new events instead of reading the file, use watch_evtx() with the same filename inside a client event artifact.
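Listing 4688 events is the collection step; a detection still needs rules applied to the rows. The Python below is an added example, not code from the original post or from Velociraptor: it applies a parent/child rule and a PowerShell switch rule to hand-constructed 4688 EventData rows (the same columns the VQL above selects) and reports an empty CommandLine, which is what you get when the command-line audit policy is off. The rule tables and sample rows are illustrative assumptions, not an authoritative list.

```python
"""Parent/child and command-line checks over Windows Security Event ID 4688 rows."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample rows in the shape parse_evtx() returns the EventData of a
# 4688 event. Hand-written for this example, not real telemetry.
SAMPLE_4688 = [
    {"SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"SubjectUserName": "alice",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": ""},   # empty when the command-line audit policy is off
]

# Illustrative rule tables (assumptions for this example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# PowerShell switches that are harmless alone but rarely combined in interactive use.
PS_SWITCHES = re.compile(
    r"-(nop|noprofile|enc|encodedcommand|e|w\s+hidden|windowstyle\s+hidden)\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str   # executable name of the new process
    detail: str


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath also works on non-Windows hosts)."""
    return ntpath.basename(path).lower()


def analyze_4688(rows: list[dict]) -> list[Finding]:
    """Apply the parent/child and command-line rules to 4688 EventData rows."""
    findings: list[Finding] = []
    for row in rows:
        parent = _exe(row.get("ParentProcessName", ""))
        child = _exe(row.get("NewProcessName", ""))
        cmdline = row.get("CommandLine", "")
        if not cmdline:
            # Without "Include command line in process creation events" the field
            # is empty and every command-line rule is blind.
            findings.append(Finding("command-line-missing", child,
                                    "enable 'Include command line in process creation events'"))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append(Finding("office-spawns-script-host", child, f"parent {parent}"))
        if child in ("powershell.exe", "pwsh.exe"):
            hits = sorted({re.sub(r"\s+", " ", m.group(1).lower())
                           for m in PS_SWITCHES.finditer(cmdline)})
            if len(hits) >= 2:
                findings.append(Finding("powershell-evasion-switches", child, ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for f in analyze_4688(SAMPLE_4688):
        print(f"{f.rule:<28} {f.process:<16} {f.detail}")
```

The same three checks translate directly into a VQL WHERE clause over the 4688 columns; the point of keeping them as named rules is that each hit carries the reason, which is what an analyst triaging the output needs.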

Detect Remote Thread Creation in Processes:

Windows Security auditing has no event for thread creation, so the source for this is Sysmon Event ID 8 (CreateRemoteThread), written whenever one process creates a thread inside another. The query groups the events by target and source so that the count carries the RemoteThreadCount idea: any target with a count above zero has had a thread planted in it from outside.

VQL query:


SELECT EventData.TargetProcessId AS ProcessId,
       EventData.TargetImage AS Name,
       EventData.SourceImage AS SourceImage,
       count() AS RemoteThreadCount
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx")
WHERE System.EventID.Value = 8
GROUP BY ProcessId, Name, SourceImage

To interpret the output of this query, you need to understand the columns returned in the results:

  • ProcessId: The process ID (PID) of the process in which remote threads are created (Sysmon's TargetProcessId).

  • Name: The image path of that process (TargetImage). Event ID 8 carries no command line; if the process is still running, pslist(pid=ProcessId) returns it.

  • SourceImage: The process that created the thread.

  • RemoteThreadCount: The number of remote threads that source created in that target.

If RemoteThreadCount is greater than 0 for a process, threads have been created in it from outside, and the process should be investigated further. Drop the GROUP BY to see the individual events: their StartAddress, StartModule and StartFunction fields tell you where the new thread begins, and an empty StartModule ("-") means the thread starts in memory not backed by any loaded module, which is the shape of injected shellcode. Some legitimate software (debuggers, accessibility tools, some security products) also creates remote threads, so stack on SourceImage before raising alerts.


Here's another example to detect process injection using Velociraptor:

Tip: Detect Process Injection Using VirtualAllocEx and WriteProcessMemory

Neither Windows auditing nor Sysmon counts API calls per process, so there is no VirtualAllocExCount or WriteProcessMemoryCount column to query. What is observable is the handle the injector has to open on its target first: VirtualAllocEx requires PROCESS_VM_OPERATION (0x0008), WriteProcessMemory requires PROCESS_VM_WRITE (0x0020) on top of it, and Sysmon Event ID 10 (ProcessAccess) records the rights granted on each OpenProcess in its GrantedAccess field. GrantedAccess is a bitmask written as hex and VQL handles it as a string, so the regex below tests both bits through the last two hex digits: the second-to-last digit carries 0x20, the last carries 0x08.

VQL query:


SELECT System.TimeCreated.SystemTime AS Time,
       EventData.SourceProcessId AS ProcessId,
       EventData.SourceImage AS Name,
       EventData.TargetProcessId AS TargetProcessId,
       EventData.TargetImage AS TargetImage,
       EventData.GrantedAccess AS GrantedAccess,
       EventData.CallTrace AS CallTrace
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx")
WHERE System.EventID.Value = 10
  AND EventData.GrantedAccess =~ "(?i)^0x[0-9a-f]*[2367abef][89a-f]$"

In the output of this query, you'll see the following columns:

  • ProcessId: The process ID (PID) of the process that opened the handle (Sysmon's SourceProcessId), the candidate injector.

  • Name: The image path of that process (SourceImage).

  • TargetProcessId and TargetImage: The process it opened.

  • GrantedAccess: The access mask granted. 0x1FFFFF and 0x1F0FFF are PROCESS_ALL_ACCESS, which is what most injectors ask for; smaller masks that still include 0x08 and 0x20 are the more careful ones.

  • CallTrace: The modules on the calling stack. Frames shown as UNKNOWN are return addresses outside any loaded module, itself a sign that the caller is already running injected code.

A hit means a process held a handle through which it could allocate and write memory in another process, which is what an injection attempt looks like before any thread is started. Scanners, debuggers and some installers do the same, so investigate the source process rather than the target: where its image lives, who launched it, and whether an Event ID 8 from the same source into the same target follows.



Tip #3: Monitor Process Termination

To detect process termination notifications, read Event ID 4689 from the Security log.

Velociraptor VQL query:


SELECT System.TimeCreated.SystemTime AS Time,
       EventData.SubjectUserName AS User,
       EventData.ProcessId AS ProcessId,
       EventData.ProcessName AS ProcessName,
       EventData.Status AS ExitStatus
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4689
LIMIT 50

Windows audit policy:

  • Audit Process Termination (Advanced Audit Policy Configuration > Detailed Tracking) produces Event ID 4689. The event records the exit status but not the command line; the matching 4688 event (same process ID, which both events write in hex) has it.

To Detect Unusual Process Termination

VQL query:


SELECT System.TimeCreated.SystemTime AS Time,
       EventData.ProcessId AS ProcessId,
       EventData.ProcessName AS ProcessName,
       EventData.Status AS ExitStatus
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4689
  AND NOT EventData.Status =~ "^0x(0|103)$"

In the output of this query, you'll see the following columns:

  • ProcessId: The process ID (PID) of the terminated process, in hex as the Security log writes it.

  • ProcessName: The full path of the terminated process.

  • ExitStatus: The exit status code of the terminated process, in hex (the Status field of the event).

The Security log writes the exit code in hex: normal termination is 0x0, and 0x103 (259 decimal) is STILL_ACTIVE, the value GetExitCodeProcess returns for a process that has not exited yet; it should not appear in a termination event, but it is harmless to exclude. Anything else is either the program's own non-zero return code or an NTSTATUS, for example 0xC0000005 (access violation, a crash, which is also how a failed exploit usually ends) or 0xC000013A (the process was ended by Ctrl+C or its console closing). Non-zero exits are routine for many tools, so stack by ProcessName and ExitStatus before treating a row as suspicious, and pull the command line from the 4688 event with the same process ID.



Tip #4: Observe Process Access

Velociraptor VQL query:

The Security log's Event ID 4663 ("An attempt was made to access an object") is the generic object-access audit event. It covers process handles only when the Audit Kernel Object subcategory is enabled, and even then it is noisy and rarely configured, so process-access monitoring is normally done with Sysmon Event ID 10 (ProcessAccess), which records the source, the target and the rights granted on every OpenProcess that matches the Sysmon configuration.


SELECT System.TimeCreated.SystemTime AS Time,
       EventData.SourceImage AS SourceImage,
       EventData.TargetImage AS TargetImage,
       EventData.GrantedAccess AS GrantedAccess
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx")
WHERE System.EventID.Value = 10
LIMIT 50

Sysmon configuration:

  • Add a ProcessAccess rule (Event ID 10) to the Sysmon configuration. Sysmon logs no process-access events without one, and a rule scoped to sensitive targets such as lsass.exe keeps the volume manageable.

Detect Unusual Process Access

"Unusual" has to be judged per source and target: an antivirus engine opening every new process with a broad handle is routine, the same mask from a binary in a user's Temp folder is not. The query therefore stacks Event ID 10 by source image, target image and mask; the rarest combinations come out first.

VQL query:


SELECT EventData.SourceImage AS AccessingProcessName,
       EventData.TargetImage AS AccessedProcessName,
       EventData.GrantedAccess AS GrantedAccess,
       count() AS Count
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx")
WHERE System.EventID.Value = 10
GROUP BY AccessingProcessName, AccessedProcessName, GrantedAccess
ORDER BY Count

In the output of this query, you'll see the following columns:

  • AccessingProcessName: The image path of the process that opened the handle (Sysmon's SourceImage).

  • AccessedProcessName: The image path of the process being accessed (TargetImage).

  • GrantedAccess: The access mask granted on the handle.

  • Count: How often that exact combination occurs in the log.

Two things to keep in mind when reading GrantedAccess. It is a bitmask, so rights arrive combined (0x1410 is PROCESS_VM_READ 0x0010 plus PROCESS_QUERY_INFORMATION 0x0400 plus PROCESS_QUERY_LIMITED_INFORMATION 0x1000), and excluding single values such as 0x0010, 0x0020, 0x0040 or 0x0080 by exact match filters out almost nothing. And the low bits are not all benign: PROCESS_VM_WRITE (0x0020), PROCESS_VM_OPERATION (0x0008) and PROCESS_CREATE_THREAD (0x0002) are exactly the rights an injector needs, and reads of lsass.exe (masks with 0x0010 set, such as 0x1010 or 0x1410) by anything other than the operating system's own binaries are the classic credential-dumping pattern. Start from the rare rows, decode the mask, and investigate the accessing process.




With the VQL queries and settings above you can monitor process activity, creation, termination, remote thread creation and process access from the Windows Security log and Sysmon through Velociraptor. Adjust the log paths, access masks and exclusions to your environment and test each query on a handful of hosts before deploying it as a hunt or a client event artifact in production.



ISO 27001 and ISO 9001 certified company

TELEPHONE:

 +91 4046007719

 +91 8179245139

 ADDRESS: 

 Cynor Sense Solutions Pvt. Ltd.

 Vijay Krishna Towers,   Nanakramguda, Hyderabad,

 Telangana, India - 500032

© 2023 Cynorsense Pvt. Ltd. All rights reserved.
