The process tracker
Complimenting forensic analysis with monitoring...
What is the point of Forensics?
- Forensics is used to reconstruct past events from artifacts left on the system.
- We are at the mercy of lucky accidents and side effects of system behavior!
- When Velociraptor is running permanently on the endpoint, we can deliberately monitor the endpoint and record a more accurate timeline of events!
Tracking processes
One of the critical questions we ask is
Where did this process come from?Context of where the process came from is important in establishing initial access vector!
We could collect all process execution from all endpoints, but:
- This will generate a large volume of events.
- Vast majority of events are not interesting.
- Often we determine which process is interesting is determined by context.
The process tracker
- Velociraptor can track processes locally on the endpoint at runtime.
- If the need arises, we can enrich with process execution information.
- This can be done EVEN IF THE PROCESS EXITED
Exercise: Enable the process tracker
Emulate a typical attack
psexec.exe /s powershell
ping.exe www.google.com
curl.exe -o script.ps1 https://www.google.com/
notepad.exeInspect the notepad process
Using Generic.System.Pstree
View process tree
Inspect the process call chain
The process tracker Complimenting forensic analysis with monitoring...