Advanced Windows Events


LimaCharlie offers great cross-platform events. We strive to have events fire with the same meaning whether they come from a macOS, Windows or Linux host. There are times, however, when we focus on very platform-specific events in order to enable in-depth detections. The following are specialized Windows events.

Remote Thread

The NEW_REMOTE_THREAD event indicates that a process created a thread remotely inside another process. Malware often does this to inject code into another process so that the malicious activity appears to come from that process. In fact, we've written another blog article about it here.

Registry Operations

Windows has a unique system called the Registry. It is responsible for storing most of the configuration for the Operating System and the applications installed on it. This makes it a system of great interest to malware authors, who use it to extract sensitive information or to set their malware to start covertly during Windows startup.

LimaCharlie supports three registry events: REGISTRY_CREATE, REGISTRY_DELETE and REGISTRY_WRITE. The CREATE event is generated whenever a process creates a new registry key, while the DELETE event is generated whenever a process deletes a registry key or value. The WRITE event is generated whenever a process writes a new value to an existing key. Put together, these events give you great insight into any registry usage by a process. Each of these events includes the unique identifier of the process that performed the action as well as the path to the relevant registry key.

Remote Process Handles

In Windows, a process (with the appropriate privileges) can open a Handle to another process. A Handle allows its owner to perform the actions whose access rights were requested when the Handle was created. Many actions are possible, but the core ones of interest are reading memory, writing memory and creating threads.

Whenever a process creates a Handle with one of those access rights to another process, a REMOTE_PROCESS_HANDLE event is generated. This event contains the unique process identifier of the creating process as well as that of the target process. Although this event is not an indicator of bad behavior in and of itself, it is a core part of understanding malware behavior such as lateral movement or credential theft on Windows.
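As an added example (not part of the original article, and not LimaCharlie's own rule syntax), the following Python sketches the kind of correlation the three event families above enable: a REMOTE_PROCESS_HANDLE with write or create-thread access followed by a NEW_REMOTE_THREAD from the same source into the same target is rated higher than a lone remote thread, and a REGISTRY_WRITE under a Run key is flagged as a possible autostart. The event records and their field names are constructed for the example and are assumptions, not LimaCharlie's schema.

```python
from collections import defaultdict

# Constructed sample telemetry. Field names (event, source_pid, target_pid,
# access, path) are assumptions for this example, not LimaCharlie's schema.
SAMPLE_EVENTS = [
    {"event": "REMOTE_PROCESS_HANDLE", "source_pid": 4312, "target_pid": 620,
     "access": ["READ", "WRITE", "CREATE_THREAD"]},
    {"event": "REGISTRY_WRITE", "source_pid": 4312,
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"event": "NEW_REMOTE_THREAD", "source_pid": 4312, "target_pid": 620},
    # Read-only handle, e.g. from an inventory tool: should not be flagged.
    {"event": "REMOTE_PROCESS_HANDLE", "source_pid": 900, "target_pid": 620,
     "access": ["READ"]},
    # Remote thread with no observed handle open: still worth a look.
    {"event": "NEW_REMOTE_THREAD", "source_pid": 777, "target_pid": 1504},
]

# Handle rights that enable code injection (write memory, create thread).
INJECTION_RIGHTS = {"WRITE", "CREATE_THREAD"}
# Registry paths commonly used for covert startup (lower-cased substrings).
AUTOSTART_MARKERS = (r"\currentversion\run", r"\currentversion\runonce")


def correlate(events):
    """Return (severity, rule, source_pid, detail) findings, in event order.

    A NEW_REMOTE_THREAD is 'high' when the same source earlier opened a handle
    to the same target with injection rights, 'medium' otherwise.
    """
    rights_seen = defaultdict(set)  # (source_pid, target_pid) -> access rights
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "REMOTE_PROCESS_HANDLE":
            rights_seen[(ev["source_pid"], ev["target_pid"])].update(ev["access"])
        elif kind == "NEW_REMOTE_THREAD":
            key = (ev["source_pid"], ev["target_pid"])
            if rights_seen.get(key, set()) & INJECTION_RIGHTS:
                findings.append(("high", "remote_thread_after_injection_handle",
                                 ev["source_pid"], ev["target_pid"]))
            else:
                findings.append(("medium", "remote_thread_without_handle",
                                 ev["source_pid"], ev["target_pid"]))
        elif kind == "REGISTRY_WRITE":
            if any(m in ev["path"].lower() for m in AUTOSTART_MARKERS):
                findings.append(("medium", "autostart_registry_write",
                                 ev["source_pid"], ev["path"]))
    return findings
```

Running `correlate(SAMPLE_EVENTS)` yields one high and two medium findings; the read-only handle from pid 900 produces none.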

Example Usage

Great articles have been written on the subject; they are linked below. Most use Sysmon's event nomenclature as a reference. If you'd like to see the mapping of Sysmon events to LimaCharlie events, we have you covered here.
