Spoofing Commands - Can You Trust Process Creation Logs?
2024-09-28, Main Track

Typically, we trust what is written to the Security log on Windows servers and workstations to be accurate; after all, even viewing these logs requires local administrator rights.

More importantly, log-based detections, as well as some Endpoint Detection & Response (EDR) products, use the process creation events written to the Windows Security log either to enrich detections and show an analyst exactly what was run, or as part of the detection logic itself.

Unfortunately, a technique has existed for some time that allows an attacker to prevent the command line that is really being run from being logged. It works against process creation logs generated by Windows itself, by Sysmon and even by Defender XDR device logs.

This gives attackers an opportunity to evade some types of detection, and if they pair EDR or logging bypass techniques with this one, it makes the job of an analyst trying to reconstruct what has actually occurred far harder.

In certain circumstances an attacker could even change the logged command to something that occurs often within an environment and effectively trick an analyst into dismissing certain detections as likely false positives.
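
One practical check a SOC can run against the mismatch described above is to cross-reference the command line recorded at process creation (Security Event ID 4688) with the command line the still-running process reports now through WMI. This is an added example written for this page, not code from the talk or from Seamless Intelligence; it assumes "Include command line in process creation events" is enabled in audit policy, that it is run elevated (reading the Security log needs administrator rights), and the `$MaxEvents` parameter and the five-second PID-reuse tolerance are choices made here for illustration.

```powershell
# Added example (not from the talk): compare the command line the Security log
# captured at creation time (4688, CommandLine field) with the command line the
# live process reports via Win32_Process. A mismatch is worth triaging.
# Assumptions: command-line auditing enabled, run as administrator, Windows
# PowerShell 5.1 or later. $MaxEvents and the 5-second tolerance are arbitrary.

param(
    [int]$MaxEvents = 500   # how many of the most recent 4688 events to examine
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

$findings = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name -> value map
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $loggedCmd = $data['CommandLine']
    if ([string]::IsNullOrEmpty($loggedCmd)) { continue }   # auditing not enabled for this event

    # NewProcessId is logged as a hex string such as 0x1a2c; avoid the automatic $pid variable
    $newPid = [Convert]::ToInt32($data['NewProcessId'], 16)

    # Only a process that is still alive can be compared. Guard against PID reuse by
    # requiring the live process to have been created no earlier than the event itself.
    $live = Get-CimInstance Win32_Process -Filter "ProcessId = $newPid" -ErrorAction SilentlyContinue
    if (-not $live -or -not $live.CommandLine) { continue }
    if ($live.CreationDate -lt $e.TimeCreated.AddSeconds(-5)) { continue }

    if ($live.CommandLine.Trim() -ne $loggedCmd.Trim()) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = $newPid
            Image     = $data['NewProcessName']
            LoggedCmd = $loggedCmd
            LiveCmd   = $live.CommandLine
        }
    }
}

$findings | Format-List
```

Treat a hit as a lead, not proof: legitimate software occasionally rewrites its own arguments, and a process that restores the benign command line after it has parsed its real arguments will show no difference at all, so this check catches only the simplest form of the spoofing and does not substitute for the log-level fix the talk discusses.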

In this presentation we will go through the following:
- Understanding how a process creation log is created under normal circumstances.
- How useful process creation logs can be to analysts and security teams.
- Showing how an attacker can use a previously discovered technique to mask the true command which is run.
- A breakdown of the code used to produce the incorrect logs and why this cannot currently be fixed.
- A number of scenarios demonstrating how both logging detections and EDR detections can be impacted by this technique.

The session will include either a live demonstration or a pre-recorded attack in which we can clearly see the malicious commands being run and the resulting logs on the Windows system.

Tristan has over a decade of experience in cyber security operations, with the last five years dedicated to detection engineering and SOC operations. In 2018 Tristan co-founded Seamless Intelligence, which is dedicated to providing managed SOC services to customers around Australia.

As head of detection engineering, Tristan spends too many hours each week dissecting and analysing logs and looking for opportunities to detect attack techniques and tools.

Delving ever deeper into logs and how to detect various attack tools has led to various CVEs and bug bounties being awarded.