Common Security Forensics Systems Fail to Detect Attackers' Behaviors
Lital Asher - Dotan
4X Chief Marketing Officer ★ Experienced Product Marketing Leader ★ Cybersecurity, Cloud, Data, AI ★ The Didi & Lital Show Podcast ★ Transforming GTM to a growth machine
It is common for security teams to use IT monitoring tools when performing incident investigation. However, most of these tools were not designed for real-time forensics or to be used for security research. As a result, they display inaccuracies and often miss suspicious attacker behaviors, thus hindering the investigation without the researcher being aware of the limitation of these tools.
The Microsoft Sysinternals suite is commonly used by digital forensics and incident response teams as a cheap and easy-to-use approach to incident investigation and forensics on Windows systems. Amit Serper, Senior Researcher at Cybereason Labs, found that these commonly used traditional Microsoft monitoring tools are not well suited to security investigation, as they miss common attacker behavior such as privilege escalation. Privilege escalation is a common attacker technique that was believed to have been used in the Home Depot breach.
We were interested in assessing the ability of commonly used Sysinternals tools to identify the common attacker behavior of privilege escalation. Below are common privilege escalation use cases, in which we compared our performance against three commonly used Microsoft monitoring tools: Sysinternals Process Monitor (procmon), Sysinternals Process Explorer (procexp) and the recently launched Sysinternals System Monitor (sysmon).
We ran two different tests in which we took enterprise scenarios and ran some exploits that successfully escalated privileges. We then showed what each Sysinternals tool reported versus what we found, with all important findings (gaps, bugs, mistakes, etc.) called out appropriately. There is no shortage of tools for security incident investigation. Whether you use ours or someone else's, we encourage you to use them.
Check out the report with our full test results here.