# Suspicious Process Creation via Windows Event Logs
Find attacker tools in use
Windows process creation logs (Event IDs 4688 and 592) or equivalent (Carbon Black, Sysmon, etc.)
Collect these from every host in the domain.
Search all process creation log entries and look for:
- svchost.exe processes that are not children of
- Processes created by binaries in unusual locations, such as
- Known attacker tool names, such as
- Processes that launched very few times during a 24-hour period
The following are based on a set of tweets by Jack Crook (@jackcr):
"Attackers need to execute tools. Look at Windows Event ID's 4688/592. Stack and look for outliers. Group by execution time and user."
"Finding webshells: Look at process creations (4688/592) that are spawned from users that own webserver processes."
"One of my favorites is that knowing when attackers bring tools in with them they will likely not execute them very often in a 24hr time period. Looking at process creations with a hard limit of executing x number of times in a day and ordering by file path. Can start to weed out, either manually or automated, those processes that have been validated as legit."
Event 4688 is even more valuable if the audit policy is configured to record the full process command line (some of the suggestions above require that information). Review your domain audit policies and/or supplement them with additional process logging as necessary. Sysmon is a very good free tool that can do nearly anything you'd need.
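As an added example (not part of the original page), the script below runs the checklist and the stacking idea from the tweets over a constructed batch of 4688-style records. The expected svchost.exe parent, the "unusual" directories, the tool names, the web server parents and the rarity threshold are all assumptions chosen for the demonstration and should be tuned to your environment.

```python
from collections import Counter

# Constructed sample of Event 4688 fields: (subject user, new process, creator process).
# All users, hosts and paths are made up for this demonstration.
EVENTS = [
    ("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("CORP\\alice", r"C:\Windows\System32\svchost.exe", r"C:\Users\alice\AppData\Local\Temp\a.exe"),
    ("CORP\\alice", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ("CORP\\alice", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ("CORP\\alice", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ("CORP\\bob", r"C:\Users\bob\AppData\Local\Temp\PsExec.exe", r"C:\Windows\explorer.exe"),
    ("IIS APPPOOL\\DefaultAppPool", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"),
]

# Assumed tuning values (not taken from the page); adjust to what is normal on your hosts.
EXPECTED_SVCHOST_PARENT = "services.exe"          # svchost.exe is normally started by services.exe
UNUSUAL_DIRS = ("\\temp\\", "\\appdata\\")        # example "unusual" binary locations
TOOL_NAMES = {"psexec.exe", "mimikatz.exe"}       # example known tool names
WEBSERVER_PARENTS = {"w3wp.exe", "httpd.exe"}     # processes that own web server worker threads
RARE_MAX = 2                                      # launches per 24h at or below this count are "rare"


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Apply the checklist; return (reason, user, new_process, parent) findings in event order."""
    findings = []
    for user, new, parent in events:
        nb, pb = basename(new), basename(parent)
        if nb == "svchost.exe" and pb != EXPECTED_SVCHOST_PARENT:
            findings.append(("svchost-unexpected-parent", user, new, parent))
        if any(d in new.lower() for d in UNUSUAL_DIRS):
            findings.append(("unusual-location", user, new, parent))
        if nb in TOOL_NAMES:
            findings.append(("known-tool-name", user, new, parent))
        if pb in WEBSERVER_PARENTS:          # webshell angle: spawned by the web server's user/process
            findings.append(("spawned-by-webserver", user, new, parent))
    return findings


def rare_processes(events, limit=RARE_MAX):
    """Stack launches by full path and return those seen at most `limit` times, ordered by path."""
    counts = Counter(new for _, new, _ in events)
    return sorted(path for path, n in counts.items() if n <= limit)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print("FINDING", *f)
    print("RARE", rare_processes(EVENTS))
```

Paths that survive the rare-launch review can be added to an allow list and removed from the next day's output, which is the manual or automated weeding the third tweet describes.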