While most organizations have antivirus and firewall solutions, modern attacks such as the SolarWinds campaign and the large-scale ransomware operations delivered by commodity malware will remain a blind spot in a company’s security posture if the organization cannot detect adversarial actions at the level of process behavior.
From novel deployment techniques like supply chain compromise to malware authors refactoring their code to defeat static signatures, the ability to monitor and detect unusual processes in your environment gives you ample opportunity to catch threat actors when other tools have failed.
Case 1: SolarWinds/UNC2452
In a blog post, Microsoft detailed how the group behind the SolarWinds campaign made an effort to maintain operational security, so that the origin of any malware detected later during follow-on actions could not easily be traced.
We see that the threat actors took advantage of many legitimate tools to complete the objectives of their campaign, such as Windows Management Instrumentation (WMI), the file archiving utility 7zip, and Adfind, a tool for querying Active Directory. All of these tools have legitimate, non-malicious uses in an organization, so they will never be added to a virus definition database.
However, you can readily detect malicious use of these utilities by monitoring their invocation for the patterns observed in current threat actors’ campaigns.
Here are WMI patterns for behavior-based detection drawn from UNC2452 activity:
| Description | Example commands | ATT&CK ID | Technique |
| --- | --- | --- | --- |
| When executed during lateral movement, rundll32.exe ran through WMIC or Invoke-WMIMethod with "High" integrity level and spawned by WmiPrvSE.exe, which is a rare combination. The Cobalt Strike DLL was likely deleted after completed execution to avoid forensic recovery. | Variant 1 (executed from PowerShell as a result of issuing the "remote-exec" Cobalt Strike command): `Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\Windows\[folder]\[beacon].dll [export]' -ComputerName [target]` Variant 2 (executed from rundll32.exe): `wmic /node:[target] process call create "rundll32 c:\windows\[folder]\[beacon].dll [export]"` | T1047 | Windows Management Instrumentation (WMI) |
Case 2: Ransomware Operators
It’s likely the greatest and most impactful threat faced by many organizations today is big-game ransomware. ‘Big game’ means these ransomware operators are looking for large organizations that they can gain access to and elevate privileges to a high-enough position to encrypt large sections of an enterprise network and exfiltrate high-value data.
While antivirus software may focus on detecting the presence of actual ransomware in your environment, that is often a futile endeavor, because by the time the threat actors deploy ransomware they usually have enough permissions to disable the security tools. It is much more effective to detect the behaviors leading up to ransomware deployment and stop the threat actor before they reach that stage of the intrusion. Previously, we mentioned the use of the Adfind utility by the UNC2452 threat actors. They are not the only threat group using the tool; in multiple reports, Ryuk, Egregor, Nefilim, and others have been seen using it as well.
Being able to detect the following command invocations using process monitoring would identify many of these actors long before they can act to deploy ransomware:
adfind.exe -f (objectcategory=person) > FILE.txt
adfind.exe -f objectcategory=computer > FILE.txt
adfind.exe -f (objectcategory=organizationalUnit) > FILE.txt
adfind.exe -subnets -f (objectCategory=subnet) > FILE.txt
adfind.exe -f "(objectcategory=group)" > FILE.txt
adfind.exe -gcb -sc trustdmp > FILE.txt
Likewise, most of the ransomware gangs – and the malware they use to access many networks – also use the built-in Windows utility “nltest.” Being able to monitor and alert on the following invocations will translate to a high-fidelity alert to stop early activity of many of these threat actors.
nltest /dclist:"DOMAINNAME"
nltest /domain_trusts /all_trusts
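The detections described in both cases (rundll32 spawned by WmiPrvSE.exe at High integrity, and the Adfind and nltest enumeration commands above) expressed as rules over process-creation telemetry. This is an added example, not code from the post or from Blumira; the events are constructed samples using Sysmon Event ID 1 style field names, and the rule names are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# not real telemetry. The first, third, fourth and fifth should alert.
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 c:\windows\temp\beacon.dll Start",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Tools\adfind.exe",
     "CommandLine": r"adfind.exe -f (objectcategory=person) > ad_users.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Tools\adfind.exe",
     "CommandLine": r"adfind.exe -gcb -sc trustdmp > trusts.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": r"nltest /domain_trusts /all_trusts",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": r"nltest /sc_verify:corp.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
]

# Command-line patterns taken from the invocations listed in the post.
ADFIND_RECON = re.compile(
    r"objectcategory=\(?(person|computer|organizationalunit|subnet|group)|-sc\s+trustdmp", re.I)
NLTEST_RECON = re.compile(r"/dclist:|/domain_trusts", re.I)

def classify(ev):
    """Return the name of the rule an event matches, or None if it is benign."""
    image = ev["Image"].lower().rsplit("\\", 1)[-1]      # file name only
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    cmd = ev["CommandLine"]
    # Case 1: rundll32 launched by the WMI provider host at High integrity (T1047)
    if image == "rundll32.exe" and parent == "wmiprvse.exe" and ev["IntegrityLevel"] == "High":
        return "T1047 rundll32 via WmiPrvSE (High IL)"
    # Case 2: Adfind domain enumeration seen ahead of ransomware deployment
    if image == "adfind.exe" and ADFIND_RECON.search(cmd):
        return "AdFind AD enumeration"
    # Case 2: nltest domain controller / trust discovery
    if image == "nltest.exe" and NLTEST_RECON.search(cmd):
        return "nltest domain/trust discovery"
    return None

def detect(events):
    """Return (rule, command line) for every event that trips a rule."""
    return [(rule, ev["CommandLine"]) for ev in events if (rule := classify(ev))]

if __name__ == "__main__":
    for rule, cmd in detect(EVENTS):
        print(f"ALERT [{rule}]: {cmd}")
```

The two benign events (rundll32 under explorer.exe and a plain `nltest /sc_verify`) are deliberately left unmatched to show the rules key on the specific combinations, not on the tool name alone.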
How to Get Process Monitoring
Hopefully, the cases presented have provided some insight into why you need to monitor processes in your environment. So, the next logical question is – how do I do that? There are a few approaches you can take.
One option can be to deploy what is known as an endpoint detection and response solution (EDR). The benefits of an EDR deployment include access to vendor support and additional capabilities beyond just the process monitoring, but the capital expense can be high.
You can also enable process monitoring in Windows logs. This is a free feature inherent in the Windows operating system. But the trade-off is that it is much more limited than EDR, and can miss malicious activity that EDR can detect. Additionally, you need to be logging these to a SIEM. Traditional SIEMs come with a downside of the user needing to write their own rules and maintain these as new threats emerge. This can be mitigated by using a cloud SIEM like Blumira that manages rules and detections so that customers always have detections covering the latest threats.
Finally, another free option is Sysmon, which extends the capabilities of logging in Windows far beyond the built-in log sources. This can give you EDR-like coverage without the upfront capital expenditure of additional security software.
Guide to Microsoft Security
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity. Download our Guide to Microsoft Security.
Brian Laskowski
Brian has 5 years of experience in IT, with prior work ranging from Linux systems administration to, most recently, leading the threat intelligence program at the State of Michigan security operations center. Other areas of focus have included incident response, threat hunting, memory analysis, adversary emulation, and...