Would monitoring for unusual process execution help identify intrusions on a web server?
I have a web server with each web application running as its own machine-level account.
The server only hosts the web applications, no other services, dbs, etc.
Apart from the web server processes, nothing else should execute as these accounts.
I keep thinking that if I triggered an alert should any other process be created under one of these accounts it would be a good indication of suspicious activity.
I understand it wouldn't cover system accounts that run a lot of different processes, but if there was an attempt at privilege escalation from the web app, it's likely to run as the web app user.
Is this a good approach? Are there obvious flaws?
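One way to implement the per-account check described in the question, as an added example that is not part of the original post: each web-app account gets a baseline of the executables expected to run under it, and any process-creation event outside that baseline is flagged. The event format, account names and executable paths are constructed for illustration, not taken from any real logging product.

```python
"""Allowlist-based detector for unexpected process execution under
web-application service accounts (illustrative example)."""
import re
from typing import Dict, List, Set

# Assumed per-account baseline: the only executables expected to run as
# each web-app account. Anything else under these accounts is an alert.
# Accounts absent from this map (root, system accounts) are out of scope.
BASELINE: Dict[str, Set[str]] = {
    "svc_app1": {"/usr/sbin/httpd"},
    "svc_app2": {"/usr/sbin/httpd", "/usr/bin/php-fpm"},
}

# Constructed sample process-creation events in a key=value form
# (not real log data; fields loosely resemble auditd/Sysmon ones).
SAMPLE_EVENTS = """\
ts=1 user=svc_app1 exe=/usr/sbin/httpd parent=/usr/sbin/httpd
ts=2 user=svc_app2 exe=/usr/bin/php-fpm parent=/usr/sbin/httpd
ts=3 user=svc_app1 exe=/bin/sh parent=/usr/sbin/httpd
ts=4 user=root exe=/usr/sbin/cron parent=/sbin/init
ts=5 user=svc_app2 exe=/usr/bin/curl parent=/bin/sh
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value ...' line into a dict of fields."""
    return dict(_KV.findall(line))


def find_alerts(events: str,
                baseline: Dict[str, Set[str]] = BASELINE) -> List[Dict[str, str]]:
    """Return events where a monitored account ran an executable outside
    its baseline. Unmonitored accounts are skipped entirely."""
    alerts: List[Dict[str, str]] = []
    for line in events.splitlines():
        ev = parse_event(line)
        allowed = baseline.get(ev.get("user", ""))
        if allowed is None:
            continue  # not a web-app account; not in scope of this check
        if ev.get("exe") not in allowed:
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT ts={a['ts']} {a['user']} ran {a['exe']} (parent {a['parent']})")
```

Note that this keys on the executable path only: code that runs inside the existing web server process without spawning anything new produces no event and would not be caught by this check.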