Windows Processes: Blue Team Guide for Detection and Analysis
Windows processes are at the heart of everything the operating system does — from system services to user applications. For defenders, analyzing processes is one of the fastest ways to spot anomalies, detect intrusions, and understand attacker activity.
Understanding Windows Processes
A process is an instance of a running program that contains code, data, handles, and allocated system resources. Each process has a PID (Process ID), a parent process, and a security context (user account).
Why Blue Teams Care
- Persistence detection - Attackers often hide backdoors inside legitimate processes.
- Lateral movement - Malicious tools may run under svchost.exe or explorer.exe to blend in.
- Privilege escalation - Suspicious child processes of SYSTEM-owned services can indicate a breach.
Key Tools for Process Analysis on Windows
Task Manager
- Quick view of running processes (Ctrl + Shift + Esc).
- Useful for initial triage but limited detail.
Process Explorer (Sysinternals, procexp.exe)
- Shows full parent-child relationships.
- Can verify process signatures.
- Flags processes with no valid company name or unsigned binaries.
Command-Line Tools
List processes:
Get-Process
tasklist /v
Detailed process info:
Get-WmiObject Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine
Sort processes by PID with path and start time (a flat table rather than a true parent-child tree; for parent links use ParentProcessId from Win32_Process as above):
Get-Process | Sort-Object -Property Id | Format-Table Id, ProcessName, Path, StartTime
Common Attacker Behaviors to Watch
Process Injection
- Legitimate process running malicious code in memory.
- Example: rundll32.exe with a suspicious DLL path.
Detection:
Get-Process | Where-Object { $_.Modules.FileName -like "*Temp*" }
or use Sysmon Event ID 7 (image loaded).
Parent-Child Mismatch
- Example: powershell.exe spawned by winword.exe.
- Common in phishing payloads.
Detection with Sysmon:
- Event ID 1 (process creation)
- Look for:
  ParentImage: winword.exe
  Image: powershell.exe
Suspicious Command Lines
- Long Base64-encoded strings in PowerShell.
- Unusual flags for cmd.exe.
Check recent PowerShell activity:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $_.Message -match "-enc" }
Real-World Examples
Example 1: Malicious Word Macro
- User opens a malicious .docx.
- Word spawns powershell.exe with an encoded payload.
- Defender sees this chain in Sysmon logs and stops it before C2 connection.
Example 2: Persistence in svchost.exe
- Attacker installs a malicious service.
- Service runs as svchost.exe but from a non-standard path.
- Process Explorer reveals the binary is unsigned and located in %APPDATA%.
Advanced Tools for Blue Teams
- Sysinternals Process Monitor (Procmon) - Detailed file/registry/network activity.
- Sysmon - Persistent logging of process creation, image loading, and network connections.
- Velociraptor - Endpoint visibility for threat hunting.
- Windows Event Viewer - Logs in the Security and Sysmon channels.
Command & Script Cheat Sheet
List processes with network connections:
Get-NetTCPConnection | ForEach-Object {
    # the owning process may already have exited, so do not abort on lookup failure
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ProcessName = $proc.ProcessName
        PID         = $_.OwningProcess
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
}
Find unsigned binaries:
Get-Process | Where-Object {
    # skip processes with no readable Path (protected system processes), then
    # flag anything whose signature status is not Valid
    $_.Path -and (Get-AuthenticodeSignature -FilePath $_.Path).Status -ne 'Valid'
}
Dump suspicious process memory (live forensics; run from an elevated shell, and note that this same comsvcs.dll MiniDump invocation is a well-known LOLBin technique, so it is worth alerting on whenever it appears outside an approved forensic workflow):
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full
Pro Tips for Deeper Analysis
- Always correlate process creation with command line arguments.
- Check creation timestamps — a burst of processes at odd hours is a red flag.
- Match PIDs with network connections to find hidden RATs.
- Baseline normal processes for each host and compare regularly.
- Use ELK, Splunk, or Sentinel to hunt process anomalies across the enterprise.
Windows Process Hunting Cheat Sheet
Basic Process Enumeration
tasklist /v # List processes with details
Get-Process # PowerShell equivalent
Get-WmiObject Win32_Process # Full process info (PID, parent, path)
Detect Suspicious Parent-Child Chains
Get-WmiObject Win32_Process |
Select-Object ProcessId,ParentProcessId,Name,CommandLine |
Sort-Object ParentProcessId
Red Flags
- winword.exe → powershell.exe
- explorer.exe spawning cmd.exe or mshta.exe
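A detector for the red-flag pairs above, added here as an example rather than code from the original article: it resolves each process's parent through Win32_Process and skips pairs where the recorded parent started after the child, which means the PPID has been reused by an unrelated process. It assumes Get-CimInstance is available, and the red-flag table (winword.exe and explorer.exe from the list above) is a starting point to extend from your own baseline.

```powershell
# Added example, not part of the original article.
# Flags suspicious parent->child pairs from Win32_Process and guards against
# PID reuse by requiring the parent to have started before the child.
function Find-SuspiciousProcessChains {
    param(
        # Red-flag table: parent image -> child images (assumed starting point;
        # extend it from your own baseline)
        [hashtable]$RedFlags = @{
            'winword.exe'  = @('powershell.exe')
            'explorer.exe' = @('cmd.exe', 'mshta.exe')
        }
    )
    # Get-CimInstance is the supported replacement for Get-WmiObject and
    # returns CreationDate as a DateTime
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($child in $procs) {
        $parent = $byPid[[int]$child.ParentProcessId]
        # Parent already exited: the PPID cannot be verified, so skip it
        if (-not $parent) { continue }
        # PID reuse guard: a genuine parent is older than its child. If the
        # process now holding the PPID is younger, it is unrelated.
        if ($parent.CreationDate -and $child.CreationDate -and
            $parent.CreationDate -gt $child.CreationDate) { continue }

        $pName = $parent.Name.ToLowerInvariant()
        $cName = $child.Name.ToLowerInvariant()
        if ($RedFlags.ContainsKey($pName) -and $RedFlags[$pName] -contains $cName) {
            [PSCustomObject]@{
                ParentPid   = $parent.ProcessId
                ParentImage = $parent.Name
                ChildPid    = $child.ProcessId
                ChildImage  = $child.Name
                Started     = $child.CreationDate
                CommandLine = $child.CommandLine
            }
        }
    }
}

# explorer.exe -> cmd.exe is noisy on admin workstations; review the
# CommandLine column before escalating
Find-SuspiciousProcessChains | Format-Table -AutoSize -Wrap
```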
Find Encoded PowerShell Commands
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $_.Message -match "-enc" }
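An added example (not from the original article) that decodes the -EncodedCommand argument instead of only matching the string -enc, since powershell.exe also accepts the shorter -e and -ec forms and the value is Base64 of UTF-16LE text. The sample command lines are constructed, and the live-log function assumes Sysmon Event ID 1 is being collected on the host.

```powershell
# Added example, not part of the original article.
# Decodes the -EncodedCommand argument found in a command line so the hunter
# sees the real script. powershell.exe accepts -e, -ec, -enc and longer
# prefixes of -EncodedCommand; the value is Base64 of UTF-16LE text.
function ConvertFrom-EncodedCommandLine {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    # Group 2 is the Base64 blob following any accepted form of the switch
    $m = [regex]::Match($CommandLine, '(?i)[-/]e(c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        $bytes = [Convert]::FromBase64String($m.Groups[2].Value)
        return [Text.Encoding]::Unicode.GetString($bytes)
    } catch { return $null }   # not valid Base64: leave for manual review
}

# Live hunt over Sysmon Event ID 1 (process creation); needs Sysmon and an
# elevated shell. Returns only events that carried an encoded command.
function Get-DecodedSysmonCommands {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml = [xml]$_.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        $dec = ConvertFrom-EncodedCommandLine $cmd
        if ($dec) {
            [PSCustomObject]@{ Time = $_.TimeCreated; CommandLine = $cmd; Decoded = $dec }
        }
      }
}

# Constructed samples (offline check): the inner script is harmless and is
# encoded exactly the way powershell.exe expects
$inner = 'Write-Output "hello from an encoded command"'
$blob  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$samples = @(
    "powershell.exe -NoP -W Hidden -enc $blob",
    "powershell.exe -e $blob",
    "powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"   # no encoding
)
foreach ($line in $samples) {
    $decoded = ConvertFrom-EncodedCommandLine $line
    if ($decoded) { "{0}`n  -> {1}" -f $line, $decoded }
}
```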
Check Binary Signatures
Get-Process | Where-Object {
    # skip processes with no readable Path before checking the signature
    $_.Path -and (Get-AuthenticodeSignature -FilePath $_.Path).Status -ne 'Valid'
}
List Processes with Network Connections
Get-NetTCPConnection | ForEach-Object {
    # the owning process may already have exited, so do not abort on lookup failure
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ProcessName = $proc.ProcessName
        PID         = $_.OwningProcess
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
}
Detect Process Injection
Use Sysmon Event ID 7 (Image Loaded) to spot DLLs in unexpected locations:
- %TEMP%
- %APPDATA%
- Non-Windows directories
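An added example (not from the original article) that pulls Sysmon Event ID 7 records and flags image loads from the locations listed above, plus unsigned DLLs loaded from outside the Windows and Program Files trees. The directory lists are assumptions to tune against your baseline, and the query needs Sysmon image-load logging enabled and an elevated shell.

```powershell
# Added example, not part of the original article.
# Hunts Sysmon Event ID 7 (image loaded) for DLLs from user-writable
# locations or unsigned DLLs outside the normal system trees.
function Find-SuspiciousImageLoads {
    param(
        [int]$MaxEvents = 2000,
        # Loads from these roots are treated as normal (assumed; tune to baseline)
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\"),
        # Loads from these roots are suspicious even when the file is on disk.
        # Note: %TEMP% resolves to the current user's profile, so run as the
        # account you are investigating or pass explicit roots.
        [string[]]$SuspiciousRoots = @("$env:TEMP\", "$env:APPDATA\", "$env:LOCALAPPDATA\", "$env:PUBLIC\")
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $img = $data['ImageLoaded']
        if (-not $img) { return }
        $inSuspicious = [bool]($SuspiciousRoots | Where-Object { $img.StartsWith($_, 'OrdinalIgnoreCase') })
        $inTrusted    = [bool]($TrustedRoots    | Where-Object { $img.StartsWith($_, 'OrdinalIgnoreCase') })
        # Sysmon records Signed as the strings "true"/"false"
        if ($inSuspicious -or (-not $inTrusted -and $data['Signed'] -ne 'true')) {
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                Process     = $data['Image']
                ProcessId   = $data['ProcessId']
                ImageLoaded = $img
                Signed      = $data['Signed']
                Signature   = $data['Signature']
            }
        }
      }
}

Find-SuspiciousImageLoads | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```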
Dump Suspicious Process Memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full
(For offline analysis in tools like Volatility.)
Hunting Mindset
- Baseline first — know what's normal for the system.
- Look for spikes in process creation during off-hours.
- Correlate process events with network, registry, and file changes.
- Use Sysmon for rich telemetry: Event IDs 1 (process create), 7 (image load), 10 (process access).
***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.