Windows Processes: Blue Team Guide for Detection and Analysis

Windows processes are at the heart of everything the operating system does — from system services to user applications. For defenders, analyzing processes is one of the fastest ways to spot anomalies, detect intrusions, and understand attacker activity.

Understanding Windows Processes

A process is an instance of a running program that contains code, data, handles, and allocated system resources. Each process has a PID (Process ID), a parent process, and a security context (user account).

Why Blue Teams Care

  • Persistence detection - Attackers often hide backdoors inside legitimate processes.
  • Lateral movement - Malicious tools may run under svchost.exe or explorer.exe to blend in.
  • Privilege escalation - Suspicious child processes of SYSTEM-owned services can indicate a breach.

Key Tools for Process Analysis on Windows

Task Manager

  • Quick view of running processes (Ctrl + Shift + Esc).
  • Useful for initial triage but limited detail.

Process Explorer (Sysinternals)

  • Binary: procexp.exe
  • Shows full parent-child relationships.
  • Can verify process signatures.
  • Flags processes with no valid company name or unsigned binaries.

Command-Line Tools

List processes:

Get-Process
tasklist /v

Detailed process info (Get-WmiObject exists only in Windows PowerShell 5.1; on PowerShell 7 substitute Get-CimInstance Win32_Process, the Select-Object stays the same):

Get-WmiObject Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine

Sorted listing with path and start time (not a true tree; combine it with ParentProcessId from the Win32_Process query above to rebuild the hierarchy):

Get-Process | Sort-Object -Property Id | Format-Table Id, ProcessName, Path, StartTime

Common Attacker Behaviors to Watch

Process Injection

  • Legitimate process running malicious code in memory.
  • Example: rundll32.exe with a suspicious DLL path.

Detection:

# Run from an elevated prompt: module lists of other users' and protected processes are otherwise unreadable.
Get-Process | Where-Object { $_.Modules.FileName -like "*\Temp\*" }

or use Sysmon Event ID 7 (image loaded).

Parent-Child Mismatch

  • Example: powershell.exe spawned by winword.exe.
  • Common in phishing payloads.

Detection with Sysmon:

  • Event ID 1 (process creation)
  • Look for (Sysmon records full paths, so match on the file name at the end of each field):
      ParentImage: winword.exe
      Image: powershell.exe

Suspicious Command Lines

  • Long Base64-encoded strings in PowerShell.
  • Unusual flags for cmd.exe.

Check recent PowerShell activity (Event ID 4104 script block logs in the same channel hold the already-decoded script text):

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | 
Where-Object { $_.Message -match "-enc" }
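The two checks above (parent-child mismatch and encoded command lines) carried out over exported Sysmon Event ID 1 records, as an added example that is not part of the original article. The sample events and their values are constructed; the rule table is the set of pairs this article names, and the decoder shows why a plain base64 decode of an -enc argument looks like garbage (the payload is UTF-16LE).

```python
import base64
import re

# Constructed Sysmon Event ID 1 (process creation) records: the field names are the ones
# Sysmon writes, the values were made up for this example and are not real telemetry.
ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\userinit.exe", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -enc " + ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta"},
]

# Parent -> child pairs the article lists as red flags, compared on lower-case basenames.
SUSPICIOUS_PAIRS = {("winword.exe", "powershell.exe"), ("explorer.exe", "cmd.exe"),
                    ("explorer.exe", "mshta.exe")}
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the argument is base64 of the
# UTF-16LE script text, so it must be decoded as UTF-16LE to read it.
ENC_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return (child_basename, reason) findings for every event that trips a rule."""
    findings = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if (parent, child) in SUSPICIOUS_PAIRS:
            findings.append((child, f"spawned by {parent}"))
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is not None:
            findings.append((child, f"encoded command decodes to: {decoded}"))
    return findings
```

Running triage(SAMPLE_EVENTS) flags the Word-spawned PowerShell twice (parent and encoded command) and the Explorer-spawned mshta.exe once; the same function works on events pulled from a SIEM export.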

Real-World Examples

Example 1: Malicious Word Macro

  • User opens a malicious .docx.
  • Word spawns powershell.exe with an encoded payload.
  • Defender sees this chain in Sysmon logs and stops it before C2 connection.

Example 2: Persistence in svchost.exe

  • Attacker installs a malicious service.
  • Service runs as svchost.exe but from a non-standard path.
  • Process Explorer reveals the binary is unsigned and located in %APPDATA%.

Advanced Tools for Blue Teams

  • Sysinternals Process Monitor (Procmon) - Detailed file/registry/network activity.
  • Sysmon - Persistent logging of process creation, image loading, and network connections.
  • Velociraptor - Endpoint visibility for threat hunting.
  • Windows Event Viewer - Logs in Security and Sysmon channels.

Command & Script Cheat Sheet

List processes with network connections:

Get-NetTCPConnection | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess
    [PSCustomObject]@{
        ProcessName = $proc.ProcessName
        PID         = $_.OwningProcess
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
}

Find unsigned binaries:

# -not binds tighter than -eq, so "-not (...).Status -eq 'Valid'" compared $false with 'Valid' and
# never matched. Test the status directly and skip processes whose Path cannot be read.
Get-Process | Where-Object { $_.Path } | Where-Object {
    (Get-AuthenticodeSignature $_.Path).Status -ne 'Valid'
}

Dump suspicious process memory (live forensics):

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full

Pro Tips for Deeper Analysis

  • Always correlate process creation with command line arguments.
  • Check creation timestamps — a burst of processes at odd hours is a red flag.
  • Match PIDs with network connections to find hidden RATs.
  • Baseline normal processes for each host and compare regularly.
  • Use ELK, Splunk, or Sentinel to hunt process anomalies across the enterprise.

Windows Process Hunting Cheat Sheet

Basic Process Enumeration

tasklist /v                  # List processes with details
Get-Process                  # PowerShell equivalent
Get-WmiObject Win32_Process  # Full process info (PID, parent, path)

Detect Suspicious Parent-Child Chains

Get-WmiObject Win32_Process |
Select-Object ProcessId,ParentProcessId,Name,CommandLine |
Sort-Object ParentProcessId

Red Flags

  • winword.exe spawning powershell.exe
  • explorer.exe spawning cmd.exe or mshta.exe

Find Encoded PowerShell Commands

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $_.Message -match "-enc" }

Check Binary Signatures

Get-Process | Where-Object {
    (Get-AuthenticodeSignature $_.Path).Status -ne 'Valid'
}

List Processes with Network Connections

Get-NetTCPConnection | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess
    [PSCustomObject]@{
        ProcessName = $proc.ProcessName
        PID         = $_.OwningProcess
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
}

Detect Process Injection

Use Sysmon Event ID 7 (Image Loaded) to spot DLLs in unexpected locations:

  • %TEMP%
  • %APPDATA%
  • Non-Windows directories
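The image-load path check above and the svchost.exe masquerading case from Example 2, written out as rules over Sysmon Event ID 7 and Event ID 1 records; this is an added example, not code from the original article. The records are constructed, and the trusted roots, user-writable locations and svchost directories are assumptions you should adjust to the host's baseline.

```python
import re

# Constructed Sysmon records (field names as Sysmon writes them, values made up for this example).
SAMPLE_LOADS = [  # Event ID 7, image loaded
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]
SAMPLE_SVCHOST = {  # Event ID 1, process creation
    "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
    "ParentImage": r"C:\Windows\System32\services.exe",
}

# Roots where DLLs and service binaries normally live, and the user-writable locations the
# article singles out (%TEMP%, %APPDATA%, plus C:\Windows\Temp which sits under a trusted root).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_RE = re.compile(
    r"^(c:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\|c:\\windows\\temp\\)")
SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify_path(path):
    """Bucket a path as user-writable, trusted-root or outside-windows (writable is tested first)."""
    p = path.lower()
    if USER_WRITABLE_RE.match(p):
        return "user-writable"
    if p.startswith(TRUSTED_ROOTS):
        return "trusted-root"
    return "outside-windows"


def review_image_load(event):
    """Event ID 7: reasons the DLL load is suspicious; an empty list means it looks normal."""
    reasons = []
    location = classify_path(event["ImageLoaded"])
    if location != "trusted-root":
        reasons.append(f"loaded from {location} path {event['ImageLoaded']}")
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def review_svchost(event):
    """Event ID 1: a process named svchost.exe must come from System32 or SysWOW64."""
    image = event["Image"].lower()
    if not image.endswith("\\svchost.exe"):
        return []
    if not image.startswith(SVCHOST_DIRS):
        return [f"svchost.exe running from non-standard path {event['Image']}"]
    return []
```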

Dump Suspicious Process Memory

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full

(For offline analysis in tools like Volatility.)

Hunting Mindset

  • Baseline first — know what's normal for the system.
  • Look for spikes in process creation during off-hours.
  • Correlate process events with network, registry, and file changes.
  • Use Sysmon for rich telemetry: Event IDs 1 (process create), 7 (image load), 10 (process access).