
Windows Processes: Blue Team Guide for Detection and Analysis

Windows processes are at the heart of everything the operating system does — from system services to user applications. For defenders, analyzing processes is one of the fastest ways to spot anomalies, detect intrusions, and understand attacker activity.

Understanding Windows Processes

A process is an instance of a running program that contains code, data, handles, and allocated system resources. Each process has a PID (Process ID), a parent process, and a security context (user account).

Why Blue Teams Care

  • Persistence detection - Attackers often hide backdoors inside legitimate processes.
  • Lateral movement - Malicious tools may run under svchost.exe or explorer.exe to blend in.
  • Privilege escalation - Suspicious child processes of SYSTEM-owned services can indicate a breach.

Key Tools for Process Analysis on Windows

Task Manager

  • Quick view of running processes (Ctrl + Shift + Esc).
  • Useful for initial triage but limited detail.

Process Explorer (Sysinternals)

procexp.exe
  • Shows full parent-child relationships.
  • Can verify process signatures.
  • Flags processes with no valid company name or unsigned binaries.

Command-Line Tools

List processes:

Get-Process
tasklist /v

Detailed process info:

Get-WmiObject Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine

Sort processes by PID and show their path and start time (a rough parent-first ordering, not a true tree; Process Explorer shows the real hierarchy):

Get-Process | Sort-Object -Property Id | Format-Table Id, ProcessName, Path, StartTime

Common Attacker Behaviors to Watch

Process Injection

  • Legitimate process running malicious code in memory.
  • Example: rundll32.exe with a suspicious DLL path.

Detection:

Get-Process | Where-Object { $_.Modules.FileName -like "*Temp*" }

or use Sysmon Event ID 7 (image loaded).

Parent-Child Mismatch

  • Example: powershell.exe spawned by winword.exe.
  • Common in phishing payloads.

Detection with Sysmon:

  • Event ID 1 (process creation)
  • Look for:
ParentImage: winword.exe
Image: powershell.exe

Suspicious Command Lines

  • Long Base64-encoded strings in PowerShell.
  • Unusual flags for cmd.exe.

Check recent PowerShell activity:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | 
Where-Object { $_.Message -match "-enc" }
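The `-match "-enc"` query above only finds the events; the analyst still has to read what was encoded. The following is an added example, not code from the original article: it decodes the `-EncodedCommand` argument (Base64 over UTF-16LE) from any PowerShell command line, matching the abbreviated forms powershell.exe accepts (`-e`, `-ec`, `-en`, `-enc`, ...) rather than only the literal `-enc` substring, and then runs the check over live processes. The `$sample` line is constructed for the demonstration.

```powershell
# Added example (not from the original article): decode the -EncodedCommand
# argument found in a PowerShell command line so the hunter can read the payload.
# The argument is Base64 over UTF-16LE text, which is why generic Base64 tools
# show the result interleaved with NUL bytes.
function ConvertFrom-EncodedCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }

    # powershell.exe accepts -e, -ec, -en, -enc ... -encodedcommand. The pattern
    # deliberately does not match -ex (ExecutionPolicy) or -ep.
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }

    try {
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
        return [Text.Encoding]::Unicode.GetString($bytes)
    } catch {
        Write-Warning "Argument after -enc is not valid Base64: $($m.Groups[1].Value)"
        return $null
    }
}

# Hunt over live processes; Win32_Process exposes the full command line.
function Find-EncodedPowerShell {
    Get-CimInstance Win32_Process -Filter "Name LIKE 'powershell%' OR Name LIKE 'pwsh%'" |
        ForEach-Object {
            $decoded = ConvertFrom-EncodedCommandLine $_.CommandLine
            if ($decoded) {
                [PSCustomObject]@{ PID = $_.ProcessId; ParentPID = $_.ParentProcessId; Decoded = $decoded }
            }
        }
}

# Constructed sample line of the kind Sysmon Event ID 1 or Win32_Process records.
$sample = 'powershell.exe -NoP -W Hidden -enc ' +
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Output "demo payload"'))
ConvertFrom-EncodedCommandLine $sample
Find-EncodedPowerShell | Format-Table -AutoSize
```

The same function can be applied to the `CommandLine` field of exported Sysmon Event ID 1 records when hunting across hosts in a SIEM.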

Real-World Examples

Example 1: Malicious Word Macro

  • User opens a malicious .docx.
  • Word spawns powershell.exe with an encoded payload.
  • Defender sees this chain in Sysmon logs and stops it before C2 connection.

Example 2: Persistence in svchost.exe

  • Attacker installs a malicious service.
  • Service runs as svchost.exe but from a non-standard path.
  • Process Explorer reveals the binary is unsigned and located in %APPDATA%.
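The Process Explorer check in Example 2 can be scripted across every installed service. This is an added example, not code from the original article: it walks `Win32_Service`, extracts the executable from the (possibly quoted) `PathName`, and flags any binary that is named svchost.exe but sits outside System32, lives in a user-writable directory, or fails Authenticode validation. `Get-CimInstance` is used as the current replacement for `Get-WmiObject`.

```powershell
# Added example (not from the original article): audit installed services for
# the pattern in Example 2, a service binary that claims to be svchost.exe but
# lives outside System32, sits in a user-writable directory, or is unsigned.
function Find-SuspiciousServiceBinary {
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc  = $_
        $path = [Environment]::ExpandEnvironmentVariables([string]$svc.PathName)
        if ([string]::IsNullOrWhiteSpace($path)) { return }

        # PathName may be quoted and usually carries arguments (svchost.exe -k ...);
        # keep only the executable path.
        $exe = if ($path -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $path }

        $sigStatus = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else { 'FileMissing' }

        $reasons = @()
        if ((Split-Path $exe -Leaf) -ieq 'svchost.exe' -and $exe -notlike "$system32\*") {
            $reasons += 'svchost.exe outside System32'
        }
        if ($exe -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            $reasons += 'user-writable location'
        }
        if ("$sigStatus" -ne 'Valid') { $reasons += "signature: $sigStatus" }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Service   = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Path      = $exe
                Reasons   = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousServiceBinary | Format-Table -AutoSize
```

Third-party services will legitimately show up as unsigned or under ProgramData on some hosts, so compare the output against the host's baseline before treating an entry as a finding.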

Advanced Tools for Blue Teams

  • Sysinternals Process Monitor (Procmon) - Detailed file/registry/network activity.
  • Sysmon - Persistent logging of process creation, image loading, and network connections.
  • Velociraptor - Endpoint visibility for threat hunting.
  • Windows Event Viewer - Logs in Security and Sysmon channels.

Command & Script Cheat Sheet

List processes with network connections:

Get-NetTCPConnection | ForEach-Object {
    # The owning process may already have exited (e.g. TIME_WAIT entries);
    # suppress the lookup error instead of aborting the loop
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ProcessName = $proc.ProcessName
        PID         = $_.OwningProcess
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
}

Find unsigned binaries:

Get-Process | Where-Object {
    # $_.Path is empty for protected and system processes; skip those rather than erroring.
    # Note: -not binds tighter than -eq, so "-not (...).Status -eq 'Valid'" would never match.
    $_.Path -and (Get-AuthenticodeSignature $_.Path).Status -ne 'Valid'
}

Dump suspicious process memory (live forensics):

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full

Pro Tips for Deeper Analysis

  • Always correlate process creation with command line arguments.
  • Check creation timestamps — a burst of processes at odd hours is a red flag.
  • Match PIDs with network connections to find hidden RATs.
  • Baseline normal processes for each host and compare regularly.
  • Use ELK, Splunk, or Sentinel to hunt process anomalies across the enterprise.

Windows Process Hunting Cheat Sheet

Basic Process Enumeration

tasklist /v                  # List processes with details
Get-Process                  # PowerShell equivalent
Get-WmiObject Win32_Process  # Full process info (PID, parent, path)

Detect Suspicious Parent-Child Chains

Get-WmiObject Win32_Process |
Select-Object ProcessId,ParentProcessId,Name,CommandLine |
Sort-Object ParentProcessId

Red Flags

  • winword.exe spawning powershell.exe
  • explorer.exe spawning cmd.exe or mshta.exe

Find Encoded PowerShell Commands

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $_.Message -match "-enc" }

Check Binary Signatures

Get-Process | Where-Object {
    # Skip processes with no readable Path (protected/system processes)
    $_.Path -and (Get-AuthenticodeSignature $_.Path).Status -ne 'Valid'
}

List Processes with Network Connections

Get-NetTCPConnection | ForEach-Object {
    # Owning process may have exited already; do not abort the loop on lookup failure
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ProcessName = $proc.ProcessName
        PID         = $_.OwningProcess
        RemoteIP    = $_.RemoteAddress
        RemotePort  = $_.RemotePort
    }
}

Detect Process Injection

Use Sysmon Event ID 7 (Image Loaded) to spot DLLs in unexpected locations:

  • %TEMP%
  • %APPDATA%
  • Non-Windows directories
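Both Sysmon checks in this guide, the Event ID 1 parent-child mismatch from the Parent-Child Mismatch section and the Event ID 7 image-load check above, can be run from one script. This is an added example, not code from the original article: it flattens each Sysmon event's EventData into an object and then applies the two hunts. It assumes Sysmon is installed with Event ID 1 and Event ID 7 enabled (image loads are off in many default configurations) and that the shell is elevated so it can read the Sysmon channel; the process-name lists are the author's choice and should be tuned to the environment.

```powershell
# Added example (not from the original article): two Sysmon hunts built on a
# small helper that flattens a Sysmon event's EventData into an object.
# Assumes an elevated shell and Sysmon configured to log Event IDs 1 and 7.
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = [ordered]@{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    # Each <Data Name="Image">...</Data> becomes a property named after the field.
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [PSCustomObject]$h
}

# Parent-child mismatch: Office applications should not spawn shells or script hosts.
$OfficeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$ScriptHosts   = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

function Find-OfficeSpawnedShell {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object {
            # GetFileName tolerates a null ParentImage (parent already gone)
            $OfficeParents -contains [IO.Path]::GetFileName($_.ParentImage) -and
            $ScriptHosts   -contains [IO.Path]::GetFileName($_.Image)
        } |
        Select-Object TimeCreated, User, ParentImage, Image, CommandLine
}

# Image loads (Event ID 7) from user-writable directories, where injected or
# side-loaded DLLs are typically staged. Limited to one day because Event 7 is noisy.
function Find-ImageLoadFromUserDir {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 7; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.ImageLoaded -match '\\(Temp|AppData|ProgramData|Users\\Public)\\' } |
        Select-Object TimeCreated, Image, ImageLoaded, Signed, Signature
}

Find-OfficeSpawnedShell   | Format-Table -AutoSize
Find-ImageLoadFromUserDir | Format-Table -AutoSize
```

Event ID 7 output includes Sysmon's own `Signed` and `Signature` fields, so an unsigned DLL loaded from %APPDATA% stands out without a separate signature check.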

Dump Suspicious Process Memory

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\dump.dmp full

(For offline analysis in tools like Volatility.)


Hunting Mindset

  • Baseline first — know what's normal for the system.
  • Look for spikes in process creation during off-hours.
  • Correlate process events with network, registry, and file changes.
  • Use Sysmon for rich telemetry: Event IDs 1 (process create), 7 (image load), 10 (process access).

***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.