How to do I find out process from spawning from svchost.exe sending request to malicious IP addresses

General (Technical, Procedural, Software, Hardware etc.)

Last Post by carpentergravy 3 years ago

2 Posts

2 Users

0 Reactions

2,377 Views

RSS

blason16

(@blason16)

New Member

Joined: 3 years ago

Posts: 1

Topic starter 28/03/2022 8:57 am

Hi Team,

In my network I observed first few desktops are trying to connect to 199[.]59[.]243[.]200 on multiple ports especially on port 445/1433/80/443

After further investigation and captured the logs and processes found that mainly svchost.exe and lsass.exe and sending a connections to this host from all those desktops. There are no processes then getting spawned svchost.exe and lsass.exe.

How do I go further then to find out what exact process is triggering those issues?

Can someone please help?

TIA

Blason R

Quote

carpentergravy

(@carpentergravy)

New Member

Joined: 3 years ago

Posts: 1

12/04/2022 2:42 pm

Further research and collection of logs and processes revealed that the majority of the processes were svchost.exe and lsass.exe, which were sending connections to this host from all of the PCs. The processes svchost.exe and lsass.exe that are launched are the only ones running.

ReplyQuote

Android Forensics

I have conducted a logical and partial extraction of a ...

By SgtAndroid , 20 hours ago
Article: The Balance Between Digital Forensic Examiners And Digital Evidence Technicians: Expertise Vs. Efficiency

Can digital forensic labs cut backlogs without cutting ...

By Zoe , 2 days ago
Prefetch Question

Hello All, I have a question regarding Windows prefet...

By Forensic_Tester , 2 days ago

8 Forums
15.7 K Topics
92.3 K Posts
149 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed