Website: info about known good/suspicious Windows Processes

(@defaultpwguy)
Posts: 4
New Member
Topic starter
 

Hello all,

I'm new here. I'm trying to learn about all the well known Windows Processes so that I can pull up a list of running processes and identify any that stand out or that require further investigation.

My question is: are there any good, reputable websites that I can use to research known good processes, maybe lists for different Windows versions? Also, where would you guys recommend researching suspicious processes on the web?

I'm capable of searching on Google myself; I'm more curious about what others use and their recommendations.

Thanks for any info!

~ Defaultpwguy

 
Posted : 20/04/2016 2:25 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

If you download Process Explorer from Microsoft, you can use it to submit the hashes for all of the executables to VirusTotal. It won't catch malicious DLLs loaded through svchost or any low-level rootkits, but it's a good way to identify low-hanging fruit.

The process names can sometimes help to identify malware but they are easy to change.

 
Posted : 20/04/2016 3:21 am
(@defaultpwguy)
Posts: 4
New Member
Topic starter
 

Thanks for the comment. I'm actually familiar with Process Explorer and VirusTotal; I love the Sysinternals tool set.

I guess I'm more concerned with learning about the "known good" processes. Anything that is named otherwise or that I don't recognize I can research, and for the ones that are named correctly (e.g. svchost.exe), I can confirm that they are running from the correct folder, have the correct PPID, number of instances, etc.

Are there any online sites you use to research or look into processes that are unknown to you to try to identify what they are, etc?

I guess I'm trying to find some good online resources.

Thanks for the reply!

 
Posted : 20/04/2016 5:52 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

It might sound a bit arrogant, but I have written the article "Standard Processes in Windows 10" here at ForensicFocus.com. It will answer your questions regarding Windows 10 and particularly Win 8.1 and 7.

SANS at sans.org has several "posters" with very valuable content you might find useful. Especially this one, https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf, has all the info you are looking for on page 2.

You should know all standard processes and their logical and chronological dependencies and order if you want to work in the IR business. Based on this knowledge, it often takes me only a few seconds to detect malicious processes, if it is a "lower" threat like a typical RAT "hiding in plain sight".

best regards,
Robin

 
Posted : 20/04/2016 1:01 pm
(@defaultpwguy)
Posts: 4
New Member
Topic starter
 

Thanks for the post, I will definitely give your article a look over. I actually had the opportunity to attend the GCFA SANS course and own that actual poster lol.

Great course and cert; funny though, we were taught that svchost was never supposed to run under the user account, although on Windows 10 there is an svchost under the user's account. The first time I saw it, I thought for sure I had a virus, but then a few of my coworkers had the same thing, so I figured it was just a Windows 10 thing. When I googled this, I couldn't find any documentation on it.

I guess this situation kind of led to my post on this forum, because my Google skills are not that good and I can't even find a reference to this svchost running under a user account on Windows 10.

 
Posted : 21/04/2016 6:00 am
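The checks the thread keeps coming back to (correct folder, correct parent, expected account, number of instances, and the parent/child order Bunnysniper mentions) can be written down as a small rule table and run over a process listing. The script below is an added example, not code from the thread, from Process Explorer or from the SANS poster. Its rule table covers only three image names and is a constructed, deliberately small baseline, and the process records are constructed rather than captured from a real host. The svchost.exe row running under a user account is modelled on the Windows 10 observation above: the script reports it as something to look at, not as a verdict.

```python
"""Baseline checks for a few well-known Windows processes.

Added example, not code from the thread or from any tool named in it.
RULES is a constructed, deliberately small baseline (image directory,
expected parent, expected accounts, instance limit); SAMPLE_PROCS is a
constructed process list, not output captured from a real host.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One row as it might be exported from Process Explorer or tasklist."""
    pid: int
    ppid: int
    name: str
    path: str
    user: str


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    check: str   # "path", "parent", "user" or "instances"
    detail: str


SYSTEM32 = r"c:\windows\system32"
SYSTEM = "nt authority\\system"
SERVICE_ACCOUNTS = {SYSTEM, "nt authority\\local service", "nt authority\\network service"}

# Constructed baseline: the "correct folder, correct ppid, number of instances"
# checks from the thread. parent=None would skip the parent check.
RULES = {
    "services.exe": dict(dir=SYSTEM32, parent="wininit.exe", users={SYSTEM}, max_instances=1),
    "lsass.exe":    dict(dir=SYSTEM32, parent="wininit.exe", users={SYSTEM}, max_instances=1),
    "svchost.exe":  dict(dir=SYSTEM32, parent="services.exe", users=SERVICE_ACCOUNTS, max_instances=None),
}


def _dir_of(path: str) -> str:
    # Windows paths split by hand so the script runs unchanged on any host.
    return path.lower().rsplit("\\", 1)[0]


def triage(procs):
    """Return one Finding per deviation from RULES; an empty list means nothing stood out."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    findings = []
    reported_counts = set()
    for p in procs:
        name = p.name.lower()
        rule = RULES.get(name)
        if rule is None:
            continue  # not baselined here; a real table covers far more names
        if _dir_of(p.path) != rule["dir"]:
            findings.append(Finding(p.pid, name, "path", f"image {p.path} not under {rule['dir']}"))
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<not running>"
        if rule["parent"] and parent_name != rule["parent"]:
            findings.append(Finding(p.pid, name, "parent", f"parent is {parent_name}, expected {rule['parent']}"))
        if p.user.lower() not in rule["users"]:
            findings.append(Finding(p.pid, name, "user", f"runs as {p.user}, expected a service account"))
        limit = rule["max_instances"]
        if limit is not None and counts[name] > limit and name not in reported_counts:
            reported_counts.add(name)  # report an instance-count problem once per name
            findings.append(Finding(p.pid, name, "instances", f"{counts[name]} instances, expected at most {limit}"))
    return findings


# Constructed listing: baseline rows, one svchost under a user account (the
# Windows 10 observation in the thread) and one svchost lookalike started from %TEMP%.
SAMPLE_PROCS = [
    Proc(520, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe", r"NT AUTHORITY\SYSTEM"),
    Proc(612, 520, "services.exe", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    Proc(624, 520, "lsass.exe", r"C:\Windows\System32\lsass.exe", r"NT AUTHORITY\SYSTEM"),
    Proc(780, 612, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    Proc(812, 612, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\LOCAL SERVICE"),
    Proc(3100, 612, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"DESKTOP-01\alice"),
    Proc(3980, 3900, "explorer.exe", r"C:\Windows\explorer.exe", r"DESKTOP-01\alice"),
    Proc(4412, 3980, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", r"DESKTOP-01\alice"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCS):
        print(f"pid {f.pid:>5} {f.name:<13} {f.check:<9} {f.detail}")
```

On the sample listing the script is silent about the wininit/services/lsass chain and the two service-account svchost instances, reports pid 3100 once (account only, which on Windows 10 may be exactly the situation described above and so needs a second look rather than a conclusion), and reports pid 4412 three times: wrong folder, wrong parent and wrong account, which is the "hiding in plain sight" pattern Robin describes. Extending the baseline means adding rows to RULES, for instance from the SANS poster linked above.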