Process hierarchy

Both Windows and Unix/Linux systems have a hierarchy of processes

• Every process but the root process is the child of some other process

Looking for irregularities in this hierrchy can help detect impersonators

• Any svchost.exe that isn't a direct child of services.exe is malicious

Knowledge of the hierarchy for common processes on Windows and Linux is a valuable tool for a threat hunter

Process hijacking

Some malware will take over an existing process and execute with its memory space and permissions

This can be accomplished in a variety of ways:

• Function hooks

• Inline modifications/patching

• DLL injection

These malicious processes will have different copies running in memory than are saved on disk

• They may also have unusual dependencies/imports

Checking process info

Windows

Microsoft provides a couple of tools for monitoring processes in Windows:

• Task Manager

• Process Monitor

Process Hacker is another great choice for Windows process analysis

Linux/Unix

On Linux and Unix, the built-in ps command provides information on currently-running processes

• Multiple different flags provide a variety of information

• Can be executed by or have output piped to scripts for analysis

To view the hierarchy of processes on Linux, use pstree