Process hierarchy

Both Windows and Unix/Linux systems have a hierarchy of processes

  • Every process but the root process is the child of some other process

Looking for irregularities in this hierarchy can help detect impersonators

  • Any svchost.exe that isn't a direct child of services.exe is malicious

Knowledge of the hierarchy for common processes on Windows and Linux is a valuable tool for a threat hunter
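As an added example (not part of the original notes), here is a small hierarchy check that applies the svchost.exe/services.exe rule above to a process listing. The listing is a constructed sample in the column layout of `ps -eo pid,ppid,comm`; the Windows process names and PIDs in it are made up to exercise the rule, and the EXPECTED_PARENT table is an assumption you would extend for your own environment.

```python
# Constructed sample in the shape of `ps -eo pid,ppid,comm` output (not a
# real capture). Windows names are used to exercise the svchost.exe rule.
SAMPLE_LISTING = """\
  PID  PPID COMMAND
    4     0 System
  600     4 smss.exe
  700   600 csrss.exe
  720   600 wininit.exe
  800   720 services.exe
  900   800 svchost.exe
  950   800 svchost.exe
 1100  1000 explorer.exe
 1200  1100 svchost.exe
 1300   720 lsass.exe
 1400  1300 svchost.exe
 1500  1499 svchost.exe
"""

# Expected parents per process name. Only the svchost.exe -> services.exe
# rule comes from the notes; extend this table for your own environment.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def parse_listing(text):
    """Parse pid/ppid/command columns into {pid: (ppid, name)}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, name = line.split(None, 2)
        procs[int(pid)] = (int(ppid), name)
    return procs


def find_hierarchy_anomalies(procs, expected=EXPECTED_PARENT):
    """Return (pid, name, parent_name, reason) for every process whose parent
    is not one the table allows. parent_name is None when the parent pid is
    absent from the listing (already exited or incomplete capture)."""
    findings = []
    for pid, (ppid, name) in sorted(procs.items()):
        if name not in expected:
            continue
        parent = procs.get(ppid)
        if parent is None:
            findings.append((pid, name, None, f"parent pid {ppid} absent"))
        elif parent[1] not in expected[name]:
            findings.append((pid, name, parent[1],
                             f"parent {parent[1]} not in {sorted(expected[name])}"))
    return findings
```

On a Linux host the same parser accepts real `ps -eo pid,ppid,comm` output; on Windows, feed it the same three columns exported from whichever process tool you use.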

Process hijacking

Some malware will take over an existing process and execute with its memory space and permissions

This can be accomplished in a variety of ways:

  • Function hooks

  • Inline modifications/patching

  • DLL injection

A hijacked process's image in memory will differ from the executable saved on disk

  • They may also have unusual dependencies/imports

Checking process info

Windows

Microsoft provides a couple of tools for monitoring processes in Windows:

  • Task Manager

  • Process Monitor

Process Hacker is another great choice for Windows process analysis

Linux/Unix

On Linux and Unix, the built-in ps command provides information on currently running processes

  • Multiple different flags provide a variety of information

  • Can be run from scripts, or have its output piped to scripts, for analysis

To view the hierarchy of processes on Linux, use pstree
