Part 1: The Art of Process Behavior Analysis - Know Your Windows!
The Detective’s Guide to Process Anomalies 🔍
Understanding Windows process behavior is crucial for detecting malicious activity. Windows is designed to run code as process threads, and both legitimate activities and malicious persistence techniques generate predictable process trees. When you understand these normal patterns, abnormal activity becomes much easier to identify.
Let me walk through the key analysis techniques and illustrate each with real-world attack examples.
The “Is This Process Normal?” Checklist
Process Name Analysis 📛
Technique: Examine process names for misspellings, incorrect capitalization, or unexpected processes. Attackers often try to mimic legitimate system processes with slight variations that might go unnoticed during casual inspection.
Real-world example: In the HAFNIUM Exchange Server attacks (2021), attackers deployed web shells with names like “iisweb.exe” and “exchange.exe” - legitimate-sounding names that didn’t belong on those systems. Similarly, the Emotet malware has used “svhost.exe” (missing a ‘c’) to mimic the legitimate “svchost.exe” process.
File Path Verification 📁
Technique: Check if processes are running from their expected locations. System processes should execute from standard directories like System32, while applications have their designated program folders. Processes running from temp directories, user profiles, or other unusual locations often indicate malicious activity.
Real-world example: The Qakbot banking trojan commonly places its main executable in unusual locations like “C:\ProgramData[random folder][random].exe” rather than standard program directories. The Conti ransomware group has been observed dropping their payloads in “C:\Windows\Temp” with random filenames - a system location that shouldn’t contain executable applications.
Parent-Child Relationship Analysis 👪
Technique: Verify if processes have the expected parent processes. Windows has predictable process hierarchy patterns; deviations from these norms often indicate compromise. This is one of the most reliable detection methods since attackers find it difficult to launch their code with the correct parent process.
Real-world example: During the SolarWinds SUNBURST attack, investigators discovered the malware created unusual process chains where rundll32.exe was spawning PowerShell, which then launched net.exe - a highly unusual parent-child relationship that stood out from normal system behavior. Also, APT29 (Cozy Bear) operations have shown explorer.exe spawning unusual children like odbcconf.exe for DLL execution.
Command Line Inspection 💻
Technique: Analyze the command-line arguments used to launch processes. Suspicious indicators include obfuscation techniques (base64 encoding), security bypass flags, unusual parameter combinations, or extremely long command lines designed to hide malicious intent.
Real-world example: The Trickbot banking trojan typically uses highly distinctive command lines with specific switches like “cmd.exe /c timeout 3 && del [filepath]” for cleaning up after itself. In another case, NOBELIUM’s post-compromise activities frequently included PowerShell commands with -enc flags followed by large base64-encoded payloads to evade detection.
Temporal Analysis 🕒
Technique: Investigate when processes started in relation to system events or time of day. Legitimate system processes often start at boot or login, while user applications start during working hours. Processes launching at unusual times, especially during off-hours, can indicate compromise.
Real-world example: During the Colonial Pipeline ransomware attack by DarkSide, analysis revealed the initial compromise occurred at 4:30 AM local time on a Friday - a time specifically chosen by the attackers when IT staff would be minimal. Similarly, the BlackMatter ransomware group typically deploys their encryption routines between 11 PM and 3 AM local time.
Security Context Evaluation 🔐
Technique: Check if processes are running with appropriate privilege levels. System processes should run as SYSTEM or service accounts, while user applications should run in user context. Mismatched privilege levels often indicate compromise or privilege escalation.
Real-world example: The PrintNightmare vulnerability (CVE-2021-34527) exploitation was detected when a print spooler service was observed spawning child processes with SYSTEM privileges, allowing attackers to escalate privileges. In another case, FIN7 attacks showed evidence of notepad.exe running with SYSTEM privileges - a clear indicator of inappropriate elevation.
Common Process Patterns: Know Your Normal! 👀
Windows executes code as process threads, and persistence mechanisms create distinctive process trees. Understanding these normal patterns is crucial for identifying malicious activity that attempts to blend in with legitimate processes.
Task Scheduling Process Pattern
Technique: Legitimate scheduled tasks follow a specific process chain: services.exe → svchost.exe (with “-k netsvcs -p -s Schedule” parameters) with taskhostw.exe as a sibling process. The scheduled task executable runs as a direct child of this svchost.exe process, not under taskhostw.exe. Unexpected processes appearing as scheduled tasks or deviations from this pattern may indicate persistence mechanisms.
Real-world example: The Wizard Spider threat group (responsible for Ryuk ransomware) is known to use scheduled tasks for persistence, creating unusual patterns where legitimate system binaries like regsvr32.exe appeared as scheduled tasks but were loading malicious DLLs at unusual times.
Services Process Pattern
Technique: Services are one of the most common ways code is executed in Windows. Legitimate services appear as direct children of services.exe, and this area is worth thorough investigation due to the large number of services that typically run. Any unexpected or oddly-named service deserves investigation, even if the process relationship follows the correct pattern.
Real-world example: The infamous NotPetya attack registered a fake service named “Windows Update” that appeared as a direct child of services.exe but actually initiated the encryption routine. The Winnti Group has been observed using services with names like “Windows Performance” that, while appearing under services.exe correctly, were running malicious payloads.
Registry Run Keys Process Pattern
Technique: Registry run keys are designed to run during user login, and therefore processes launched via this method appear as children of explorer.exe. Most applications running under a user context will be child processes here, making it an excellent location to find many kinds of attacks beyond those of registry run key persistence. While many legitimate applications use this startup method, it’s also frequently abused by attackers. The key is knowing which applications normally start this way in your environment.
Real-world example: APT41 has frequently used registry run keys for persistence, resulting in explorer.exe spawning unusual processes like rundll32.exe loading obscure DLLs at user login. This appeared in the correct process tree position but with abnormal children.
Remote Access Process Patterns
PsExec Pattern
Technique: When the SysInternals PsExec tool runs code remotely, it creates a service called “PSEXESVC.exe” on the target system. The process pattern appears as: services.exe → PSEXESVC.exe → [executed command]. While PsExec is commonly used with default settings, remember that the “PSEXESVC.exe” service name can be modified using the “-r” parameter. This pattern is specific to the SysInternals version of PsExec—not other remote execution tools that share the “psexec” name.
Real-world example: The Lazarus Group has been observed using modified versions of PsExec for lateral movement, where the service name was changed from PSEXESVC to “Windows NT Service” but still exhibited the telltale services.exe → custom service name → command execution pattern.
WMI Remote Execution Pattern
Technique: When WMI is used for remote execution, WmiPrvSE.exe appears on the target machine and spawns the executed process. When that child process is PowerShell or cmd.exe, it’s particularly suspicious as this combination is rarely used for legitimate purposes and frequently indicates lateral movement or fileless malware. Many “psexec” copycat tools, including Cobalt Strike’s psexec payloads, actually use WMI rather than the service-based approach of the original SysInternals tool.
Real-world example: The PLATINUM APT group has used WMI for fileless persistence, resulting in WmiPrvSE.exe spawning PowerShell processes that executed encoded commands to contact command and control servers - a clear example of the dangerous WmiPrvSE → PowerShell pattern.
PowerShell Execution Pattern
Technique: Analyze PowerShell’s parent process to identify suspicious execution chains. When a user launches PowerShell normally, you’ll see explorer.exe as the parent process. If svchost.exe is the parent, this typically indicates administrative account usage. PowerShell with cmd.exe as its parent deserves attention—it might simply mean a user switched from command prompt to PowerShell, but could also signal activity from backdoors or command shells. Most concerning are PowerShell processes with unusual parent processes like winword.exe, mshta.exe, or wscript.exe—these combinations are abnormal and require immediate investigation.
Real-world example: During MAZE ransomware attacks, detection teams observed Microsoft Word spawning PowerShell (winword.exe → powershell.exe) - a highly unusual parent-child relationship that indicated successful phishing exploitation. The FIN7 group has frequently used Excel as a parent process for PowerShell, another relationship that almost never occurs legitimately.
Conclusion
Windows is designed to run code as process threads, and most persistence and lateral movement techniques generate predictable process trees on the victim system. By learning these patterns for common activities, SOC analysts gain a powerful advantage in spotting malicious activity.
Services running under services.exe, scheduled tasks under the specific svchost.exe process, applications launched at login under explorer.exe, and various remote execution methods all create distinctive parent-child relationships that serve as a baseline for normal behavior.
By understanding these process behavior patterns and recognizing their manifestations in real-world attacks, security teams can move beyond signature-based detection to behavior-based identification of threats, even when facing previously unknown malware variants. Process analysis remains one of our most powerful tools for detecting sophisticated attacks that evade traditional signature-based defenses.
Remember - sometimes what matters most isn’t what you see, but what you know shouldn’t be there at all!