What to look for when trying to identify suspicious processes running in a system?
1. Known process running from a different path or having a different parent process than the default
If you see a common Windows process not running under its expected parent process or not running from its default path, for example svchost.exe not running under services.exe (the parent process for svchost.exe) or running from a path other than its usual default, C:\Windows\System32, this could be suspicious and you should investigate it further.
2. Tools being run outside the scope of normal or non-technical user activity
If you see reconnaissance tools like ping.exe, ipconfig.exe, netstat.exe, whoami.exe, or administrative tools like wmic.exe, psexec.exe, tasklist.exe, netcat.exe, then you may want to check whether running such a tool is a usual activity for that user or a one-time event. These tools are often leveraged by adversaries for malicious purposes and hence should be looked into, especially if the user is not aware of having run them.
3. PowerShell Usage
PowerShell is an extremely powerful command-line interface and scripting language included in the Windows operating system. Adversaries can abuse PowerShell to download and execute malicious code on the system. Hence, if you see PowerShell running encoded commands or downloading content, you should confirm what it is being used for.
4. Process running from unusual file paths
Processes generally should not execute from user-profile paths (C:\Users\<username>\AppData\Local\Temp; C:\Users\<username>\AppData\Roaming\Temp) or from the Recycle Bin. If you observe any process running from these locations, make sure that you know what that process is and why it is there.
5. Process showing a persistence mechanism
Adversaries often need to maintain access to systems through interruptions such as a system restart or other failures. This requires them to make system configuration changes that cause the malware to execute each time the system reboots. So, any process that adds an entry to the "Run" keys in the Registry or creates a scheduled task could be suspicious and should be analyzed.
6. Process that stops security-related services
While looking for suspicious processes, you should also search for any process that stops key services such as Windows Firewall, because adversaries may do so to evade detection.
7. Process that shows suspicious network behavior
Any process that shows suspicious network behavior, such as making web requests directly to an IP address rather than a domain name, making RDP connections (port 3389), communicating over port 443/80 without being a browser, sending outbound traffic on non-standard ports, or making DNS requests for unusual domain names, is a suspicious process that should be investigated.
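The parent/path check from item 1, the unusual-path check from item 4 and the encoded-PowerShell check from item 3 can be expressed as simple triage rules over process records. The following is an added example written for this page, not code from the original post; the EXPECTED table, the field names (name, parent, path, cmdline, in the style of a Sysmon process-creation event) and the sample records are all constructed here.

```python
import re

# Expected parent process and image directory for core Windows processes
# (constructed table based on the defaults described above; extend per environment).
EXPECTED = {
    "svchost.exe": {"parent": "services.exe", "dir": r"c:\windows\system32"},
    "services.exe": {"parent": "wininit.exe", "dir": r"c:\windows\system32"},
}

# User-profile temp folders and the Recycle Bin: locations a normal process
# should not be executing from.
UNUSUAL_DIRS = re.compile(
    r"^c:\\(users\\[^\\]+\\appdata\\(local|roaming)\\temp|\$recycle\.bin)\\", re.I)

# PowerShell's -EncodedCommand switch and its common abbreviations.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)(\s|$)", re.I)


def triage(proc):
    """Return the list of reasons a process record looks suspicious (empty if none)."""
    name = proc["name"].lower()
    path = proc["path"].lower()
    directory = path.rsplit("\\", 1)[0]
    findings = []
    rule = EXPECTED.get(name)
    if rule:  # item 1: known process with a different parent or path than the default
        if proc["parent"].lower() != rule["parent"]:
            findings.append(f"{name}: unexpected parent {proc['parent']}")
        if directory != rule["dir"]:
            findings.append(f"{name}: unexpected path {proc['path']}")
    if UNUSUAL_DIRS.match(path):  # item 4: user-profile temp or Recycle Bin
        findings.append(f"{name}: running from user profile temp or recycle bin")
    if name == "powershell.exe" and ENCODED_FLAG.search(proc["cmdline"]):  # item 3
        findings.append("powershell.exe: encoded command line")
    return findings


# Constructed sample records: one benign, one svchost.exe impostor, one encoded
# PowerShell launch (the base64 is a placeholder, not a real payload).
SAMPLE_PROCESSES = [
    {"name": "svchost.exe", "parent": "services.exe",
     "path": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"name": "svchost.exe", "parent": "explorer.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe"},
    {"name": "powershell.exe", "parent": "cmd.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
]

if __name__ == "__main__":
    for proc in SAMPLE_PROCESSES:
        print(proc["name"], "->", triage(proc) or "no findings")
```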