EDR Originating Processes
Uploaded by wibateam

Common originating processes on an EDR

/in/halilbaris/ https://infoseclabs.io
Core System Processes

explorer.exe
Description: Windows file manager (shell) process; typically the parent of files and applications launched by the user.
Suspicious Activity: Launching executables from unknown directories may indicate malware.

services.exe
Description: Manages system services.
Suspicious Activity: If it starts unusual executables, it could indicate privilege escalation or persistence.

svchost.exe
Description: Hosts Windows services.
Suspicious Activity: Unusual instances running from non-standard directories may indicate process injection.

lsass.exe
Description: Manages security policies and user sessions.
Suspicious Activity: Memory dumps or access by unknown processes suggest credential harvesting.

csrss.exe
Description: Handles system tasks such as console and thread management.
Suspicious Activity: If an attacker manipulates it, it could indicate malware trying to disable security features.
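
The lsass.exe entry above says that access by unknown processes suggests credential harvesting. The following is an added example (not part of the original deck) of how a detection engineer would turn that into a check over Sysmon-style ProcessAccess events (Event ID 10 fields SourceImage, TargetImage, GrantedAccess): only opens that carry memory-read rights matter, and only from processes outside an assumed per-host baseline. The baseline list and the sample events are constructed for the example.

```python
"""Flag handle access to lsass.exe from processes outside a baseline (Sysmon Event ID 10 style)."""
# Added example, not part of the original deck. Field names follow Sysmon's ProcessAccess event
# (SourceImage, TargetImage, GrantedAccess); the events and the baseline list are constructed.
import ntpath

# Win32 process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed baseline of processes that open lsass.exe on a healthy host; tune per environment.
BASELINE_LSASS_READERS = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\svchost.exe",
}


def parse_access_mask(value):
    """GrantedAccess arrives as a hex string such as '0x1010'; return it as an int."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text)


def evaluate_access_event(event):
    """Return a reason string if the event is a suspicious open of lsass.exe, else None."""
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return None
    mask = parse_access_mask(event["GrantedAccess"])
    # Only rights that allow reading memory matter for credential-dumping detection;
    # PROCESS_ALL_ACCESS includes PROCESS_VM_READ, so it passes this filter too.
    if not (mask & PROCESS_VM_READ):
        return None
    source = event["SourceImage"].lower()
    if source in BASELINE_LSASS_READERS:
        return None
    if mask == PROCESS_ALL_ACCESS:
        return f"{source} opened lsass.exe with PROCESS_ALL_ACCESS"
    return f"{source} opened lsass.exe with memory-read rights (0x{mask:x})"


def suspicious_lsass_access(events):
    """Run all events through the check; return (SourceImage, reason) pairs that were flagged."""
    hits = []
    for event in events:
        reason = evaluate_access_event(event)
        if reason:
            hits.append((event["SourceImage"], reason))
    return hits


SAMPLE_EVENTS = [  # constructed sample events, not captured telemetry
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\dumper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\alice\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for source, reason in suspicious_lsass_access(SAMPLE_EVENTS):
        print(reason)
```

The baseline is the part that needs care: an allowlist keyed on full image path (not just file name) is what stops a binary named svchost.exe in a user's profile from slipping past the check.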

Scripting & Shell Processes

cmd.exe
Description: Windows Command Prompt, often used for administrative tasks.
Suspicious Activity: Abnormal commands or scripts might indicate malware or lateral movement.

powershell.exe
Description: Scripting language and shell used for system management.
Suspicious Activity: Obfuscated scripts or unusual parameters are common in phishing and ransomware.

wscript.exe/cscript.exe
Description: Hosts for executing VBScript or JScript files.
Suspicious Activity: Often used to run malicious scripts or automate attacks.

wmiprvse.exe
Description: Windows Management Instrumentation provider host, used for management tasks.
Suspicious Activity: Remote WMI commands or unusual instances often suggest lateral movement.

rundll32.exe
Description: Executes functions exported by DLLs.
Suspicious Activity: Loading unknown or suspicious DLLs can indicate malware.

mshta.exe
Description: Hosts HTML Applications (HTA).
Suspicious Activity: Often used in phishing attacks to execute remote scripts or payloads.
Office and Application Processes

winword.exe
Description: Microsoft Word, commonly used in document handling.
Suspicious Activity: If it spawns scripts or executables, it may indicate a malicious macro.

excel.exe
Description: Microsoft Excel, also commonly used in document handling.
Suspicious Activity: Macro-based malware frequently uses Excel to spawn malicious processes.

outlook.exe
Description: Microsoft Outlook, used for email.
Suspicious Activity: Launching executables may indicate an email-based malware infection.

acrobat.exe
Description: Adobe Acrobat, used for PDFs.
Suspicious Activity: PDFs with embedded malware often try to launch other processes.
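
The core system, scripting/shell and Office sections above each describe a parent/child or image-path expectation that an EDR evaluates on every process creation. As an added example (not code from the original deck), the block below encodes three of those expectations as rules over Sysmon Event ID 1 style records (Image, ParentImage): a document handler spawning a script or shell host or an executable from a user-writable location, a core system binary running from outside the system directories, and explorer.exe launching an executable from a user-writable directory. The list of user-writable path fragments and the sample events are assumptions constructed for the example.

```python
"""Evaluate process-creation events against the parent/child expectations from the slides."""
# Added example (not part of the original deck). Field names follow Sysmon Event ID 1 style
# (Image, ParentImage); the events below are constructed, not captured.
import ntpath

# Script and shell hosts from the "Scripting & Shell Processes" section.
SCRIPT_AND_SHELL_HOSTS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "wmiprvse.exe",
}
# Document-handling applications from the "Office and Application Processes" section.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrobat.exe"}
# Core system binaries that are expected to run from the system directories only.
CORE_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments treated as user-writable / unexpected launch locations (assumed list).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _name(path):
    """Lower-cased file name of an image path."""
    return ntpath.basename(path).lower()


def check_process_creation(event):
    """Return a list of finding strings for one process-creation event (empty if nothing matched)."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    child_name, parent_name = _name(image), _name(parent)
    findings = []

    # Rule 1: a document handler spawning a script/shell host, or any executable from a
    # user-writable location (macro or exploit indicator).
    if parent_name in DOCUMENT_HANDLERS and (
        child_name in SCRIPT_AND_SHELL_HOSTS or any(h in image for h in USER_WRITABLE_HINTS)
    ):
        findings.append(f"{parent_name} spawned {child_name}")

    # Rule 2: a core system binary whose image lives outside System32/SysWOW64.
    if child_name in CORE_SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        findings.append(f"{child_name} running from non-standard directory {ntpath.dirname(image)}")

    # Rule 3: explorer.exe (a user launch) starting an executable from a user-writable directory.
    if parent_name == "explorer.exe" and any(h in image for h in USER_WRITABLE_HINTS):
        findings.append(f"explorer.exe launched {child_name} from a user-writable directory")
    return findings


def scan_events(events):
    """Run every event through the rules; return (Image, findings) pairs for events with findings."""
    results = []
    for event in events:
        findings = check_process_creation(event)
        if findings:
            results.append((event["Image"], findings))
    return results


SAMPLE_EVENTS = [  # constructed sample events, not captured telemetry
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

if __name__ == "__main__":
    for image, findings in scan_events(SAMPLE_EVENTS):
        print(image)
        for finding in findings:
            print("  -", finding)
```

Note that the Outlook-to-Word event produces nothing: the rules key on what the child is and where it runs from, not merely on "an application spawned a process", which is what keeps a check like this usable at fleet scale.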

System Utilities

taskeng.exe
Description: Task Scheduler engine.
Suspicious Activity: Unexpected tasks may indicate persistence mechanisms.

schtasks.exe
Description: Command-line tool for creating scheduled tasks.
Suspicious Activity: Tasks running at odd times or with high privileges may signal persistence.

regsvr32.exe
Description: Registers and unregisters DLLs.
Suspicious Activity: Attackers may use it to bypass defenses and execute malicious DLLs.

msiexec.exe
Description: Windows Installer, used to handle .msi files.
Suspicious Activity: Unfamiliar installations could indicate unauthorized software or malware.

cmdkey.exe
Description: Manages stored credentials.
Suspicious Activity: Used by attackers to steal stored credentials.
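
The taskeng.exe and schtasks.exe entries above describe the persistence signals an analyst looks for: task creation at odd hours or with high privileges. As an added example (not code from the original deck), the block below parses the command line recorded for a schtasks.exe process creation and reports those signals, plus a task action that points into a user-writable directory. The "normal hours" window, the privileged-account list, the user-writable path fragments and the sample command lines are assumptions constructed for the example.

```python
"""Inspect schtasks.exe command lines for the persistence indicators the slides describe."""
# Added example, not part of the original deck. The command lines below are constructed, and
# the "normal hours" window (07:00-18:59) is an assumption to tune per environment.
import re

BUSINESS_HOURS = range(7, 19)  # assumed: task start times outside this window count as "odd"
HIGH_PRIVILEGE_ACCOUNTS = {"system", "nt authority\\system", "administrator"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments together."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Map schtasks switches (lower-cased, without the slash) to their values (True if bare)."""
    tokens = tokenize(cmdline)
    opts = {}
    i = 1  # token 0 is the schtasks.exe path itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            # A switch takes the next token as its value unless that token is another switch.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def analyze_schtasks(cmdline):
    """Return a list of findings for a schtasks command line; empty when nothing stands out."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return []  # queries, deletions and so on are not task creation
    findings = []
    run_as = str(opts.get("ru", "")).lower()
    if run_as in HIGH_PRIVILEGE_ACCOUNTS:
        findings.append(f"task runs as high-privilege account {run_as}")
    if str(opts.get("rl", "")).lower() == "highest":
        findings.append("task requests highest run level")
    start = opts.get("st")
    if isinstance(start, str) and ":" in start:
        hour = int(start.split(":")[0])
        if hour not in BUSINESS_HOURS:
            findings.append(f"task starts at odd hour {start}")
    action = str(opts.get("tr", "")).lower()
    if any(h in action for h in USER_WRITABLE_HINTS):
        findings.append("task action points into a user-writable directory")
    return findings


SAMPLE_COMMANDS = [  # constructed sample command lines
    r'schtasks.exe /create /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\upd.exe" /sc daily /st 03:15 /ru SYSTEM',
    r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 12:00',
    r'schtasks.exe /query /tn "Backup"',
    r'schtasks.exe /create /tn "Logon" /tr "C:\Windows\System32\cmd.exe /c whoami" /sc onlogon /rl HIGHEST',
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd)
        for finding in analyze_schtasks(cmd):
            print("  -", finding)
```

The same parsed switches feed naturally into the taskeng.exe signal as well: a task whose /tr action and /ru account were both unexpected at creation time is the one to look for when taskeng.exe later appears as the originating process.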

Web & Browser Processes

chrome.exe/firefox.exe/iexplore.exe/msedge.exe
Description: Web browsers.
Suspicious Activity: Launching unexpected processes may indicate a drive-by download or exploitation.

java.exe/javaw.exe
Description: Executes Java applications.
Suspicious Activity: Often targeted in attacks, especially if Java applications download executables.

python.exe
Description: Executes Python scripts.
Suspicious Activity: Unexpected Python scripts might signal custom malware or attacker-written scripts.

javaw.exe
Description: Executes Java applications without a console window.
Suspicious Activity: Silent execution may be used for stealthy malicious code.

Remote Access Tools

mstsc.exe
Description: Microsoft Remote Desktop Client.
Suspicious Activity: Frequent or unexpected use may indicate lateral movement.

anydesk.exe/teamviewer.exe
Description: Third-party remote desktop tools.
Suspicious Activity: Installation without authorization suggests unauthorized remote access.

psexec.exe
Description: Sysinternals tool for executing processes on remote systems.
Suspicious Activity: Often used by attackers for lateral movement.

putty.exe
Description: SSH client for remote access.
Suspicious Activity: Unexpected use may indicate unauthorized remote management.

Miscellaneous Tools

conhost.exe
Description: Console Window Host, used by command-line applications.
Suspicious Activity: Unusual instances may indicate attempts to hide command execution.

dpinst.exe
Description: Driver installer.
Suspicious Activity: Loading malicious drivers is a tactic for gaining kernel access.

dism.exe
Description: Deployment Image Servicing and Management tool, often used for image maintenance.
Suspicious Activity: Unauthorized use might suggest persistence or tampering attempts.

wininit.exe
Description: Initializes core system services.
Suspicious Activity: Rarely, malware tries to masquerade as or hijack this process.

fontdrvhost.exe
Description: Manages font rendering for applications.
Suspicious Activity: Malicious actors occasionally target font rendering as an exploit vector.