Malware Investigation of Running Processes and AutoRun Modifications

When I look at the Running Processes for an Asset I can see the File Path associated with the Process. This can be very important information when trying to determine if a process is legitimate or malicious. For example, if a process is running out of “C:\Program Files” it is very likely to be legitimate, but if it is running from a randomly named folder in the user’s App Data folder structure like “C:\Users\<username>\AppData\Roaming\xyzabced” then it is probably malicious. Is there a way to look at the running processes for all the assets and do a search based on the file paths? Is the Running Process data saved over time so you can look back 30, 60, or 90 days? Can you build an alert for certain file extensions being run from certain folders, like a .exe, .dll, .js, or .jar running in AppData\Roaming or the root of a user’s home folder? I would also like to see an alert for persistence that would fire when there is a change to a user’s auto run locations, like the NTUSER.dat Software\Microsoft\Windows\CurrentVersion\Run key or C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Also the creation of a new Task on a system. These alerts would help detect a malware compromise.

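As an added illustration of the two detection rules the post asks for (this is example code written for this page, not from the original post or any product's search language), here is a Python sketch that flags process image paths by location and extension, and diffs two snapshots of autorun locations to surface new or changed entries. All paths, registry values and task names below are constructed sample data.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# File types the post wants alerted on when run from user-writable locations.
SUSPECT_EXT = {".exe", ".dll", ".js", ".jar"}

def suspicious_process_path(image_path: str) -> Optional[str]:
    """Return why a process image path matches the post's criteria, or None.
    Flags .exe/.dll/.js/.jar images run from anywhere under AppData\\Roaming
    or directly from the root of a user's profile; C:\\Program Files is ignored."""
    p = PureWindowsPath(image_path)
    if p.suffix.lower() not in SUSPECT_EXT:
        return None
    parts = [s.lower() for s in p.parts]      # ('c:\\', 'users', 'bob', ...)
    if len(parts) < 4 or parts[1] != "users":
        return None
    subdirs = parts[3:-1]                      # folders below the profile root
    if not subdirs:
        return "executable in root of user profile"
    if subdirs[:2] == ["appdata", "roaming"]:
        return "executable under AppData\\Roaming"
    return None

def persistence_changes(baseline: Dict[str, Dict[str, str]],
                        current: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Diff two snapshots of autorun locations (Run key values, Startup folder
    items, scheduled tasks). Each snapshot maps location -> {entry name: value}.
    Returns (location, entry, value) for every entry that is new or changed."""
    changes = []
    for location, entries in current.items():
        old = baseline.get(location, {})
        for name, value in entries.items():
            if old.get(name) != value:
                changes.append((location, name, value))
    return changes

# Constructed sample data (hypothetical, not real findings).
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
PROCESSES = [r"C:\Program Files\Vendor\app.exe",
             r"C:\Users\bob\AppData\Roaming\xyzabced\svc.exe",
             r"C:\Users\bob\update.js", r"C:\Users\bob\Documents\report.pdf"]
BASELINE = {RUN_KEY: {"OneDrive": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
            "Startup folder": {}, "Scheduled tasks": {"Backup": r"C:\Program Files\Vendor\backup.exe"}}
CURRENT = {RUN_KEY: {"OneDrive": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                     "Updater": r"C:\Users\bob\AppData\Roaming\xyzabced\svc.exe"},
           "Startup folder": {"update.lnk": r"C:\Users\bob\update.js"},
           "Scheduled tasks": {"Backup": r"C:\Program Files\Vendor\backup.exe",
                               "Sync": r"C:\Users\bob\update.js"}}

if __name__ == "__main__":
    for path in PROCESSES:
        print(path, "->", suspicious_process_path(path))
    for change in persistence_changes(BASELINE, CURRENT):
        print("persistence change:", change)
```

In a real deployment the process list and snapshots would come from the endpoint agent's inventory rather than literals, and the second snapshot would be taken on each collection interval.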