PowerShell Quick Guide: Process Investigation

Hey there, fellow threat hunters! 👋 Today we're diving into process investigation with PowerShell. Whether you're hunting malware or troubleshooting system issues, understanding processes is crucial. Let's dig in!

Basic Process Information

Let's start with the basics:

# Get all running processes
Get-Process | Select-Object Name, Id, Path, Company, CPU, StartTime | Sort-Object CPU -Descending

# Get specific process details
Get-Process notepad | Select-Object *

# Find processes by name (supports wildcards)
Get-Process *chrome* | Select-Object Name, Id, Path

Process Relationships

Understanding parent-child relationships is crucial for threat hunting:

# Get process with parent info (Windows 10+)
# The parent may already have exited, so suppress the lookup error rather than
# aborting the whole listing; CreationDate is a native property and needs no
# calculated column.
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId,
    CommandLine, CreationDate,
    @{Name='ParentProcess';
      Expression={(Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue).Name}} |
    Sort-Object CreationDate -Descending

# Find children of a specific process. Explorer can run more than one instance,
# so collect every Id and test membership with -in instead of -eq.
$parentIds = @((Get-Process explorer).Id)
Get-CimInstance Win32_Process |
    Where-Object { $_.ParentProcessId -in $parentIds } |
    Select-Object Name, ProcessId, CommandLine
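Listing parents is the first step; the thing a hunter actually wants is the pairs that should not exist, such as an Office document or script host spawning a shell. The following is an added example, not code from the original post: it snapshots Win32_Process once, builds a PID lookup, and reports children whose parent is on a watch list. The two name lists are assumptions chosen for illustration and should be tuned to your own baseline; Get-ParentChain is a helper written for this example.

```powershell
# Added example: flag parent/child pairs that are unusual on most workstations.
# Both lists are illustrative assumptions; adjust them to your environment.
$watchedParents = @('winword.exe','excel.exe','powerpnt.exe','outlook.exe',
                    'acrord32.exe','mshta.exe','wscript.exe','cscript.exe')
$shellChildren  = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                    'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe')

# Snapshot every process once and index by PID so parent lookups do not hit WMI per child.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    # Walk ParentProcessId upward and return "child <- parent <- grandparent ..." names.
    param([int]$ProcessId, [int]$MaxDepth = 5)
    $chain   = @()
    $current = $byPid[$ProcessId]
    while ($current -and $chain.Count -lt $MaxDepth) {
        $chain += $current.Name
        $parent = $byPid[[int]$current.ParentProcessId]
        # PIDs are reused: a "parent" that started after the child is a stale reference.
        if (-not $parent -or $parent.CreationDate -gt $current.CreationDate) { break }
        $current = $parent
    }
    return ($chain -join ' <- ')
}

$findings = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent) { continue }   # parent already exited; nothing to compare against
    # -contains is case-insensitive in PowerShell, so no need to normalise case.
    if ($shellChildren -contains $p.Name -and $watchedParents -contains $parent.Name) {
        [PSCustomObject]@{
            Child       = $p.Name
            ChildPid    = $p.ProcessId
            Parent      = $parent.Name
            ParentPid   = $parent.ProcessId
            Chain       = Get-ParentChain -ProcessId $p.ProcessId
            Started     = $p.CreationDate
            CommandLine = $p.CommandLine
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

The CreationDate check matters more than it looks: Windows recycles PIDs, so a long-lived ParentProcessId can point at an unrelated process that started later. Without the check the chain would occasionally report a parent that never existed in that role.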

Command Line Investigation

While these PowerShell commands are useful for basic investigation and learning, it's important to note that real-world threat hunting is much more complex. Professional security teams typically use dedicated tools and platforms like:

  • Security Information and Event Management (SIEM) systems
  • Endpoint Detection and Response (EDR) solutions
  • Advanced threat hunting platforms
  • Machine learning-based anomaly detection

This guide is meant to demonstrate basic concepts and help you understand what's happening under the hood. For production environments and serious security monitoring, always invest in proper security tools and professional training.

Command lines can reveal suspicious behavior:

# Get processes with command line info
Get-CimInstance Win32_Process | 
    Select-Object ProcessId, Name, CommandLine, CreationDate |
    Where-Object { $_.CommandLine -ne $null } |
    Sort-Object CreationDate -Descending

# Look for suspicious PowerShell commands
Get-CimInstance Win32_Process | 
    Where-Object { $_.CommandLine -like '*powershell*' -and $_.CommandLine -like '*encoded*' } |
    Select-Object Name, ProcessId, CommandLine, CreationDate
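Spotting -EncodedCommand is only half the job; the analyst still needs to read what was encoded. The following is an added example, not code from the original post. It extracts the base64 argument from any running powershell.exe or pwsh.exe command line (PowerShell accepts -e, -ec, -enc and longer prefixes of -EncodedCommand) and decodes it as UTF-16LE, which is the encoding -EncodedCommand actually uses. ConvertFrom-EncodedCommandLine is a helper written for this example.

```powershell
# Added example: decode -EncodedCommand payloads of running PowerShell processes
# so the analyst can review the real script text instead of a base64 blob.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Match -e, -ec, -enc, -encodedcommand (any prefix PowerShell accepts) followed by
    # a base64 token of at least 16 characters, optionally wrapped in quotes.
    $m = [regex]::Match($CommandLine,
        '(?i)[-/]e(?:c|n[a-z]*)?\s+["'']?([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
        # -EncodedCommand payloads are UTF-16LE ("Unicode" in .NET), not UTF-8.
        return [Text.Encoding]::Unicode.GetString($bytes)
    } catch {
        # Truncated or tampered argument; still worth seeing rather than silently skipping.
        return "<invalid base64: $($_.Exception.Message)>"
    }
}

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^(powershell|pwsh)\.exe$' -and $_.CommandLine } |
    ForEach-Object {
        $decoded = ConvertFrom-EncodedCommandLine -CommandLine $_.CommandLine
        if ($decoded) {
            [PSCustomObject]@{
                ProcessId = $_.ProcessId
                # Parent may have exited already; suppress the lookup error.
                Parent    = (Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue).Name
                Started   = $_.CreationDate
                Decoded   = $decoded
            }
        }
    } | Format-List
```

Decoded text is often a second stage that downloads or decompresses more code; treat the output as evidence to read, not as something to paste back into a console.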

Memory Analysis

Check memory usage patterns:

# Get top memory consumers
Get-Process | Sort-Object WorkingSet64 -Descending | 
    Select-Object -First 10 Name, Id, @{
        Name='MemoryUsage(MB)';
        Expression={[math]::Round($_.WorkingSet64/1MB, 2)}
    }

# Find memory leaks (basic): sample three times, 30 seconds apart, and report
# processes whose working set spread exceeds 10 MB. Group by Id rather than Name,
# otherwise several instances of the same program (browsers, svchost) are lumped
# together and never reach exactly three samples.
$samples = 1..3 | ForEach-Object {
    Get-Process | Select-Object Name, Id, WorkingSet64
    Start-Sleep -Seconds 30
}
$samples | Group-Object Id |
    Where-Object { $_.Count -eq 3 } |
    ForEach-Object {
        $growth = ($_.Group.WorkingSet64 | Measure-Object -Minimum -Maximum)
        [PSCustomObject]@{
            Name   = $_.Group[0].Name
            Id     = $_.Name
            Growth = [math]::Round(($growth.Maximum - $growth.Minimum)/1MB, 2)
        }
    } |
    Where-Object Growth -gt 10 |
    Sort-Object Growth -Descending

Startup Location Tracking

Find where processes are launching from:

# Get process paths and signatures
Get-Process | Where-Object Path | Select-Object Name, Path,
    @{Name='Signature';Expression={
        Get-AuthenticodeSignature $_.Path | 
        Select-Object -ExpandProperty Status
    }}

# Check startup locations
Get-CimInstance Win32_StartupCommand | 
    Select-Object Name, Command, Location, User

Network Connections

See what processes are communicating:

# Get processes with network connections. The owning process can exit between
# the connection query and the name lookup, so suppress that error.
Get-NetTCPConnection |
    Where-Object State -eq 'Established' |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{Name='ProcessName';Expression={
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
        }}

# Look for listening ports
Get-NetTCPConnection |
    Where-Object State -eq 'Listen' |
    Select-Object LocalAddress, LocalPort,
        @{Name='ProcessName';Expression={
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
        }}
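A process name next to a remote address rarely answers the question on its own; what the hunter wants is the owning binary's path, whether it is signed, and whether the peer is inside or outside the network. The following is an added example, not code from the original post. It enriches each established connection with that context, caches the per-process lookup so signature checks run once per PID rather than once per socket, and keeps only external peers owned by unsigned binaries or binaries in user-writable directories. Test-PrivateIPv4 and Get-OwnerInfo are helpers written for this example, and the private-range regex only covers IPv4 (IPv6 peers are treated as external).

```powershell
# Added example: enrich established TCP connections with owner path and signature,
# then surface the combinations that deserve a closer look.
function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus loopback and link-local. IPv6 is not classified here.
    return [bool]($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)')
}

# One lookup per PID; the hashtable is mutated in place so the function sees it.
$ownerCache = @{}
function Get-OwnerInfo {
    param([int]$ProcessId)
    if (-not $ownerCache.ContainsKey($ProcessId)) {
        $p      = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
        $name   = '<exited>'
        $path   = $null
        $status = 'Unknown'
        if ($p) {
            $name = $p.Name
            $path = $p.Path          # null for protected/system processes we cannot open
            if ($path) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                if ($sig) { $status = $sig.Status.ToString() }
            }
        }
        $ownerCache[$ProcessId] = [PSCustomObject]@{ Name = $name; Path = $path; Signature = $status }
    }
    return $ownerCache[$ProcessId]
}

$userWritable = @("$env:TEMP\*", "$env:APPDATA\*", "$env:LOCALAPPDATA\*")

Get-NetTCPConnection -State Established |
    ForEach-Object {
        $owner   = Get-OwnerInfo -ProcessId $_.OwningProcess
        $inTemp  = $false
        foreach ($pattern in $userWritable) {
            if ($owner.Path -and $owner.Path -like $pattern) { $inTemp = $true }
        }
        [PSCustomObject]@{
            Process      = $owner.Name
            OwnerPid     = $_.OwningProcess
            Remote       = "$($_.RemoteAddress):$($_.RemotePort)"
            External     = -not (Test-PrivateIPv4 $_.RemoteAddress)
            Signature    = $owner.Signature
            UserWritable = $inTemp
            Path         = $owner.Path
        }
    } |
    Where-Object { $_.External -and ($_.Signature -ne 'Valid' -or $_.UserWritable) } |
    Sort-Object Process | Format-Table -AutoSize
```

Expect noise from updaters and portable apps that legitimately live under AppData; the point of the filter is to shrink the list to a size a person can read, not to produce a verdict.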

Pro Tips

  • Watch for encoded commands: Base64 encoded PowerShell commands might be suspicious
  • Check digital signatures: Unsigned executables in unusual locations warrant investigation
  • Monitor parent-child: Unusual parent processes might indicate process injection
  • Track remote connections: Processes with unexpected network connections need attention

Common Investigation Scenarios

Here's a quick script for basic malware hunting:

# Quick malware hunt
# Collect TCP connections once and index them by owning process, instead of
# re-querying the whole connection table for every process. -AsString keeps the
# keys as strings so the lookup below does not fail on a UInt32/Int32 mismatch.
$connectionsByPid = Get-NetTCPConnection | Group-Object OwningProcess -AsHashTable -AsString

$suspiciousProcesses = Get-Process | Where-Object {
    $_.Path -and (
        # Unusual locations
        $_.Path -like "$env:TEMP\*" -or
        $_.Path -like "$env:APPDATA\*" -or
        # No signature
        (Get-AuthenticodeSignature $_.Path).Status -eq 'NotSigned' -or
        # Heavy CPU use with network activity. Note that the CPU property is total
        # processor seconds consumed, not a percentage, so long-running processes
        # will trip this threshold simply by being old.
        ($_.CPU -gt 70 -and $connectionsByPid.ContainsKey("$($_.Id)"))
    )
} | Select-Object Name, Id, Path, CPU,
    @{Name='Connections';Expression={
        @($connectionsByPid["$($_.Id)"]).Count
    }}
$suspiciousProcesses | Format-Table -AutoSize

Wrapping Up

Remember to baseline your normal system behavior to better identify anomalies.
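Baselining is easier to recommend than to do, so here is one concrete way to do it. The following is an added example, not code from the original post: it records every running process's path, signature status and signer to a JSON file on a known-good system, and later compares a fresh snapshot against that file, reporting paths that were never seen before and paths whose signature state has changed. The file location and the three function names are assumptions made for this example.

```powershell
# Added example: save a process baseline to JSON and diff later snapshots against it.
function Get-ProcessSnapshot {
    # One record per distinct executable path with its Authenticode status and signer.
    Get-Process | Where-Object Path | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        $status = 'Unknown'
        $signer = ''
        if ($sig) {
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [PSCustomObject]@{ Name = $_.Name; Path = $_.Path; Signature = $status; Signer = $signer }
    } | Sort-Object Path -Unique
}

function Save-ProcessBaseline {
    # Path is an assumed default; pick a location only administrators can write to.
    param([string]$Path = "$env:ProgramData\baseline-processes.json")
    Get-ProcessSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-ProcessBaseline {
    param([string]$Path = "$env:ProgramData\baseline-processes.json")
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $known = @{}
    foreach ($b in $baseline) { $known[$b.Path.ToLower()] = $b }

    foreach ($p in Get-ProcessSnapshot) {
        $key = $p.Path.ToLower()
        if (-not $known.ContainsKey($key)) {
            [PSCustomObject]@{ Change = 'NewPath'; Name = $p.Name; Path = $p.Path
                               Signature = $p.Signature; Detail = '' }
        } elseif ($known[$key].Signature -ne $p.Signature -or $known[$key].Signer -ne $p.Signer) {
            # Same path, different signature state: the binary was replaced, updated or tampered with.
            [PSCustomObject]@{ Change = 'SignatureChanged'; Name = $p.Name; Path = $p.Path
                               Signature = $p.Signature
                               Detail = "was $($known[$key].Signature) / $($known[$key].Signer)" }
        }
    }
}

# Usage: Save-ProcessBaseline on a clean system; later, Compare-ProcessBaseline | Format-Table -AutoSize
```

A SignatureChanged hit is usually a software update, so the useful signal is a path whose signer changed to a different organisation or whose status went from Valid to NotSigned. Refresh the baseline after patch cycles so that ordinary updates do not keep showing up.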

[Screenshot: PowerShell output showing obvious false-positive "suspicious" processes]

Stay safe, and happy hunting! 🕵️‍♂️

P.S. For more details, check out the official documentation:

  • Get-Process Documentation
  • Get-CimInstance Documentation
  • Get-NetTCPConnection Documentation
