3. Sysmon
-Sysinternals tool (released 8/14, current v3.1)
-Installed as a Windows service (kernel driver + user-mode service), logs:
-Process creation with full command line
-Parent process with full command line
-Hash of process image file (MD5, SHA1, SHA256 + more)
-Network connections, tied to the process that made them
-Loaded drivers & DLLs (signatures & hashes)
-File creation time changes (timestomping)
+More!
9. Detection: Process Abnormalities
-Know normal to find evil: what a legitimate svchost.exe looks like

  Image location        svchost.exe   %SystemRoot%\System32 (32-bit copy in %SystemRoot%\SysWOW64 on 64-bit Windows)
  Run as                svchost.exe   Local System, Network Service, Local Service
  Parent process        svchost.exe   services.exe
  How many instances?   svchost.exe   5+
  Other                 svchost.exe   always started as svchost.exe -k "<service group>" (e.g. -k netsvcs)

-Anything that breaks this profile is suspect: an svchost.exe running from another directory, under a user account, without a -k argument, or whose parent is anything other than services.exe.
-Caveat: "5+" is the count for Windows 7/8-era systems; Windows 10 1703 and later split shared service groups into separate processes on machines with more than ~3.5 GB of RAM, so dozens of instances are normal there.
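The svchost.exe profile above can be turned directly into detection logic over Sysmon Event ID 1 (ProcessCreate) records. The following is an added example written for this page, not code from the Sysmon project or the original slides. It assumes events have already been parsed into dictionaries keyed by Sysmon's ProcessCreate field names (Image, CommandLine, ParentImage, User, ProcessId); the sample events are constructed for the example, and hash comparison against a known-good baseline is left out because it needs a baseline the page does not provide.

```python
"""Flag svchost.exe ProcessCreate events that break the 'known normal' profile.

Added example: record fields mimic Sysmon Event ID 1 (ProcessCreate).
The events in SAMPLE_EVENTS are constructed for this example, not real logs.
"""
import re
from pathlib import PureWindowsPath

# Expected properties of a legitimate svchost.exe instance (from the profile).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_USERS = {
    r"nt authority\system",            # Local System
    r"nt authority\network service",   # Network Service
    r"nt authority\local service",     # Local Service
}
EXPECTED_PARENT = r"c:\windows\system32\services.exe"
# Legitimate svchost.exe is always started with "-k <service group>".
K_PARAM = re.compile(r"(^|\s)-k\s+\S+", re.IGNORECASE)
MIN_EXPECTED_INSTANCES = 5  # Windows 7/8-era count; far higher on Win10 1703+


def is_svchost(event):
    """True if the created process image is named svchost.exe (any directory)."""
    return PureWindowsPath(event["Image"]).name.lower() == "svchost.exe"


def check_svchost(event):
    """Return a list of abnormality descriptions for one svchost.exe event.

    An empty list means the event matches the known-normal profile.
    """
    findings = []
    image = PureWindowsPath(event["Image"])
    if str(image.parent).lower() not in EXPECTED_DIRS:
        findings.append(f"unexpected image location: {image.parent}")
    user = event.get("User", "<missing>")
    if user.lower() not in EXPECTED_USERS:
        findings.append(f"unexpected account: {user}")
    parent = event.get("ParentImage", "<missing>")
    if parent.lower() != EXPECTED_PARENT:
        findings.append(f"unexpected parent: {parent}")
    cmdline = event.get("CommandLine", "")
    if not K_PARAM.search(cmdline):
        findings.append(f"missing -k <service group>: {cmdline!r}")
    return findings


def scan(events):
    """Check every svchost.exe event; return ({ProcessId: findings}, instance count)."""
    results = {}
    count = 0
    for ev in events:
        if not is_svchost(ev):
            continue
        count += 1
        findings = check_svchost(ev)
        if findings:
            results[ev["ProcessId"]] = findings
    return results, count


# Constructed sample events (not real Sysmon output).
SAMPLE_EVENTS = [
    {"ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                       # normal
    {"ProcessId": 1200, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r"C:\Windows\SysWOW64\svchost.exe -k WerSvcGroup",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\LOCAL SERVICE"},                # normal 32-bit copy
    {"ProcessId": 3120, "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": "svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe"},                                 # wrong on every count
    {"ProcessId": 4404, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                       # right binary, wrong parent / no -k
    {"ProcessId": 520, "Image": r"C:\Windows\System32\lsass.exe",
     "CommandLine": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                       # not svchost, ignored
]

if __name__ == "__main__":
    abnormal, instances = scan(SAMPLE_EVENTS)
    for pid, findings in abnormal.items():
        print(f"PID {pid}:")
        for f in findings:
            print(f"  - {f}")
    if instances < MIN_EXPECTED_INSTANCES:
        print(f"only {instances} svchost.exe instances seen (expected {MIN_EXPECTED_INSTANCES}+)")
```

The checks are case-insensitive because Sysmon records paths as the creator supplied them (System32 vs system32 both occur). The instance count is reported separately rather than as a per-event finding, since a low count over a short log window is a baseline question, not evidence by itself.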