Suspicious Process Execution Investigation

When You See This

1. 1

   XDR alert for unusual parent-child process relationships (e.g., Word spawning PowerShell)

2. 2

   Encoded PowerShell command execution (Base64 encoded, -EncodedCommand flag)

3. 3

   Process execution from temporary directories, user profile folders, or recycle bin

4. 4

   LOLBAS/LOLBin abuse: legitimate tools used in unusual ways (certutil downloading files, mshta running scripts)

Investigation Steps

1. 1

   Analyze the full process tree

   Examine the complete process ancestry: grandparent → parent → suspicious process → child processes. The parent process is critical context. Word spawning PowerShell is highly suspicious. Explorer spawning PowerShell is less concerning. Document the entire chain.

   XDR

   Splunk SPLMicrosoft KQLElastic Lucene

   index=endpoint dest_host="affected_host" process_id="suspicious_pid" | table _time, parent_process_name, parent_process_id, process_name, process_id, command_line, user

2. 2

   Check binary reputation and hash

   Look up the process hash (SHA256) against threat intelligence. Check if the binary is signed, and if so, by whom. Verify the binary location matches where it should be installed. Legitimate system tools in unusual locations are a red flag.

   XDR

   Splunk SPLMicrosoft KQLElastic Lucene

   index=endpoint process_hash="suspicious_hash" | stats count by dest_host, process_path, is_signed, signer

   Decision Point

   If: Hash matches known malware in threat intelligence

   Yes → Confirmed malicious. Isolate the endpoint immediately and escalate. Search all endpoints for the same hash.

   No → Not in threat intel; does not mean it is safe. Continue analyzing the command line and behavior.

3. 3

   Decode and analyze command-line arguments

   If the command line is encoded (Base64 PowerShell, obfuscated batch scripts), decode it to understand the actual intent. Look for download cradles, reverse shells, credential access tools, or reconnaissance commands.

   XDRSIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=endpoint process_name="powershell.exe" command_line="*-enc*" OR command_line="*-EncodedCommand*" | table _time, dest_host, user, command_line

4. 4

   Determine context: what happened before and after

   Look at what triggered the process (email delivery? web download? scheduled task?) and what it did next (network connections? file creation? registry modifications?). This context determines whether this is isolated or part of an attack chain.

   XDRSIEM
5. 5

   Triage and respond

   Based on your analysis, classify as true positive (malicious), false positive (legitimate), or suspicious (needs further investigation). For true positives, isolate the endpoint, block the hash environment-wide, and escalate. For false positives, tune the detection rule to reduce noise.

   XDR

Common Mistakes

1. 1

   Looking at the process in isolation without examining the parent process and full tree

2. 2

   Assuming a signed binary is safe; attackers abuse legitimate signed tools (living-off-the-land)

3. 3

   Not decoding obfuscated command lines, missing the actual malicious intent

4. 4

   Closing an alert as false positive without checking if the same process ran on other endpoints

Escalation Criteria

• Process hash matches known malware in threat intelligence

• Decoded command line reveals credential harvesting, reverse shell, or data exfiltration

• Process is part of a chain that includes lateral movement or privilege escalation

Frequently Asked Questions

What are the most common false positives for process execution alerts?

Software updates that spawn PowerShell or command prompt, IT admin tools running scheduled maintenance scripts, and developer tools that create unusual process trees. Document known-good patterns and work with your detection engineering team to tune rules.

What is living-off-the-land (LOTL)?

Living-off-the-land is when attackers use legitimate system tools (PowerShell, certutil, mshta, wmic) for malicious purposes instead of dropping custom malware. It is harder to detect because the tools themselves are trusted; you must analyze HOW they are being used.

How do I practice process execution investigations?

SOCSimulator XDR training console generates realistic process execution alerts with full process trees. Practice analyzing parent-child relationships and decoding obfuscated commands. Start free forever.