RA1412: Prepare Process Activity Profiles
Summary
| ID | RA1412 |
|---|---|
| Brief Description | Prepare process activity profiles |
| Author | @SEC |
| Creation Date | 2023/05/20 |
| References | |
| Response Stage | Preparation |
Description
Knowing which processes and services normally run on a host is one of the most useful preparations for triage: an analyst who does not know the clean state cannot tell an implant from a legitimate agent. Involve a Windows expert (or the expert for the relevant platform) where applicable, and build a map of all services and running processes for each machine role. For every process, record at least the executable path, the expected parent process, the account it runs under and, where possible, the code-signing status or hash of the binary.
A large corporate environment where all user machines are installed from the same master image is an advantage here: one profile per image covers the whole fleet. Where users are not allowed to install software, treat any process, service or application that is not in the profile as suspicious until it is explained. Keep the profile current, since every master image update, agent rollout or patch changes the baseline, and a stale profile produces false positives that analysts soon learn to ignore.
The better you know a machine in its clean state, the better your chances of detecting malicious activity on it. A process list alone does not catch code injected into a legitimate process or a binary replaced in place, so pair the process map with file hashes or signature checks for the expected executables.
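The following Python script is an added example, not part of this page or of the atc-project tooling. It builds a process activity profile from a (constructed) snapshot of a clean master image, stores it as JSON so it can be versioned alongside the image, and then diffs a (constructed) snapshot from a suspect machine against it. The profile keys on executable name plus path, and keeps the parent processes and accounts seen for each, so that a known name in an unexpected path, an unknown binary, and a known binary with an unexpected parent are all reported separately. Process and path names in the sample data are invented for illustration.

```python
import json

# Constructed sample snapshot of a clean master image (not real data).
# In practice, collect it from several freshly built machines, e.g. with
# Get-CimInstance Win32_Process on Windows, or from an EDR export.
CLEAN_SNAPSHOT = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "parent": "userinit.exe", "user": r"CORP\jdoe"},
    {"name": "outlook.exe", "path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent": "explorer.exe", "user": r"CORP\jdoe"},
    {"name": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe",
     "parent": "explorer.exe", "user": r"CORP\jdoe"},
    {"name": "agent.exe", "path": r"C:\Program Files\EDR\agent.exe",
     "parent": "services.exe", "user": r"NT AUTHORITY\SYSTEM"},
]

# Constructed snapshot taken during an investigation on a machine built
# from the same image (hypothetical process names and paths).
SUSPECT_SNAPSHOT = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"name": "svchost.exe", "path": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "parent": "explorer.exe", "user": r"CORP\jdoe"},
    {"name": "winupd.exe", "path": r"C:\ProgramData\winupd.exe",
     "parent": "svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"name": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe",
     "parent": "outlook.exe", "user": r"CORP\jdoe"},
]


def process_key(rec):
    """Profile key: executable name plus full path, case-folded.

    Name alone is not enough: a known name in an unexpected path is a
    classic masquerade and must stand out from a genuinely unknown binary.
    """
    return (rec["name"].lower(), rec["path"].lower())


def build_profile(snapshot):
    """Aggregate a clean snapshot into a profile: for each (name, path),
    the set of parent processes and accounts observed."""
    profile = {}
    for rec in snapshot:
        entry = profile.setdefault(process_key(rec), {"parents": set(), "users": set()})
        entry["parents"].add(rec["parent"].lower())
        entry["users"].add(rec["user"].lower())
    return profile


def profile_to_json(profile):
    """Serialise the profile so it can be versioned with the master image."""
    rows = [{"name": name, "path": path,
             "parents": sorted(e["parents"]), "users": sorted(e["users"])}
            for (name, path), e in sorted(profile.items())]
    return json.dumps(rows, indent=2)


def profile_from_json(text):
    """Inverse of profile_to_json."""
    return {(r["name"], r["path"]): {"parents": set(r["parents"]), "users": set(r["users"])}
            for r in json.loads(text)}


def compare(profile, snapshot):
    """Return (finding_type, record) pairs for every deviation from the profile."""
    known_names = {name for name, _ in profile}
    findings = []
    for rec in snapshot:
        key = process_key(rec)
        if key not in profile:
            kind = "KNOWN_NAME_UNEXPECTED_PATH" if key[0] in known_names else "UNKNOWN_PROCESS"
            findings.append((kind, rec))
            continue
        entry = profile[key]
        if rec["parent"].lower() not in entry["parents"]:
            findings.append(("UNEXPECTED_PARENT", rec))
        if rec["user"].lower() not in entry["users"]:
            findings.append(("UNEXPECTED_USER", rec))
    return findings


def triage_example():
    """Build the profile from the clean image, round-trip it through JSON
    as it would be stored, then diff the suspect snapshot against it."""
    profile = profile_from_json(profile_to_json(build_profile(CLEAN_SNAPSHOT)))
    return compare(profile, SUSPECT_SNAPSHOT)


if __name__ == "__main__":
    for kind, rec in triage_example():
        print(f"{kind:28} {rec['path']} (parent={rec['parent']}, user={rec['user']})")
```

Run as a script, the example reports the svchost.exe copy in the user's Temp directory as a known name in an unexpected path, winupd.exe as an unknown process, and cmd.exe as having an unexpected parent (Outlook instead of Explorer); the legitimate svchost.exe produces no finding. A real profile should be built from several snapshots over time so that short-lived but legitimate processes are captured, and it should store a hash or signer for each path so that a replaced binary is caught even when name, path, parent and account all match.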