RA2401: List Processes Executed
Summary
| ID | RA2401 |
|---|---|
| Brief Description | List processes being executed at the moment or at a particular time in the past |
| Author | Alex@Cyberok |
| Creation Date | 2023/03/22 |
| References | |
| Response Stage | Identification |
Description
Processes start every time you launch an application or run a command. While each command creates one process, applications create and run multiple processes for different tasks. By default, each new process starts as a foreground process. This means it must finish before a new process can begin. Running processes in the background allows you to perform other tasks at the same time.
This can be done with different ways : built in tools, administrative tools, automated tools (siem, log management) and etc...
Windows
Use the built in Windows tasklist command from a command prompt to display all processes, their PIDs, and a variety of other details.
C:\>tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 K
System 4 Services 0 7,428 K
Secure System 104 Services 0 40,344 K
Registry 164 Services 0 146,596 K
smss.exe 592 Services 0 1,176 K
csrss.exe 896 Services 0 6,224 K
wininit.exe 980 Services 0 6,572 K
...
Linux
To list currently running processes, use the ps, top, htop, and atop Linux commands. You can also combine the ps command with the pgrep command to identify individual processes.
Automation
Having centralized log collection "to list processes" is a common task, you have an ability to search, filter, compare any content to find interested artifacts.