Memory Examination – Live

Memory Examination – Live

Information about running processes can be obtained using Windows built-in tools or third party tools. Examples of built in tools include Task Manager a GUI based program or PowerShell a command line (console) tool. An image of Task Manager is detailed below:

It can be seen that many processes are currently running including 3 instances of cmd.exe. Additional columns can be selected to enhance the information about running processes. Although such columns can be selected, much more granular information is available via PowerShell and third party tools.

A total of 45 metadata fields (columns) are available for selection in Task Manager

Using PowerShell Get-Process commandlet will obtain more yet metadata fields. Type Get-Process cmd* | Format-List * to display a total of 68 metadata fields per cmd.exe process.

We can also select specific information to be displayed per process. Typing: Get-Process cmd* | Format-List name, path, starttime,mainwindowtitle,parent,id will display the following information:

Note the filtered metadata fields. It can be seen that each process now has an executed date and time and a parent process. This above display again indicates that 3 cmd.exe processes are running. However, only 2 Command Prompts are running, one running as a normal user and the other running with Administrator privileges. The other cmd.exe is being executed via PowerShell.

Using third party GUI based tools may be the preferred option for some users. Below is an example of the same processes using the Sysinternals Process Explorer program:

The graphical view clearly indicates the parent processes of the 3 cmd.exe processes and the image path from which they were executed.

Remember during a malware investigation that any process being executed from a user area should be deemed suspicious until it’s provenance can be proved. Any process with a non-standard parent process is also worthy of scrutiny to ensure that malware is not responsible.

Note only running processes will be identified using the above methods. Terminated processes (that could still exist in memory) may only be identified via static analysis of a memory (RAM) dump.

Additional information…

Running processes can also be obtained via a Get-CimInstance commandlet in Powershell, via WMIC or indeed via a Command Prompt.

Some other console commands are also understood by PowerShell. Copy and paste each of the following different commands into your Windows PowerShell console to obtain a generic list of running processes:

Get-Process

Get-CimInstance Win32_Process

Get-WmiObject Win32_Process (Depreciated in PowerShell 6 onwards)

WMIC Process list brief

Tasklist

Depending on the organisation, creation of a known good configuration of running processes should be considered. This can then be used in the event a malware investigation is required and will assist in the identification of erroneous process activity. Remember to keep any known good configuration up to date!