Process relationships

Normal patterns

These are the lineages that should not surprise you:

Expected: explorer.exe → winword.exe

User-launched document activity.

Expected: services.exe → svchost.exe

Normal Windows service initiation. Nearly every svchost.exe should have services.exe as its parent; one that does not deserves a second look (see process hollowing below).

Expected: taskeng.exe → <scheduled binary>

Scheduled task execution under Task Scheduler. taskeng.exe is the Windows 7 and 8 task host; on Windows 10 and later, scheduled tasks are normally spawned directly by the Task Scheduler service's own svchost.exe instance, so expect that parent instead.


What to flag

A direct spawn of msdt.exe by winword.exe strongly suggests exploitation of Follina (CVE-2022-30190), a vulnerability in the Microsoft Support Diagnostic Tool in which a malicious Office document invokes the ms-msdt: URL protocol handler and gets msdt.exe to run attacker-controlled code. Neither binary is malicious on its own; the parent/child pair is the signal, and the follow-up is the same as for every chain on this page: who spawned it, and with what command line.


Common malicious chains

Five chains an analyst should recognize on sight. Each one has a characteristic shape, a typical purpose, and a recognizable telltale that distinguishes it from look-alike legitimate activity.


Rogue script execution

powershell.exe → script.ps1 → %TEMP%

PowerShell fetches a script from a remote location and runs it from a user-writable directory such as %TEMP% or %PUBLIC%. Legitimate PowerShell rarely sources its code from those locations (installers and a few management agents are the exceptions to tune out), so the telltale is a chain whose script path ends in a user-writable directory, often paired with a hidden window, -NoProfile, or an encoded command line.

πŸ—οΈ

Registry manipulation for persistence

cmd.exe → wmic.exe → reg.exe (autorun)

Trusted binaries (cmd, wmic, reg) used in sequence to write or modify a registry value that survives reboot. The shape is normal; the destination key is what gives it away. Watch for writes to autostart locations: the Run and RunOnce keys under HKCU\Software\Microsoft\Windows\CurrentVersion and HKLM\Software\Microsoft\Windows\CurrentVersion, and service definitions under HKLM\SYSTEM\CurrentControlSet\Services. Note that wmic.exe is deprecated and no longer shipped as a default component of current Windows releases, so its appearance in a chain on an up-to-date host is itself worth a look.


Unauthorized service creation

sc.exe → sc create <svc> → auto-start

sc.exe create registers a new Windows service that starts automatically at boot (start= auto). Legitimate software installs services this way at install time; adversaries do it post-compromise to survive reboots. Watch for service creation outside an installer process or from an unusual user context, and corroborate with the System log's event 7045 (a service was installed), which records the service name, image path, start type and the account it runs as.


Process hollowing

svchost.exe → code swapped → signature still ✓

A legitimate process (svchost.exe is a favorite) is started suspended, its in-memory image is unmapped and replaced with attacker code, and its main thread is resumed. The on-disk image, and so its digital signature, are untouched: the process keeps its name and passes every signature check. In tree view the chain looks normal, with one exception worth remembering: a hollowed svchost.exe is usually spawned by the attacker's own process rather than by services.exe, so a parent mismatch is the one telltale the tree itself can show. Beyond that, memory and behavioral telemetry (a mapped image that no longer matches the file on disk, executable memory with no backing file) are how the substitution is caught; signature checks will not.


Token theft and impersonation

alice (user) → token stolen → runs as alice

A new process is launched under another user's security context using a stolen access token (a Windows kernel object that represents an authenticated logon session; a process runs with the rights of the user whose token it holds, so stealing one lets a process act as that user without ever needing their password). The activity looks like the impersonated user. Detection depends on cross-correlating the process owner against where and how the user was actually logged in: a process running as alice on a host where alice has no corresponding logon session (Security event 4624), or whose parent runs as a different account, is the anomaly.

Case study

Reconstructing a macro-borne intrusion

An EDR alert reports anomalous child processes spawned by Microsoft Word on a finance team workstation.

Process tree investigation reveals:

winword.exe (PID 3421)
  └─ cmd.exe (PID 3422)
       └─ powershell.exe (PID 3423)
            └─ outbound TLS connection to a recently registered domain

The chain alone is enough to recognize the pattern: macro execution from a document (the attacker running code through an interpreter the document launched), shell launch, scripted download cradle, command-and-control establishment. The exact domain or IP is not the point. The shape of the chain is.

What an analyst checks next
  • The originating email and attachment in the user’s mailbox.
  • Other recipients of the same email (lateral exposure).
  • The PowerShell command line (the argument string the process was launched with, often the load-bearing forensic field on an EDR alert because it reveals what the process was actually told to do) for download-cradle patterns and -EncodedCommand payloads, which must be base64-decoded before they can be read.
  • DNS queries from the host in the relevant window.
  • File system creates in %TEMP% and %APPDATA% correlated to the PowerShell PID.
  • Whether the user opened the document themselves or it executed on preview.
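The reconstruction and the lineage rules from the normal patterns, the chains above and this case study, as an added example in Python that is not part of the original page or of any EDR product. It builds a tree from constructed Sysmon Event ID 1 style process-creation records (every PID, path, user and command line is invented), renders the subtree under a PID in the shape shown above, and flags interpreters under an Office ancestor (direct child or deeper), svchost.exe instances not parented by services.exe, and sc create issued from inside a document-borne chain.

```python
"""Process-tree reconstruction and lineage checks (added example, not the
page's own tooling). EVENTS is constructed to mirror the fields of a Sysmon
Event ID 1 / EDR process-creation record; every PID, path, user and command
line in it is invented for illustration."""
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Shells and script hosts a document should never spawn, plus msdt.exe for
# the Follina (CVE-2022-30190) parent/child pair.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "msdt.exe"}

# Constructed telemetry. PIDs 3421-3423 reproduce the case-study chain,
# 3424 is a service created from inside it, and 5000 is an svchost.exe
# whose parent is not services.exe.
EVENTS = [
    {"pid": 4,    "ppid": 0,    "image": "System",                            "user": r"NT AUTHORITY\SYSTEM", "cmdline": ""},
    {"pid": 900,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe", "user": r"NT AUTHORITY\SYSTEM", "cmdline": "services.exe"},
    {"pid": 1200, "ppid": 900,  "image": r"C:\Windows\System32\svchost.exe",  "user": r"NT AUTHORITY\SYSTEM", "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 2100, "ppid": 1900, "image": r"C:\Windows\explorer.exe",          "user": r"CORP\alice", "cmdline": "explorer.exe"},
    {"pid": 3421, "ppid": 2100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "user": r"CORP\alice", "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"pid": 3422, "ppid": 3421, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"CORP\alice", "cmdline": r"cmd.exe /c powershell -nop -w hidden -f %TEMP%\s.ps1"},
    {"pid": 3423, "ppid": 3422, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"CORP\alice", "cmdline": r"powershell -nop -w hidden -f C:\Users\alice\AppData\Local\Temp\s.ps1"},
    {"pid": 3424, "ppid": 3423, "image": r"C:\Windows\System32\sc.exe",
     "user": r"CORP\alice", "cmdline": r"sc create UpdSvc binPath= C:\Users\Public\u.exe start= auto"},
    {"pid": 5000, "ppid": 3423, "image": r"C:\Windows\System32\svchost.exe",
     "user": r"CORP\alice", "cmdline": "svchost.exe"},
]


def image_name(path):
    """Lower-cased file name of an image path (WINWORD.EXE -> winword.exe)."""
    return ntpath.basename(path).lower()


def lineage(events, pid):
    """Image names from the oldest recorded ancestor down to pid. Stops at the
    first PID with no record. PID reuse is ignored here; real telemetry should
    key on a process GUID rather than the bare PID."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def render_tree(events, root_pid):
    """Indented rendering of the subtree under root_pid, in the shape the
    case study above uses."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e["pid"])
    lines = []

    def walk(pid, depth):
        prefix = "" if depth == 0 else "  " * depth + "└─ "
        lines.append(f"{prefix}{image_name(by_pid[pid]['image'])} (PID {pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


def flag_lineages(events):
    """Apply the parent/child and ancestry rules from this page to every
    record and return one finding per (pid, rule)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        chain = lineage(events, e["pid"])
        ancestors = set(chain[:-1])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else None
        # Any interpreter (direct child or deeper) under an Office app.
        if name in INTERPRETERS and ancestors & OFFICE:
            findings.append({"pid": e["pid"], "rule": "office-spawned-interpreter", "lineage": chain})
        # Expected: services.exe -> svchost.exe. Anything else is a masquerade
        # or hollowing candidate (tune out the few legitimate exceptions).
        if name == "svchost.exe" and parent_name != "services.exe":
            findings.append({"pid": e["pid"], "rule": "svchost-parent-mismatch", "lineage": chain})
        # Service creation from inside a document-borne chain, not an installer.
        if name == "sc.exe" and "create" in e["cmdline"].lower() and ancestors & OFFICE:
            findings.append({"pid": e["pid"], "rule": "service-created-from-office-chain", "lineage": chain})
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 3421)))
    for f in flag_lineages(EVENTS):
        print(f["pid"], f["rule"], " → ".join(f["lineage"]))
```

The ancestry rule is deliberately not limited to a direct child: the case-study PowerShell is two hops below winword.exe, and an attacker can insert as many cmd.exe or conhost.exe hops as they like without changing the verdict.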

Visualization tools

Process tree visualization makes anomalies obvious. Three categories of tooling matter:

Sysinternals Process Explorer

Detailed local tree analysis and thread inspection. Good for ad-hoc investigation on a single host.

System Informer (formerly Process Hacker)

Lightweight alternative for in-depth lineage mapping and thread inspection. Open source; the project was renamed System Informer in 2022 and continues active development.

EDR consoles

CrowdStrike Falcon, SentinelOne, Microsoft Defender XDR all provide real-time tree visualization with historical playback at scale.


Evasion to know about

Adversaries who understand process tree analysis design their tradecraft to look normal in the tree. The four techniques below are the most common evasions an analyst will encounter in real intrusions. Recognizing them by name accelerates the moment of “wait, that is not what it looks like.”


DLL search order hijacking

A DLL (Dynamic Link Library: a shared library that Windows loads into a process at runtime to provide functions the process uses; programs name the DLLs they need, and Windows finds them by searching a defined order of directories) is loaded by a legitimate binary from one of several search paths in a defined order. An adversary places a malicious DLL with the expected name in a directory that is searched before the one holding the real DLL, typically the application's own directory or a copy of the application in a writable location. The legitimate, signed binary loads the malicious DLL instead of the real one, executing attacker code under the trust of the original program.

The telltale: a process tree that looks normal at the binary level, but with a DLL loaded from an unusual location (a writable directory, the user profile, a removable drive), often bearing the same name as a DLL that lives in System32. EDRs and Sysmon (Event ID 7, image load) that record DLL loads can flag this. Tree views that only show processes cannot.
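A check over image-load telemetry that catches the telltale just described, as an added example in Python that is neither the page's nor any vendor's tooling. The records mirror a Sysmon Event ID 7 style load event; the PIDs, paths, vendor names and signature flags are constructed. The rule: a DLL loaded from outside the trusted system directories is reported, with extra weight when its file name collides with a System32 DLL or it sits in a user-writable location.

```python
"""Image-load check for DLL search-order hijacking (added example, not the
page's own tooling). LOADS is constructed to mirror a Sysmon Event ID 7
(ImageLoad) / EDR module-load record; every PID, path and signature status
in it is invented for illustration."""
import ntpath

# Directories a system-named DLL is expected to load from. Program Files is
# admin-writable, so a DLL planted there by an elevated attacker is not caught
# by this rule; that case needs the EDR's signature and hash checks.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\winsxs\\", "c:\\program files\\",
                "c:\\program files (x86)\\")
# System DLL names commonly shadowed by a planted copy (illustrative list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll",
                    "winmm.dll", "wininet.dll", "dwmapi.dll", "uxtheme.dll",
                    "profapi.dll", "propsys.dll", "msvcrt.dll"}
# Path fragments that mean an unprivileged user can write there.
WRITABLE_HINTS = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")

LOADS = [
    {"pid": 4100, "image": r"C:\Program Files\Vendor\app.exe", "loaded": r"C:\Windows\System32\VERSION.dll", "signed": True},
    {"pid": 4100, "image": r"C:\Program Files\Vendor\app.exe", "loaded": r"C:\Program Files\Vendor\vendorlib.dll", "signed": True},
    {"pid": 4200, "image": r"C:\Users\alice\AppData\Local\Temp\OneDriveUpdate.exe", "loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "signed": False},
    {"pid": 4300, "image": r"C:\Windows\System32\notepad.exe", "loaded": r"E:\tools\dbghelp.dll", "signed": False},
    {"pid": 4400, "image": r"C:\Program Files\Vendor\app.exe", "loaded": r"C:\ProgramData\Vendor\helper.dll", "signed": True},
]


def norm(path):
    """Lower-case, backslash-normalised path for prefix comparisons."""
    return path.replace("/", "\\").lower()


def is_trusted_dir(path):
    return any(norm(path).startswith(d) for d in TRUSTED_DIRS)


def is_user_writable(path):
    """Anything off the system drive (D:, E:, a network share) is treated as
    untrusted media, as is any user-profile, temp or ProgramData location.
    The system drive is assumed to be C: for this example."""
    p = norm(path)
    return (not p.startswith("c:\\")) or any(h in p for h in WRITABLE_HINTS)


def flag_image_loads(loads):
    """Return one finding per DLL load that came from outside the trusted
    directories, with the reasons that make it suspicious. Loads from the
    trusted directories are never reported, whatever their name."""
    findings = []
    for ev in loads:
        dll = ev["loaded"]
        if is_trusted_dir(dll):
            continue
        reasons = []
        if ntpath.basename(norm(dll)) in SYSTEM_DLL_NAMES:
            reasons.append("system-dll-shadowed")        # the search-order hijack itself
        if is_user_writable(dll):
            reasons.append("dll-from-writable-location")
        if not ev.get("signed", False):
            reasons.append("unsigned-dll")
        if reasons:
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "loaded": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_image_loads(LOADS):
        print(f["pid"], f["image"], "loaded", f["loaded"], ", ".join(f["reasons"]))
```

Run against the constructed records, PIDs 4200 and 4300 come back with all three reasons (a System32 name, a writable or removable location, no signature), while 4400 is reported only for its ProgramData location; the two loads from System32 and Program Files are silent even though one of them is the very version.dll that 4200 shadows.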


Fileless execution

Fileless attacks (an execution model that runs the malicious payload entirely from memory, without ever writing it to disk; common techniques include PowerShell loading code via reflection, WMI event subscriptions whose consumer runs a script or command when the event fires, and .NET assemblies loaded straight into memory) run their payload from memory, never landing on disk. Disk-based detections (file hashes, AV scans, file integrity monitoring) see nothing. The process tree shows only legitimate parents (often PowerShell, or WMI's WmiPrvSE.exe).

The telltale: a long-running PowerShell or WMI process whose command line decodes a base64 blob and executes it (-EncodedCommand, or FromBase64String fed to Invoke-Expression), or a WMI event subscription that fires at boot (Sysmon Event IDs 19, 20 and 21 record the filter, the consumer and the binding between them). Memory analysis and command-line decoding catch this; surface process inspection does not.


Alternate data streams (ADS)

NTFS supports multiple data streams per file. The default stream is what most tools and users see. An alternate data stream (a secondary data stream attached to an NTFS file; the primary stream is what you see in Explorer, while the alternate stream is invisible to most tools but can be opened and, historically, executed directly) can hide a payload inside a normal-looking file, and the malicious code can be invoked directly from the stream.

The telltale: a process whose image path contains a second colon after the drive letter (C:\Users\victim\readme.txt:hidden.exe). The format file:stream is the giveaway; dir /r in cmd.exe lists the streams Explorer hides. Most modern EDRs flag ADS execution, but the technique is still seen in older or under-instrumented environments.


LOLBin-only chains

The adversary uses only trusted system binaries (LOLBins, Living Off the Land Binaries: trusted, signed system binaries such as certutil, regsvr32, mshta, wmic and rundll32 that are used to perform malicious actions while looking like normal system activity) to download, decode, and execute attacker code. No tooling of the adversary's own is dropped; whatever does land on disk was fetched or decoded by a signed Microsoft binary (certutil -urlcache writes its download to the path it is given), and no signature on any of the binaries is wrong.

The telltale: common system binaries being invoked with command-line flags they almost never use in legitimate operations (certutil -urlcache -split -f, regsvr32 /s /u /n /i:http://…, mshta pointed at a remote URL). Command-line parsing is what catches this; the process names alone look harmless.

Next up

Network correlation

Tie host activity to outbound traffic. C2 detection through timing, TLS, DNS, and exfiltration indicators.
