5.8 Identify these elements used for server profiling
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
Server Profiling
When cybersecurity analysts profile a server, one key thing they look at is running processes. A process is essentially a program or application that is currently executing on the server. This includes everything from system services to applications installed by users.
1. What Are Running Processes?
- A running process is any active program that the server’s operating system is executing.
- Each process has a unique Process ID (PID), which the OS uses to manage it.
- Processes can be:
  - System processes – essential for the server to run (like the OS kernel, networking services, authentication services).
  - User processes – started by users or applications (like a database service, web server process, or backup program).
Why it matters: Understanding which processes are running helps you detect abnormal behavior or potential threats. Malicious software often shows up as unusual processes.
2. How Running Processes Are Used in Server Profiling
During server profiling, analysts collect information about running processes to:
- Identify baseline activity
  - Know which processes normally run on a server (like `httpd` for web servers or `sshd` for SSH access).
- Detect anomalies or suspicious activity
  - Unexpected processes could indicate malware, ransomware, or unauthorized software.
- Determine resource usage
  - Processes consume CPU, memory, and disk I/O. Profiling helps optimize performance and identify bottlenecks.
- Map service dependencies
  - Some processes support others. For example, a web application process may depend on a database process running.
3. Key Attributes of a Process
When profiling, you should gather these details about each process:
| Attribute | Description |
|---|---|
| Process ID (PID) | Unique identifier for each process. |
| Parent Process ID (PPID) | Shows which process started this process. |
| Process Name | Name of the application or service. |
| User/Owner | The account running the process. System vs. user account. |
| Memory Usage | Amount of RAM the process is using. |
| CPU Usage | How much processing power the process consumes. |
| Start Time | When the process started. Helps detect unusual processes that start at odd times. |
| Path/Location | Where the process executable resides. Malicious processes often run from unusual locations. |
4. Common Commands to View Running Processes
Depending on the server’s operating system, you can profile running processes using:
Linux/Unix Servers
- `ps aux` – Lists all running processes with details like PID, user, CPU, memory, etc.
- `top` or `htop` – Shows real-time CPU and memory usage for all processes.
- `pstree` – Displays processes in a tree format, showing parent-child relationships.
- `systemctl list-units` – Shows running services (daemons).
Windows Servers
- `tasklist` – Lists all running processes.
- `Get-Process` (PowerShell) – Detailed view of processes with resource usage.
- Task Manager – GUI tool showing processes, CPU, and memory usage.
- `Get-WmiObject Win32_Process` – Advanced query for process information.
5. Indicators of Compromise in Running Processes
While profiling, some running processes might signal security issues:
- Unknown process names – Names that don’t match standard system or application processes.
- Processes running from unusual locations – For example, a process running from `C:\Users\Public\` instead of `C:\Windows\System32\`.
- High resource usage by non-critical processes – Could indicate malware or a crypto-mining operation.
- Processes without an owner or started by unusual accounts – Legitimate processes usually run under system or known service accounts.
6. Tips for Profiling Running Processes
- Always maintain a baseline – Know what a normal server looks like.
- Automate monitoring using tools like:
  - Linux: `ps`, `top`, `htop`, `systemd-analyze`
  - Windows: PowerShell scripts, Task Manager, or Sysinternals tools like Process Explorer
- Investigate any process that doesn’t match your baseline or known server functions.
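To make the checks in sections 5 and 6 repeatable, here is an added Python example (not part of the course notes) that parses constructed `ps`-style output, compares each process against a small hand-written baseline of expected owners and executable directories, and reports unknown names, unexpected owners, unexpected paths and execution from writable temp directories; the sample rows, the baseline and the directory list are all assumptions.

```python
# Constructed `ps -eo pid,ppid,user,comm,args`-style output, NOT a real capture.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND  ARGS
    1     0 root     systemd  /sbin/init
  812     1 root     sshd     /usr/sbin/sshd -D
  933     1 www-data httpd    /usr/sbin/httpd -k start
 1470   933 www-data kworker  /tmp/.x/kworker
 1502     1 backup   sshd     /home/backup/sshd -D
"""

# Hypothetical baseline: process name -> (expected owner, expected executable directory).
BASELINE = {
    "systemd": ("root", "/sbin"),
    "sshd": ("root", "/usr/sbin"),
    "httpd": ("www-data", "/usr/sbin"),
}
# Directories any local user can write to; legitimate services rarely execute from here.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

def parse_ps(text):
    """Turn ps-style text into dicts holding the attributes from the table above."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 4)             # ARGS may itself contain spaces
        if len(parts) < 5:
            continue
        pid, ppid, user, comm, args = parts
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user,
                     "comm": comm, "path": args.split()[0]})
    return rows

def find_anomalies(rows, baseline=BASELINE):
    """Return (pid, name, reason) tuples for every process deviating from the baseline."""
    findings = []
    for p in rows:
        exe_dir = p["path"].rsplit("/", 1)[0] if "/" in p["path"] else ""
        if p["comm"] not in baseline:
            findings.append((p["pid"], p["comm"], "unknown process name"))
        else:
            owner, path = baseline[p["comm"]]
            if p["user"] != owner:
                findings.append((p["pid"], p["comm"], f"unexpected owner {p['user']}, expected {owner}"))
            if exe_dir != path:
                findings.append((p["pid"], p["comm"], f"unexpected path {exe_dir}, expected {path}"))
        if exe_dir.startswith(WRITABLE_DIRS):
            findings.append((p["pid"], p["comm"], "runs from a world-writable directory"))
    return findings

if __name__ == "__main__":  # print findings when run directly
    for pid, name, reason in find_anomalies(parse_ps(SAMPLE_PS)): print(pid, name, reason)
```

On the sample data only PIDs 1470 and 1502 are flagged; the three baseline processes produce no findings.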
✅ Key Takeaways for the Exam
- Processes are programs running on a server, each with a PID.
- Profiling running processes helps you identify normal activity and spot malicious or unusual behavior.
- Important attributes: PID, user, CPU/memory usage, path, start time.
- Use commands like `ps aux`, `top`, `tasklist`, or PowerShell `Get-Process` to analyze processes.
- Look for anomalies like unknown names, odd locations, unexpected resource usage, and suspicious owners.
