4.9 Interpret common artifact elements from an event to identify an alert
📘AWS Certified Solutions Architect – (SAA-C03)
1. What is a Process?
A process is essentially an instance of a running program. For example:
notepad.exeis a process for Notepad.powershell.exeis a process for PowerShell.
Each process has a process ID (PID), memory usage, CPU usage, and sometimes parent processes (the process that started it).
Understanding processes helps you see what is running, who started it, and whether it is behaving normally or suspiciously.
2. Types of Artifacts Related to Processes
When analyzing events, you may see artifacts related to files or registry keys. These help you determine if a process is malicious.
a) File-based Artifacts
File artifacts are files associated with processes. Things to check include:
- File name and path – e.g.,
C:\Windows\System32\cmd.exe.
Suspicious example: A process namedsvchost.exerunning fromC:\Users\Publicinstead ofC:\Windows\System32. - File hash – A unique digital fingerprint of the file.
- Hash types: MD5, SHA-1, SHA-256.
- You can check if the file is malicious using threat intelligence sources.
- File creation/modification times – Helps determine if a file appeared unexpectedly.
- File permissions – Suspicious if a low-privilege user created a file in a system folder.
- Execution history – Some processes leave logs showing when they were executed.
b) Registry-based Artifacts
The Windows registry stores configuration information for processes, startup programs, and system settings.
Key registry locations often checked for process artifacts:
- Run keys – Programs that start automatically with Windows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Example: If a malicious process adds a registry key here, it will run every time the user logs in.
- Services keys – Processes that run as services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- Example: Malware may install a rogue service to run in the background.
- File associations – Some malware modifies file-type associations to execute malicious code when a certain file type is opened.
3. How Processes Are Used in Incident Detection
Security tools like SIEMs or EDRs generate alerts based on process artifacts. Here’s how it works:
- Process Monitoring – Security tools check all running processes and compare them with known safe/unsafe lists.
- Behavior Analysis – They look for suspicious activity like:
- Processes creating files in system folders unexpectedly
- Processes connecting to unusual network addresses
- Processes injecting code into other processes
- Correlation with Other Artifacts – Alerts often include:
- Source/Destination IPs
- Ports
- Process name, path, and PID
- File hash or registry key changes
Example Alert Components for a Process:
| Artifact Type | Example Value |
|---|---|
| Process Name | powershell.exe |
| PID | 4508 |
| File Path | C:\Windows\Temp\script.ps1 |
| File Hash | SHA256: ABCD1234... |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware |
From this, an analyst can identify what process ran, where it came from, and whether it’s suspicious.
4. Practical IT Environment Notes
- Processes are normal in any system, but unusual paths, unexpected parent processes, or abnormal file creation often indicate malware.
- Automated attacks often use processes to:
- Download additional files
- Maintain persistence via registry keys
- Execute scripts without user interaction
- By checking process artifacts, you can quickly identify alerts and decide if further investigation or containment is needed.
5. Key Exam Takeaways
For the 200-201 CBROPS exam, remember:
- Definition: A process is a running program on a computer.
- Artifacts: Can be file-based or registry-based.
- File artifacts: Name, path, hash, creation/modification time, permissions.
- Registry artifacts: Run keys, services, startup locations.
- Analysis purpose: Detect suspicious activity, malware execution, and persistence mechanisms.
- Common alerts: Look for unusual paths, new registry keys, or unexpected parent-child relationships between processes.
✅ Tip for Students: Always connect the process artifacts with who ran it, where it came from, and what it did. That’s the core skill for this section of the exam.
