Process Tree
TL;DR
The interactive process tree `Get-ProcessTree.ps1` shows a hierarchical view of the processes that were running on the Windows system at the time of the memory snapshot. It ingests `proc.csv`, the enriched process list that MemProcFS-Analyzer creates from MemProcFS output. The tree form is much easier to reason about than a flat process table because it visualizes the parent/child relationships between all processes in your memory snapshot.
Fig 1: Process Tree uses Process IDs (PID) and Parent Process IDs (PPID) to create an interactive tree.
The root node of this tree is the System process with PID 4.
Tip: You can expand and collapse all tree view nodes by pressing the +/- buttons in the top left corner.
Sometimes a process's parent no longer exists in the memory snapshot (it exited before the snapshot was taken, or was not captured). Process entries whose Parent Process ID does not match any existing PID are listed under the `Orphan Processes` node.
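The following is an added example of the PID/PPID tree logic described above. It is not code from `Get-ProcessTree.ps1`; the CSV is constructed for the example and its column names (`PID`, `PPID`, `ProcessName`, `CommandLine`) are assumptions rather than the real `proc.csv` schema. It builds the tree under PID 4 and collects everything whose PPID resolves to no PID under an orphan list.

```powershell
# Added example, not code from Get-ProcessTree.ps1 or MemProcFS-Analyzer.
# The CSV below is constructed; column names are assumptions, not the proc.csv schema.
$csv = @'
PID,PPID,ProcessName,CommandLine
4,0,System,
428,4,smss.exe,\SystemRoot\System32\smss.exe
620,500,wininit.exe,wininit.exe
700,620,services.exe,C:\Windows\system32\services.exe
912,700,svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs
3100,2980,explorer.exe,C:\Windows\explorer.exe
4420,3100,powershell.exe,powershell.exe -nop -w hidden
'@
$rows = $csv | ConvertFrom-Csv

# Index processes by PID for O(1) parent lookups, and group children by PPID.
$byPid    = @{}
$children = @{}
foreach ($r in $rows) {
    $byPid[[int]$r.PID] = $r
    $parentId = [int]$r.PPID
    if (-not $children.ContainsKey($parentId)) { $children[$parentId] = @() }
    $children[$parentId] += $r
}

# An orphan is any process (other than the root, PID 4) whose PPID is not a PID
# in the snapshot: the parent exited before the snapshot or was not captured.
$orphans = $rows | Where-Object { [int]$_.PID -ne 4 -and -not $byPid.ContainsKey([int]$_.PPID) }

# Print one node and recurse into its children, sorted by PID.
function Write-Branch {
    param([int]$ProcessId, [int]$Depth = 0)
    $node = $byPid[$ProcessId]
    Write-Output (('  ' * $Depth) + "$($node.ProcessName) (PID $($node.PID), PPID $($node.PPID))")
    foreach ($child in @($children[$ProcessId]) | Sort-Object { [int]$_.PID }) {
        Write-Branch -ProcessId ([int]$child.PID) -Depth ($Depth + 1)
    }
}

Write-Output 'Process Tree'
Write-Branch -ProcessId 4
Write-Output 'Orphan Processes'
# Orphans keep their own subtrees, so services.exe still hangs under wininit.exe.
foreach ($o in $orphans) { Write-Branch -ProcessId ([int]$o.PID) -Depth 1 }
```

In the constructed data `wininit.exe` (its `smss.exe` parent has exited, which is normal) and `explorer.exe` (its parent `userinit.exe` is gone) both land under `Orphan Processes` together with their child processes, which is why an orphan by itself is not a finding; what hangs under it is what you inspect.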
You can view the properties of every process via two different methods:
| Mouse Hover | Double Click |
|---|---|
| Hovering over an entry shows its details in a tooltip. | Double-clicking an entry brings up the properties window. You can open multiple windows to compare processes, or use hotkeys to copy their entries in a unified format. |
Tip: Select the rows you want to copy from the properties view and press Ctrl+C to copy the text to your clipboard. Press Ctrl+A and Ctrl+C to copy all metadata.
Fig 2: Process Tree includes in-depth search and filter capabilities
You can filter for:
- CommandLine
- Device Path
- Parent Name
- PID
- PPID
- Process Name
- User
- and much more
The search feature has three different modes:
- Plaintext: 1:1 text matching
- Extended: allows the use of wildcards, like `*`, `?` and `[ ]`
- RegEx: Regular Expression syntax
You can search `Everywhere` or restrict the search to a specific property via the `Filter` dropdown menu. All search hits are highlighted with a yellow background color, and the process tree is auto-expanded to show the hits together with their child processes.
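The three modes map directly onto PowerShell's own string matching: a literal substring test, the `-like` wildcard operator (whose wildcard characters are exactly `*`, `?` and `[ ]`), and the `-match` regex operator. The function below is an added example, not the script's own search code; the sample objects and their property names are constructed for it. It also shows the one trap practitioners hit in RegEx mode: a backslash in a Windows path is a regex escape, so `C:\Windows` must be escaped before it matches.

```powershell
# Added example, not the search implementation of Get-ProcessTree.ps1.
function Test-ProcessMatch {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Process,
        [Parameter(Mandatory)] [string] $Pattern,
        [ValidateSet('Plaintext', 'Extended', 'RegEx')] [string] $Mode = 'Plaintext',
        [string] $Property   # empty = search "Everywhere"
    )
    # Either one named property, or every property value of the entry.
    $values = if ($Property) { @($Process.$Property) }
              else { $Process.PSObject.Properties | ForEach-Object { $_.Value } }
    foreach ($v in $values) {
        $s = [string]$v
        $hit = switch ($Mode) {
            'Plaintext' { $s.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0 }  # '*' is literal here
            'Extended'  { $s -like $Pattern }    # * ? [ ] wildcards, case-insensitive
            'RegEx'     { $s -match $Pattern }   # .NET regex, case-insensitive
        }
        if ($hit) { return $true }
    }
    return $false
}

# Constructed sample entries; property names are assumptions.
$procs = @(
    [pscustomobject]@{ PID = 912;  ProcessName = 'svchost.exe';    CommandLine = 'C:\Windows\system32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ PID = 4420; ProcessName = 'powershell.exe'; CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA' }
    [pscustomobject]@{ PID = 5016; ProcessName = 'ZoomIt.exe';     CommandLine = 'C:\Users\alice\AppData\Local\Temp\ZoomIt.exe' }
)

# Plaintext, Everywhere: any property containing "-enc".
$procs | Where-Object { Test-ProcessMatch -Process $_ -Pattern '-enc' }
# Extended, CommandLine only: anything launched from a user's Temp folder.
$procs | Where-Object { Test-ProcessMatch -Process $_ -Pattern 'C:\Users\*\AppData\Local\Temp\*' -Mode Extended -Property CommandLine }
# RegEx, CommandLine only: common PowerShell evasion switches.
$procs | Where-Object { Test-ProcessMatch -Process $_ -Pattern '-(nop|w hidden|enc)\b' -Mode RegEx -Property CommandLine }
# RegEx with a path: '\W' is a character class, not "\Windows", so escape the literal first.
$procs | Where-Object { Test-ProcessMatch -Process $_ -Pattern ([regex]::Escape('C:\Windows\system32')) -Mode RegEx }
```

In Extended mode the backslash is an ordinary character (PowerShell wildcards use the backtick as escape), so paths can be typed as-is; in RegEx mode they cannot.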
When inspecting a process tree, you may notice some entries marked in red. These should be your first points of interest: the red color indicates that the entry is in some way notable and/or shows signs of malware, attacker activity, or advanced TTPs. These indicators/anomalies are also added to the properties view of the process, flagged with a `Suspicious` tag. If a process triggers multiple detections, all of them are listed, separated by semicolons.
As with all analytics there can be false positives. As shown in the screenshot above, Sysinternals ZoomIt is running from a user's temp folder, which is a common location for malware.
The root tag `Alert Messages` lists all these unusual occurrences in one place. A quick look through the alert messages helps you find low-hanging fruit without digging through the whole process tree. A process called `lsas.exe` (one letter short of the legitimate `lsass.exe`) should definitely get your full attention. ;-)
`Get-ProcessTree.ps1` is automatically launched by MemProcFS-Analyzer's workflow. If you would like to inspect the process tree again afterwards, navigate to the script and launch it with:

```powershell
cd <MemProcFS-Analyzer-Directory>\Scripts\Get-ProcessTree\
.\Get-ProcessTree.ps1 -CSVPath <path-to-proc.csv>
```

Tip: Check out `Get-Help .\Get-ProcessTree.ps1` for more options.
If you have known false positives in your work environment that always appear in the alert messages, you can whitelist these exceptions via parameter, or add additional entries you deem suspicious for your environment.
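The following is an added example of the kind of anomaly tagging, semicolon-joined `Suspicious` reasons, `Alert Messages` list and whitelisting described in the two sections above. The rules are illustrative and are not the detection logic of `Get-ProcessTree.ps1`; the CSV is constructed, its column names (`PID`, `PPID`, `ProcessName`, `Path`, `User`) are assumptions, and `$whitelist` is a hypothetical stand-in for the script's own whitelist parameter, whose name is not shown here.

```powershell
# Added example: illustrative rules, not the detections of Get-ProcessTree.ps1.
# Constructed CSV; column names are assumptions, not the proc.csv schema.
$csv = @'
PID,PPID,ProcessName,Path,User
4,0,System,,NT AUTHORITY\SYSTEM
620,500,wininit.exe,C:\Windows\System32\wininit.exe,NT AUTHORITY\SYSTEM
700,620,services.exe,C:\Windows\System32\services.exe,NT AUTHORITY\SYSTEM
712,620,lsass.exe,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM
912,700,svchost.exe,C:\Windows\System32\svchost.exe,NT AUTHORITY\SYSTEM
3100,2980,explorer.exe,C:\Windows\explorer.exe,CORP\alice
5016,3100,ZoomIt.exe,C:\Users\alice\AppData\Local\Temp\ZoomIt.exe,CORP\alice
5200,3100,lsas.exe,C:\Users\alice\AppData\Local\Temp\lsas.exe,CORP\alice
5300,3100,svchost.exe,C:\Users\Public\svchost.exe,CORP\alice
'@
$rows = $csv | ConvertFrom-Csv
$byPid = @{}
foreach ($r in $rows) { $byPid[[int]$r.PID] = $r }

# Expected parent of core Windows processes; a mismatch is worth a look.
$expectedParent = @{ 'services.exe' = 'wininit.exe'; 'lsass.exe' = 'wininit.exe'; 'svchost.exe' = 'services.exe' }
$systemNames    = 'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'explorer.exe'
$whitelist      = @('ZoomIt.exe')   # hypothetical: known-good tools for this environment

# Levenshtein distance, used to catch one-character look-alikes such as lsas.exe.
function Get-EditDistance([string]$a, [string]$b) {
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

$alerts = [System.Collections.Generic.List[string]]::new()
foreach ($p in $rows) {
    $reasons    = @()
    $name       = $p.ProcessName
    $parentName = if ($byPid.ContainsKey([int]$p.PPID)) { $byPid[[int]$p.PPID].ProcessName } else { $null }

    # 1. Name one edit away from a core system process (lsas.exe vs lsass.exe).
    if ($systemNames -notcontains $name) {
        foreach ($s in $systemNames) {
            if ((Get-EditDistance $name $s) -eq 1) { $reasons += "Process name mimics $s" }
        }
    }
    # 2. Executable in a user-writable folder (user Temp, Public).
    if ($p.Path -like '*\AppData\Local\Temp\*' -or $p.Path -like 'C:\Users\Public\*') {
        $reasons += 'Running from user-writable folder'
    }
    # 3. Core process with an unexpected parent (orphans are skipped: their parent is simply gone).
    if ($expectedParent.ContainsKey($name) -and $parentName -and $parentName -ne $expectedParent[$name]) {
        $reasons += "Unexpected parent $parentName (expected $($expectedParent[$name]))"
    }
    # 4. System process name running from outside C:\Windows.
    if ($systemNames -contains $name -and $p.Path -and $p.Path -notlike 'C:\Windows\*') {
        $reasons += 'System process name outside C:\Windows'
    }

    # Every hit is kept on the entry, semicolon-separated, like the Suspicious tag.
    $p | Add-Member -NotePropertyName Suspicious -NotePropertyValue ($reasons -join '; ')
    # Whitelisted names keep their tag but are left out of the alert list.
    if ($reasons -and $whitelist -notcontains $name) {
        $alerts.Add("PID $($p.PID) ${name}: " + ($reasons -join '; '))
    }
}

$rows | Where-Object Suspicious | Format-Table PID, ProcessName, Suspicious -AutoSize
Write-Output 'Alert Messages'
$alerts
```

With this data `lsas.exe` collects two reasons (look-alike name and user Temp folder), the `svchost.exe` under `C:\Users\Public` collects three (wrong parent, user-writable folder, outside `C:\Windows`), and `ZoomIt.exe` is tagged but suppressed from the alert list by the whitelist, which is the false-positive case the page describes.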
Last updated: 2023-01-06