Unknown Processes

Process whitelisting and blacklisting is one of the greatest defenses against modern attackers. Many different types of exploits and attacks require the target operating system to run a custom script or process that the attacker created. Knowing which processes may be running in an environment that have not been authorized, greatly reduces risk and attack surface.

Popular avenues of attack against Microsoft operating systems are phantom processes, temporary executables, and hidden files and scripts. Microsoft works with software developers to identify and tag legitimate processes related to the software developed for the Windows family of operating systems. Attackers can still execute attacks by changing those legitimate processes to run malicious code, and to execute commands hidden elsewhere on the filesystem.

Administrators can use this report to investigate potentially malicious or unauthorized processes and files found while scanning. This report assists organizations in discovering those processes, and provides guidance on what those processes may be when found. Organizations can use this information to reduce attack risk, while also monitoring the process changes made across their entire attack surface.

The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Security Industry Trends. The report requirements are:

      • SecurityCenter 5.2.x

      • Nessus 6.11.x

SecurityCenter CV provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Nessus is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. By integrating with Nessus, SecurityCenter CV provides the most comprehensive view of network security data.

Chapters

Executive Summary: This chapter contains 2 matrices grouping the counts of systems with unknown processes together.  The group is based on the number of unknown processes discovered, and starts with less than 50 and ends with over 10,000.  There are two additional matrices, one provides indicators for the Windows Autoruns and the other provides the count of systems with unknown processes based on the location and file type.  The final component is a table that provides a summary of networks with hosts that have been identified to have unknown processes. 

Software Installed on Systems Identified with Unknown Processes:  This chapter provides a detailed software inventory of systems with unknown processes. 

Windows Unknown Process Count Indicator: This chapter provides a detailed list of systems with unknown processes, grouped by the number of processes.  The grouping is based on the number of unknown processes discovered, and starts with less than 50 and ends with over 10,000. 

Windows Temp Unknown Process Count Indicator: This chapter provides a detailed list of systems with unknown processes located in the “TMP” folder, grouped by the number of processes.  The grouping is based on the number of unknown processes discovered, and starts with less than 50 and ends with over 10,000. 

Number of Systems and Locations/Types of Unknown Files:  This chapter provides a detailed list of systems with unknown processes based on the location of the unknown processes or the executable file type.