Suspicious Process Id/Process Names for 4648
Posted 3/29/2017 1:59:09 PM
Forum Newbie


Group: Forum Members
Last Login: 12/16/2016 7:40:24 PM
Posts: 2, Visits: 4
I am looking to detect malicious events of Win ID 4648. I read on a forum that if there is Process ID 0x4 or Process names that end with svchost.exe or cscript.exe, it is one of the ways that an attacker uses to log in to a system. Is it true?
Post #7353
Posted 4/11/2017 1:48:48 PM
Supreme Being


Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 212, Visits: 0
I don't think any of these are credible indicators. The process ID can change and both of those executables can be legitimate.
Post #7358
All times are GMT -5:00.