Forum

Ultimate Windows Security Forum » Security Log » 4648 - A logon was attempted using explicit... » Suspicious Process Id/Process Names for 4648

Suspicious Process Id/Process Names for 4648

Rate Topic

Display Mode

Topic Options

Author

Message

kashish

Posted 3/29/2017 1:59:09 PM

Forum Newbie

Group: Forum Members
Last Login: 11/19/2018 9:59:54 PM
Posts: 3, Visits: 5

I am looking to detect malicious events of Win ID 4648. I read on a forum that if there is Process ID 0x4 or Process names that end with svchost.exe or cscript.exe, it is one of the ways that attacker uses to login to a system. Is it true?

Post #7353

derekthomas

Posted 4/11/2017 1:48:48 PM

Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0

I don't think any of these are credible indicators. The process ID can change and both of those executable can be legitimate.

Post #7358

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 11:56pm

Upcoming Webinars

Threat Hunting: Real Intrusions by State-Sponsored and eCrime Groups

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.