Forum Newbie
      
Group: Forum Members
I am looking to detect malicious events of Win ID 4648. I read on a forum that if there is Process ID 0x4 or Process names that end with svchost.exe or cscript.exe, it is one of the ways that an attacker uses to log in to a system. Is it true?
Supreme Being
      
Group: Moderators
I don't think any of these are credible indicators. The process ID can change and both of those executables can be legitimate.
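An added example, not part of the original thread, that applies the rule from the question to constructed Event 4648 records: it matches four of the five sample events, all assumed to be routine, and the same svchost.exe image appears under two different PIDs. Field names follow the Windows event XML layout; the hosts, accounts, paths and helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FORUM_NAMES = ("svchost.exe", "cscript.exe")  # names from the question

def make_event(pid, image, subject, target):
    """Build a constructed 4648 record in the event-XML layout (sample data only)."""
    fields = {"SubjectUserName": subject, "TargetUserName": target,
              "ProcessId": pid, "ProcessName": image}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>4648</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

def parse_event(xml_text):
    """Return the EventData fields of one event as a dict, with ProcessId as int."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.iter(NS + "Data")}
    ev["EventID"] = int(root.find(f"{NS}System/{NS}EventID").text)
    ev["ProcessId"] = int(ev["ProcessId"], 0)  # logged as hex, e.g. 0x4
    return ev

def forum_rule(ev):
    """The rule from the question: PID 0x4, or image name ends with svchost/cscript."""
    return ev["EventID"] == 4648 and (
        ev["ProcessId"] == 0x4 or ev["ProcessName"].lower().endswith(FORUM_NAMES))

def pids_by_image(events):
    """Group observed PIDs per image path to show that a PID is not stable."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["ProcessName"].lower()].add(ev["ProcessId"])
    return dict(seen)

SVCHOST = r"C:\Windows\System32\svchost.exe"
# Constructed events, all assumed to be routine activity on one host.
SAMPLES = [parse_event(x) for x in (
    make_event("0x4", "", "WS01$", "svc_share"),             # System process (PID 4)
    make_event("0x3a4", SVCHOST, "WS01$", "svc_backup"),     # assumed scheduled task
    make_event("0x5c8", SVCHOST, "WS01$", "svc_backup"),     # same task, later boot
    make_event("0x1f30", r"C:\Windows\System32\cscript.exe", "alice", "admin_alice"),
    make_event("0x2b10", r"C:\Program Files\Example\tool.exe", "alice", "svc_app"),
)]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(forum_rule(ev), hex(ev["ProcessId"]), ev["ProcessName"] or "(empty)")
    print(pids_by_image(SAMPLES))
```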