Forum

Ultimate Windows Security Forum » Security Log » 4648 - A logon was attempted using explicit... » Suspicious Process Id/Process Names for 4648

Suspicious Process Id/Process Names for 4648 Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
kashish
Posted 3/29/2017 1:59:09 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 11/19/2018 9:59:54 PM
Posts: 3, Visits: 5
I am looking to detect malicious events of Win ID 4648. I read on a forum that if there is Process ID 0x4 or Process names that end with svchost.exe or cscript.exe, it is one of the ways that attacker uses to login to a system. Is it true?
Post #7353
derekthomas
Posted 4/11/2017 1:48:48 PM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 220, Visits: 0
I don't think any of these are credible indicators. The process ID can change and both of those executable can be legitimate.
Post #7358
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 8:54pm