Processes

Use the ps command to list the processes running on a system. The output can provide clues about any custom applications and AV/EDR solutions that may be running.

beacon> ps

[*] This Beacon PID:    YELLOW 7480  
 PID   PPID  Name                                   Arch  Session     User
 ---   ----  ----                                   ----  -------     ----
 0     0     [System Process]                                         
 4     0         System                                               
 88    4             Registry                                         
 364   4             smss.exe                                         
 1532  4             Memory Compression                               
 464   456   csrss.exe                                                
 540   532   csrss.exe                                                
 564   456   wininit.exe                                              
 680   564       services.exe                                         
 448   680           svchost.exe                                      
 2812  448               taskhostw.exe              x64   2           DEV\bfarmer
 4632  448               mmc.exe                                      
 4796  448               sihost.exe                 x64   2           DEV\bfarmer
 6048  448               taskhostw.exe              x64   2           DEV\bfarmer
 7896  448               powershell.exe             x64   2           DEV\bfarmer
 2252  7896                  conhost.exe            x64   2           DEV\bfarmer
 8088  7896                  powershell.exe         x64   2           DEV\bfarmer
 460   680           svchost.exe                                      
 1036  460               rdpclip.exe                x64   2           DEV\bfarmer
 756   680           svchost.exe                                      
 812   680           svchost.exe                                      
 820   680           svchost.exe                                      
 664   820               SearchApp.exe              x64   2           DEV\bfarmer
 3244  820               unsecapp.exe                                 
 3848  820               WmiPrvSE.exe                                 
 5408  820               RuntimeBroker.exe          x64   2           DEV\bfarmer
 6000  820               StartMenuExperienceHost.exe x64   2           DEV\bfarmer
 6068  820               RuntimeBroker.exe          x64   2           DEV\bfarmer
 6612  820               RuntimeBroker.exe          x64   2           DEV\bfarmer
 6672  820               smartscreen.exe            x64   2           DEV\bfarmer
 7172  820               TextInputHost.exe          x64   2           DEV\bfarmer
 7244  820               dllhost.exe                x64   2           DEV\bfarmer
 7744  820               PhoneExperienceHost.exe    x64   2           DEV\bfarmer
 8044  820               RuntimeBroker.exe          x64   2           DEV\bfarmer
 952   680           svchost.exe                                      
 1032  680           spoolsv.exe                                      
 1104  680           svchost.exe                                      
 5196  1104              ctfmon.exe                 x64   2           DEV\bfarmer
 1176  680           svchost.exe                                      
 1208  680           svchost.exe                                      
 1212  680           svchost.exe                                      
 1224  680           svchost.exe                                      
 1284  680           svchost.exe                                      
 1336  680           svchost.exe                                      
 1508  680           svchost.exe                                      
 1588  680           svchost.exe                                      
 1672  680           svchost.exe                                      
 1800  680           svchost.exe                                      
 1804  680           svchost.exe                                      
 1884  680           svchost.exe                                      
 2108  680           SgrmBroker.exe                                   
 2340  680           svchost.exe                                      
 2492  680           MsMpEng.exe                                      
 2500  680           Service 1.exe                                    
 2508  680           Service 3.exe                                    
 2588  680           VGAuthService.exe                                
 2640  680           Service 2.exe                                    
 2668  680           Sysmon64.exe                                     
 2740  680           elastic-endpoint.exe                             
 2748  680           elastic-agent.exe                                
 4356  2748              filebeat.exe                                 
 4404  4356                  conhost.exe                              
 3408  680           svchost.exe                                      
 3856  680           WUDFHost.exe                                     
 3924  680           svchost.exe                                      
 4544  680           svchost.exe                                      
 4548  680           SearchIndexer.exe                                
 4556  680           uhssvc.exe                                       
 4756  680           svchost.exe                                      
 4900  680           svchost.exe                    x64   2           DEV\bfarmer
 4996  680           svchost.exe                                      
 5696  680           svchost.exe                    x64   2           DEV\bfarmer
 6760  680           SecurityHealthService.exe                        
 700   564       lsass.exe                                            
 852   564       fontdrvhost.exe                                      
 636   532   winlogon.exe                                             
 8     636       dwm.exe                                              
 60    636       LogonUI.exe                                          
 856   636       fontdrvhost.exe                                      
 3896  1984  csrss.exe                                                
 4872  1984  winlogon.exe                                             
 3096  4872      dwm.exe                                              
 5040  4872      fontdrvhost.exe                                      
 5344  5300  explorer.exe                           x64   2           DEV\bfarmer
 6724  5344      SecurityHealthSystray.exe          x64   2           DEV\bfarmer
 6752  5344      vm3dservice.exe                    x64   2           DEV\bfarmer
 6868  5344      msedge.exe                         x64   2           DEV\bfarmer
 2756  6868          msedge.exe                     x64   2           DEV\bfarmer
 3256  6868          msedge.exe                     x64   2           DEV\bfarmer
 4644  6868          msedge.exe                     x64   2           DEV\bfarmer
 7040  6868          msedge.exe                     x64   2           DEV\bfarmer
 7480  5344      powershell.exe                     x64   2           DEV\bfarmer
 7488  7480          conhost.exe                    x64   2           DEV\bfarmer


There are several interesting processes here, including Sysmon64, MsMpEng, elastic-endpoint, and elastic-agent. When running in medium integrity (i.e. as a standard user), you will not be able to see the Arch, Session and User information for processes that your current user does not own, so those columns are blank for such processes.

The indentation represents parent/child relationships.
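As an added example (not part of the original page and not Cobalt Strike's own code), the following Python parser reads this ps layout, rebuilds the parent/child chain from the PID and PPID columns rather than from the indentation, tolerates the blank Arch/Session/User columns a medium-integrity user sees, and reports which recognised security products appear in the listing. The sample rows are a constructed excerpt of the output above and the product map is an illustrative, non-exhaustive list.

```python
import re

# Constructed excerpt of the Beacon "ps" layout shown above (not the full listing).
SAMPLE_PS = r"""
 PID   PPID  Name                                   Arch  Session     User
 0     0     [System Process]
 564   456   wininit.exe
 680   564       services.exe
 448   680           svchost.exe
 7896  448               powershell.exe             x64   2           DEV\bfarmer
 2492  680           MsMpEng.exe
 2668  680           Sysmon64.exe
 2748  680           elastic-agent.exe
 6000  820               StartMenuExperienceHost.exe x64   2           DEV\bfarmer
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*?)\s*$")        # PID, PPID, rest of the row
TAIL = re.compile(r"^(.*?)\s+(x64|x86)\s+(\d+)\s+(\S+)$")  # name, arch, session, user
SECURITY_PROCS = {  # illustrative map of well-known AV/sensor image names, not exhaustive
    "msmpeng.exe": "Microsoft Defender Antivirus", "sysmon64.exe": "Sysmon",
    "elastic-endpoint.exe": "Elastic Endpoint Security", "elastic-agent.exe": "Elastic Agent",
}

def parse_ps(text):
    """Return {pid: {"ppid", "name", "arch", "session", "user"}}; hidden columns are None."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, separator, "[*] This Beacon PID" or blank line
            continue
        pid, ppid, rest = int(m[1]), int(m[2]), m[3]
        t = TAIL.match(rest)  # names may contain spaces, so peel Arch/Session/User off the right
        arch, session, user = (t[2], int(t[3]), t[4]) if t else (None, None, None)
        procs[pid] = {"ppid": ppid, "name": t[1] if t else rest,
                      "arch": arch, "session": session, "user": user}
    return procs

def lineage(procs, pid):
    """Parent chain from the highest listed ancestor down to pid (what the indentation draws)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # PID 0 lists itself as its own parent; do not loop on it
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]

def security_tools(procs):
    """Sorted product names for every recognised security process in the listing."""
    return sorted({SECURITY_PROCS[p["name"].lower()]
                   for p in procs.values() if p["name"].lower() in SECURITY_PROCS})
```

Run against a real listing, security_tools gives a quick inventory of the sensors a host reports, which is equally useful for checking that expected tooling is actually present.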
