Ever wondered what remediating a malicious process looks like? Below is a short explanation of how Huntress analysts pick specific processes for partners to terminate.
Huntress monitors all processes on machines with Huntress’ Process Insights installed (Beta). Each process is reviewed by our automated detections to determine if it is something anomalous. If flagged as possibly malicious with Huntress’ detections, a ThreatOps Analyst begins an investigation to examine if this process belongs to malware or even a hands-on threat actor.
The ideal method to terminate a process on a machine is to target the unique Process ID. This ensures we do not terminate known-good processes that are important to the machine and your business. Processes may be similarly named, but a ProcessID is never shared by two running processes at any one time.
For our example, if Huntress ThreatOps analysts have concluded that Calcuator.exe is a malicious process, we can leverage the ProcessID to surgically force that specific process to stop.
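As an added illustration (not Huntress code or part of the original article), here is a PowerShell function that terminates a process by its ProcessID rather than by name, and first checks that the PID still belongs to the process named in the report. The report-supplied PID and image name used in the usage line are constructed values.

```powershell
# Added example, not Huntress code. Stops one process by its ProcessID after
# confirming the PID still belongs to the image name the report identified.
# Assumption: the report supplies a PID and the image name (without .exe).
function Stop-ReportedProcess {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [string] $ExpectedName   # e.g. 'Calcuator'
    )

    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) {
        # Short-lived processes (e.g. a credential dumper) may already be gone.
        Write-Output "PID $ProcessId is not running; nothing to terminate."
        return $false
    }

    # The OS recycles PIDs once a process exits, so a stale report PID could
    # now belong to an unrelated, known-good process. Compare the name first.
    if ($proc.ProcessName -ne $ExpectedName) {
        Write-Output "PID $ProcessId is now '$($proc.ProcessName)', not '$ExpectedName'; not terminating."
        return $false
    }

    # Targeting -Id kills only this instance. By contrast,
    # Stop-Process -Name $ExpectedName would kill every same-named process.
    Write-Output "Terminating PID $ProcessId ($($proc.ProcessName)) at $($proc.Path)"
    Stop-Process -Id $ProcessId -Force
    return $true
}

# Usage with constructed values from a hypothetical report:
# Stop-ReportedProcess -ProcessId 4242 -ExpectedName 'Calcuator'
```

Run it from an elevated session, since terminating another user's or a SYSTEM process requires administrative rights.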
Malicious processes may be persistent and long-term (such as cryptominers) but they can also be ephemeral and short-lived (such as a credential dumping process). If you receive a Huntress report with Process Insights, you will get more security value by responding quickly to terminate the malicious process(es) we have identified.
Process - The discrete name a computer gives a specific task it is executing and running
Process Insights - Huntress’s beta feature that allows granular insight into the processes running on a machine
Remediating a Process - Acting on a Huntress report that has designated a process as malicious by terminating that process surgically via its unique ProcessID.