Let’s open a cmd and start a hidden powershell by typing the following command:<\/p>\n Now a powershell process is running on our machine, but without a window. Process Explorer shows us a cmd.exe with a childprocess called conhost.exe<\/p>\n Let’s doubleclick conhost.exe and explore some usefull functionalities of process explorer.<\/p>\n In the Image tab we can see useful informations like the full path of the executable, the command line field which exactly shows the previous command we’ve typed in and the parent process. Another cool feature is the VirusTotal field. After clicking on submit a hashvalue of the binary will be created and checked against the virustotal database.\u00a0 The value 0\/68 means that the binary hash value is known and was checked with 68 different Antivirus Engines. 0 means that none of them sees a potential danger. A return value of n\/a would imply\u00a0 that the hash value isn’t known yet by virustotal and the binary should be uploaded for further analysis.<\/p>\n Another interessting function is the TCP\/IP and the Strings tab. If the binary should do any network connections we would see them there. With help of the strings it’s possible to read out which strings are stored in the memory of a specific process. In case of a cmd.exe we can find which commands where typed.<\/p>\n Next thing we want to have a short look on ist the Threads tab. Everytime a process needs some CPU power we will see activity there. From that tab we have also the possibility to suspend or kill a task. Forexample if we open a notepad and suspend that task, notepad will be in a frozen state.<\/p>\n If we suspend a task there is always a way back. Forexample we can suspend a task and then create a memory dump and reactivate it by clicking on Resume. If we kill the task, there’s no way back! Another tool that was slightly covered was procmon from sysinternals. With help of that tool you can monitor the system and get specific traces of certain processes.<\/p>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/30d_01.png\")
<\/a><\/p>\npowershell -w hidden -c dir c:\\ -recurse<\/code><\/p>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/30d_03.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/30d_04.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/30d_05.png\")
<\/a><\/p>\n