Tracking Parent/Child Process Relationship Via BAM Registry Key
Reference: https://twitter.com/nas_bench/status/1661692446231633920
You can indirectly track the child processes created by a process by monitoring registry set events on the following key, where <SID> is the SID of the user running the process and <Binary> is the path of the executed (child) binary: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\<SID>\<Binary>
Examples
- Cmd.EXE Creating Rundll32.EXE
- Explorer.EXE Creating Microsoft Paint
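The following is an added example, not part of the original note, showing how a detection pipeline could turn registry set events on the BAM key into parent/child pairs. It assumes Sysmon-style Event ID 13 (RegistryEvent, value set) records with the fields Image and TargetObject, and it assumes, as the examples above indicate, that Image is the process that created the child (the parent) while the last path element of TargetObject names the child binary. The sample events are constructed for this example; the SIDs, volume paths and hostnames in them are not real.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches a value-set event on the BAM per-user key. The value name stored
# under the SID is the NT device path of the executed binary, so the
# TargetObject looks like ...\UserSettings\<SID>\\Device\HarddiskVolumeN\...
BAM_KEY_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\"
    r"(?P<sid>S-1-[\d-]+)\\(?P<binary>.+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class BamLineage:
    """One inferred parent -> child relationship from a BAM registry write."""
    parent_image: str   # Image field of the registry set event (assumed parent)
    user_sid: str       # SID under which the BAM entry was written
    child_binary: str   # device path of the binary recorded in the BAM key


def basename(path: str) -> str:
    """Last element of a backslash-separated path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_bam_event(event: dict) -> Optional[BamLineage]:
    """Return a BamLineage for a Sysmon Event ID 13 on the BAM key, else None."""
    if str(event.get("EventID")) != "13":
        return None
    match = BAM_KEY_RE.match(event.get("TargetObject", ""))
    if not match:
        return None
    return BamLineage(event["Image"], match["sid"], match["binary"])


def lineage_from_events(events: Iterable[dict]) -> List[BamLineage]:
    """Keep only events that describe a BAM write and convert them."""
    return [rec for rec in map(parse_bam_event, events) if rec is not None]


def children_of(records: Iterable[BamLineage], parent: str) -> List[str]:
    """Child binary basenames recorded for the given parent basename."""
    wanted = parent.lower()
    return sorted(basename(r.child_binary) for r in records
                  if basename(r.parent_image) == wanted)


# Constructed sample events (not real telemetry). Two BAM writes mirror the
# note's examples; the other two are noise that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\bam\State\UserSettings"
                     r"\S-1-5-21-1111-2222-3333-1001"
                     r"\\Device\HarddiskVolume3\Windows\System32\rundll32.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\bam\State\UserSettings"
                     r"\S-1-5-21-1111-2222-3333-1001"
                     r"\\Device\HarddiskVolume3\Windows\System32\mspaint.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": ""},
]


if __name__ == "__main__":
    for rec in lineage_from_events(SAMPLE_EVENTS):
        print(f"{basename(rec.parent_image)} -> {basename(rec.child_binary)} "
              f"(user {rec.user_sid})")
```

Because the BAM write is the only signal, this gives a parent/child pair without a child process ID; treat it as corroborating evidence alongside process-creation events (or as a fallback where those are not collected), not as a replacement for them.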