Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

N-Able: Practical Threat Hunting with Process Execution Analysis

N-able
07/14/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


of some like activities that you can do in threat hunting. Again, these aren't things that rise to the level of detection, like you'll see that you can't like, you know, programmatically do this easily, you know, to where you could say like, if you see this, flag it because... For example, detections are typically very specific. You're looking for something very specific. For an example here, if you said, you know what, I want to know, give me a detection every time explore.exe launches command line exec. And if you create a detection for that, then you'd get lots and lots and lots of alerts that would show up in your console. Or for any one of these, you would get detection alerts, which you didn't go, but this doesn't mean anything. So, Kevin, you're showing this as a hunting? Yeah, yeah. So, we'll get into this. I'll show you how to do the query. But something to look at right now. So, I'll explain what we're going to do first. So, we're going to go into AdLumen, we're going to export all the process execution logs from across our environment. And I'll show you how you can limit it to maybe specific hosts, if you're just looking at one host, or how you can limit it to like a specific domain or something like that. And then what we're going to do is we're going to take that data, we're going to use AdLumen to get it as a CSV, and then we're going to apply that expertise analysis in a way we can go through it really fast, right? The old easy way for hunting is literally to just go through every result and just see if it's something or nothing. But I'll tell you when you're dealing with 5 million results, you can't do that. So, you do have to sort of do like, you know, some heavy lifting, there's some scripting and stuff that's involved in it, just that makes your life a lot easier and makes it more effective and faster. But the first thing we're going to do is so we're going to go through and we're going to get all those process executions from throughout the environment, right? And then we're going to do a count of how many, how many hosts have less than have seen less than 10 executions of this parent child process pair. So for when a process runs, like something ran that process, right? Unless you're process zero. Kevin, are you showing a demo of the AdLumen portal? I'm super... It's a process support. Got it. Yeah. So when you run a process, it's spawned by its parent, unless you're process zero, right? The God process. So what we're doing is we're looking at what are the processes that are being spawned from other processes? And we're counting them, right? So if we see less than a large number of occurrence, which like here, we've decided 10 is where we're going to start at. We want to take that and save it, right? And then we're going to look across the hosts in our environment and see how many hosts are doing that execution, right? So what we know... So let's look at the bottom, right? Outlook.exe to PowerShell.exe. Top of your head, that's super duper suspicious, right? Because like what's Outlook.exe running PowerShell.exe for, right? Like was it because there was some exploit or some hook or something like that? But when you start digging into these actual process executions and you look at the command line, you'll see that it's actually an Outlook add-on that uses PowerScript or PowerShell, and it actually gets run by Outlook.exe. And that's why, you know, even though that sounds super malicious, you go through, what is this, like 17 results or something like that, and you got nothing. And they're all different, right? And you can do this for each one of these, right? And some of these are more suspicious than others. Some of them are definitely suspicious, right? In this case, right? A CEC host shouldn't directly be calling the installUtil, right? That's just not how it works. Things like Chrome to command.exe can be suspicious, export notepad is okay, right? That kind of stuff. You would pour through each one of these. So you'd look at them and first answer the other question, does this look weird? And you'd pour through each one of them, trying to then investigate, if you will, whether or not, or research whether or not it maps back to something that is anomalous. Yep. And this is like, again, a really basic way anybody can apply to their environment, any environment pretty much. It's going to be more difficult, the larger your environment is. So that's why I recommend you can limit by host or if you have multiple domains or networks or something like that, right? But this doesn't require you to have anything special, right? Other than a tool that can get you the logs you need and the process execution logs for Windows, which is like most tools should do that for you these days.

TL;DR

  • Threat hunting focuses on manual investigation of anomalies that don't warrant automated detection rules, using analyst expertise to identify patterns that would generate too many false positives if automated.
  • Parent-child process relationship analysis examines which processes spawn other processes, with low-frequency pairs (under 10 occurrences) flagged for investigation as potentially suspicious behavior.
  • The demonstrated workflow exports process execution logs from AdLumen, applies frequency filtering via scripting, and requires manual review of each flagged relationship to determine if it represents legitimate software or malicious activity.

Summary

This demonstration walks through accessible threat hunting techniques that security practitioners can apply without advanced tooling or automation. The focus is on analyzing process execution logs to identify anomalous parent-child process relationships — a fundamental method for detecting suspicious activity that doesn't rise to the level of automated detection rules. Using N-able's AdLumen platform, the presenter shows how to export process execution data across an environment, filter for low-frequency parent-child pairs (those occurring fewer than 10 times), and manually investigate whether these relationships represent legitimate software behavior or potential threats. The approach emphasizes that while some combinations like Outlook.exe spawning PowerShell.exe appear immediately suspicious, investigation often reveals benign explanations such as legitimate add-ons. The technique is scalable to environments of varying sizes by limiting scope to specific hosts or domains, making it practical for teams without dedicated threat hunting resources.

Chapters

0:00 - Introduction to Threat Hunting Basics
0:26 - Detection vs. Hunting Explained
0:59 - Process Execution Analysis Workflow
2:50 - Investigating Suspicious Process Pairs

Key Quotes

0:14 "These aren't things that rise to the level of detection, like you'll see that you can't like, you know, programmatically do this easily, you know, to where you could say like, if you see this, flag it because..."
1:58 "We're going to do a count of how many, how many hosts have less than have seen less than 10 executions of this parent child process pair."
2:50 "Outlook.exe to PowerShell.exe. Top of your head, that's super duper suspicious, right? Because like what's Outlook.exe running PowerShell.exe for, right? ..."

FAQ

Why can't these parent-child process relationships be turned into automated detection rules?

Many suspicious-looking process pairs occur legitimately in enterprise environments — for example, Outlook.exe spawning PowerShell.exe can be caused by legitimate add-ons. Creating automated alerts for these patterns would generate excessive false positives, which is why they require manual threat hunting with analyst expertise to distinguish malicious from benign activity.

How do you make this technique practical for large environments with millions of process execution events?

The key is filtering for low-frequency occurrences (processes seen fewer than 10 times) and limiting scope to specific hosts, domains, or network segments. This reduces the dataset to anomalous patterns that warrant investigation, rather than attempting to manually review every process execution across the entire environment.


Categories:
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Security Operations
  • Threat Intelligence
  • Technical Deep Dive
  • How-To
  • Best Practices
  • Threat Hunting
  • Process Execution Analysis
  • Parent-Child Process Relationships
  • Anomaly Detection
  • Log Analysis
  • SIEM Investigation
  • Windows Process Monitoring
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: N-Able: Practical Threat Hunting with Process Execution Analysis

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    14

                    Crafting a Championship-Caliber Security Team for Lasting Defense

                    07/14/202601:00 PM ET
                    • Jul
                      14

                      Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                      07/14/202602:00 PM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events

                        Upcoming Webinar Calendar

                        • 07/14/2026
                          01:00 PM
                          07/14/2026
                          Crafting a Championship-Caliber Security Team for Lasting Defense
                          https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-caliber-security-team-for-lasting-defense/
                        • 07/14/2026
                          02:00 PM
                          07/14/2026
                          Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                          https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
                        • 07/21/2026
                          04:00 AM
                          07/21/2026
                          Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                          https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                        • 07/22/2026
                          06:30 AM
                          07/22/2026
                          Insights and Strategies in Data Protection and Privacy Management
                          https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-in-data-protection-and-privacy-management/
                        • 07/22/2026
                          01:00 PM
                          07/22/2026
                          Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                          https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                        • 07/28/2026
                          01:00 PM
                          07/28/2026
                          Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                          https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                        • 07/29/2026
                          04:00 AM
                          07/29/2026
                          Real-Time Strategies for Safeguarding Against Prompt Injections
                          https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                        • 07/29/2026
                          01:00 PM
                          07/29/2026
                          Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                          https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                        • 08/19/2026
                          12:00 PM
                          08/19/2026
                          Becoming Agent Ready: Insights from Cyera's Expertise
                          https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                        • 09/02/2026
                          12:00 PM
                          09/02/2026
                          Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                          https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                        • 09/30/2026
                          04:00 AM
                          09/30/2026
                          AI Command Center: Optimizing Visibility and Control in Your Operations
                          https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version