Add SilentProcessExit scan

  • Question

  • Hi,

    Would you please consider adding a SilentProcessExit entry? It might be used to execute a malicious process after a process closes.

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

    Kind regards

    • Edited by avoidik Wednesday, January 8, 2020 6:54 PM
    Wednesday, January 8, 2020 6:54 PM

All replies

  • Interesting..

    https://msdn.microsoft.com/en-us/data/jj602791(v=vs.90)

    There is more than that key to monitor..

    In any case if you implemented Sysmon you should already get the start of the process.. I'm also noticing that all the involved keys are under HKLM.. you need to be administrator to write there.. if you are already admin it's game over.. Agree that can be used to persist "something" under cover..

    Thanks
    -mario

    Wednesday, January 8, 2020 10:27 PM
  • Gflags creates these keys when setting the Silent Process Exit.

    And effectively, when I close Notepad, a cmd is started..

    To create these keys you must already be administrator, so I would not be worried too much, but they can be used to persist some malware..

    Probably it's worth it if Mark can have a look..

    Thanks
    -mario

    Thursday, January 9, 2020 8:44 AM
  • This is a great suggestion and something I wasn't aware of. I have added it to the backlog and will review with Mark R. at the next backlog review in two weeks.

    MarkC(MSFT)

    Tuesday, January 14, 2020 12:23 PM
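Until Autoruns covers this key, the check the original question asks for and the gflags behaviour mario describes (close Notepad, a cmd starts) can be audited by hand. The script below is an added example for this thread, not code from Autoruns, Sysinternals or any of the posters. It enumerates the SilentProcessExit key quoted above and, for each image, reads the documented gflags values (`MonitorProcess`, the command launched on exit, and `ReportingMode`) plus the matching `GlobalFlag` under Image File Execution Options, since bit 0x200 (`FLG_MONITOR_SILENT_PROCESS_EXIT`) is what actually arms the entry. Those value names and the flag bit are the documented gflags layout; nothing else about the host is assumed.

```powershell
# Added example (not from the thread or from Autoruns): audit SilentProcessExit persistence.
# Reading HKLM does not need elevation; only writing these keys does, as mario notes.

$SilentProcessExitPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$IfeoPath              = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FlgMonitorSilentProcessExit = 0x200   # documented gflags bit that enables the feature per image

function Get-SilentProcessExitEntry {
    <#
    .SYNOPSIS
      Lists every SilentProcessExit subkey with its MonitorProcess command and
      whether the image's IFEO GlobalFlag actually enables it.
    #>
    [CmdletBinding()]
    param()

    if (-not (Test-Path -LiteralPath $SilentProcessExitPath)) {
        Write-Verbose 'SilentProcessExit key not present; nothing is configured.'
        return
    }

    foreach ($key in Get-ChildItem -LiteralPath $SilentProcessExitPath) {
        $image = $key.PSChildName
        $props = Get-ItemProperty -LiteralPath $key.PSPath

        # gflags also sets FLG_MONITOR_SILENT_PROCESS_EXIT in the image's IFEO key;
        # without that bit a MonitorProcess value is inert (but still suspicious).
        $globalFlag = 0
        $ifeoKey = Join-Path $IfeoPath $image
        if (Test-Path -LiteralPath $ifeoKey) {
            $globalFlag = [int](Get-ItemProperty -LiteralPath $ifeoKey).GlobalFlag
        }

        [pscustomobject]@{
            Image          = $image
            MonitorProcess = $props.MonitorProcess
            ReportingMode  = $props.ReportingMode
            GlobalFlag     = ('0x{0:X}' -f $globalFlag)
            Enabled        = (($globalFlag -band $FlgMonitorSilentProcessExit) -ne 0)
        }
    }
}

# Anything with a MonitorProcess deserves a look; an Enabled entry launches that
# command every time the named image exits, which is the persistence the thread describes.
Get-SilentProcessExitEntry -Verbose |
    Where-Object { $_.MonitorProcess } |
    Sort-Object Enabled -Descending |
    Format-Table Image, Enabled, GlobalFlag, ReportingMode, MonitorProcess -AutoSize
```

On a clean workstation the table is empty; a legitimate debugging setup shows a debugger or dump tool as `MonitorProcess`, while a script interpreter or an executable in a user-writable directory is the case worth escalating. For continuous coverage rather than a point-in-time scan, a Sysmon RegistryEvent rule matching a `TargetObject` that contains `\SilentProcessExit\` records the write itself, which complements the process-start visibility mario mentions.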