{"id":16564654,"url":"https://github.com/samerde/get-riskyprocesses","last_synced_at":"2025-07-19T21:33:52.751Z","repository":{"id":110111323,"uuid":"275129289","full_name":"SamErde/Get-RiskyProcesses","owner":"SamErde","description":"Checks running processes for a list of potentially \"risky\" ones that should not be spawned by certain parent processes. If found, the results could indicate abnormal behavior.","archived":false,"fork":false,"pushed_at":"2023-11-23T23:23:35.000Z","size":32,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-19T08:55:16.122Z","etag":null,"topics":["edr","exchange-server","hacktoberfest","iis","infosectools","powershell","windows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SamErde.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-06-26T10:24:44.000Z","updated_at":"2025-05-15T23:56:10.000Z","dependencies_parsed_at":"2023-03-13T13:58:44.264Z","dependency_job_id":null,"html_url":"https://github.com/SamErde/Get-RiskyProcesses","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SamErde/Get-RiskyProcesses","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamErde%2FGet-RiskyProcesses","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamErde%2FGet-RiskyProcesses/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamErde%2FGet-RiskyProcesses/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamErde%2FGet-RiskyProcesses/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SamErde","download_url":"https://codeload.github.com/SamErde/Get-RiskyProcesses/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamErde%2FGet-RiskyProcesses/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266019657,"owners_count":23864916,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["edr","exchange-server","hacktoberfest","iis","infosectools","powershell","windows"],"created_at":"2024-10-11T20:44:42.289Z","updated_at":"2025-07-19T21:33:52.709Z","avatar_url":"https://github.com/SamErde.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Get-RiskyProcesses\n\nChecks running processes for a list of potentially \"risky\" ones that should not be spawned by certain parent processes. If found, the results could indicate abnormal behavior.\n\nA blog post by the Microsoft Defender ATP Research Team on June 24, 2020 detailed some scenarios in which an attacker might exploit a remote code execution (RCE) vulnerability in the IIS component of an Exchange Server, and thereby gain system privileges. One indication of such an exploit might be a \"cmd.exe\" or \"mshta.exe\" process (among others) that is spawned by \"w3wp.exe\" or the IIS application pool. See: https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/.\n\nWhile Windows Defender ATP or other endpoint detection and response (EDR) products may natively be able to detect such behavior, systems without those protections may not. This script provides a working concept that could notify admins of these potential exploits, when the script is run as a scheduled task or when used in conjunction with a monitoring platform.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamerde%2Fget-riskyprocesses","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamerde%2Fget-riskyprocesses","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamerde%2Fget-riskyprocesses/lists"}