LiveProcessMonitor - Baseline-Driven Historical Process and Network Monitoring on Windows - Overview

Author: Michał Sołtysik

Uploaded: 2026-02-15

Views: 97

Description: Other content: Michał Sołtysik - Cybersecurity content

Official website: https://michalsoltysik.com/

Michał Sołtysik is a Cybersecurity Consultant and Blue Team, Purple Team, and Red Team Analyst, bringing a broad and in-depth range of expertise to his cybersecurity practice.

He is also a Digital and Network Forensics Examiner, Cyber Warfare Organizer, and SOC Trainer, specializing in SOC operational capability and maturity development, network edge traffic profiling, and adversary emulation in EDR testing.

GitHub repository: https://github.com/MichalSoltysikSOC/...

0:00 - In this video, I demonstrate Windows GUI tools for baseline-driven endpoint process and network monitoring. They capture a snapshot of running processes and connections, then continuously track post-baseline changes without discarding history, and correlate process and network data in a unified view. The extended version, Live Process Monitor Plus, integrates optional Sysmon telemetry for deeper timeline visibility.

0:36 - Live Process Monitor:

(1) Creates a baseline snapshot of running processes using Windows-native mechanisms (WMI and system APIs).
(2) Collects detailed process metadata, including parent-child relationships, executable paths, command lines, and SHA-256 file hashes.
(3) Monitors process lifecycle events in real time, including process start and process termination.
(4) Enumerates active TCP and UDP network endpoints and correlates them with owning processes (PID-based ownership).
(5) Tracks network connection history per process, including first seen time, last seen time, and end time for TCP connections.
(6) Performs optional reverse DNS resolution for public remote IP addresses to provide basic contextual information.
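The six points above describe a polling loop over a baseline: snapshot processes and endpoints, then diff each later poll against history instead of overwriting it. The script below is an added example written for this page, not code from LiveProcessMonitor or its author; every function name in it (Get-ProcessSnapshot, Get-NetworkSnapshot, Resolve-PublicIp, Start-BaselineMonitor) is hypothetical. It assumes Windows PowerShell 5.1 or newer with the NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint) and an elevated shell, so that the command line and owning PID are visible for every user's processes.

```powershell
# Added example, not LiveProcessMonitor's own code: a baseline-driven process and
# network monitor that keeps history rather than overwriting it, covering points
# (1)-(6) above. Assumes Windows PowerShell 5.1+ with the NetTCPIP module and an
# elevated shell, so CommandLine and OwningProcess are visible for all processes.

function Get-ProcessSnapshot {
    # CIM/WMI exposes the parent PID, full command line and creation time; Get-Process does not.
    $snap = @{}
    foreach ($p in Get-CimInstance Win32_Process) {
        $hash = $null
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            try { $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash } catch { }
        }
        # Key on PID and creation time together, so a reused PID shows up as a new process.
        $key = "$($p.ProcessId)|$($p.CreationDate)"
        $snap[$key] = [pscustomobject]@{
            Key = $key; Pid = $p.ProcessId; ParentPid = $p.ParentProcessId; Name = $p.Name
            Path = $p.ExecutablePath; CommandLine = $p.CommandLine; Sha256 = $hash; Created = $p.CreationDate
        }
    }
    return $snap
}

function Get-NetworkSnapshot {
    # Active TCP connections and bound UDP endpoints, each attributed to its owning PID.
    $snap = @{}
    foreach ($c in Get-NetTCPConnection) {
        $key = "TCP|$($c.LocalAddress):$($c.LocalPort)|$($c.RemoteAddress):$($c.RemotePort)|$($c.OwningProcess)"
        $snap[$key] = [pscustomobject]@{ Key = $key; Proto = 'TCP'; Local = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = "$($c.RemoteAddress):$($c.RemotePort)"; State = "$($c.State)"; Pid = $c.OwningProcess }
    }
    foreach ($u in Get-NetUDPEndpoint) {
        $key = "UDP|$($u.LocalAddress):$($u.LocalPort)|-|$($u.OwningProcess)"
        $snap[$key] = [pscustomobject]@{ Key = $key; Proto = 'UDP'; Local = "$($u.LocalAddress):$($u.LocalPort)"
            Remote = '-'; State = 'Bound'; Pid = $u.OwningProcess }
    }
    return $snap
}

function Resolve-PublicIp {
    param([string]$Ip)
    # Best-effort PTR lookup for public IPv4 only; private, loopback and link-local ranges are skipped.
    if ($Ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $null }
    if ($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.)') { return $null }
    try { return [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { return $null }
}

function Start-BaselineMonitor {
    param([int]$Polls = 30, [int]$IntervalSeconds = 2, [string]$OutDir = "$env:TEMP\lpm-demo")
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $procHist = @{}; $netHist = @{}   # only ever appended to: ended rows stay, with an Ended timestamp
    $t0 = Get-Date
    $meta = @{ Origin = 'baseline'; FirstSeen = $t0; LastSeen = $t0; Ended = $null }
    foreach ($p in (Get-ProcessSnapshot).Values) { $procHist[$p.Key] = $p | Add-Member -NotePropertyMembers $meta -PassThru }
    foreach ($c in (Get-NetworkSnapshot).Values) { $netHist[$c.Key] = $c | Add-Member -NotePropertyMembers ($meta + @{ Rdns = $null }) -PassThru }
    Write-Host "Baseline ($t0): $($procHist.Count) processes, $($netHist.Count) endpoints"

    for ($i = 0; $i -lt $Polls; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = Get-Date; $procs = Get-ProcessSnapshot; $nets = Get-NetworkSnapshot
        foreach ($p in $procs.Values) {
            if ($procHist.ContainsKey($p.Key)) { $procHist[$p.Key].LastSeen = $now; continue }
            $procHist[$p.Key] = $p | Add-Member -NotePropertyMembers @{ Origin = 'post-baseline'; FirstSeen = $now; LastSeen = $now; Ended = $null } -PassThru
            Write-Host "[+proc] $now PID $($p.Pid) PPID $($p.ParentPid) $($p.Path) :: $($p.CommandLine)"
        }
        foreach ($h in $procHist.Values) {
            if (-not $h.Ended -and -not $procs.ContainsKey($h.Key)) { $h.Ended = $now; Write-Host "[-proc] $now PID $($h.Pid) $($h.Name) ended" }
        }
        foreach ($c in $nets.Values) {
            if ($netHist.ContainsKey($c.Key)) { $netHist[$c.Key].LastSeen = $now; continue }
            $rdns = Resolve-PublicIp ($c.Remote.Split(':')[0])
            $netHist[$c.Key] = $c | Add-Member -NotePropertyMembers @{ Origin = 'post-baseline'; FirstSeen = $now; LastSeen = $now; Ended = $null; Rdns = $rdns } -PassThru
            Write-Host "[+net ] $now PID $($c.Pid) $($c.Proto) $($c.Local) -> $($c.Remote) $($c.State) $rdns"
        }
        foreach ($h in $netHist.Values) {
            if (-not $h.Ended -and -not $nets.ContainsKey($h.Key)) { $h.Ended = $now }
        }
    }
    # Export everything seen, baseline and post-baseline alike, for offline analysis.
    $procHist.Values | Sort-Object FirstSeen | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')
    $netHist.Values  | Sort-Object FirstSeen | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'network.csv')
    Write-Host "Exported to $OutDir"
}

Start-BaselineMonitor -Polls 30 -IntervalSeconds 2
```

Run it, then launch the sample you want to observe; new rows print with a `[+proc]`/`[+net ]` prefix and the CSVs keep every row, including ones that have ended. Two caveats worth keeping in mind for any polling-based monitor: anything that starts and exits within one poll interval is never seen (which is exactly the gap Sysmon Event IDs 1 and 5 close), and the SHA-256 is computed over the file on disk at poll time, so an image that is overwritten or deleted after launch hashes differently or not at all. The WMI command line is also read from the process's own memory and can be altered by the process.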

1:54 - When Sysmon is installed, running, and properly configured, Live Process Monitor Plus enriches process and network data with additional low-level telemetry:

(1) Correlates Sysmon Event ID 1 (Process creation) with existing process rows.
(2) Correlates Sysmon Event ID 5 (Process terminated) to record precise termination times.
(3) Correlates Sysmon Event ID 3 (Network connection detected) with existing or newly observed network connections.
(4) Displays all observed Sysmon Event IDs (1, 3, 5) per process in a dedicated column.
(5) Adds explicit Sysmon-based timestamps for process creation and termination.

2:19 - To enable Sysmon-based enrichment features in Live Process Monitor Plus, Sysmon must be installed, running, and configured with a compatible configuration file that enables logging of Sysmon Event IDs 1, 3, and 5.
SysmonConfigurator.exe can be used to configure Sysmon automatically.
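The requirement in the paragraph above (Sysmon logging Event IDs 1, 3 and 5) and the correlation steps listed under 1:54 are shown together below as an added example written for this page, not code from Live Process Monitor Plus or from SysmonConfigurator, whose configuration file is not shown on the page. The first part writes and applies a minimal Sysmon configuration that logs all three event types for every process; the second part pulls those events from the Sysmon channel and joins them per process. Assumptions: Sysmon64.exe is on PATH and its service is named Sysmon64 (the default for the 64-bit installer), the installed Sysmon accepts schema version 4.50 (check with `Sysmon64.exe -s`), the shell is elevated, and the function name Get-SysmonProcessTimeline is hypothetical.

```powershell
# Added example, not code from Live Process Monitor Plus or SysmonConfigurator.
# Part 1: a minimal Sysmon config that logs Event IDs 1, 3 and 5 for every process.
# Part 2: pull those events and correlate them per process on ProcessGuid.
# Assumptions: Sysmon64.exe on PATH, service name Sysmon64, schema 4.50 accepted,
# elevated shell.

$configPath = "$env:TEMP\sysmon-lpm.xml"
@'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- onmatch="exclude" with no rules inside means: log every event of this type. -->
    <ProcessCreate onmatch="exclude" />
    <NetworkConnect onmatch="exclude" />
    <ProcessTerminate onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Fresh install, or push the new config into an already-running Sysmon.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) { Sysmon64.exe -c $configPath }
else { Sysmon64.exe -accepteula -i $configPath }

function Get-SysmonProcessTimeline {
    param([int]$MaxEvents = 5000)
    # One query for all three IDs; the log returns newest first, so sort by time.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3, 5 } -MaxEvents $MaxEvents -ErrorAction Stop |
        Sort-Object TimeCreated
    $rows = [ordered]@{}
    foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
        $d = @{}
        foreach ($n in ([xml]($e.ToXml())).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # ProcessGuid, not PID, is the join key: Sysmon assigns it once per process
        # instance, so a PID reused after termination cannot merge two processes.
        $guid = $d['ProcessGuid']
        if (-not $rows.Contains($guid)) {
            $rows[$guid] = [pscustomobject]@{
                ProcessGuid = $guid; Pid = $d['ProcessId']; Image = $d['Image']; ParentImage = $null
                CommandLine = $null; Hashes = $null; Created = $null; Terminated = $null
                EventIds = [System.Collections.Generic.List[int]]::new()
                Connections = [System.Collections.Generic.List[string]]::new()
            }
        }
        $r = $rows[$guid]
        if (-not $r.EventIds.Contains($e.Id)) { $r.EventIds.Add($e.Id) }
        switch ($e.Id) {
            1 { $r.Created = $d['UtcTime']; $r.CommandLine = $d['CommandLine']; $r.ParentImage = $d['ParentImage']; $r.Hashes = $d['Hashes'] }
            3 { $r.Connections.Add("$($d['UtcTime']) $($d['Protocol']) $($d['SourceIp']):$($d['SourcePort']) -> $($d['DestinationIp']):$($d['DestinationPort']) $($d['DestinationHostname'])") }
            5 { $r.Terminated = $d['UtcTime'] }
        }
    }
    return $rows.Values
}

# Short-lived processes appear here even if a periodic poll never saw them: the
# creation (1) and termination (5) events carry Sysmon's own UTC timestamps.
$timeline = Get-SysmonProcessTimeline
$timeline | Where-Object { $_.Connections.Count -gt 0 } |
    Select-Object Pid, Image, Created, Terminated, @{ n = 'EventIds'; e = { ($_.EventIds | Sort-Object) -join ',' } },
                  @{ n = 'Connections'; e = { $_.Connections.Count } } | Format-Table -AutoSize
$timeline | Select-Object ProcessGuid, Pid, Image, ParentImage, CommandLine, Hashes, Created, Terminated,
    @{ n = 'EventIds'; e = { ($_.EventIds | Sort-Object) -join ',' } }, @{ n = 'Connections'; e = { $_.Connections -join ' ; ' } } |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\sysmon-timeline.csv"
```

The EventIds column reproduces the "all observed Sysmon Event IDs per process" view from point (4), and Created/Terminated are the explicit Sysmon timestamps from point (5). Two practical notes: Event ID 3 is written asynchronously and can trail the connection by several seconds, so a row may briefly show 1 and 5 before its 3 arrives; and a config with no exclusions is fine for a lab but very noisy on a busy host, where you would normally exclude known-good network and termination activity rather than log all of it.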

The suite supports optional reputation enrichment using VirusTotal and AbuseIPDB, allowing analysts to quickly enrich findings while maintaining a baseline-first workflow.

In this demo, I walk through:

2:46 - (1) The use of widely adopted tools for monitoring system resources, including process execution and network connections (Process Hacker, System Informer, Process Explorer, and Process Monitor).
6:24 - (2) The use of SysmonConfigurator to automatically configure Sysmon for Live Process Monitor Plus.
8:14 - (3) Initial usage of Live Process Monitor and Live Process Monitor Plus.
10:27 - (4) Executing processes and generating network connections using a pseudo-malware sample.
16:16 - (5) Advanced usage of Live Process Monitor.
21:50 - (6) Advanced usage of Live Process Monitor Plus.
24:11 - (7) Exporting collected evidence and logs to CSV for further analysis and reporting.

26:35 - This tool is designed to assist with threat hunting, malware analysis, and broader Blue Team operations by preserving short-lived executions and correlating them with network activity.

All tools shown in this video are free for personal and commercial use.

Contact:
Mail: [email protected]
LinkedIn: /michal-soltysik-ssh-soc
GitHub: https://github.com/MichalSoltysikSOC
Accredible: https://www.credential.net/profile/mi...
Credly: https://www.credly.com/users/michal-s...
