{"id":5586,"date":"2018-11-22T01:10:07","date_gmt":"2018-11-22T01:10:07","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5586"},"modified":"2018-11-22T01:10:07","modified_gmt":"2018-11-22T01:10:07","slug":"using-start-time-of-the-existing-guest-os-processes-as-a-possible-anti-trick","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/11\/22\/using-start-time-of-the-existing-guest-os-processes-as-a-possible-anti-trick\/","title":{"rendered":"Using Start Time of the existing guest OS processes as a possible Anti-* trick"},"content":{"rendered":"<p>When you run the WMI command:<\/p>\n<pre>wmic process get name, creationdate<\/pre>\n<p>you get a list of process names and their creation dates.<\/p>\n<p>When I was testing it on my VM I realized that the results expose my VM as a sandbox. Since I saved the VM snapshot a while ago, the creation dates of many running processes were really old. Only a few processes had today&#8217;s date.<\/p>\n<p>So, if you see any process (or a cluster of processes) that is older than&#8230; say&#8230; 6-12 months, it is highly likely that the sample is being executed inside a sandbox. While uptimes are much longer now than in the past, systems that run processes for more than a year are suspicious; after all, patching affects all systems, and if there was no restart within the last year it&#8217;s at least unusual&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you run the WMI command: wmic process get name, creationdate you get a list of process names, and their creation dates. 
When I was testing it on my VM I realized that the results expose my VM as a &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/11\/22\/using-start-time-of-the-existing-guest-os-processes-as-a-possible-anti-trick\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5586"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5586"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5586\/revisions"}],"predecessor-version":[{"id":5587,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5586\/revisions\/5587"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}