Script House
Process Hunting
CLH-005 of 015

Process Investigation

Find the rogue process. Malware hides in plain sight among legitimate services.

ANOMALY DETECTED

System monitoring flagged unusual CPU activity. A process snapshot has been captured. Your mission: analyze the running processes and identify the suspicious one that doesn't belong.

Understanding Linux Processes

Every program running on Linux is a process with a unique Process ID (PID). Malware, backdoors, and crypto miners all run as processes - and they can't hide from ps, top, and htop.

The key to finding malicious processes is knowing what's normal. Legitimate system processes have recognizable names, run from standard locations, and consume expected resources.

Process Investigation Commands

Command                  Purpose
ps aux                   List all processes with details (user, CPU, memory, command)
ps aux --sort=-%cpu      Sort by CPU usage (highest first)
top                      Real-time process monitor (q to quit)
htop                     Enhanced process viewer with colors
pstree                   Show process hierarchy (parent/child relationships)
lsof -p [PID]            List files opened by a process
kill -9 [PID]            Force terminate a process
analyst@system:~$ ps aux --sort=-%cpu | head -5
USER   PID  %CPU  %MEM    VSZ   RSS  COMMAND
root    11   8.2   5.1  16432  9760  /usr/bin/unknown_process
user     9   2.4   1.3   8764  4236  /usr/lib/firefox/firefox
user    10   3.1   1.8  11236  6344  /usr/lib/libreoffice/program/soffice.bin
root     8   5.2   2.1  12348  5692  /usr/bin/apt-get update
# Wait... what is "unknown_process"? That's not normal!

Red Flags in Process Lists

Unknown Names

Processes with generic names such as "update", "system" or "unknown_process" that do not correspond to any standard system component.

High Resource Usage

Crypto miners and malware often consume excessive CPU/memory with no apparent purpose.

Unusual Paths

Legitimate binaries run from /usr/bin, /usr/sbin. Watch for /tmp, /dev/shm, or hidden directories.

Wrong User

Web servers shouldn't run as root. User processes shouldn't spawn system services.
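One way to apply the four red-flag checks above to a ps aux listing automatically, as an added example that is not part of the lab: a short Python script that parses the output by its header (so it also handles the real 11-column ps aux layout, not only the 7-column snapshot shown here), runs the name, CPU, path and user checks on each process, and reports the flags raised per PID. The allowlist of known names, the 5% CPU threshold, the suspicious-path prefixes and the two extra sample rows (an apache2 running as root and a binary under /tmp/.x) are assumptions made for the demonstration.

```python
# Constructed ps aux style sample (not a real capture): the page's four rows plus two extra rows
# that exercise the path and user checks.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS COMMAND
root 11 8.2 5.1 16432 9760 /usr/bin/unknown_process
user 9 2.4 1.3 8764 4236 /usr/lib/firefox/firefox
user 10 3.1 1.8 11236 6344 /usr/lib/libreoffice/program/soffice.bin
root 8 5.2 2.1 12348 5692 /usr/bin/apt-get update
root 41 0.2 0.6 9500 3200 /usr/sbin/apache2 -k start
root 42 0.3 0.4 8000 2500 /tmp/.x/kthreadd
"""

# Hypothetical baseline of what is normal on this host; a real allowlist comes
# from a known-good snapshot of the same system, not from this list.
KNOWN_NAMES = {"systemd", "sshd", "apt-get", "firefox", "soffice.bin",
               "nginx", "apache2", "update-manager"}
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")
WEB_SERVERS = {"nginx", "apache2", "httpd"}
CPU_THRESHOLD = 5.0  # percent; tune to the host's normal load

def parse_ps(text):
    """Parse ps aux output by its header, so the real 11-column layout works too."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    cmd_idx = header.index("COMMAND")  # everything from this column on is the command
    col = {n: header.index(n) for n in ("USER", "PID", "%CPU")}
    procs = []
    for line in lines[1:]:
        parts = line.split(None, cmd_idx)  # keep spaces inside the command line
        procs.append({"user": parts[col["USER"]], "pid": int(parts[col["PID"]]),
                      "cpu": float(parts[col["%CPU"]]), "cmd": parts[cmd_idx]})
    return procs

def red_flags(proc):
    """Apply the page's four red-flag checks to one process; returns the flags raised."""
    path = proc["cmd"].split()[0]
    name = path.rsplit("/", 1)[-1]
    flags = []
    if name not in KNOWN_NAMES:
        flags.append("unknown name")
    if proc["cpu"] >= CPU_THRESHOLD:
        flags.append("high cpu")
    if path.startswith(SUSPICIOUS_PREFIXES) or "/." in path:  # temp dir or hidden dir/file
        flags.append("unusual path")
    if name in WEB_SERVERS and proc["user"] == "root":
        flags.append("wrong user")
    return flags

def hunt(text):
    """Return {pid: flags} for every process that raised at least one flag."""
    return {p["pid"]: f for p in parse_ps(text) if (f := red_flags(p))}
```

A single flag (apt-get briefly over the CPU threshold) is a lead, not a verdict; the process that stacks several flags, like PID 11 here, is the one to investigate first with lsof and file.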

LAB: Find the Anomaly

A system administrator captured this process snapshot. One process doesn't belong. Use the terminal to investigate and identify the suspicious process.

TIME      PROCESS          PID  %CPU  %MEM  COMMAND
14:26:45  systemd            1   0.0   0.1  /lib/systemd/systemd
14:26:45  sshd               6   0.0   0.0  /usr/sbin/sshd
14:28:33  apt-get            8   5.2   2.1  /usr/bin/apt-get update
14:29:12  firefox            9   2.4   1.3  /usr/lib/firefox/firefox
14:29:15  libreoffice       10   3.1   1.8  /usr/lib/libreoffice/...
14:30:00  unknown_process   11   8.2   5.1  /usr/bin/unknown_process
14:30:02  update-manager    12   1.3   0.7  /usr/bin/update-manager
Process Investigation Lab
==========================
Process snapshot loaded. Find the anomaly.
Commands available:
  ps aux
  ps aux --sort=-%cpu
  ps aux | grep [name]
  kill -9 [PID]
  file /usr/bin/[process]
THREAT NEUTRALIZED!

You identified and killed the malicious process:

  • Process: unknown_process (PID 11)
  • Red flags: Generic name, high CPU (8.2%), unknown origin
  • Action: Terminated with kill -9 11

Ready to Test Your Skills?

Complete the quiz to prove your process hunting abilities.

Completing CLH-004 to CLH-006 earns: CLI Analyst