Comparison of ODB console
Wordpad.exe:
Notepad.exe:
Not much difference when it comes to ODB console. Spoofing occurs first when I ran as administrator for both wordpad.exe and wordpad.exe. consent.exe is created before the creation of wordpad.exe and notepad.exe. consent.exe is a file that launches the user interface for the User Account Control (UAC), an authorization layer for Windows. consent.exe will be created whenever we run a process as an administrator. After consent.exe was created, we see the creation of audiodg.exe, which is the alert sound when you try to run a process as an administrator. Lastly, we then see the creation of wordpad.exe/notepad.exe.
Order: Spoof → consent.exe → audiodg.exe → wordpad.exe/notepad.exe
consent.exe:
No UserActionTracking edge that is linked to consent.exe. No UAT edges because it is unreachable to UAT. By default, all process is BG until we can link a UAT event to it. By right consent.exe should be a foreground process.
Comparison of OrientDB graph
Wordpad.exe:
Notepad.exe:
There is only one difference when comparing the two graphs. The only difference is the Image path. wordpad.exe is stored in Program Files\Windows NT\Accessories while notepad.exe is stored in Windows\System32. Not much difference since the process lineage sequence is very similar.
Â