Say you have the ability to spin up new ready-to-go workstations and log in with a representative user account. Do that, then dump the memory and save it as a baseline. Then do this to compare it to that of a breached machine of the same kind:
volatility -f /path/to/memory/dump.001 --profile= -B /path/to/baseline.img processbl -U 2>/dev/null
The -U flag gives you processes that are in the breached dump but were NOT in the baseline dump.
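The same baseline-versus-suspect idea in plain Python, as an added example that is not part of the original post or the processbl plugin: it parses Volatility 2 pslist text output (constructed sample rows below; process names are assumed to contain no spaces) and reports the processes only the suspect image has, plus, as an extra check the post does not make, baseline-known names running under a parent the baseline never showed.

```python
"""Baseline comparison of process lists, in the spirit of processbl -U: parse Volatility 2
pslist output for a baseline and a suspect image and report what the suspect image adds."""
from typing import Dict, List, Set, Tuple
Proc = Tuple[str, int, int]     # (name, pid, ppid) as parsed from pslist
Finding = Tuple[str, int, str]  # (name, pid, parent name) reported to the analyst
# Constructed sample output in Volatility 2 pslist layout, not from real dumps.
BASELINE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x81e6ac28 services.exe            652    608     16      243      0      0 2020-01-01 09:00:02 UTC+0000
0x81e1d2d8 svchost.exe             856    652     21      199      0      0 2020-01-01 09:00:03 UTC+0000
0x82112020 explorer.exe           1464   1412     17      415      0      0 2020-01-01 09:00:10 UTC+0000
"""
# Same machine type after a suspected breach: two additional processes appear.
SUSPECT_PSLIST = BASELINE_PSLIST + """\
0x81fa0b90 svchost.exe            2140   1464      3       67      0      0 2020-01-01 12:31:07 UTC+0000
0x81f3c6a0 updater.exe            2312   2140      2       41      0      0 2020-01-01 12:31:09 UTC+0000
"""

def parse_pslist(text: str) -> List[Proc]:
    """Extract (name, pid, ppid) from each data row; assumes process names contain no spaces."""
    rows: List[Proc] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        rows.append((parts[1].lower(), int(parts[2]), int(parts[3])))
    return rows

def parents_by_name(rows: List[Proc]) -> Dict[str, Set[str]]:
    """Map each process name to the set of parent names it was seen running under."""
    name_of = {pid: name for name, pid, _ in rows}
    seen: Dict[str, Set[str]] = {}
    for name, _, ppid in rows:
        seen.setdefault(name, set()).add(name_of.get(ppid, "<unknown>"))
    return seen

def compare(baseline_text: str, suspect_text: str) -> Tuple[List[Finding], List[Finding]]:
    """Return (unknown, odd_parent): names absent from the baseline (the -U view), and known names whose parent the baseline never showed."""
    baseline = parents_by_name(parse_pslist(baseline_text))
    suspect = parse_pslist(suspect_text)
    name_of = {pid: name for name, pid, _ in suspect}
    unknown, odd_parent = [], []
    for name, pid, ppid in suspect:
        parent = name_of.get(ppid, "<unknown>")
        if name not in baseline:
            unknown.append((name, pid, parent))
        elif parent not in baseline[name]:
            odd_parent.append((name, pid, parent))
    return unknown, odd_parent
```

With the sample rows, `compare(BASELINE_PSLIST, SUSPECT_PSLIST)` lists updater.exe as unknown and the second svchost.exe as a known name under an unseen parent (explorer.exe). Feed it the saved pslist output of your own baseline and breached images in place of the constructed strings.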