Windows Event Logs

• Shows fie version number, timestamp information, and digital signature details (including certificate chains)

• Also has an option to check VirusTotal

Use: Check for unsigned files in C:\Windows\System32

If there are any results, an investigation is necessary.

Every file has at least one data stream ($DATA). Windows Explorer does not display alternate data streams (ADS) to the user. PowerShell can!

Malware writers use ADS to hide data in an endpoint.

Use: When you download a file from the internet, there are identifiers written in ADS to identify that it was downloaded via internet

streams C:\Users\<Username>\Desktop\SysinternalsSuite.zip - accepteula

Return: :Zone.Identifier:$DATA [number]

Use: Finding streams inside file

streams C:\Users\Administrator\Desktop -accepteula

Output: :ads.txt:$DATA 26

Input: notepad C:\Users\Administrator\Desktop\file.txt:ads.txt

Output: Notepad with streams

Allows you to delete one or more files and/or directories or to cleanse the free space on a logical disk

(Implemented the Department of Defense clearing and sanitizing protocol)

Used by adversaries [MITRE Technique T1485] (Data Destruction)

Shows detailed listings of all TCP and UDP endpoints on you system

More convenient than Netstat

Shows what programs are configured to run during system bootup or login

(Good tool to search for many malicious entries created to establish Persistence)

Monitors an application for CPU spikes

• Generates crash dumps during a spike

Top Window: Show list of activity running processes

Bottom Window: Depends on the mode (Handle & DLL)

Verifies Signatures

Colors:

• Purple: Indication that files may be packed

• Red: Process is exiting

• Green: Process was freshly spawned

• Light Blue: Processes are ran by the same account that started Process Explorer

• Dark Blue: Process is selected

• Pink: Process is a service

• Dark Grey: Process that is suspended

(ProcMon)

Shows real-tine file system, registry, and process/thread activity

When launched, ProcMon will capture thousands of events occurring within the operating system.

Telnet-replacement that allows for the execution of processes on other systems without having to install software

Used by adversaries

• MITRE Technique T1570, T1021.002, T1569, S0029

System Monitor

Driver that remains resident across system reboots to monitor and log system activity into the Windows event log

• Provides detailed information about process creations, network connections, and changes to file creation time

Uses the native Windows NT API to access and display information on the NT object manager’s name space

Displays relevant information about a Windows computer on the desktop’s background

Takes a egstry path and makes Regedit open to that past

Accepts root keys in standard and abbreviated form

Scans he file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more characters

Use: strings .\file.exe | findstr hi

Output:

Hi my name is

My name is Hi

name Hi is my

etc.

• Runs only in Kernel mode.

• Is a system thread. (Have all attributes of regular user-mode threads but only run in kernel-mode and execute code in system space)

PID: 4

Image Path: N/A

Parent Process: <None>

User Account: Local System

Start Time: Boot

Session Manager Subsystem (Windows Session Manager)

• Responsible for creating new sessions

• First user-mode process started by the kernel

• Responsible for creating environment variables, virtual memory paging files, and starts winlogon.exe

• Includes win32k.sys (kernel mode), winsrv.dll (user mode), and csrss.exe (user mode)

• Starts csrss.exe and and wininit.exe in Session 0

• Starts another csrss.exe and winlogon.exe in Session 1

Image Path: %SystemRoot%\System32\smss.exe

Parent Process: System

Number of Instances: One master instance and child instance per session

User Account: Local System

Start Time: Boot

Client Server Runtime Process

• User-mode side of the Windows Subsystem

• If terminated, system will fail

• Responsible for the Windows32 console window and process thread creation and deletion

• Loads many dls including (csrsv.dll, bassrv.dll, and winserv.dll)

• Responsible for making the Windows API available to other processes

• Responsible for handling the Windows shutdown process and mapping drive letters

• Session 0

Image Path: %SystemRoot%\System32\csrss.exe

Parent Process: Created by smss.exe

Number of Instances: Two or more

User Account: Local System

Start Time: Boot/Start times for additional instances occur when new sessions are created

Windows Initialization Process

• Responsible for launching service.exe, lsass.exe, and lsaiso.exe in Session 0

• Critical windows process

Image Path: %SystemRoot%\System32\wininit.ex

Parent Process: Created by smss.exe

Number of Instances: One

User Account: Local System

Start Time: Boot

Service Control Manager

• Handles system services

  • Loading services

  • Interacting with services

  • Ending service

• Maintains a database that can be quired using sc.exe

• When a user logs in, the process sets the value of the Last Known Good Configuration to the same as the CurrentControlSet

• Parent to svchost.exe, spoolsv.exe, msmpeng.exe, and dllhost.exe

Image Path: %SystemRoot%\System32\services.exe

Parent Process: winit.exe

Number of Instances: One

User Account: Local System

Start Time: Boot

Service Host

• Responsible for hosting and managing Windws services

• -k is how a genuine svchost.exe is called

• Target for malicious actors

Image Path: %SystemRoot%\System32\svchost.exe

Parent Process: services.exe

Number of Instances: Multiple

User Account: Varies (SYSTEM, Network Services, Local Service, sometimes logged in user)

Start Time: Boot/Other instances can be started

Local Security Authority Subsystem Service

• Responsible for enforcing the security policy on system

• Verifies user logons, handles password changes, creates across tokens

• Writes to the Windows Security Log

• Also a common target. Used to dump credentials or hide in plain sight.

Image Path: %SystemRoot%\System32\lsass.exe

Parent Process: wininit.exe

Number of Instances: One

User Account: Local System

Start Time: Boot

Windows Logon

• Responsible for handling the Secure Attention Sequence (ALT+CTRL+DEL)

• Responsible or loading user profile

Image Path: %SystemRoot%\System32\winlogon.exe

Parent Process: smss.exe (usually exits)

Number of Instances: One or more

User Account: Local System

Start Time: Boot/Start times for additional instances occur when new sessions are created (RD or switching logons)

Windows Explorer

• Gives the user access to their folders and files

• Provides functionality for Start Menu, Taskbar & more

Image Path: %SystemRoot%\explorer.exe

Parent Process: userinit.exe (usually exits)

Number of Instances: One or more

User Account: Logged in user(s)

Start Time: User logon session begins