# Windows basics 101

###### tags: `cybersecurity` `windows` `blueteam`

## Core Windows Processes

The location of all the executables is C:\Windows\System32, except for explorer.exe (which lives in C:\Windows).

### smss.exe

Session Manager Subsystem (smss.exe) is responsible for creating new sessions. It is the first user-mode process started by the kernel. It starts the kernel-mode and user-mode parts of the Windows subsystem, including:

* win32k.sys (kernel mode)
* winsrv.dll (user mode)
* csrss.exe (user mode)

Smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated Windows session for the operating system, and csrss.exe and winlogon.exe in Session 1, which is the user session. The first child instance creates child instances in new sessions. This is done by smss.exe copying itself into the new session and self-terminating. Smss.exe is also responsible for creating environment variables and virtual memory paging files, and for starting winlogon.exe.

Unusual stuff to look out for:

* A parent process other than System (PID 4).
* Image path is different from C:\Windows\System32.
* More than one running process.
* User is not SYSTEM.
* Unexpected registry entries for Subsystem.

### csrss.exe

Client Server Runtime Process is the user-mode side of the Windows subsystem. It is always running and is system critical; terminating the process would lead to system failure. It is responsible for the Win32 console window and for process/thread creation and deletion. For each instance, csrsrv.dll, basesrv.dll, and winsrv.dll are loaded. It is also responsible for making the Windows API available to other processes, mapping drive letters, and handling the Windows shutdown process.
Unusual stuff to look out for:

* An actual parent process (smss.exe calls this process and then self-terminates).
* Image file path other than C:\Windows\System32.
* Subtle misspellings to hide rogue processes masquerading as csrss.exe.
* User is not SYSTEM.

### wininit.exe

Runs in the background along with its child processes:

- services.exe - Service Control Manager
- lsass.exe - Local Security Authority
- lsaiso.exe - associated with Credential Guard and Key Guard; only present if Credential Guard is enabled.

Unusual stuff to look out for:

* An actual parent process (smss.exe calls this process and self-terminates).
* Image file path other than C:\Windows\System32.
* Subtle misspellings to hide a rogue process in plain sight.
* Multiple running instances.
* Not running as SYSTEM.

### wininit.exe > services.exe

Service Control Manager is primarily responsible for loading and interacting with services. It maintains a database that can be queried using the Windows built-in utility `sc.exe`. Information regarding services is stored in the registry under HKLM\System\CurrentControlSet\Services. It loads device drivers marked as auto-start into memory. Upon successful user logon, the process sets the value of the last known good control set configuration, HKLM\System\Select\LastKnownGood.

It is the parent process of svchost.exe, spoolsv.exe, msmpeng.exe and dllhost.exe.

Unusual stuff to look out for:

* A parent process other than wininit.exe.
* Image file path other than C:\Windows\System32.
* Subtle misspellings to hide a rogue process in plain sight.
* Multiple running instances.
* Not running as SYSTEM.

### wininit.exe > services.exe > svchost.exe

Host Process for Windows Services is responsible for hosting and managing Windows services. Services running in this process are implemented as DLLs. The DLL to load is stored in the registry for the service under the Parameters subkey, in the ServiceDll value.
The full path is HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters.

Unusual stuff to look out for:

* A parent process other than services.exe.
* Image file path other than C:\Windows\System32.
* Subtle misspellings to hide a rogue process in plain sight.
* The absence of the -k parameter in the command line or binary path.

### lsass.exe

Local Security Authority Subsystem Service is responsible for enforcing the security policy on the system. It verifies users logging into a Windows computer or server, handles password changes, and creates access tokens. It writes to the Windows Security log. It creates security tokens for the SAM (Security Account Manager), AD, and NETLOGON. Its authentication packages are specified in HKLM\System\CurrentControlSet\Control\Lsa.

Unusual stuff to look out for:

* A parent process other than wininit.exe.
* Image file path other than C:\Windows\System32.
* Subtle misspellings to hide a rogue process in plain sight.
* Multiple running instances.
* Not running as SYSTEM.

### winlogon.exe

Windows Logon is responsible for handling the Secure Attention Sequence (SAS), the CTRL + ALT + DEL key combination users press to enter their username and password. It is responsible for loading the user profile, which is done by loading the user's NTUSER.dat file into HKCU, and via userinit.exe it loads the user's shell.

Unusual stuff to look out for:

* An actual parent process (smss.exe calls this process and self-terminates).
* Image file path other than C:\Windows\System32.
* Subtle misspellings to hide a rogue process in plain sight.
* Not running as SYSTEM.
* Shell value in the registry other than explorer.exe.

### explorer.exe

Gives users access to their files and folders. Winlogon.exe runs userinit.exe, which launches the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.

Unusual stuff to look out for:

* An actual parent process (userinit.exe calls this process and exits).
* Image file path other than C:\Windows.
* Running as an unknown user.
* Subtle misspellings to hide a rogue process in plain sight.
* Outbound TCP/IP connections.

Additional resources:

* [Threat Hunting](https://www.threathunting.se/tag/windows-process/)
* [Hunt Evil](https://www.sans.org/posters/hunt-evil/)
* [Windows Internals](https://docs.microsoft.com/en-us/sysinternals/resources/windows-internals)

## Sysinternals

Sysinternals is a compilation of over 70 Windows tools that fall into the following categories:

* File and Disk Utilities
* Networking Utilities
* Process Utilities
* Security Utilities
* System Information
* Miscellaneous

Sysinternals utilities [index](https://docs.microsoft.com/en-us/sysinternals/downloads/) page

Sysinternals [live URL](https://live.sysinternals.com/)

Download the zip from [here](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)

System Properties can be launched from the command line by running `sysdm.cpl`; you'll need this for editing the environment variables to add your new install to PATH.

Alternatively, a PowerShell module can download and install all of the Sysinternals tools:

```PowerShell
Download-SysInternalsTools C:\Tools\Sysint
```

## File and Disk Utilities

### Sigcheck

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It can also look up the file info on VirusTotal.

```
sigcheck -u -e C:\Windows\System32
```

This checks for all unsigned files in C:\Windows\System32 (the location of all executables aside from explorer.exe).

* `-u`: if the VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection.
* `-e`: scan executable images only, regardless of their extension.

### Streams

Windows NTFS provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream.
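The checks listed under Core Windows Processes above, together with a signature check in the spirit of `sigcheck -u -e`, gathered into one PowerShell script. This is an added example, not code from the original notes; the expected values in `$baseline`, the `Get-AlternateStreams`-style helper names and the output layout are assumptions drawn from the "unusual stuff" lists, so tune them for your own hosts.

```powershell
# Added example, not part of the original notes: a PowerShell baseline check
# for the core processes described above, plus a signature check in the spirit
# of "sigcheck -u -e". The expected values in $baseline are assumptions drawn
# from the "unusual stuff" lists; adjust them for your own hosts.
# Run elevated so that ExecutablePath, CommandLine and GetOwner work for every PID.

$sys32  = Join-Path $env:SystemRoot 'System32'
$system = 'NT AUTHORITY\SYSTEM'

# Expected parent image, image directory, owner and maximum instance count.
# Parent 'None' means the creator has already exited (smss.exe / userinit.exe).
# User $null means any account is fine; Max 0 means no limit (one per session etc.).
$baseline = @{
    'smss.exe'     = @{ Parent = 'System';       Dir = $sys32;          User = $system; Max = 1 }
    'csrss.exe'    = @{ Parent = 'None';         Dir = $sys32;          User = $system; Max = 0 }
    'wininit.exe'  = @{ Parent = 'None';         Dir = $sys32;          User = $system; Max = 1 }
    'services.exe' = @{ Parent = 'wininit.exe';  Dir = $sys32;          User = $system; Max = 1 }
    'lsass.exe'    = @{ Parent = 'wininit.exe';  Dir = $sys32;          User = $system; Max = 1 }
    'winlogon.exe' = @{ Parent = 'None';         Dir = $sys32;          User = $system; Max = 0 }
    'svchost.exe'  = @{ Parent = 'services.exe'; Dir = $sys32;          User = $null;   Max = 0 }
    'explorer.exe' = @{ Parent = 'None';         Dir = $env:SystemRoot; User = $null;   Max = 0 }
}

$procs  = Get-CimInstance -ClassName Win32_Process
$byPid  = @{}
$counts = @{}
foreach ($p in $procs) {
    $byPid[[int]$p.ProcessId] = $p
    $counts[$p.Name.ToLower()] = 1 + [int]$counts[$p.Name.ToLower()]
}

$findings = @(foreach ($p in $procs) {
    $name = $p.Name.ToLower()
    $rule = $baseline[$name]
    if (-not $rule) { continue }

    # Resolve the parent. If the parent PID was recycled after the real parent
    # exited, the "parent" was created after this process: treat that as 'None'.
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent -and $parent.CreationDate -le $p.CreationDate) { $parent.Name } else { 'None' }

    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $user  = if ($owner -and $owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }

    $issues = @()
    if ($parentName -ine $rule.Parent) { $issues += "parent is $parentName, expected $($rule.Parent)" }
    if ($rule.User -and $user -ine $rule.User) { $issues += "runs as $user, expected $($rule.User)" }
    if ($rule.Max -gt 0 -and $counts[$name] -gt $rule.Max) { $issues += "$($counts[$name]) instances, max $($rule.Max)" }
    if ($name -eq 'svchost.exe' -and $p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') { $issues += 'no -k in command line' }

    if ($p.ExecutablePath) {
        $dir = Split-Path -Path $p.ExecutablePath -Parent
        if ($dir -ine $rule.Dir) { $issues += "image dir is $dir, expected $($rule.Dir)" }
        # What sigcheck reports as unsigned: anything but a valid (embedded or catalog) signature.
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid') { $issues += "signature status: $($sig.Status)" }
    } else {
        $issues += 'image path not readable (run elevated)'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Parent = $parentName; Issues = ($issues -join '; ') }
    }
})

# The winlogon.exe section's registry check: the Shell value should be explorer.exe.
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell).Shell
if ($shell -ine 'explorer.exe') {
    $findings += [pscustomobject]@{ Pid = 0; Name = 'Winlogon\Shell'; Parent = ''; Issues = "Shell is '$shell', expected explorer.exe" }
}

$findings | Format-Table -AutoSize
```

Two details matter when you run this for real: the parent-PID lookup compares creation times because Windows recycles PIDs, so a stale `ParentProcessId` can point at an unrelated newer process; and owner, path and command line are only readable for protected processes such as lsass.exe and csrss.exe from an elevated prompt, so an unelevated run reports those fields as unknown rather than silently passing them.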
Alternate Data Streams (ADS) are a file attribute specific to Windows NTFS. Every file has at least one data stream ($DATA), and ADS allows files to contain more than one stream of data. You can view ADS with PowerShell or with third-party tools like streams. You can use the `file:stream` syntax to read and write Alternate Data Streams.

```
streams [file path]
```

This scans the file for data streams.

![](https://i.imgur.com/hSr0xdj.png)

### SDelete

Secure Delete allows you to delete one or more files/directories or to cleanse free space on a logical disk. It implements DOD 5220.22-M (the Department of Defense clearing and sanitizing protocol):

* pass 1: writes a zero and verifies the write
* pass 2: writes a one and verifies the write
* pass 3: writes a random character and verifies the write

SDelete is associated with the following MITRE ATT&CK techniques:

- Data Destruction [T1485](https://attack.mitre.org/techniques/T1485/)
- Indicator Removal on Host: File Deletion [T1070.004](https://attack.mitre.org/techniques/T1070/004/)
- SDelete's own MITRE software ID is [S0195](https://attack.mitre.org/software/S0195/)

Read more about SDelete [here](https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete). Other tools in the File and Disk Utilities category can be found [here](https://docs.microsoft.com/en-us/sysinternals/downloads/file-and-disk-utilities).

## Networking Utilities

TCPView provides a detailed view of network resource utilization.

```
tcpview --accepteula
```

## Process Utilities

### Autoruns

Shows you what programs are configured to start during system boot or login, and when you start various Windows apps. It reports shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, etc. Useful when searching for any malicious entries aimed at persistence.
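The Streams section above explains the `$DATA` main stream and the `file:stream` form without showing what an ADS looks like on disk. The following PowerShell is an added example, not from the original notes or from Sysinternals: it creates a file with a named stream, lists the streams the way `streams <file>` would, reads the hidden stream back and sweeps a folder for streams other than the usual Zone.Identifier. The file name, stream name and the `Get-AlternateStreams` helper are constructed for the demo.

```powershell
# Added example, not part of the original notes: create a file with an
# alternate data stream, enumerate its streams as "streams <file>" would,
# read the hidden stream back, and sweep a folder for non-standard streams.
# File and stream names here are constructed for the demo.

$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'visible content'

# A second, named stream. The main unnamed stream (:$DATA) is untouched, so
# the file size Explorer shows is unchanged and the extra data is not listed.
Set-Content -Path $file -Stream 'hidden' -Value 'content stored in an alternate data stream'

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item -Stream * lists every stream; ':$DATA' is the main stream,
    # anything else is an ADS worth a look.
    Get-Item -Path $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Bytes   = $_.Length
                Preview = Get-Content -Path $Path -Stream $_.Stream -TotalCount 1
            }
        }
}

# The same information streams.exe prints for the file.
Get-AlternateStreams -Path $file | Format-Table -AutoSize

# Reading the stream by name; this is what the file:stream form addresses.
Get-Content -Path $file -Stream 'hidden'

# Sweep a folder: Zone.Identifier is the normal "mark of the web" on downloads;
# anything else (especially large streams) deserves a closer look.
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AlternateStreams -Path $_.FullName } |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Format-Table -AutoSize

# Remove only the demo stream; the main data is unaffected.
Remove-Item -Path $file -Stream 'hidden'
```

The `-Stream` parameter on `Get-Item`, `Get-Content`, `Set-Content` and `Remove-Item` is the supported PowerShell route to ADS; copying a file to a non-NTFS volume (FAT32, a network share on another filesystem) silently drops the named streams, which is also why an ADS-based hiding spot does not survive most exfiltration paths but does survive ordinary on-disk inspection.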
### ProcDump

[ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.

### ProcMon

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including:

* rich and non-destructive filtering,
* comprehensive event properties such as session IDs and user names,
* reliable process information,
* full thread stacks with integrated symbol support for each operation,
* simultaneous logging to a file.

Read more about configuring ProcMon [here](https://adamtheautomator.com/procmon/).

### PsExec

PsExec is a lightweight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

## Security Utilities

### Sysmon

Sysmon is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about:

* process creations
* network connections
* changes to file creation time

Collecting the events it generates using Windows Event Collection or SIEM agents, and subsequently analyzing them, allows analysts to identify malicious activity and understand how malware and intruders operate on their networks.
## System Information

### WinObj

WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's namespace.

```
winobj
```

## Additional resources

Here are some good YouTube videos on:

* [Malware hunting with sysinternals](https://www.youtube.com/watch?v=A_TPZxuTzBU)
* [Malware Hunting with Sys Internals](https://www.youtube.com/watch?v=vW8eAqZyWeo)

## Let's talk processes vs threads

Each process provides the resources needed to execute a program. A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution. Each process is started with a single thread, the primary thread, but can create additional threads from any of its threads.

A thread is the entity within a process that can be scheduled for execution. All threads of a process share its virtual address space and system resources. Each thread maintains exception handlers, a scheduling priority, thread local storage, a unique thread identifier, and a set of structures the system will use to save the thread context until it is scheduled. The thread context includes the thread's set of machine registers, the kernel stack, a thread environment block, and a user stack in the address space of the thread's process. Threads can also have their own security contexts, which can be used for impersonating clients.

## Windows Event Logs

Windows Event Logs are not text files that can be viewed using a text editor. However, the raw data can be translated into XML using the Windows API. The events in these log files are stored in a proprietary binary format with a .evt or .evtx extension. The log files with the .evtx extension typically reside in C:\Windows\System32\winevt\Logs.

Event logs can be accessed through any of:

1. Event Viewer (GUI-based application)
2. Wevtutil.exe (command-line tool)
3. Get-WinEvent (PowerShell cmdlet)

Launch Event Viewer using:

```
eventvwr.msc
```
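The Sysmon section and the Windows Event Logs section above fit together: Sysmon writes process-creation and network-connection events to an .evtx log, and `Get-WinEvent` plus the record's XML form is how you read them back. The PowerShell below is an added example, not from the original notes, Sysinternals or Microsoft: it pulls Sysmon event IDs 1 and 3, turns each record into XML, and applies the parent-process and explorer.exe checks from the Core Windows Processes section to the logged data instead of to the live process list. It assumes Sysmon is installed with process and network logging enabled and is writing to its default log name; the `Get-SysmonEvents` helper and the `$expectedParent` table are constructed for this example.

```powershell
# Added example, not part of the original notes: read Sysmon process-creation
# (ID 1) and network-connection (ID 3) events with Get-WinEvent, convert each
# record to XML as the Windows API exposes it, and apply the parent/path checks
# from the Core Windows Processes section to the logged events.
# Assumes Sysmon is installed with process and network logging enabled and is
# writing to its default log name below.

$log = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonEvents {
    param([int[]]$Id = @(1, 3), [int]$Max = 200)
    # FilterHashtable is evaluated by the event log service itself, which is far
    # faster than reading the whole log and filtering with Where-Object.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Id } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data> nodes; flatten it.
            [xml]$x = $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $dest = if ($d['DestinationIp']) { "$($d['DestinationIp']):$($d['DestinationPort'])" } else { '' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Image       = $d['Image']
                ParentImage = $d['ParentImage']
                User        = $d['User']
                CommandLine = $d['CommandLine']
                Dest        = $dest
            }
        }
}

$events = Get-SysmonEvents

# Expected parents from the notes above (constructed table, extend as needed).
$expectedParent = @{
    'services.exe' = 'wininit.exe'
    'lsass.exe'    = 'wininit.exe'
    'svchost.exe'  = 'services.exe'
}

# Process creations whose image name matches a core process but whose parent,
# or (for explorer.exe) whose directory, does not match the notes.
$events | Where-Object { $_.Id -eq 1 -and $_.Image } | Where-Object {
    $name       = (Split-Path -Leaf $_.Image).ToLower()
    $parentName = if ($_.ParentImage) { Split-Path -Leaf $_.ParentImage } else { '' }
    ($expectedParent.ContainsKey($name) -and $parentName -ine $expectedParent[$name]) -or
    ($name -eq 'explorer.exe' -and (Split-Path -Parent $_.Image) -ine $env:SystemRoot)
} | Format-Table Time, Image, ParentImage, User -AutoSize

# The explorer.exe section lists outbound TCP/IP connections as unusual.
$events | Where-Object { $_.Id -eq 3 -and $_.Image -and (Split-Path -Leaf $_.Image) -ieq 'explorer.exe' } |
    Format-Table Time, Image, User, Dest -AutoSize

# The same XML route works for an exported .evtx file (placeholder path):
# Get-WinEvent -Path 'C:\path\to\export.evtx' | ForEach-Object { $_.ToXml() }
```

Because Sysmon records the parent image name at creation time, this check does not suffer from the PID-reuse problem of a live `Win32_Process` lookup, and it still works for short-lived processes that have already exited by the time an analyst looks at the host.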