Windows basics 101

tags: cybersecurity windows blueteam

Core Windows Processes

All of these executables live in C:\Windows\System32, except explorer.exe, which lives in C:\Windows.

smss.exe

Session Manager Subsystem (smss.exe) - responsible for creating new sessions.
It is the first user-mode process started by the kernel.
It starts the kernel-mode and user-mode parts of the Windows subsystem, including:

  • win32k.sys (kernel mode)
  • winsrv.dll (user mode)
  • csrss.exe (user mode)

Smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated Windows session for the operating system, and csrss.exe and winlogon.exe for Session 1, which is the user session.
The first instance creates child instances for new sessions. This is done by smss.exe copying itself into the new session; the copy then self-terminates.

Smss.exe is also responsible for creating environment variables and virtual memory paging files, and for starting winlogon.exe.

Unusual stuff to look out for:

  • A parent process other than System (PID 4).
  • Image path is different from C:\Windows\System32.
  • More than one running instance.
  • User is not SYSTEM.
  • Unexpected registry entries for Subsystem.

csrss.exe

Client Server Runtime Process - the user-mode side of the Windows subsystem.
Always running and system critical: terminating it causes a system failure.
Responsible for the Win32 console window and for process and thread creation and deletion.
Each instance loads csrsrv.dll, basesrv.dll, and winsrv.dll.
Also responsible for making the Windows API available to other processes, mapping drive letters, and handling the Windows shutdown process.

Unusual stuff to look out for:

  • An actual parent process (smss.exe calls this process then self-terminates)
  • Image file path other than C:\Windows\System32
  • Subtle misspellings to hide rogue processes masquerading as csrss.exe
  • User is not SYSTEM

wininit.exe

Runs in the background along with its child processes:

  • services.exe -Service control manager
  • lsass.exe - Local Security Authority
  • lsaiso.exe - associated with Credential Guard and Key Guard; only present if Credential Guard is enabled.

Unusual stuff to look out for:

  • An actual parent process. (smss.exe calls this process and self-terminates)
  • Image file path other than C:\Windows\System32
  • Subtle misspellings to hide rogue process in plain sight
  • Multiple running instances
  • Not running as SYSTEM

wininit.exe > services.exe

The Service Control Manager is primarily responsible for loading services and interacting with them.
It maintains a database that can be queried with the built-in utility sc.exe.
Information about services is stored in the registry under HKLM\System\CurrentControlSet\Services.
It loads device drivers marked as auto-start into memory.
Upon a successful user logon, the process sets the last known good control set value - HKLM\System\Select\LastKnownGood.
It is the parent process of svchost.exe, spoolsv.exe, msmpeng.exe, and dllhost.exe.

Unusual stuff to look out for:

  • A parent process other than wininit.exe
  • Image file path other than C:\Windows\System32
  • Subtle misspellings to hide rogue process in plain sight
  • Multiple running instances
  • Not running as SYSTEM

wininit.exe > services.exe > svchost.exe

The host process for Windows services is responsible for hosting and managing Windows services.
Services running in this process are implemented as DLLs.
The DLL that implements a service is stored in the registry under the service's Parameters subkey, in the ServiceDll value.
The full path is HKLM\SYSTEM\CurrentControlSet\Services\<service name>\Parameters.

Unusual stuff to look out for:

  • A parent process other than services.exe
  • Image file path other than C:\Windows\System32
  • Subtle misspellings to hide rogue process in plain sight
  • The absence of the -k parameter in the Command line or Binary path
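Checking the two svchost.exe rules above (the -k parameter, and where the hosted DLL actually lives), as an added PowerShell example that is not part of the original notes. It assumes an elevated session so that command lines of SYSTEM processes are readable; the OutsideSystem32 flag is a triage aid only, since third-party services can legitimately host their DLL elsewhere.

```powershell
$sys32 = "$env:SystemRoot\System32"
# 1. Every legitimate svchost.exe is launched by services.exe with a -k <service group> argument.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    if ($_.CommandLine -notmatch '(?i)\s-k\s+\S+') {
        Write-Warning "PID $($_.ProcessId): svchost.exe without -k parameter: $($_.CommandLine)"
    }
}
# 2. Map each svchost-hosted service to the DLL named in
#    HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll and flag DLLs outside System32.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$report = Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -notmatch '(?i)svchost\.exe') { return }      # not hosted by svchost.exe
    $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    # A few services keep ServiceDll directly on the service key instead of under Parameters.
    $dll = if ($params.ServiceDll) { $params.ServiceDll } else { $svc.ServiceDll }
    if (-not $dll) { return }
    $dll   = [Environment]::ExpandEnvironmentVariables($dll)
    $group = if ($svc.ImagePath -match '(?i)-k\s+(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Service         = $_.PSChildName
        Group           = $group
        ServiceDll      = $dll
        OutsideSystem32 = -not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
    }
}
# Review the DLLs outside System32 first: a core group such as netsvcs loading a DLL from a
# user-writable path is a strong signal, while a vendor service under Program Files is usually benign.
$report | Where-Object OutsideSystem32 | Format-Table -AutoSize
$report | Group-Object Group | Select-Object Name, Count | Sort-Object Count -Descending
```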

lsass.exe

The Local Security Authority Subsystem Service is responsible for enforcing the security policy on the system.
It verifies users logging into a Windows computer or server, handles password changes, and creates access tokens.
It writes to the Windows Security log.
It creates security tokens for the SAM (Security Account Manager), Active Directory, and NETLOGON.
Its authentication packages are specified in HKLM\System\CurrentControlSet\Control\Lsa.

Unusual stuff to look out for:

  • A parent process other than wininit.exe
  • Image file path other than C:\Windows\System32
  • Subtle misspellings to hide rogue process in plain sight
  • Multiple running instances
  • Not running as SYSTEM

winlogon.exe

Windows logon is responsible for handling the Secure Attention Sequence (SAS) - the CTRL + ALT + DEL key combination users press to enter their username and password.
It is also responsible for loading the user profile: it loads the user's NTUSER.dat into HKCU and, via userinit.exe, launches the user's shell.

Unusual stuff to look out for:

  • An actual parent process. (smss.exe calls this process and self-terminates)
  • Image file path other than C:\Windows\System32
  • Subtle misspellings to hide rogue process in plain sight
  • Not running as SYSTEM
  • Shell value in the registry other than explorer.exe

explorer.exe

Gives users access to their files and folders.
Winlogon.exe runs userinit.exe, which launches the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Unusual stuff to look out for:

  • An actual parent process. (userinit.exe calls this process and exits)
  • Image file path other than C:\Windows
  • Running as an unknown user
  • Subtle misspellings to hide rogue process in plain sight
  • Outbound TCP/IP connections
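The "unusual stuff to look out for" lists above, turned into one baseline check, as an added PowerShell example that is not part of the original notes. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session (so that owners and image paths of SYSTEM processes are readable) and uses the Win32_Process CIM class; the expected parents, directories, owners and instance limits are taken from the lists above.

```powershell
$sys32 = "$env:SystemRoot\System32"
# Expected parent, image directory, owner (null = not checked) and instance limit (0 = not checked).
# Parent 'none' means the creator has already exited (smss.exe and userinit.exe self-terminate).
$baseline = @{
    'smss.exe'     = @{ Parent = 'System';       Dir = $sys32;          User = 'SYSTEM'; Max = 1 }
    'csrss.exe'    = @{ Parent = 'none';         Dir = $sys32;          User = 'SYSTEM'; Max = 0 }
    'wininit.exe'  = @{ Parent = 'none';         Dir = $sys32;          User = 'SYSTEM'; Max = 1 }
    'services.exe' = @{ Parent = 'wininit.exe';  Dir = $sys32;          User = 'SYSTEM'; Max = 1 }
    'lsass.exe'    = @{ Parent = 'wininit.exe';  Dir = $sys32;          User = 'SYSTEM'; Max = 1 }
    'winlogon.exe' = @{ Parent = 'none';         Dir = $sys32;          User = 'SYSTEM'; Max = 0 }
    'svchost.exe'  = @{ Parent = 'services.exe'; Dir = $sys32;          User = $null;    Max = 0 }
    'explorer.exe' = @{ Parent = 'none';         Dir = $env:SystemRoot; User = $null;    Max = 0 }
}
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function New-Finding($p, $issue) { [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Issue = $issue } }

$findings = @(foreach ($p in $procs) {
    $rule = $baseline[$p.Name]
    if (-not $rule) { continue }
    # Parent check. A "parent" created after its child is a reused PID: the real parent is gone.
    $parent = $byPid[[int]$p.ParentProcessId]
    $stale  = $parent -and $parent.CreationDate -and $p.CreationDate -and ($parent.CreationDate -gt $p.CreationDate)
    $parentName = if ($parent -and -not $stale) { $parent.Name } else { 'none' }
    if ($parentName -ne $rule.Parent) { New-Finding $p "parent is '$parentName', expected '$($rule.Parent)'" }
    # Image path check: the binary must sit directly in the expected directory, not in a look-alike path.
    $dir = if ($p.ExecutablePath) { Split-Path $p.ExecutablePath -Parent } else { '<unreadable>' }
    if ($dir -ne $rule.Dir) { New-Finding $p "image path '$($p.ExecutablePath)' is not $($rule.Dir)" }
    # Owner check: the core system processes must run as SYSTEM.
    if ($rule.User) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $who   = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unreadable>' }
        if ($owner.User -ne $rule.User) { New-Finding $p "runs as '$who', expected $($rule.User)" }
    }
})
# Instance count check: more than one smss.exe, wininit.exe, services.exe or lsass.exe is abnormal.
foreach ($name in $baseline.Keys) {
    $max   = $baseline[$name].Max
    $count = @($procs | Where-Object Name -eq $name).Count
    if ($max -gt 0 -and $count -gt $max) {
        $findings += [pscustomobject]@{ Pid = 0; Name = $name; Issue = "$count instances running, expected at most $max" }
    }
}
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No deviations from the core-process baseline.' }
```

Misspelled look-alikes (scvhost.exe, lsasss.exe) are not in the baseline table and so are not checked here; they show up instead as names close to, but not equal to, the expected ones in the full process listing.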

Additional resources:
Threat Hunting
Hunt Evil
Windows Internals

Sysinternals

Sysinternals is a collection of over 70 Windows tools that fall into the following categories:

  • File and Disk Utilities
  • Networking Utilities
  • Process Utilities
  • Security Utilities
  • System Information
  • Miscellaneous

Sysinternals utilities index page
Sysinternals live url
Download the zip from here
System Properties can be launched from the command line by running sysdm.cpl; you'll need it to edit the PATH environment variable so that your new install is on PATH.
Alternatively, a PowerShell module can download and install all of the Sysinternals tools.
PowerShell command: Download-SysInternalsTools C:\Tools\Sysint

File and Disk Utilities

Sigcheck

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains.
It can also look up the file on VirusTotal.
sigcheck -u -e C:\Windows\System32 lists all unsigned executables in C:\Windows\System32 (the location of all the core executables aside from explorer.exe).
-u : if the VirusTotal check is enabled, show files that are unknown to VirusTotal or have a non-zero detection count; otherwise show only unsigned files.
-e : scan executable images only, regardless of their extension.

Streams

NTFS lets applications create alternate data streams of information.
By default, all data is stored in a file's main unnamed data stream.
Alternate Data Streams (ADS) are a file attribute specific to NTFS.
Every file has at least one data stream ($DATA); ADS allow a file to contain more than one stream of data.
You can view ADS with PowerShell or with third-party tools such as Streams.
The file:stream syntax is used to read from and write to an alternate data stream.
streams [file path] scans the file for data streams.
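The stream operations described above (create, list, read with file:stream, remove, and a simple hunt), as an added PowerShell example that is not part of the original notes. The file ads-demo.txt under %TEMP% is a constructed sample, and the listing at the end assumes %TEMP% is on an NTFS volume.

```powershell
$file = Join-Path $env:TEMP 'ads-demo.txt'                        # constructed sample file
Set-Content -Path $file -Value 'visible content'                  # written to the unnamed $DATA stream
Set-Content -Path $file -Stream 'hidden' -Value 'hidden content'  # creates the ADS ads-demo.txt:hidden
# Explorer, dir and Get-Item report only the main stream, so the file looks unchanged in size.
(Get-Item $file).Length
# Enumerate every stream on the file; ':$DATA' is the unnamed main stream.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length
# Read the ADS by name from PowerShell, or with the classic file:stream form from cmd.exe.
Get-Content -Path $file -Stream 'hidden'
cmd /c "more < `"${file}:hidden`""
# Hunt: every file under a directory that carries a stream other than the main $DATA stream.
# Zone.Identifier is the common benign one (mark-of-the-web on downloads); anything else merits a look.
Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
} | Select-Object FileName, Stream, Length
# Remove just the alternate stream; the main stream is untouched.
Remove-Item -Path $file -Stream 'hidden'
```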


SDelete

Secure Delete allows you to delete one or more files/directories or to cleanse free space from a logical disk.
It implements the DoD 5220.22-M standard (the Department of Defense clearing and sanitizing protocol):

  • pass 1: writes a zero and verifies the write
  • pass 2: writes a one and verifies the write
  • pass 3: writes a random character and verifies the write

SDelete is associated with the following MITRE ATT&CK techniques:

  • Data Destruction T1485
  • Indicator Removal on Host: File Deletion T1070.004
  • SDelete's own MITRE software ID is S0195

Read more about SDelete here

Other tools in the File and Disk Utilities category can be found here.

Networking Utilities

TCPView: shows a detailed listing of all TCP and UDP endpoints on the system.
tcpview -accepteula

Process Utilities

Autoruns

Shows which programs are configured to start at system boot or login, and when you start various Windows applications.
It reports shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, etc.
Useful when searching for any malicious entries aimed at persistence.

ProcDump

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.

ProcMon

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
Combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including:

  • rich and non-destructive filtering,
  • comprehensive event properties such as session IDs and user names,
  • reliable process information,
  • full thread stacks with integrated symbol support for each operation,
  • simultaneous logging to a file.

Read more about configuring procmon here.

PsExec

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

Security Utilities

Sysmon

Sysmon is a Windows system service and device driver that, once installed, remains resident across reboots to monitor and log system activity to the Windows event log.
It provides detailed information about:

  • process creations
  • network connections
  • changes to file creation time

Collecting the events generated using Windows Event Collection or SIEM agents and subsequently analyzing them allows analysts to identify malicious activity and understand how malware and intruders operate on their networks.

System Information

WinObj

WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.
winobj

Additional resources

Some useful YouTube videos:
Malware hunting with sysinternals
Malware Hunting with Sys Internals

Let's talk processes vs threads

Each process provides the resources needed to execute a program.
A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, env vars, a priority class, minimum and maximum working set sizes, and at least one thread of execution.
Each process is started with a single thread - the primary thread, but can create additional threads from any of its threads.

A thread is the entity within a process that can be scheduled for execution.
All threads of a process share its virtual address space and system resources.
Each thread maintains exception handlers, a scheduling priority, thread local storage, a unique thread identifier, and a set of structures the system will use to save the thread context until it is scheduled.
The thread context includes the thread's set of machine registers, the kernel stack, a thread environment block, and a user stack in the address space of the thread's process.
Threads can also have their own security contexts which can be used for impersonating clients.

Windows Event Logs

Windows event logs are not text files that can be viewed with a text editor.
However, the raw data can be translated into XML using the Windows API.
The events are stored in a proprietary binary format in files with a .evt or .evtx extension. The .evtx log files typically reside in C:\Windows\System32\winevt\Logs.

Event logs can be accessed through either:

  1. Event Viewer (GUI-based application)
  2. Wevtutil.exe (command-line tool)
  3. Get-WinEvent (PowerShell cmdlet)

Launch Event Viewer by running eventvwr.msc.
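Get-WinEvent and wevtutil.exe applied to the Sysmon log described earlier, including the XML translation mentioned above, as an added PowerShell example that is not part of the original notes. It assumes Sysmon is installed (its log is Microsoft-Windows-Sysmon/Operational) and an elevated session, which reading the Security log requires.

```powershell
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'   # on disk: ...\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
# Regex for "a file directly inside System32", built from the real SystemRoot.
$inSystem32 = '^' + [regex]::Escape("$env:SystemRoot\System32\") + '[^\\]+$'
# 1. Get-WinEvent: last 20 Sysmon process-creation events (ID 1). ToXml() turns the binary record
#    into XML, from which the named EventData fields are picked out.
Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 1 } -MaxEvents 20 | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = $data.Image
        ParentImage = $data.ParentImage
        User        = $data.User
        CommandLine = $data.CommandLine
    }
} | Format-Table -AutoSize -Wrap
# 2. The same log used for the "image file path" check from the core-process notes: any process
#    named like a core system binary that was started from outside System32.
Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 1 } -ErrorAction SilentlyContinue | ForEach-Object {
    $xml   = [xml]$_.ToXml()
    $image = ($xml.Event.EventData.Data | Where-Object Name -eq 'Image').'#text'
    if ($image -match '\\(smss|csrss|wininit|services|svchost|lsass|winlogon)\.exe$' -and $image -notmatch $inSystem32) {
        [pscustomobject]@{ Time = $_.TimeCreated; Image = $image }
    }
}
# 3. wevtutil.exe: the newest five ID 1 events from the same log, rendered as XML (/rd:true = newest first).
wevtutil qe $sysmonLog /q:"*[System[EventID=1]]" /c:5 /rd:true /f:xml
# 4. Security log: failed logons (event 4625) in the last 24 hours, with the target account pulled from EventData.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = {
        (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' } }
```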