Security Operations & Monitoring -- Core Windows Processes

[WDavid404]

Task Manager

Add columns “Image path name” and “Command line”.

Based on the task list image, the PID for services.exe is 632. But wait, one of the svchost.exe processes has a PID of 384. How did svchost.exe start before services.exe? Well, it didn't. Task Manager doesn't show a Parent-Child process view. That is where other utilities, such as Process Hacker and Process Explorer, come to the rescue.

Beside task manager, we can also use tasklist, Get-Process or ps (PowerShell), and wmic

[WDavid404]

System

The PID for System is always 4. Tool: Process Explorer or Process Hacker

Image Path: N/A Parent Process: None Number of Instances: One User Account: Local System Start Time: At boot time Image Path: C:\Windows\system32\ntoskrnl.exe (NT OS Kernel) Parent Process: System Idle Process (0)

What is unusual behaviour for this process?

• A parent process (aside from System Idle Process (0))
• Multiple instances of System. (Should only be one instance)
• A different PID. (Remember that the PID will always be PID 4)
• Not running in Session 0

[WDavid404]

System > smss.exe

smss.exe (Session Manager Subsystem), also known as the Windows Session Manager, is responsible for creating new sessions. It is the first user-mode process started by the kernel.

This subsystem includes win32k.sys (kernel mode), winsrv.dll (user mode), and csrss.exe (user mode).

Smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated Windows session for the operating system, and csrss.exe and winlogon.exe for Session 1, which is the user session.

Any other subsystem listed in the Required value of HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems is also launched.

SMSS is also responsible for creating environment variables, virtual memory paging files and starts winlogon.exe (the Windows Logon Manager).

Normal:

Image Path: %SystemRoot%\System32\smss.exe Parent Process: System Number of Instances: One master instance and child instance per session. The child instance exits after creating the session. User Account: Local System Start Time: Within seconds of boot time for the master instance

What is unusual?

A different parent process other than System (4) The image path is different from C:\Windows\System32 More than one running process. (children self-terminate and exit after each new session) The running User is not the SYSTEM user Unexpected registry entries for Subsystem

[WDavid404]

csrss.exe

csrss.exe (Client Server Runtime Process) is the user-mode side of the Windows subsystem. This process is always running and is critical to system operation. If this process is terminated by chance, it will result in system failure. This process is responsible for the Win32 console window and process thread creation and deletion. For each instance, csrsrv.dll, basesrv.dll, and winsrv.dll are loaded (along with others).

This process is also responsible for making the Windows API available to other processes, mapping drive letters, and handling the Windows shutdown process.

Normal

Session 0 (PID 392) Session 1 (PID 512) Image Path: %SystemRoot%\System32\csrss.exe Parent Process: Created by an instance of smss.exe Number of Instances: Two or more User Account: Local System Start Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although only Sessions 0 and 1 are often created.

Unusual

An actual parent process. (smss.exe calls this process and self-terminates) Image file path other than C:\Windows\System32 Subtle misspellings to hide rogue processes masquerading as csrss.exe in plain sight The user is not the SYSTEM user.

[WDavid404]

wininit.exe

The Windows Initialization Process, wininit.exe, is responsible for launching services.exe (Service Control Manager), lsass.exe (Local Security Authority), and lsaiso.exe within Session 0. It is another critical Windows process that runs in the background, along with its child processes.

Note: lsaiso.exe is a process associated with Credential Guard and KeyGuard. You will only see this process if Credential Guard is enabled.

normal

Image Path: %SystemRoot%\System32\wininit.exe Parent Process: Created by an instance of smss.exe Number of Instances: One User Account: Local System Start Time: Within seconds of boot time

unusual

An actual parent process. (smss.exe calls this process and self-terminates) Image file path other than C:\Windows\System32 Subtle misspellings to hide rogue processes in plain sight Multiple running instances Not running as SYSTEM

[WDavid404]

wininit.exe > services.exe

The next process is the Service Control Manager (SCM) or services.exe. Its primary responsibility is to handle system services: loading services, interacting with services and starting or ending services. It maintains a database that can be queried using a Windows built-in utility, sc.exe.

Information regarding services is stored in the registry, HKLM\System\CurrentControlSet\Services.

When a user logs into a machine successfully, this process is responsible for setting the value of the Last Known Good control set (Last Known Good Configuration), HKLM\System\Select\LastKnownGood, to that of the CurrentControlSet.

[WDavid404]

wininit.exe > services.exe > svchost.exe

The Service Host (Host Process for Windows Services), or svchost.exe, is responsible for hosting and managing Windows services.

The services running in this process are implemented as DLLs. The DLL to implement is stored in the registry for the service under the Parameters subkey in ServiceDLL. The full path is HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters.

The example below is the ServiceDLL value for the Dcomlaunch service.

There is a key identifier in the binary path, and that identifier is -k . This is how a legitimate svchost.exe process is called.

The -k parameter is for grouping similar services to share the same process. This concept was based on the OS design and implemented to reduce resource consumption. Starting from Windows 10 Version 1703, services grouped into host processes changed. On machines running more than 3.5 GB of memory, each service will run its own process.

[WDavid404]

lsass.exe

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

It creates security tokens for SAM (Security Account Manager), AD (Active Directory), and NETLOGON. It uses authentication packages specified in HKLM\System\CurrentControlSet\Control\Lsa.

Lsass.exe is another process adversaries target. Common tools such as mimikatz are used to dump credentials, or adversaries mimic this process to hide in plain sight. Again, they do this by either naming their malware by this process name or simply misspelling the malware slightly.

[WDavid404]

winlogon.exe

The Windows Logon, winlogon.exe, is responsible for handling the Secure Attention Sequence (SAS). It is the ALT+CTRL+DELETE key combination users press to enter their username & password.

This process is also responsible for loading the user profile. It loads the user's NTUSER.DAT into HKCU, and userinit.exe loads the user's shell.

It is also responsible for locking the screen and running the user's screensaver, among other functions. You can read more about this process here.

smss.exe launches this process along with a copy of csrss.exe within Session 1.

Image Path: %SystemRoot%\System32\winlogon.exe Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name. Number of Instances: One or more User Account: Local System Start Time: Within seconds of boot time for the first instance (for Session 1). Additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.

[WDavid404]

explorer.exe

The last process we'll look at is Windows Explorer, explorer.exe. This process gives the user access to their folders and files. It also provides functionality for other features, such as the Start Menu and Taskbar.

As mentioned previously, the Winlogon process runs userinit.exe, which launches the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.

Userinit.exe exits after spawning explorer.exe. Because of this, the parent process is non-existent.

There will be many child processes for explorer.exe.

normal

Image Path: %SystemRoot%\explorer.exe Parent Process: Created by userinit.exe and exits Number of Instances: One or more per interactively logged-in user User Account: Logged-in user(s) Start Time: First instance when the first interactive user logon session begins

What is unusual?

An actual parent process. (userinit.exe calls this process and exits) Image file path other than C:\Windows Running as an unknown user Subtle misspellings to hide rogue processes in plain sight Outbound TCP/IP connections