Foundations of Endpoint Security (Windows) - Core Windows Processes

Posted Oct 16, 2023 07:07 PM
Introduction
The fundamentals of endpoint security are crucial to securing your systems against malicious activity. To understand them you'll need a strong grasp of security basics, logging and monitoring, and log analysis as they apply to endpoints. In this blog we'll delve into the security basics you'll need and some of the tools that can help you along the way.


Core Windows Processes
Before we tackle how to dive deep into endpoint logs, we first need an understanding of the fundamentals of the Microsoft Windows operating system and how it works. You could write books (and people have) on all of these systems, their interactions and their functionality, but today we'll keep it fairly simple and limited to core Windows processes.



Common Windows Tools

Task Manager
When learning about core Windows processes, we can turn to a built-in tool named Task Manager, which helps us better understand the underlying processes inside the operating system. Task Manager is a GUI utility that ships pre-installed with Windows. It lets users see what is running at any given time on a Windows system. It also shows resource usage, how much of the available resources each process is consuming, and which programs have stopped responding, and it can be used to terminate processes.

[Image: Screenshot-2023-10-16-100927.png]

Task Manager shows some of the core Windows processes running in the background (as seen above). There will always be background processes that are considered normal behavior. However, keep in mind that this is the perfect disguise for a malicious actor to hide their activity in plain sight. The following are some of the normal running processes you can expect to see (the ">" symbol represents a parent-child relationship between processes):
  • System
  • System > smss.exe
  • csrss.exe
  • wininit.exe
  • wininit.exe > services.exe
  • wininit.exe > services.exe > svchost.exe
  • lsass.exe
  • winlogon.exe
  • explorer.exe

One thing to keep an eye out for regarding these processes: none of the processes listed without a parent-child relationship should have one under normal circumstances. We could go into a great deal of detail on this topic, but for now we just need to understand the basics.
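The lineage list above can be turned into an automated check. The Python below is an added example, not code from the original post: it encodes the expected parent of each core process and compares a process snapshot against it. It adds three details that are not on this page: lsass.exe is started by wininit.exe, while csrss.exe, wininit.exe and winlogon.exe are started by an smss.exe instance that exits, and explorer.exe by a userinit.exe that exits, so those four normally show a parent PID that no longer resolves to a live process. The snapshot is constructed (PIDs are illustrative) so the script runs anywhere; on a live host you would build the same list from `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, Name).

```python
"""Parent-child sanity check for core Windows processes (added example)."""
from typing import Dict, List, NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str


# Sentinel: the parent normally exited, so ppid should not resolve to a live process.
ORPHAN = "<exited parent>"

# Expected parent per core process (names compared case-insensitively).
EXPECTED_PARENT: Dict[str, str] = {
    "system": ORPHAN,
    "smss.exe": "system",
    "csrss.exe": ORPHAN,
    "wininit.exe": ORPHAN,
    "services.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",
    "winlogon.exe": ORPHAN,
    "explorer.exe": ORPHAN,
}

# Constructed snapshot. PID 432 (the smss.exe that launched the session)
# and 3120 (userinit.exe) have already exited and are absent on purpose.
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System"),
    Proc(340, 4, "smss.exe"),
    Proc(444, 432, "csrss.exe"),
    Proc(520, 432, "wininit.exe"),
    Proc(612, 520, "services.exe"),
    Proc(628, 520, "lsass.exe"),
    Proc(780, 612, "svchost.exe"),
    Proc(960, 432, "winlogon.exe"),
    Proc(3200, 3120, "explorer.exe"),
    Proc(4100, 3200, "svchost.exe"),  # constructed anomaly: svchost.exe under explorer.exe
    Proc(4200, 780, "lsass.exe"),     # constructed anomaly: second lsass.exe under svchost.exe
]


def check_lineage(snapshot: List[Proc]) -> List[str]:
    """Return one finding per core process whose parent deviates from EXPECTED_PARENT.

    Caveat: Windows reuses PIDs, so a stale ppid can coincidentally point at an
    unrelated live process. A production check should also compare creation
    times (the parent must predate the child) before trusting the ppid link.
    """
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue  # not a core process; nothing to compare against
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else ORPHAN
        if actual != expected:
            shown = f"{parent.name} (pid {parent.pid})" if parent else "an exited process"
            findings.append(f"{p.name} (pid {p.pid}): parent is {shown}, expected {expected}")
    return findings


if __name__ == "__main__":
    for finding in check_lineage(SNAPSHOT) or ["no lineage anomalies"]:
        print(finding)
```

Run against the constructed snapshot it reports exactly the two planted anomalies; the first nine entries (the normal tree) produce no findings.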

SysInternals
In a previous article we covered the basics of the SysInternals suite and some of the tools in it. Now that we understand the basics of core Windows processes, we can delve further into the tools available for analyzing running artifacts. The SysInternals suite is a set of over 70 Windows tools, each of which falls into one of six categories:
  • File and Disk
  • Networking
  • Process
  • Security
  • System Information
  • Miscellaneous

The two tools we'll be focusing on in the suite will be TCPView and Process Explorer.

TCPView is a Windows utility that shows detailed listings of all TCP and UDP endpoints on your system, including local and remote addresses and the state of each TCP connection. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns each endpoint. TCPView provides a more informative and conveniently presented subset of what the Netstat program built into Windows offers. The TCPView download also includes TCPvcon, a command-line version with the same functionality.

[Image: Screenshot-2023-10-16-102823.png]

As you can see in the image above, every connection initiated by a process is listed by the tool, which helps correlate network events taking place at the same time.
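The value TCPView adds over plain Netstat is the join between an endpoint and the process that owns it. The Python below is an added example (not code from the post or from Sysinternals) that performs the same join offline: it parses constructed `netstat -ano` output, attaches the owning process name from a constructed PID-to-name table, groups the remote ends of established TCP connections by process, and flags endpoints whose PID no longer resolves to a process. On a real host the two inputs would come from `netstat -ano` and a process listing taken at the same moment.

```python
"""Correlate network endpoints with their owning process, TCPView-style (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Columns of `netstat -ano`: Proto, Local Address, Foreign Address, State (TCP only), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Constructed sample output; addresses use documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     3200
  TCP    192.168.1.10:49713     198.51.100.7:8080      ESTABLISHED     4100
  TCP    [::]:3389              [::]:0                 LISTENING       1120
  UDP    0.0.0.0:5353           *:*                                    2200
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed process table; PID 4100 is deliberately absent.
PROCESS_TABLE: Dict[int, str] = {
    4: "System",
    780: "svchost.exe",
    1120: "svchost.exe",
    2200: "app.exe",
    3200: "explorer.exe",
}

UNKNOWN = "<no such process>"


class Endpoint(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no connection state
    pid: int
    process: str


def parse_netstat(text: str, pid_to_name: Dict[int, str]) -> List[Endpoint]:
    """Parse netstat -ano output and attach the owning process name to each endpoint."""
    endpoints = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # title, header and blank lines
        proto, local, remote, state, pid = m.groups()
        pid = int(pid)
        endpoints.append(Endpoint(proto, local, remote, state or "", pid, pid_to_name.get(pid, UNKNOWN)))
    return endpoints


def remote_peers_by_process(endpoints: List[Endpoint]) -> Dict[str, Set[str]]:
    """Group the remote ends of established TCP connections by owning process name."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for e in endpoints:
        if e.proto == "TCP" and e.state == "ESTABLISHED":
            peers[e.process].add(e.remote)
    return dict(peers)


def unowned_endpoints(endpoints: List[Endpoint]) -> List[Endpoint]:
    """Endpoints whose PID does not resolve: the process exited between the two
    snapshots, or the process list is incomplete. Either way it deserves a second look."""
    return [e for e in endpoints if e.process == UNKNOWN]


if __name__ == "__main__":
    eps = parse_netstat(SAMPLE_NETSTAT, PROCESS_TABLE)
    for e in eps:
        print(f"{e.proto:<4} {e.local:<22} {e.remote:<22} {e.state:<12} {e.pid:>5} {e.process}")
    print("remote peers by process:", remote_peers_by_process(eps))
    print("unowned endpoints:", unowned_endpoints(eps))
```

The two snapshots are never perfectly simultaneous, so an unresolved PID is usually a short-lived process rather than anything hidden; the point of listing them is that they are the connections you cannot yet attribute.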

Process Explorer presents itself in two sub-windows. The top window always shows a list of currently active processes, including the names of their owning user accounts, whereas the information displayed in the bottom window depends on the mode in which Process Explorer is running. In handle mode you'll see the handles that the process selected in the top window has opened; in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.

[Image: pexp.png]

Process Explorer lets you inspect all of the details of a running process, such as associated services, network traffic it has initiated, handles to opened files or directories, and loaded DLLs and memory-mapped files.

To learn more about the tools within the SysInternals suite, check out the previous article or Microsoft's official documentation.

Conclusion
In this article we've covered some of the fundamentals of core Windows processes and the tools (both built-in and supplemental) that can be used to better understand how they interact. You should now understand enough to explore running processes and identify core Windows processes, their connections, their handles, and their access. That lets you recognize when something doesn't match the behavior you would normally expect, and so better identify malicious activity. Keep an eye out for existing and future articles as we delve further into these fundamentals by discussing logging and monitoring, and log analysis.