Malicious Processes


Process Analysis Tools for Windows

  • Process Monitor and Process Explorer tools
    • part of Sysinternals suite
    • widely used for live analysis and logging
  • tasklist
    • is a command line version of Task Manager
    • displays:
      • memory usage
      • state of running threads
      • a process tree
      • and individual operations for each process
    • taskkill terminates processes
  • PE Explorer
    • is proprietary software
    • offers a variety of different features
    • main use is ability to browse the structure of 32-bit Windows executable files
      • can observe what a program is accessing
        • what dynamic-link libraries (DLLs) it calls
        • how it interfaces with other applications on the system
        • how it uses application programming interfaces (APIs)

Core Windows Processes

  • Processes:
    • Windows Kernel (system.exe)
      • Windows OS kernel
      • always has a process identifier of 4
    • Session Manager Subsystem (smss.exe)
    • is a child process of system.exe
      • responsible for managing sessions and monitoring other critical system processes
    • Client Server Runtime Subsystem (csrss.exe)
      • started by smss and manages console windows, thread creation, and the Windows API
    • Windows Initialization Process (wininit.exe)
      • loads during boot
      • primarily responsible for starting other processes
    • Service Control Manager (services.exe)
      • child process of wininit.exe
      • responsible for managing system activities
    • Local Security Authority Subsystem Service (lsass.exe)
      • child process of wininit.exe
      • enforces security policies and manages user logons, password changes, and access tokens
  • these processes are often targets of attack
    • mimicked to hide and obfuscate malware
  • indicator of infection:
    • presence of multiple versions of these files
    • running in a location other than System32 folder
  • In Process Explorer can
    • right-click > Properties to see details including location, parent, autostart location
    • click verify to validate the process’s digital signature
    • submit executable to VirusTotal
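The location, parent and "multiple copies" indicators above can be checked mechanically over a process listing. The script below is an added example, not part of the original notes or of any Sysinternals tool; it runs on a constructed sample listing (PID 3120 is a lookalike lsass.exe) and treats a parent that is missing from the listing as unknown rather than suspicious.

```python
from collections import defaultdict, namedtuple
# Added example: checks a process listing against the core-process rules above.
SYSTEM32 = "c:\\windows\\system32\\"
# Expected parent per the notes; the kernel process appears as "System" (PID 4,
# no parent) and the notes do not state wininit.exe's parent, so neither is checked.
EXPECTED_PARENT = {"smss.exe": "system", "csrss.exe": "smss.exe",
                   "services.exe": "wininit.exe", "lsass.exe": "wininit.exe"}
CORE = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
Proc = namedtuple("Proc", "pid ppid name path")  # as shown by tasklist / Process Explorer

def check(procs):
    """Return one finding string per core-process rule the listing violates."""
    by_pid = {p.pid: p for p in procs}
    paths_by_name = defaultdict(set)
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in CORE:
            continue
        if name == "system":
            if p.pid != 4:
                findings.append(f"pid {p.pid}: System must have PID 4")
            continue
        paths_by_name[name].add(p.path.lower())
        if not p.path.lower().startswith(SYSTEM32):        # rule: runs from System32
            findings.append(f"pid {p.pid}: {name} running from {p.path}")
        # Rule: expected parent. A parent missing from the listing is unknown, not a
        # finding: the smss.exe instance that starts csrss.exe exits, so csrss.exe's
        # PPID routinely points at a process that no longer exists.
        parent, want = by_pid.get(p.ppid), EXPECTED_PARENT.get(name)
        if want and parent and parent.name.lower() != want:
            findings.append(f"pid {p.pid}: {name} parent is {parent.name}, expected {want}")
    for name, paths in paths_by_name.items():              # rule: one copy, one location
        if len(paths) > 1:
            findings.append(f"{name} found at {len(paths)} locations: {sorted(paths)}")
    return findings
# Constructed sample listing (not real telemetry); PID 3120 is a lookalike lsass.exe.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(380, 4, "smss.exe", "C:\\Windows\\System32\\smss.exe"),
    Proc(472, 452, "csrss.exe", "C:\\Windows\\System32\\csrss.exe"),
    Proc(560, 452, "wininit.exe", "C:\\Windows\\System32\\wininit.exe"),
    Proc(664, 560, "services.exe", "C:\\Windows\\System32\\services.exe"),
    Proc(680, 560, "lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
    Proc(2980, 664, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    Proc(3120, 2980, "lsass.exe", "C:\\Users\\Public\\lsass.exe"),
]
if __name__ == "__main__":
    print("\n".join(check(SAMPLE)))
```

Feed it real rows (for example from tasklist /v or a Process Explorer export) by building Proc tuples with the same four fields.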

Process Analysis Tools for Linux

  • background services are known as daemons
    • typically use a name ending in “d”
  • when Linux boots,
    • the kernel image is loaded into memory and executes an init daemon (usually systemd)
      • has process ID of 1
    • the init daemon loads all the processes listed in its configuration file(s)
  • a process launched by the user will be a child process to a parent process such as shell
  • each process has a unique process ID (PID) and parent process ID (PPID)
  • pstree command displays the parent/child relationships of processes
  • ps command lists the attributes of all current processes
    • by default, only displays processes started by the current user
    • displays:
      • user that started the process
      • PID and PPID
      • TTY
        • (which terminal executed the process)
      • execution time of the process
      • name of the process itself
    • -A or -e switches show a full list of all user processes
    • can filter results
    • can sort results by piping into sort
      • e.g., find the process with highest CPU utilization
        • ps -A | sort -k 3
          • sorts processes by execution time (column 3)