Wednesday, February 20, 2019

Windows Process Tree Basics (Blue Team)

Great read by Pete here

https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

Just jotting some notes for myself below

SYSTEM
SYSTEM IDLE Process
- no visible parent
- should only ever be 1 of each
- in kernel mode ( created by NT OS Kernel )
- SYSTEM always has PID 4
- SYSTEM IDLE Process always has 1 thread per CPU

SMSS.EXE
- parent is SYSTEM (PID 4)
- should only ever be 1 running
- runs from \system32\smss.exe
- 1st user mode process started by Kernel
- launches WINLOGON.EXE, WININIT.EXE, and CSRSS.EXE, then SMSS.EXE exits

WINLOGON.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\winlogon.exe
- may spawn child processes (alternate login devices such as biometric readers)
- launches USERINIT.EXE which runs logon scripts, connects to network, starts EXPLORER.EXE

WININIT.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\wininit.exe
- launches SERVICES.EXE, LSASS.EXE, and LSM.EXE
- creates %windir%\temp

CSRSS.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\csrss.exe

USERINIT.EXE
- parent is WINLOGON.EXE
- Runs logon scripts, connects to network, starts EXPLORER.EXE, then exits

EXPLORER.EXE
- no parent (because USERINIT.EXE launches it and then USERINIT.EXE exits)
- runs from \windows\explorer.exe
- no TCP/IP network connections
- normally launches most user processes as children

SERVICES.EXE
- parent is WININIT.EXE
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\services.exe
- normally has multiple child processes, one SVCHOST.EXE per service

LSASS.EXE
- parent is WININIT.EXE
- always only 1 LSASS.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsass.exe

LSM.EXE
- parent is WININIT.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsm.exe

SVCHOST.EXE
- parent is SERVICES.EXE
- runs from \system32\svchost.exe
- runs as 1 of these accounts (NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE)
- command line always looks like "SVCHOST.EXE -k [name]"
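As an added example (my own code, not from the notes above or from Pete's post), a small Python checker that encodes the parent, path and account expectations listed above and runs them over a process snapshot. The record layout, the `_p` helper and the whole sample snapshot (PIDs, paths, the LAB\bob account) are constructed assumptions, not real telemetry.

```python
# Expected (parent image, path suffix) per process from the notes; None = launcher already exited.
BASELINE = {
    "smss.exe": ("system", r"\system32\smss.exe"),
    "wininit.exe": (None, r"\system32\wininit.exe"),
    "winlogon.exe": (None, r"\system32\winlogon.exe"),
    "csrss.exe": (None, r"\system32\csrss.exe"),
    "services.exe": ("wininit.exe", r"\system32\services.exe"),
    "lsass.exe": ("wininit.exe", r"\system32\lsass.exe"),
    "svchost.exe": ("services.exe", r"\system32\svchost.exe"),
    "explorer.exe": (None, r"\windows\explorer.exe"),
}
NO_CHILDREN = {"lsass.exe", "lsm.exe"}  # these should never be a parent
SVCHOST_USERS = {r"nt authority\system", r"nt authority\local service",
                 r"nt authority\network service"}
def check_snapshot(procs):
    """Return (pid, finding) pairs for processes that break the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name, pid = p["name"].lower(), p["pid"]
        parent = by_pid.get(p["ppid"])           # None when the parent has exited
        parent_name = parent["name"].lower() if parent else None
        if parent_name in NO_CHILDREN:
            findings.append((pid, f"{name} is a child of {parent_name}"))
        if name not in BASELINE:
            continue
        exp_parent, exp_path = BASELINE[name]
        if parent_name != exp_parent:
            findings.append((pid, f"{name} parent is {parent_name}, expected {exp_parent}"))
        if not p["path"].lower().endswith(exp_path):
            findings.append((pid, f"{name} runs from {p['path']}"))
        if name == "svchost.exe" and (p["user"].lower() not in SVCHOST_USERS
                                      or "-k" not in p["cmdline"].lower().split()):
            findings.append((pid, f"svchost.exe off baseline: {p['user']} / {p['cmdline']}"))
    return findings
# Constructed snapshot: PPIDs 380 (SMSS) and 1100 (USERINIT) have exited; 2000 is a rogue svchost.
def _p(pid, ppid, name, path, user=r"NT AUTHORITY\SYSTEM", cmdline="-k Group"):
    return dict(pid=pid, ppid=ppid, name=name, path=path, user=user, cmdline=cmdline)
S32 = r"C:\Windows\System32"
SAMPLE = [
    _p(4, 0, "System", ""), _p(300, 4, "smss.exe", S32 + r"\smss.exe"),
    _p(400, 380, "wininit.exe", S32 + r"\wininit.exe"),
    _p(500, 400, "services.exe", S32 + r"\services.exe"),
    _p(504, 400, "lsass.exe", S32 + r"\lsass.exe"), _p(2100, 504, "cmd.exe", S32 + r"\cmd.exe"),
    _p(600, 500, "svchost.exe", S32 + r"\svchost.exe", r"NT AUTHORITY\LOCAL SERVICE"),
    _p(1200, 1100, "explorer.exe", r"C:\Windows\explorer.exe", r"LAB\bob"),
    _p(2000, 1200, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", r"LAB\bob", "svchost.exe"),
]
```

Run against this snapshot it flags the svchost.exe under explorer.exe three times (parent, path, account/command line) and the cmd.exe under lsass.exe once; everything else matches the notes.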
