DFIR World
for DigFor and Cybersecurity knowledge
dfir-world · 4 years ago
Windows 10 Core Processes
1) SYSTEM - This is the first process in the Windows process lineage. It hosts most of the kernel-mode threads. The modules that run under the System process are drivers (".sys" files) and a few core executables such as ntoskrnl.exe.
Normal attributes of this process:
- Image Path: There is no image path or executable file associated with this process on disk.
- User account: NT AUTHORITY\SYSTEM
- Parent Process: There is no parent process associated with the System process.
- Process ID: The process ID will always be 4.
- Number of Instances: There will always be one instance of the System process.
- Argument: No command-line argument.
- Other: There will always be one thread per CPU core.
Abnormal to look for:
- System process having a parent process
- Process ID other than 4
- More than one instance of the System process running
2) SMSS.exe - Session Manager Subsystem. This is the first user-mode process.
The Session Manager process is responsible for creating new sessions and environment variables, and it starts the kernel-mode and user-mode parts of the Win32 subsystem (the Windows API).
The important thing to note during process lineage analysis is that the smss.exe created by the System process is known as the master smss.exe. This master smss.exe creates at least 2 subordinate instances of smss.exe, one for each session created. These child instances in turn start "wininit.exe" in session 0 and "winlogon.exe" in session 1 respectively. Once these processes have been started, the subordinate instances of smss.exe exit.
What is Normal:
- Image Path: %SystemRoot%\System32\smss.exe
- User account: This process runs as NT AUTHORITY\SYSTEM
- Parent Process: will always be System
- Number of Instances: Multiple during boot-up, and only one (without arguments) after boot-up.
- Argument: No command-line argument.
Abnormal to look for:
- More than 1 instance of smss.exe is active.
- Parent process other than System, or PPID other than 4
- Having a command-line argument.
- Starting from a directory other than System32
3) CSRSS.exe - Client/Server Runtime Subsystem. Prior to the release of Windows NT 4.0 in 1996, csrss.exe was responsible for the entire graphical user interface subsystem, which included managing windows, drawing on the screen and similar OS functions. With the Windows NT 4.0 launch, most of these functions were moved out of csrss.exe. The Client Server Runtime Process still supports the Windows console and the shutdown process.
What is Normal:
- Image Path: %SystemRoot%\System32\csrss.exe
- User account: NT AUTHORITY\SYSTEM
- Parent Process: Will not be visible in the general case, as the smss.exe child instance exits once csrss.exe has been started
- Number of Instances: At least 2 instances will be running: one in session 0 and another in session 1.
Abnormal to look for:
- A visible parent process with a name other than smss.exe
- Starting from a directory other than System32
4) WININIT.EXE - Windows Initialization. Wininit.exe starts key background processes within session 0. It is a core system process that originates in Windows XP. It reads and processes the commands stored in the WinInit.ini file, which allows programs to take action while the computer is still booting. It primarily acts as a launcher for the majority of the background applications that are always running.
What is Normal:
- Image Path: %SystemRoot%\System32\wininit.exe
- User account: NT AUTHORITY\SYSTEM
- Parent Process: Will not be visible in the general case, as the smss.exe child instance exits once wininit.exe has been started
- Number of Instances: Only 1 instance, running in session 0.
- Argument: No command-line argument.
Abnormal to look for:
- Running outside System32
- Running as a non-SYSTEM user
- A visible parent process with a name other than smss.exe
- Having a command-line argument.
5) SERVICES.EXE - Service Control Manager. As the name suggests, this process is responsible for starting, stopping and interacting with Windows service processes.
It implements the Unified Background Process Manager (UBPM), which is responsible for background activities such as services and scheduled tasks. Services.exe also launches the autostart services and drivers by reading the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Once the user has successfully logged in, services.exe sets the Last Known Good control set (HKLM\SYSTEM\Select\LastKnownGood) to the value of the CurrentControlSet.
What is Normal:
- Runs within session 0
- Image Path: %SystemRoot%\System32\services.exe
- User account: NT AUTHORITY\SYSTEM
- Parent Process: will be wininit.exe
- Number of Instances: Only 1 instance, running in session 0.
6) LSASS.EXE — The Local Security Authentication Subsystem Service is a user-mode process that is responsible for authenticating users by calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa registry key. Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating users, lsass.exe is also responsible for implementing the local security policy (such as password policies and audit policies) and for writing events to the security event log.
- Image Path: %SystemRoot%\System32\lsass.exe
- User account: NT AUTHORITY\SYSTEM
- Parent Process: wininit.exe
- Number of Instances: There will always be one instance of the lsass.exe process, and it should have no child processes except EFS (Encrypting File System).
- Other: Often targeted by malware as a means to dump passwords. Also mimicked by malware to hide on a system (lass.exe, lssass.exe, lsasss.exe, etc.). These "fake" names will not be a child of wininit.exe.
7) LSAISO.exe - LSA Isolated. As the name describes, this is an isolated LSA process that runs in a virtualized environment by leveraging hardware virtualization technology. Lsaiso.exe appears in the process tree when Credential Guard is enabled in Windows 10. This provides added protection against credential dumping attacks.
- Image Path: %SystemRoot%\System32\lsaiso.exe
- User account: NT AUTHORITY\SYSTEM
- Parent Process: wininit.exe
- Number of Instances: There will always be one instance of the lsaiso.exe process, and it should have no child processes.
- Other: This process should only appear in the process tree if Credential Guard is enabled.
8) SVCHOST.EXE - Service Host Process. This process hosts the DLLs of multiple services, implementing the shared service model, which helps conserve CPU resources. This is no longer the case from Windows 10 version 1703: services now run in their own individual svchost.exe process if the machine has more than 3.5 GB of memory.
- Image Path: %SystemRoot%\System32\svchost.exe
- User account: NT AUTHORITY\SYSTEM, LOCAL SERVICE or NETWORK SERVICE. In Windows 10, some instances run under a user account as well.
- Parent Process: services.exe
- Number of Instances: Multiple instances can run
- Argument: The command line must contain the "-k" parameter.
- Other: The process should run in session 0; this holds only for Windows versions prior to Windows 10. This process is often a target for malware authors because of its ubiquity, which allows malware to hide in plain sight: a similar-looking spelling will fool an untrained eye, for example "scvhost.exe".
9) RUNTIMEBROKER.exe - This process was introduced in Windows 8 and is present in Windows 10 as well. Its task is to check the permissions required by Windows apps, such as location access, microphone access, etc.
- Image Path: %SystemRoot%\System32\runtimebroker.exe
- User account: The logged-on user account
- Parent Process: svchost.exe
- Number of Instances: One instance per Universal Windows Platform app (aka Windows Store app) opened
10) TASKHOSTW.exe - The taskhostw process hosts DLL files related to scheduled tasks. It continuously listens for the triggers that start the tasks. Microsoft has renamed the host process multiple times: in Windows 7 it was named taskhost.exe, in Windows 8 it was called taskhostex.exe, and in Windows 10 the name is taskhostw.exe. So just by looking at the name of the taskhost process, we can recognize the OS version.
- Image Path: %SystemRoot%\System32\taskhostw.exe
- User account: The SYSTEM account or the logged-on user account.
- Parent Process: svchost.exe
- Number of Instances: Multiple instances can run
11) LSM.EXE - Local Session Manager Service
Manages the state of terminal server sessions on the local machine and sends requests to smss.exe to start new sessions.
There must only be 1 instance of lsm.exe on Windows 7 machines. You should NOT see it on Windows 8 and Windows 10, where it runs as a service DLL instead (lsm.dll).
- Parent Process: wininit.exe
- Child processes: It should not have any
- Receives logon/logoff, shell start and termination, connect/disconnect from a session, and lock/unlock desktop notifications
- Image Path: %SystemRoot%\System32\lsm.exe
- Base Priority: 8
- User account: NT AUTHORITY\SYSTEM
- Runs within session 0
12) WINLOGON.exe - Winlogon handles interactive user logons and logoffs. It launches LogonUI.exe, which loads DLLs called credential providers to collect credentials from the user. Once it has the credentials, it passes them to lsass.exe for validation. When the user is authenticated, Winlogon loads the user's NTUSER.DAT file into the Current User (HKCU) registry hive and starts the user's shell (usually explorer.exe) via userinit.exe.
- Image Path: %SystemRoot%\System32\winlogon.exe
- User account: NT AUTHORITY\SYSTEM
- Parent Process: the exited subordinate smss.exe
- Number of Instances: One or more, depending on the logged-on users.
- Other: Will always be in a session other than 0.
LogonUI.exe - Loads the credential providers to collect credentials from the user. Once it has the credentials, it passes them to lsass.exe for validation.
USERINIT.exe - Runs the initial scripts and starts explorer.exe
13) Explorer.exe - This provides the default user shell, the interface through which end users interact with Windows.
- Image Path: %SystemRoot%\explorer.exe
- User account: NT AUTHORITY\SYSTEM
- Parent Process: wininit.exe
- Number of Instances: One or more, depending on the logged-on users
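As an added example (not code from the original post), the following Python applies the normal and abnormal attributes listed above to a process snapshot: parent lineage, PID 4, System32 image path, the svchost.exe "-k" argument, single-instance processes and look-alike names. The record layout (pid, ppid, name, path, cmdline) and the sample rows are constructed here for illustration, shaped like a pslist or tasklist export.

```python
import ntpath
CORE = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
        "lsass.exe", "lsaiso.exe", "svchost.exe", "winlogon.exe", "explorer.exe"}
# Expected parents; None is accepted where the creating smss.exe instance has exited.
PARENT = {"smss.exe": {"system"}, "csrss.exe": {"smss.exe", None}, "wininit.exe": {"smss.exe", None},
          "winlogon.exe": {"smss.exe", None}, "services.exe": {"wininit.exe"},
          "lsass.exe": {"wininit.exe"}, "lsaiso.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"}}
SINGLETON = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe", "lsaiso.exe"}
SYSTEM32 = r"c:\windows\system32"

def edit_distance(a, b):  # Levenshtein distance, for look-alikes such as scvhost.exe
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_snapshot(procs):  # returns one (pid, name, finding) tuple per violation
    by_pid, counts, findings = {p["pid"]: p for p in procs}, {}, []
    for p in procs:
        name = p["name"].lower()
        counts[name] = counts.get(name, 0) + 1
        pname = by_pid[p["ppid"]]["name"].lower() if p["ppid"] in by_pid else None
        if name == "system" and (p["pid"] != 4 or pname is not None):
            findings.append((p["pid"], name, "System must be PID 4 with no parent"))
        if name in PARENT and pname not in PARENT[name]:
            findings.append((p["pid"], name, f"unexpected parent: {pname or 'none'}"))
        if name in CORE - {"system", "explorer.exe"} and ntpath.dirname(p["path"]).lower() != SYSTEM32:
            findings.append((p["pid"], name, f"image path outside System32: {p['path']}"))
        if name == "svchost.exe" and "-k" not in p["cmdline"].split():
            findings.append((p["pid"], name, "svchost.exe without -k argument"))
        if name not in CORE and any(edit_distance(name, c) <= 2 for c in CORE):
            findings.append((p["pid"], name, "look-alike of a core process name"))
    for name in SINGLETON:  # after boot there must be exactly one of each
        if counts.get(name, 0) > 1:
            findings.append((None, name, f"{counts[name]} instances, expected 1"))
    return findings
# Constructed snapshot (not real data) as (pid, ppid, name, path, cmdline) rows.
SAMPLE = [dict(zip(("pid", "ppid", "name", "path", "cmdline"), row)) for row in [
    (4, 0, "System", "", ""),
    (360, 4, "smss.exe", r"C:\Windows\System32\smss.exe", ""),
    (480, 440, "wininit.exe", r"C:\Windows\System32\wininit.exe", ""),  # its smss.exe has exited
    (580, 480, "services.exe", r"C:\Windows\System32\services.exe", ""),
    (600, 480, "lsass.exe", r"C:\Windows\System32\lsass.exe", ""),
    (720, 580, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (3120, 2990, "scvhost.exe", r"C:\Users\Public\scvhost.exe", "scvhost.exe"),
    (3200, 3120, "svchost.exe", r"C:\Users\Public\svchost.exe", "svchost.exe"),
]]
```

Running `check_snapshot(SAMPLE)` flags the look-alike scvhost.exe once and the rogue svchost.exe three times (wrong parent, path outside System32, missing -k), while the genuine boot lineage produces no findings.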
++++++++++++++++++++++++++++++++++++++++++++++++++++
reference:
Session 0: http://securityinternals.blogspot.com/2014/02/windows-session-0-isolation.html
Sessions, Windows and Desktops: http://securityinternals.blogspot.com/2014/01/on-sesssion-windows-and-desktops.html
System Idle Process: http://securityinternals.blogspot.com/2013/12/what-are-system-idle-processes.html
Windows Registry: http://securityinternals.blogspot.com/2014/04/windows-registry.html
Credential Guard: https://docs.microsoft.com/en-us/archive/blogs/ash/windows-10-device-guard-and-credential-guard-demystified
Service vs Application: http://securityinternals.blogspot.com/2014/01/difference-between-windows-service-and.html
dfir-world · 4 years ago
Tutorial on installing the latest SANS Sift workstation [Version release in May 2021]
dfir-world · 4 years ago
SANS SIFT Workstation Installation Steps
Hello everyone, as I promised in my YouTube video tutorial on the SIFT workstation, I am sharing the Unix shell commands required for installing the SIFT workstation. Please follow the steps below and feel free to drop a comment if you need any assistance regarding the topic or want to share any constructive criticism.
Official site for SANS SIFT Workstation installation instruction: https://www.sans.org/tools/sift-workstation/
Steps are as follows:
1. Download the Ubuntu 20.04 ISO file and install Ubuntu 20.04 on VMware. For a tutorial, watch this YouTube video.
2. Install SIFT-CLI by downloading the latest releases of 3 files: "sift-cli-linux", "sift-cli-linux.sig" and "sift-cli.pub" [check for the latest release]
$ sudo wget <paste the link of latest release from GitHub page>
$ sudo wget <paste the link of latest release from GitHub page>
$ sudo wget <paste the link of latest release from GitHub page>
3. Install Cosign. Cosign requires Go 1.16 or newer (to install Go 1.16+, scroll to the bottom of this post). If the required Go version is installed on your Ubuntu machine, copy and paste the following command into the terminal to install Cosign.
$ go install github.com/sigstore/cosign/cmd/cosign@latest
4. After Cosign has been installed successfully, we need to validate sift-cli against its signature and public key. For that, copy and paste the following command into the terminal
$ cosign verify-blob --key sift-cli.pub --signature sift-cli-linux.sig sift-cli-linux
5. Move the sift-cli binary to /usr/local/bin under the name "sift". For that, copy and paste the following command into the terminal
$ sudo mv sift-cli-linux /usr/local/bin/sift
6. Set the permissions on /usr/local/bin/sift (read, write and execute for the owner; read and execute for everyone else). For that, copy and paste the following command into the terminal
$ sudo chmod 755 /usr/local/bin/sift
7. Finally, run the following command and reboot the machine once the installation has completed
$ sudo sift install
=============================================================
Steps to install Golang on Ubuntu
1. To download the latest version of Go, visit the official download page and download the tarball through the terminal. For that, use the following command:
$ sudo wget <paste the link of latest release from download page>
2. Extract the tarball to the /usr/local directory. For that, use the following command:
$ sudo tar -C /usr/local -xzf <file name>
3. Now add the Go binary directory to the PATH environment variable by appending the export to ~/.bashrc, so that the change persists across shell sessions. For that, use the following command:
$ echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc
4. Apply the change to the current shell by using the following command:
$ source ~/.bashrc
5. You can verify that the installation is complete by checking the version:
$ go version
!!!!! Happy Learning !!!!!!
=============================================================