This post summarises the Windows core processes that security analysts, forensic investigators and incident responders rely on to separate normal from malicious activity, and walks through the TryHackMe Core Windows Processes room.

Introduction

  • Knowing how the core Windows processes normally behave (where they load from, who starts them, how many run) is what lets an analyst recognise the abnormal.
  • Malware hides by injecting code into legitimate system processes, or by naming its own binaries after them: a look-alike name, or the right name in the wrong directory.

Windows Core Processes Overview

  1. System Process:
    • Hosts the kernel-mode system threads (the code running is ntoskrnl.exe and drivers, not a user-mode image).
    • Always runs as PID 4 and is the parent of smss.exe.
  2. Session Manager Subsystem (smss.exe):
    • Creates sessions: Session 0 for services and Session 1 for the first interactive user. The master smss.exe stays resident with PID 4 as its parent; a per-session copy of smss.exe starts the session's processes and then exits, which is why the children below show a parent that no longer exists.
      • Client Server Runtime Process (csrss.exe): the user-mode side of the Win32 subsystem in every session; handles process and thread creation and deletion, console windows, parts of the Windows API, and shutdown. It is a critical process: terminating it crashes the system.
      • Windows Initialization Process (wininit.exe, Session 0 only): starts services.exe (the Service Control Manager), lsass.exe, and lsaiso.exe when Credential Guard is enabled.
      • winlogon.exe (Session 1 and each further interactive session): handles logon and logoff, the secure attention sequence (Ctrl+Alt+Del) and the lock screen, and starts userinit.exe, which in turn starts explorer.exe.
  3. Services and Service Host (services.exe and svchost.exe):
    • services.exe implements the Service Control Manager (SCM), which starts, stops and tracks services; sc.exe and the Services MMC snap-in talk to it. Exactly one instance should run, with wininit.exe as its parent.
    • svchost.exe hosts services implemented as DLLs. Every instance is started by services.exe and names its service group on the command line with -k. Because many instances are normal, it is the favourite disguise for malware (a look-alike binary outside System32, or injection into a genuine instance).
  4. LSASS (lsass.exe):
    • Enforces the local security policy: authenticates logons, issues access tokens, handles password changes and writes to the Security event log.
    • Its memory holds credential material, which makes it a prime target for credential dumping. One instance, with wininit.exe as its parent.
  5. Explorer.exe:
    • Provides the desktop shell: Start menu, taskbar and File Explorer.
    • Lives in %SystemRoot% (C:\Windows\explorer.exe), not in System32, and its parent, userinit.exe, has exited by the time you look.

Indicators of Malicious Processes

  • Key characteristics of legitimate processes:
    • Image path under %SystemRoot%\System32 (explorer.exe is the exception: it lives directly under %SystemRoot%).
    • Signed Microsoft binary, and no unusual command-line arguments.
    • Expected parent-child relationships (e.g., System is the parent of smss.exe, wininit.exe is the parent of services.exe and lsass.exe, services.exe is the parent of every svchost.exe) and expected instance counts (one services.exe, one lsass.exe, one wininit.exe).
    • For csrss.exe, wininit.exe, winlogon.exe and explorer.exe the parent is expected to have exited; a parent that is still running is the anomaly, not the missing one.
  • Red flags:
    • Process files located outside System32 (or outside %SystemRoot% for explorer.exe), or a name that only looks right (svch0st.exe, scvhost.exe, lsass in a user profile directory).
    • Mismatched or unexpected parent processes, such as a svchost.exe not started by services.exe, or a core process whose parent is a shell (cmd.exe, powershell.exe) or an Office application.
    • Command lines or properties deviating from expected values, for example a svchost.exe without a -k service group, or a second lsass.exe.
  • Caveat: Windows reuses PIDs, so a tool that resolves the parent by PID alone can show a "parent" that was created after its child. Compare creation times before concluding that a parent is wrong.

Tools for Analysis

  • Use a tool that shows the full process tree, image path, command line and loaded modules, such as Process Hacker (now maintained as System Informer) or Sysinternals Process Explorer. Task Manager shows too little to validate a process.
  • Steps for validation:
    • Check the image file path, the parent process (and that the parent's start time precedes the child's), and the command-line arguments.
    • Verify the digital signature, the loaded DLL paths, and, for svchost.exe, which services the instance is hosting (Process Hacker's Services tab, or tasklist /svc).
    • Inspect the -k parameter of svchost.exe: it names the service group, and the groups and their member services are defined under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. A svchost.exe with no -k argument, or with a group that is not in that key, is not a legitimate instance.
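The script below is an added example, not code from the original post or from TryHackMe. It automates the validation steps above, and the process-hierarchy baseline from the overview section, with built-in cmdlets only: image path, Authenticode status, parent (with the PID-reuse check), the svchost.exe -k argument, and instance counts. The baseline table is an assumption drawn from the descriptions in this post; adjust it if your build differs.

```powershell
# Added example (not from the original post): baseline-check the Windows core
# processes with built-in cmdlets. Run in an elevated PowerShell; otherwise
# ExecutablePath/CommandLine are empty for protected processes and are reported
# as "unreadable" instead of silently passing.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Expected baseline (assumed from the process descriptions above).
# Parent = $null: the parent is expected to have exited (the per-session smss.exe
# exits after spawning csrss/wininit/winlogon; userinit.exe exits after explorer).
# MaxCount = $null: any number of instances is normal.
$baseline = @{
    'smss.exe'     = @{ Path = "$sys32\smss.exe";     Parent = 'System';       MaxCount = $null }
    'csrss.exe'    = @{ Path = "$sys32\csrss.exe";    Parent = $null;          MaxCount = $null }
    'wininit.exe'  = @{ Path = "$sys32\wininit.exe";  Parent = $null;          MaxCount = 1 }
    'winlogon.exe' = @{ Path = "$sys32\winlogon.exe"; Parent = $null;          MaxCount = $null }
    'services.exe' = @{ Path = "$sys32\services.exe"; Parent = 'wininit.exe';  MaxCount = 1 }
    'lsass.exe'    = @{ Path = "$sys32\lsass.exe";    Parent = 'wininit.exe';  MaxCount = 1 }
    'lsaiso.exe'   = @{ Path = "$sys32\lsaiso.exe";   Parent = 'wininit.exe';  MaxCount = 1 }
    'svchost.exe'  = @{ Path = "$sys32\svchost.exe";  Parent = 'services.exe'; MaxCount = $null }
    'explorer.exe' = @{ Path = "$env:SystemRoot\explorer.exe"; Parent = $null; MaxCount = $null }
}

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Test-CoreProcess {
    param($Proc, $Rule)
    $issues = @()

    # 1. Image path, then signature (Get-AuthenticodeSignature also accepts
    #    catalog-signed binaries, which most System32 images are).
    if (-not $Proc.ExecutablePath) {
        $issues += 'path unreadable (run elevated)'
    } elseif ($Proc.ExecutablePath -ne $Rule.Path) {
        $issues += "unexpected path '$($Proc.ExecutablePath)'"
    } elseif ((Get-AuthenticodeSignature -FilePath $Proc.ExecutablePath).Status -ne 'Valid') {
        $issues += 'Authenticode signature not valid'
    }

    # 2. Parent. PIDs are reused: a "parent" created after its child is a reused
    #    PID, not the real parent, so treat it as an exited parent.
    $parent = $byPid[[int]$Proc.ParentProcessId]
    if ($parent -and $parent.CreationDate -gt $Proc.CreationDate) { $parent = $null }
    if ($Rule.Parent) {
        if (-not $parent) {
            $issues += "parent PID $($Proc.ParentProcessId) no longer exists, expected '$($Rule.Parent)'"
        } elseif ($parent.Name -ne $Rule.Parent) {
            $issues += "parent is '$($parent.Name)', expected '$($Rule.Parent)'"
        }
    } elseif ($parent) {
        # The parent should have exited; a live one (cmd.exe launching "winlogon.exe") is suspicious.
        $issues += "live parent '$($parent.Name)' (PID $($parent.ProcessId)), expected an exited parent"
    }

    # 3. svchost.exe must name its service group with -k.
    if ($Proc.Name -ieq 'svchost.exe') {
        if (-not $Proc.CommandLine) {
            $issues += 'command line unreadable (run elevated)'
        } elseif ($Proc.CommandLine -notmatch '(?i)\s-k\s+\S+') {
            $issues += "no -k service group in command line '$($Proc.CommandLine)'"
        }
    }
    return $issues
}

$report = @(foreach ($p in $procs) {
    $rule = $baseline[$p.Name.ToLower()]
    if (-not $rule) { continue }
    $issues = Test-CoreProcess -Proc $p -Rule $rule
    if ($issues) {
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Issues = ($issues -join '; ') }
    }
})

# 4. Instance counts: wininit, services, lsass and lsaiso must be singletons.
$report += foreach ($g in ($procs | Group-Object { $_.Name.ToLower() })) {
    $rule = $baseline[$g.Name]
    if ($rule -and $rule.MaxCount -and $g.Count -gt $rule.MaxCount) {
        [pscustomobject]@{ PID = ($g.Group.ProcessId -join ','); Name = $g.Name
                           Issues = "$($g.Count) instances, expected $($rule.MaxCount)" }
    }
}

if ($report) { $report | Format-Table -AutoSize } else { 'No deviations from the core-process baseline.' }
```

Expect some benign findings and read them, rather than tuning them away: an explorer.exe started with "Launch folder windows in a separate process" has a live explorer.exe parent, and a per-session smss.exe caught mid-start has smss.exe rather than System as its parent. A clean report does not rule out injection into a genuine svchost.exe or lsass.exe, since that leaves path, parent and signature intact; for that, inspect the loaded modules and memory regions in Process Hacker or Process Explorer.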

Conclusion

  • Highlights the need for systematic analysis to distinguish between legitimate and malicious processes.
  • Encourages familiarity with normal behavior patterns of core processes for effective detection of anomalies.

TryHackMe Windows Core Processes | Room Answers

What PID should System always be?
4

Aside from csrss.exe, what process does smss.exe spawn in Session 1?
winlogon.exe

What was the process which had PID 384 and PID 488?
smss.exe

Which process might you not see running if Credential Guard is not enabled?
lsaiso.exe

How many instances of services.exe should be running on a Windows system?
1

What single letter parameter should always be visible in the Command line or Binary path?
k

What is the parent process for LSASS?
wininit.exe

What is the non-existent parent process for winlogon.exe?
smss.exe

What is the non-existent process for explorer.exe?
userinit.exe

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
