Windows Processes
Day 4
Pre-boot, Boot, Logon - Windows XP
- BIOS (pre-boot): Power On Self Test (POST)
- MBR: loads boot code
- Boot code: searches the partition table for the boot sector and loads NTLDR
- NTLDR: reads boot.ini to display OS choices and runs NTDETECT.com to query hardware
  - Data from NTDETECT.com is stored in the HKLM\Hardware registry key
  - Kicks off NTOSKRNL.exe and HAL.dll
- NTOSKRNL.exe: starts SMSS.exe
- SMSS.exe: launches Winlogon.exe and CSRSS
- Winlogon: starts LSASS, loads MSGINA, starts the SCM, starts logonui.exe, accepts the secure attention sequence
Skill 5: Define the Windows pre-boot process; Skill 6: Define the Windows boot process; Skill 7: Identify the Windows logon process
Pre-boot, Boot, Logon - Windows XP (cont.)
- MSGINA.dll: Graphical Identification and Authorization (GINA) DLL library
  - Activates the user shell
  - Customizable identification and authentication procedures
  - Logon dialog
- Winlogon: receives credentials from MSGINA and passes them to LSASS
- LSASS: checks the credentials against the LSA database cache, then against NTLM or Kerberos if not found; sends the user token back to Winlogon
- Winlogon: starts userinit in the user's context
- Userinit: loads the user profile, runs startup programs, starts explorer.exe
Skill 5: Define the Windows pre-boot process; Skill 6: Define the Windows boot process; Skill 7: Identify the Windows logon process
Pre-boot - Windows 7
Two different types of pre-boot processes: BIOS and EFI/UEFI
BIOS
- Power On Self Test (POST)
- MBR: first 512-byte sector on the hard disk; reads and loads the Volume Boot Record (VBR)
- VBR: loads bootmgr into memory
- Bootmgr: reads the Boot Config Database (BCD); boot menu and memtest; calls winload (fresh boot) or winresume (if resuming)
- Winload: loads NTOSKRNL.exe, its dependencies, and device drivers
EFI/UEFI
- Power On Self Test (POST)
- Runs the boot loader out of NVRAM; loads the BCD (also in NVRAM)
- Boot loader detects hardware
- EFI boot manager presents the OS boot menu
- Winload.efi: EFI version of winload
- Requires an EFI system partition, formatted as FAT, up to 1 GB in size
Skill 5: Define the Windows pre-boot process; Skill 6: Define the Windows boot process; Skill 7: Identify the Windows logon process
Boot - Windows 7
- NTOSKRNL (SYSTEM): prepares for running native systems; runs smss
- HAL.dll: Hardware Abstraction Layer; interfaces drivers to the kernel
- Smss: Session Manager; Session 0 loads Win32k.sys (kernel subsystem); runs wininit
- Wininit: starts the Service Control Manager (SCM), the Local Security Authority SubSystem (LSASS), and the Local Session Manager (LSM)
- CSRSS: Client/Server Runtime SubSystem; client side of the Win32 subsystem process; thread creation
Skill 5: Define the Windows pre-boot process; Skill 6: Define the Windows boot process; Skill 7: Identify the Windows logon process
Logon
- Winlogon: coordinates logon and user activity; launches logonui
- Logonui: interactive logon dialog box
- Services: loads auto-start drivers and services
NOTE: The main difference between a local logon and a domain logon is where the user authenticates.
- Local logon: the user authenticates locally against the SAM
- Domain logon: the user authenticates with the Domain Controller
Activity: Monitor the boot process in procmon
Processes and Threads
Tools
- tasklist                              # cmd.exe; view loaded modules, services, owner
- pslist                                # Sysinternals; view detailed information on processes
- wmic process list full                # WMIC; view the executable path for a process
- Get-Process                           # PowerShell
- Get-WmiObject -Class Win32_Process    # PowerShell
- Task Manager                          # GUI
8.1 Explain how to find the current status of Windows processes
Process Validity
- PID sequence: out-of-order PIDs may warrant investigation
- Names: processes with unfamiliar names may warrant investigation; processes whose names are spelled incorrectly, or too many instances of a specific process, warrant investigation
- Process age: processes that should have been running since the machine started but have only been running for hours warrant investigation. Ex: a process named smss.exe that has not been running since the start of the machine.
- Priority levels: check that processes do not have a higher or lower priority than required
- Handles: check which libraries or files the process has open
9.2 Determine abnormal activities that are taking place on a system, based on a process list
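The five checks above can be scripted against the live process list. The following PowerShell is an added example, not course material: it reads Win32_Process through CIM and emits one row per process that trips a check. The core-process baseline (image name to expected parent), the age tolerance, the handle threshold and the real-time priority cut-off are assumptions of this example; replace the baseline with one taken from a known-good host of the same Windows version.

```powershell
# Added example (not from the course slides): process-validity triage in PowerShell.
# Requires PowerShell 5+ on Windows; run elevated so protected processes expose their path.
# The baseline table and thresholds below are assumptions for illustration.

function Get-EditDistance {
    # Levenshtein distance, used to catch near-miss names such as scvhost.exe or lsas.exe
    param([string]$a, [string]$b)
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-ProcessTriageReport {
    param(
        # Constructed baseline: core image name -> expected parent image name
        [hashtable]$ExpectedParent = @{
            'smss.exe' = 'System'; 'csrss.exe' = 'smss.exe'; 'wininit.exe' = 'smss.exe'
            'winlogon.exe' = 'smss.exe'; 'services.exe' = 'wininit.exe'
            'lsass.exe' = 'wininit.exe'; 'svchost.exe' = 'services.exe'
        },
        [int]$AgeToleranceMinutes = 5,   # core processes created later than this after boot are flagged
        [int]$HandleThreshold = 5000     # handle count that warrants a look (assumed value)
    )
    $bootTime = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $system32 = Join-Path $env:SystemRoot 'System32'
    $procs    = Get-CimInstance -ClassName Win32_Process
    $byPid    = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $name       = $p.Name.ToLower()
        $findings   = [System.Collections.Generic.List[string]]::new()
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        if ($ExpectedParent.ContainsKey($name)) {
            # Names: a core process must hang off its expected parent. The smss.exe instance
            # that spawns csrss/wininit/winlogon exits afterwards, so an exited parent is normal there.
            $expected = $ExpectedParent[$name]
            if ($parent) {
                if ($parentName -ne $expected) { $findings.Add("parent is '$parentName', expected '$expected'") }
            } elseif ($expected -ne 'smss.exe') {
                $findings.Add("parent PID $($p.ParentProcessId) has exited, expected '$expected'")
            }
            # Core images live in System32
            if ($p.ExecutablePath -and -not $p.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')) {
                $findings.Add("image path '$($p.ExecutablePath)' is outside System32")
            }
            # Process age: core processes (svchost aside, it starts throughout uptime) start with the machine
            if ($name -ne 'svchost.exe' -and $p.CreationDate -gt $bootTime.AddMinutes($AgeToleranceMinutes)) {
                $findings.Add("started at $($p.CreationDate), long after boot at $bootTime")
            }
        } else {
            # Names: anything that is a near-miss of a core name is suspicious
            foreach ($core in $ExpectedParent.Keys) {
                if ((Get-EditDistance $name $core) -le 2) { $findings.Add("name resembles core process '$core'") }
            }
        }
        # PID sequence: a child with a lower PID than its living parent means reuse or an odd ordering
        if ($parent -and $p.ProcessId -lt $p.ParentProcessId) {
            $findings.Add("PID $($p.ProcessId) is lower than parent PID $($p.ParentProcessId)")
        }
        # Priority: base priority 24 and above is the real-time class
        if ($p.Priority -ge 24) { $findings.Add("real-time base priority $($p.Priority)") }
        # Handles: an unusually large handle table is worth opening in Process Explorer
        if ($p.HandleCount -gt $HandleThreshold) { $findings.Add("$($p.HandleCount) handles open") }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                PID = $p.ProcessId; PPID = $p.ParentProcessId; Name = $p.Name
                Parent = $parentName; Started = $p.CreationDate; Findings = ($findings -join '; ')
            }
        }
    }
}

Get-ProcessTriageReport | Format-Table -AutoSize -Wrap
```

Every row this prints is a lead to verify in Process Explorer or procmon, not a verdict: PID reuse and the edit-distance check both produce false positives, which is why each finding carries the raw values behind it.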
DEMO: Stress the system
- Download and install HeavyLoad v3.40 on the VM: https://www.jam-software.com/heavyload/download/.shtml
- Check all boxes and run the test
- Stress the system with HeavyLoad v3.40 and analyze with native cmd.exe and Procexp
DEMO: PROCMON Process Creation
- Load procmon, showing PID, PPID, Thread ID
- Add filters:
  - Process Name is calc.exe: Include
  - Operation is Process Start: Include
  - Operation is Thread Create: Include
  - Operation is Load Image: Include
- Run calc.exe from a cmd or PowerShell prompt
- View the events: Process Start, Thread Create, Load Image (kernel32.dll), next Thread Create
- Show properties on Process Start (right click); point out user (U) vs kernel (K) level execution on the stack
Great example of dynamic analysis.

Research Activity: Process States
- The students will research and define the process states
- They will understand that one of them will be chosen at random to brief the class on their research findings
- Use the random name generator (script) to choose the briefer
- Once the briefer is finished, cover the material below on the process states. Emphasize that the wording is not important (ex: new vs. created).
Process States
- New/Created
  - Open the file (.exe)
  - Create the initial thread
  - Pass to kernel32.dll to check permissions
  - Pass to csrss: build the structure, spawn the first sub-thread, insert into the Windows subsystem-wide process list
  - Start execution of the initial thread
  - For real-time systems, processes may be held in the "New" state to avoid contention; otherwise, move to the "Ready" state automatically
- Running: process currently being executed (one or more threads executing)
- Ready: process is ready to execute when given the opportunity (CPU time)
- Waiting: process can't execute until some event occurs (I/O read)
- Terminated/Exit: termination of a process due to a halt or abort
8.2 Explain the process states and identify why they are important
Paging
- Memory is allocated to processes in distinct chunks known as "pages"
- A page is the smallest unit of protection at the hardware level: 4 KB for a small page, 2 MB for a large page
- When physical memory (RAM) becomes overcommitted (threads try to use more memory than is available), pages are written to the page file on disk
- A page fault occurs when a thread references an invalid page. If that page is on disk in the page file, it can be brought back into memory.
8.2 Explain the process states and identify why they are important
Services
What are Windows services?
- Long-running executable applications that run in their own session
- Can be started automatically at boot, on demand, or when requested
- Can be paused, stopped, or restarted
- Run in the background, normally without a user interface
- Provide a service such as HTTP, FTP, or RDP
How do we view services on a machine?
- sc             # cmd.exe; allows querying and management of Windows services
- Get-Service    # PowerShell
- wmic service   # WMIC
Examples:
- sc queryex eventlog              # info for the eventlog service, including its PID
- tasklist /FI "pid eq XXX" /v     # query tasklist for the PID associated with eventlog
- tasklist /FI "pid eq XXX" /svc   # query tasklist for the services hosted in that svchost
- sc qdescription eventlog         # query the eventlog service description
- sc qc eventlog                   # show the binary command that loads the service
THOUGHT: What if the service is R/W to someone it shouldn't be? Furthermore, what context do services run as?
8.2 Explain the process states and identify why they are important
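The two questions in the THOUGHT above (who can write to the service binary, and what account the service runs as) are answerable from the same data `sc qc` shows, plus the file ACL. This PowerShell audit is an added example, not course material: it enumerates Win32_Service, extracts each service's image path, reports the account it runs as, flags unquoted paths that contain spaces, and lists any broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) holding write rights on the binary or its directory. The principal list and the rights considered "write" are assumptions of the example.

```powershell
# Added example (not from the course slides): service audit in PowerShell.
# Run elevated for complete results. Principals and rights below are assumed values.

function Get-ServiceAuditReport {
    param(
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'),
        [System.Security.AccessControl.FileSystemRights]$WriteRights =
            [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'
    )
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        # Pull the executable out of the command line. A quoted path ends at the closing quote;
        # an unquoted one is taken up to ".exe", and if that contains a space it is a classic
        # misconfiguration (the loader may try each space-delimited prefix first).
        if ($path.StartsWith('"')) {
            $exe = $path.Substring(1, $path.IndexOf('"', 1) - 1)
            $unquoted = $false
        } else {
            $m   = [regex]::Match($path, '^.*?\.exe', 'IgnoreCase')
            $exe = if ($m.Success) { $m.Value } else { ($path -split ' ')[0] }
            $unquoted = $exe.Contains(' ')
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Check the binary and the directory that holds it for write access by broad principals
        $writable = @()
        foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
            if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $BroadPrincipals -contains $ace.IdentityReference.Value -and
                    ([int]($ace.FileSystemRights -band $WriteRights)) -ne 0) {
                    $writable += "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $target"
                }
            }
        }
        [pscustomobject]@{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName      # LocalSystem, NT AUTHORITY\..., or a named account
            PID       = $svc.ProcessId
            Binary    = $exe
            Unquoted  = $unquoted
            Writable  = ($writable -join '; ')
        }
    }
}

# Services a defender wants to see first: writable by ordinary users, or unquoted paths with spaces
Get-ServiceAuditReport | Where-Object { $_.Unquoted -or $_.Writable } | Format-List
# Everything else, grouped by the account it runs as
Get-ServiceAuditReport | Group-Object RunsAs | Select-Object Count, Name | Sort-Object Count -Descending
```

A service that runs as LocalSystem from a user-writable binary is the case the THOUGHT is pointing at; the fix is to correct the ACL (or move the binary under a protected directory) and to quote the ImagePath, then re-run the audit to confirm nothing is listed.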
Activity: Service Enumeration
Day 5
Threads and Handles
Threads
- Basic unit to which the OS allocates processor time
- Can execute any part of the process code, including parts currently being executed by another thread
- Share memory with each other as well as with the process
- Deadlock is possible if threads are waiting for each other's resources
- Synchronization primitives (semaphores, mutexes) are used to control access to shared variables
- Csrss maintains a list of threads
- Threads are part of an execution priority pool, 0-31 per processor; the highest executes next
8.3 Explain process threads and handles
Threads and Handles (cont.)
Handles
- Objects are data structures representing a system resource (file, thread, etc.)
- Applications can't access objects directly; they must obtain a handle
- Handles for each process are tracked in an internal table known as the Object Manager
- Handles allow a common interface to objects, regardless of underlying changes to the object
- Handles allow Windows to track ACLs for objects at handle creation time
Research Activity: Thread States
- Have students read sections out of the Windows Processes Book Excerpt under Windows Resources. Pg 416 and 417 cover thread states.
- The students will understand that one of them will be chosen at random to brief the class on the findings of their research
- Use the random name generator (script) to select the briefer
- Once the briefer is finished, cover the material below on the thread states
Thread States
The 8 thread states
- Ready: waiting for execution, in the priority pool
- Deferred Ready: selected to run, but not yet executed; an optimization for the scheduling database
- Standby: next thread to run; only one per processor per system
- Running: a thread currently running on a processor
- Waiting: a period of inactivity while waiting for an event
- Transition: ready for execution, but paging is needed to bring the stack back into memory
- Terminated: finished execution, heading for deallocation in most cases
- Initialized: thread is being created
8.4 Describe the thread states
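The thread states, the 0-31 priority range and the handle table from the three slides above can all be observed from PowerShell without a debugger. This added example (not course material) reads the ProcessThread objects that Get-Process exposes. Their ThreadState values (Initialized, Ready, Standby, Running, Wait, Transition, Terminated, Unknown) line up with the list above, except that Deferred Ready has no separate value in that enumeration; WaitReason is only readable while a thread is in Wait, which the code guards. The default process name is an assumption.

```powershell
# Added example (not from the course slides): thread-state and priority summary in PowerShell.

function Get-ThreadStateSummary {
    # One row per process: how many threads sit in each state, plus handle-table size
    param([string]$ProcessName = 'explorer')   # assumed default; any running image name works
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $counts = @{}
        foreach ($t in $proc.Threads) {
            # WaitReason throws unless the thread is actually in the Wait state
            $key = if ($t.ThreadState -eq 'Wait') { "Wait($($t.WaitReason))" } else { [string]$t.ThreadState }
            $counts[$key] = 1 + [int]$counts[$key]
        }
        [pscustomobject]@{
            PID          = $proc.Id
            Name         = $proc.Name
            Threads      = $proc.Threads.Count
            Handles      = $proc.HandleCount        # entries in the process's handle table
            BasePriority = $proc.BasePriority       # process base; threads move around it
            States       = ($counts.GetEnumerator() | Sort-Object Value -Descending |
                            ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
        }
    }
}

function Get-ThreadDetail {
    # One row per thread: where it sits in the 0-31 priority range and why it is waiting
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    foreach ($t in $proc.Threads) {
        [pscustomobject]@{
            ThreadId        = $t.Id
            State           = $t.ThreadState
            WaitReason      = if ($t.ThreadState -eq 'Wait') { $t.WaitReason } else { $null }
            BasePriority    = $t.BasePriority
            CurrentPriority = $t.CurrentPriority    # boosted/decayed value the scheduler uses now
        }
    }
}

Get-ThreadStateSummary | Format-Table -AutoSize
# $PID is the current PowerShell host; the highest CurrentPriority thread is the one that runs next
Get-ThreadDetail -ProcessId $PID | Sort-Object CurrentPriority -Descending | Format-Table -AutoSize
```

On an idle desktop almost every thread reports Wait with a reason such as UserRequest or ExecutionDelay; a process whose threads are mostly Running or Ready while the machine is supposedly idle is worth the Process Explorer look the Handles slide suggests.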
So what is the difference between processes, threads, and handles?
- A process is the primary container (memory structure) for a program being executed
- Threads represent sequential machine-code instructions that a processor executes
- Handles are pointers to OS objects referenced within a process
8.5 Discuss the differences between processes, threads and handles
System Processes
What are system processes?
- Processes owned and executed by the operating system; they are required for the system to function
What are the 2 types?
- User mode: runs in a private virtual address space; applications are isolated, so one crash will not cause another to crash
- Kernel mode: all kernel-mode programs run in a single virtual address space; not isolated from other processes
8.6 Describe system processes
Types of Malware - Attacks
- Virus: requires user interaction to replicate
- Worm: DOES NOT require user interaction to replicate
- Trojan: malware hidden within another legitimate program; not usually self-replicating
- Malicious mobile code: transmitted from a remote host to the local host; executed without user instruction (i.e. JavaScript, VBScript, etc.)
- Blended attack: multiple infection/transmission methods used as one
10.1 Distinguish between types of malware
Types of Malware - Tools
- Backdoor: malicious program that allows illegitimate access to a machine; the user is unaware
- Remote Access Tool (RAT): malicious program that provides remote command and control
- Rootkit: malicious program that is ONLY used to hide things; DOES NOT provide access or command and control on its own
- Keylogger: records keyboard usage
- Botnet client: remote administration/command and control of a botnet
- Spyware: monitors the behavior of the user
- Adware: serves paid ads to infected users
- Ransomware: blocks access to a resource and requires payment from the victim
10.1 Distinguish between types of malware
Bot Herders, Botnets, and Zombies
- Bot herder: person in control of the botnet
- Botnet: multiple machines infected and controlled by a bot herder
- Zombie: individual machine infected and part of the botnet
Purpose: allows the bot herder to utilize all the machines to accomplish a task. Tasks include things such as:
- Attack (DDoS)
- Computation (algorithm/password cracking)
- Infection of additional systems
- Obfuscation of traffic
- Bitcoin mining
Methodology
- A payload is configured to infect the intended machines and delivered in some way to the victim
- The victim executes the payload, infecting the machine and joining the botnet (implanted)
- The victim machine's implant calls back to the bot herder for additional instructions
10.2 Discuss the purpose and methodology of bots and botnets
Research Activity: Malware Research
- Have students read sections out of the Windows Processes Book Excerpt under Windows Resources. Pg 416 and 417 cover thread states.
- The students will understand that one of them will be chosen at random to brief the class on the findings of their research
- Use the random name generator (script) to select the briefer
- Once the briefer is finished, cover the material below on the thread states
Day 6
Malware/Process Analysis
There are 2 (two) main types of malware/process analysis: static and dynamic.
Static analysis: examines malware without actually running it
- Strings
- IDA Pro, OllyDbg
- Searching for DLLs in the strings output
- OSINT (open source research): hash the file and check the hash to see if there is anything online about it
Dynamic analysis: watching the malware while it is running
- ProcMon, Task Manager, Procexp
- TCPView
- OllyDbg, IDA Pro
- Regshot (tool, or a custom look at keys)
- Wireshark
(Need to find a skill for this one)
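The first three static steps above (strings, DLL names in the strings output, and a hash to search for) can be done in PowerShell without executing the sample. This is an added example, not course material: it hashes the file with Get-FileHash, extracts printable ASCII and UTF-16LE strings, and picks out DLL names and URLs. The minimum string length, the even-offset-only wide-string scan, and the sample path used in the usage line are simplifying assumptions of the example.

```powershell
# Added example (not from the course slides): static triage helper in PowerShell.
# Hash + strings only; nothing in this file is executed.

function Get-PrintableStrings {
    param([byte[]]$Bytes, [int]$MinLength = 6, [switch]$Wide)
    $out  = [System.Collections.Generic.List[string]]::new()
    $sb   = [System.Text.StringBuilder]::new()
    $step = if ($Wide) { 2 } else { 1 }       # UTF-16LE: printable byte followed by 0x00 (even offsets only, an assumption)
    for ($i = 0; $i -lt $Bytes.Length; $i += $step) {
        $b  = $Bytes[$i]
        $ok = ($b -ge 0x20 -and $b -le 0x7e) -and
              (-not $Wide -or (($i + 1) -lt $Bytes.Length -and $Bytes[$i + 1] -eq 0))
        if ($ok) { [void]$sb.Append([char]$b) }
        else {
            if ($sb.Length -ge $MinLength) { $out.Add($sb.ToString()) }
            [void]$sb.Clear()
        }
    }
    if ($sb.Length -ge $MinLength) { $out.Add($sb.ToString()) }
    return $out
}

function Get-StaticTriage {
    param([Parameter(Mandatory)][string]$Path, [int]$MinLength = 6)
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $strings = @(Get-PrintableStrings -Bytes $bytes -MinLength $MinLength) +
               @(Get-PrintableStrings -Bytes $bytes -MinLength $MinLength -Wide)
    [pscustomobject]@{
        File    = $Path
        Size    = $bytes.Length
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # the value to look up in OSINT sources
        Strings = $strings.Count
        DLLs    = @($strings | Where-Object { $_ -match '^[\w.-]+\.dll$' } | Sort-Object -Unique)   # imports, mostly
        URLs    = @($strings | Where-Object { $_ -match '^(https?|ftp)://' } | Sort-Object -Unique)
    }
}

# Usage against a benign system binary (path assumed to exist on Windows)
Get-StaticTriage -Path (Join-Path $env:SystemRoot 'System32\calc.exe') | Format-List
```

The DLL list is the quick version of "searching for DLLs in the strings output": networking or crypto imports in a binary that claims to be a calculator are the kind of mismatch that sends the sample on to the dynamic tools listed above. Packed or encrypted samples yield few strings, which is itself a finding.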
Virtualization - Benefits
- Ability to run multiple virtual machines off a single set of hardware
- VMs can be dynamically created and allocated to users
- A single baseline image can be maintained and updated, rather than multiple physical devices
- VM instances can be rolled back to undo any changes that take place during a session
- Can provide fault tolerance through redundant hardware and migration
- Could be used as a pivot point
- Could provide persistence if you can compromise the data store
- Running from a virtual machine lessens attribution
- Able to spin up whatever OS you need
- Malware analysis: quick restoral times
- Could create a honeypot or tar pit
- Harder for malware to maintain persistence
- Manageability
11.1 Discuss the importance of virtual machines.
Virtualization - Risks
- Typically require more upfront planning and configuration
- In public cloud environments, a lack of granularity in control of data at rest can lead to compliance issues (HIPAA, etc.)
- Some functions may not work well in a VM, such as copy/paste, printers, or netstat, without additional setup effort
- Persistence can be lost if the target machine is restored
- Could end up in a honeypot or tar pit
- If the data store is compromised, all new instances will also be compromised
- Planning and initial setup cost more with virtual networks
11.1 Discuss the importance of virtual machines.
Situational Awareness
What is situational awareness?
- A method of gaining an understanding of the current operating environment on the target machine. It applies both defensively and offensively.
- Allows you to get an idea of what the system is used for and what type of users use it
- This is what is used to decide which courses of action are appropriate for the system
12.1 Explain the situational awareness process
Situational Awareness (cont.)
What areas are the most important to be aware of?
- Running processes
- Active users
- Network communications
- Logging
- Scheduled jobs
- Aliases
Easiest way to gain situational awareness on a machine? Using the CLI commands previously mentioned, and more to come!
12.1 Explain the situational awareness process; 12.2 List ways to gain situational awareness on a remote system
Exercise: Windows Baseline Processes
- Have students read sections out of the Windows Processes Book Excerpt under Windows Resources. Pg 416 and 417 cover thread states.
- The students will understand that one of them will be chosen at random to brief the class on the findings of their research
- Use the random name generator (script) to select the briefer
- Once the briefer is finished, cover the material below on the thread states
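The six situational-awareness areas on the earlier slide (running processes, active users, network communications, logging, scheduled jobs, aliases) and the baseline-processes exercise above come together in one workflow: snapshot a known-good host, snapshot it again later, and diff. This PowerShell is an added example, not course material. It uses cmdlets that exist on Windows 8/2012 and later (Get-CimInstance, Get-NetTCPConnection, Get-WinEvent, Get-ScheduledTask, Get-Alias); run it elevated to see every path and connection. The output directory, the CSV format and the columns chosen for comparison are assumptions of the example.

```powershell
# Added example (not from the course slides): situational-awareness snapshot and baseline diff.

function Get-SituationalSnapshot {
    # Writes one CSV per area into $OutDir and returns the directory path
    param([string]$OutDir = (Join-Path $env:TEMP ('snapshot-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $snap = [ordered]@{
        Processes = Get-CimInstance -ClassName Win32_Process |
                    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CreationDate
        Users     = Get-CimInstance -ClassName Win32_LoggedOnUser |
                    ForEach-Object { [pscustomobject]@{ User = "$($_.Antecedent.Domain)\$($_.Antecedent.Name)" } } |
                    Sort-Object User -Unique
        Network   = Get-NetTCPConnection |
                    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
        Logging   = Get-WinEvent -ListLog 'Security', 'System', 'Application' -ErrorAction SilentlyContinue |
                    Select-Object LogName, IsEnabled, RecordCount, FileSize, MaximumSizeInBytes
        Jobs      = Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                    Select-Object TaskName, TaskPath, State
        Aliases   = Get-Alias | Select-Object Name, Definition
    }
    foreach ($area in $snap.Keys) {
        if ($snap[$area]) { $snap[$area] | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$area.csv") }
    }
    return $OutDir
}

function Compare-Snapshot {
    # Reports items present in one snapshot but not the other, per area, keyed on the columns below
    param([Parameter(Mandatory)][string]$BaselineDir, [Parameter(Mandatory)][string]$CurrentDir)
    $keys = @{
        Processes = 'Name', 'ExecutablePath'
        Network   = 'LocalPort', 'RemoteAddress', 'RemotePort', 'State'
        Jobs      = 'TaskName', 'TaskPath'
        Users     = ,'User'
        Aliases   = 'Name', 'Definition'
    }
    foreach ($area in $keys.Keys) {
        $base = @(Import-Csv -Path (Join-Path $BaselineDir "$area.csv") -ErrorAction SilentlyContinue)
        $cur  = @(Import-Csv -Path (Join-Path $CurrentDir "$area.csv") -ErrorAction SilentlyContinue)
        Compare-Object -ReferenceObject $base -DifferenceObject $cur -Property $keys[$area] |
            ForEach-Object {
                $row = $_
                [pscustomobject]@{
                    Area   = $area
                    Change = if ($row.SideIndicator -eq '=>') { 'new since baseline' } else { 'gone since baseline' }
                    Item   = ($keys[$area] | ForEach-Object { $row.$_ }) -join ' | '
                }
            }
    }
}

# Usage: take the baseline on a known-good build, re-run later on the same host, then diff
$baseline = Get-SituationalSnapshot
# ... time passes, or the host is handed to a user ...
Compare-Snapshot -BaselineDir $baseline -CurrentDir (Get-SituationalSnapshot) | Format-Table -AutoSize -Wrap
```

Short-lived ports and the PowerShell host's own process will always show up in the diff; the rows that matter are a new image path, a new scheduled task under a system path, a new listening port, or an alias that now points somewhere other than a built-in cmdlet. Those are the findings to carry into the process-validity and service checks from the earlier slides.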