![]() The value of shell should be Explorer.exe. Will run Shell value located at Software\Microsoft\Windows NT\CurrentVersion\Winlogon within the registry.This includes running GPOs and logon scripts. Userinit initializes the user environment.Userinit.exe exits once it runs so you wont see this process running when you look.Malware will sometimes add additional values to this key, which will load malware upon successful logons. The userinit value in the registry should be: Userinit.exe, (note the comma).Loads Userinit within Software\Microsoft\Windows NT\CurrentVersion\Winlogon.Handles interactive user logons/logoffs when SAS keystroke combination is entered (Ctrl+Alt+Delete).Once password is entered the verification is sent over to LSASS and it’s verified via Active Directory or SAM (the registry hive SAM), which stores local users and group information. LogonUI will terminate once the user enters their password.Could have a child process of LogonUI if smartcard, etc. ![]() I have not personally seen malware try and impersonate LSM.exe, but there is always a first so keep your eyes open.Receives logon/off, shell start and termination, connect/disconnects from a session, and lock/unlock desktop.Sends the requests to smss.exe to start new sessions. Manages the state of terminal server sessions on the local machine.They should all be running within session 0.Often times when malware uses the actual svchost.exe to load their malicious service they will not include -k command line parameters and be running under a username that does not match on of the three listed in bullet 3.-k values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key.Often mimicked (scvhost, svch0st, etc.) When they are mimicked they will not be running as children to services.exe.Should always have a parent of services.exe.Username: Should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE.Multiple instances of svchost.exe can/do exist/run.These “fake” names will not be a children of wininit.exe. Also mimicked by malware to hide on a system (lass.exe, lssass.exe, lsasss.exe, etc.). Often targeted by malware as a means to dump passwords.Responsible for local security policy to include managing users allowed to login, password policies, writing to the security event log, etc.There should only be one services.exe process running.Loads a database of services into memory.Services are defined in SYSTEM\CurrentControlSet\Services Parent to services such at svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc.Performs user-mode initialization tasks.Created by smss.exe, but since smss.exe exits there is no parent to WININIT.Parent to services.exe (SCM), lsass.exe and lsm.exe.WININIT.EXE – Windows Initialization Process Its name is often used by malware to hide on systems (CSSRS.EXE, CSRSSS.EXE, etc.).Under Windows 7, the conhost process now does that functionality. In XP its used to draw text based console windows.Creates/Deletes processes and threads, Temp files, etc.0 and 1 are for a single user logged onto the system. There can be more sessions if more users are logged on to the system.The second smss.exe process exits, so you will only see the one running in session 0. Only one smss.exe process should be running at one time.Creates csrss and winlogon then exits, which is why they have no parent process and they both have session ids of 1.Runs from %systemroot%\System32\smss.exe.Performs delayed file delete/rename changes.There should only be one system process running.Created by ntoskrnl.exe via the process manager function, which creates and terminates processes and threads.Here I am highlighting a few of the processes, which we should know in our day today work as an analyst. Though as per current threat product platforms can identify most of it, however we as a malware analyst should know, what this processes are meant to be doing basically. If we see the behavior of a Malware, they often take the leverage of windows processes to hide themselves and full-fill the objective. ![]() 1002 0 2 101 0 0x80000000000000 36514 Application DESKTOP-EEBHG2T explorer.exe 1.1023 206c 01d761f97ca6a864 0 C:\Windows\explorer.We often come across to investigating many malicious events in our windows environment. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.Īpplication Path: C:\Windows\explorer.exe ![]() The program explorer.exe version 1.1023 stopped interacting with Windows and was closed. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |