Flashcards of key vocabulary and concepts from a lecture on Windows processes and lateral movement
System
Image Path: N/A – not generated from an executable image (there is no system.exe); Parent Process: None; Number of Instances: One; User Account: Local System; Start Time: At boot time; The System process (PID 4) hosts most kernel-mode threads and should not be confused with the System Idle Process (PID 0), which only accounts for idle CPU time. Modules run under System are primarily drivers (.sys files), but also include several important DLLs as well as the kernel executable, ntoskrnl.exe.
smss.exe
Image Path: %SystemRoot%\System32\smss.exe; Parent Process: System; Number of Instances: One master instance and another child instance per session. Children exit after creating their session; User Account: Local System; Start Time: Within seconds of boot time for the master instance; The Session Manager process is responsible for creating new sessions. The first instance creates a child instance for each new session. Once the child instance initializes the new session by starting the Windows subsystem (csrss.exe) and wininit.exe for Session 0 or winlogon.exe for Session 1 and higher, the child instance exits.
wininit.exe
Image Path: %SystemRoot%\System32\wininit.exe; Parent Process: Created by an instance of smss.exe that exits, typically appearing as an orphan process; Number of Instances: One; User Account: Local System; Start Time: Within seconds of boot time; wininit.exe starts key background processes within Session 0. It starts the Service Control Manager (services.exe), the Local Security Authority process (lsass.exe), and lsaiso.exe for systems with Credential Guard enabled.
RuntimeBroker.exe
Image Path: %SystemRoot%\System32\RuntimeBroker.exe; Parent Process: svchost.exe; Number of Instances: One or more; User Account: Typically the logged-on user(s); Start Time: Start times vary greatly; RuntimeBroker.exe acts as a proxy between the constrained Universal Windows Platform (UWP) apps and the full Windows API. UWP apps have limited capability to interface with hardware and the file system. Broker processes such as RuntimeBroker.exe are therefore used to provide the necessary level of access for UWP apps.
taskhostw.exe
Image Path: %SystemRoot%\System32\taskhostw.exe; Parent Process: svchost.exe; Number of Instances: One or more taskhostw.exe processes are normal; User Account: Task processes can be owned by logged-on users and/or by local service accounts; Start Time: Start times vary greatly; The generic host process for Windows Scheduled Tasks. Upon initialization, taskhostw.exe runs a continuous loop listening for trigger events.
winlogon.exe
Image Path: %SystemRoot%\System32\winlogon.exe; Parent Process: Created by an instance of smss.exe that exits, typically appearing as an orphan process; Number of Instances: One or more; User Account: Local System; Start Time: Within seconds of boot time for the first instance (for Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons; Winlogon handles interactive user logons and logoffs. It launches LogonUI.exe to collect credentials, passes them to lsass.exe for validation, and on success loads the user's profile hive and starts userinit.exe, which in turn launches the user's shell (explorer.exe).
csrss.exe
Image Path: %SystemRoot%\System32\csrss.exe; Parent Process: Created by an instance of smss.exe that exits, typically appearing as an orphan process; Number of Instances: Two or more; User Account: Local System; Start Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although often only Sessions 0 and 1 are created; The Client/Server Run-Time Subsystem is the user-mode process for the Windows subsystem.
services.exe
Image Path: %SystemRoot%\System32\services.exe; Parent Process: wininit.exe; Number of Instances: One; User Account: Local System; Start Time: Within seconds of boot time; Implements the Unified Background Process Manager (UBPM), which is responsible for background activities such as services and scheduled tasks. Services.exe also implements the Service Control Manager (SCM), which specifically handles the loading of services and device drivers marked for auto-start.
svchost.exe
Image Path: %SystemRoot%\System32\svchost.exe; Parent Process: services.exe (most often); Number of Instances: Many (generally at least 10 and often more than 50); User Account: Varies between Local System, Network Service, or Local Service accounts. Windows 10+ also has "per-user services" running under a user account context with Medium integrity level; Start Time: Typically close to boot time. However, services can be started after boot (e.g., at logon), resulting in new instances of svchost.exe long after boot time; Generic host process for Windows services. It is used for running service DLLs. Legitimate instances are started with a -k <service-group> argument naming the group of services they host; an svchost.exe with no -k argument, with a parent other than services.exe, or running from a path other than %SystemRoot%\System32 warrants investigation.
lsaiso.exe
Image Path: %SystemRoot%\System32\lsaiso.exe; Parent Process: wininit.exe; Number of Instances: Zero or one; User Account: Local System; Start Time: Within seconds of boot time; When Virtualization-based Security (VBS) is enabled together with Credential Guard, the functionality of lsass.exe is split between two processes, lsass.exe itself and lsaiso.exe. Most of the functionality stays within lsass.exe, but the important role of safely storing account credentials moves to lsaiso.exe, which runs in a context isolated from the rest of the operating system, including the normal kernel, by hardware virtualization. Its presence is therefore a quick indicator that Credential Guard is active on the host.
lsass.exe
Image Path: %SystemRoot%\System32\lsass.exe; Parent Process: wininit.exe; Number of Instances: One; User Account: Local System; Start Time: Within seconds of boot time; The Local Security Authority Subsystem Service process is responsible for authenticating users by calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. Because lsass.exe holds credential material in memory, it is the usual target of credential-dumping tools; more than one instance, an instance whose parent is not wininit.exe, or one running from a path other than %SystemRoot%\System32 should be treated as suspicious.
explorer.exe
Image Path: %SystemRoot%\explorer.exe; Parent Process: Created by an instance of userinit.exe that exits, typically appearing as an orphan process; Number of Instances: One or more per interactively logged-on user; User Account: Logged-on user(s); Start Time: First instance starts when the owner's interactive logon begins; At its core, Explorer provides users access to files. Functionally, though, it is both a file browser (File Explorer, which is the same explorer.exe image) and a user interface providing the user's Desktop, the Start Menu, the Taskbar, the Control Panel, and application launching via file extension associations and shortcut files. Note that its image lives directly in %SystemRoot%, not in %SystemRoot%\System32.
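The image path, parent and account expectations in the cards above can be checked on a live host. The PowerShell script below is an added example and not part of the lecture; it encodes the rules exactly as the cards state them (an assumption that the host is a stock Windows configuration) and flags any process that deviates. It handles one trap the cards only imply: Windows recycles PIDs, so a live process whose PID matches the recorded parent PID but which started after the child is not the real parent and is treated as "parent exited". Run it from an elevated prompt so that ExecutablePath, CommandLine and GetOwner succeed for protected processes.

```powershell
# Added example (not lecture material): compare live processes with the expected
# path / parent / owner relationships from the flashcards. The rule table is an
# assumption taken from the cards; per-user svchost services (Win10+) and
# third-party hosts will show up here and need manual review. Run elevated.

$sys = $env:SystemRoot
# Parents '' means "the parent has already exited" (csrss, wininit, winlogon, explorer).
# Owners @() means any account is acceptable. Max 0 means no instance limit.
$Rules = @{
    'smss.exe'          = @{ Path = "$sys\System32\smss.exe";          Parents = @('System', 'smss.exe'); Owners = @('SYSTEM'); Max = 0 }
    'csrss.exe'         = @{ Path = "$sys\System32\csrss.exe";         Parents = @('');                   Owners = @('SYSTEM'); Max = 0 }
    'wininit.exe'       = @{ Path = "$sys\System32\wininit.exe";       Parents = @('');                   Owners = @('SYSTEM'); Max = 1 }
    'winlogon.exe'      = @{ Path = "$sys\System32\winlogon.exe";      Parents = @('');                   Owners = @('SYSTEM'); Max = 0 }
    'services.exe'      = @{ Path = "$sys\System32\services.exe";      Parents = @('wininit.exe');        Owners = @('SYSTEM'); Max = 1 }
    'lsass.exe'         = @{ Path = "$sys\System32\lsass.exe";         Parents = @('wininit.exe');        Owners = @('SYSTEM'); Max = 1 }
    'lsaiso.exe'        = @{ Path = "$sys\System32\lsaiso.exe";        Parents = @('wininit.exe');        Owners = @('SYSTEM'); Max = 1 }
    'svchost.exe'       = @{ Path = "$sys\System32\svchost.exe";       Parents = @('services.exe');       Owners = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'); Max = 0 }
    'taskhostw.exe'     = @{ Path = "$sys\System32\taskhostw.exe";     Parents = @('svchost.exe');        Owners = @(); Max = 0 }
    'RuntimeBroker.exe' = @{ Path = "$sys\System32\RuntimeBroker.exe"; Parents = @('svchost.exe');        Owners = @(); Max = 0 }
    'explorer.exe'      = @{ Path = "$sys\explorer.exe";               Parents = @('');                   Owners = @(); Max = 0 }
}

$procs = @(Get-CimInstance Win32_Process)
$byPid = @{}
$counts = @{}
foreach ($p in $procs) {
    $byPid[[int]$p.ProcessId] = $p
    $counts[$p.Name] = 1 + [int]$counts[$p.Name]
}

function Get-ParentName($p) {
    $parent = $byPid[[int]$p.ParentProcessId]
    # PIDs are recycled: a "parent" that started after the child is not the real parent.
    if ($null -eq $parent -or $parent.CreationDate -gt $p.CreationDate) { return '' }
    return $parent.Name
}

function Get-OwnerName($p) {
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($null -eq $o -or $o.ReturnValue -ne 0) { return '<unknown>' }
    return $o.User
}

$findings = foreach ($p in $procs) {
    $rule = $Rules[$p.Name]
    if ($null -eq $rule) { continue }
    $issues = @()
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $rule.Path) { $issues += "path=$($p.ExecutablePath)" }
    $parentName = Get-ParentName $p
    if ($rule.Parents -notcontains $parentName) {
        $issues += 'parent=' + $(if ($parentName) { $parentName } else { '<exited>' })
    }
    $owner = Get-OwnerName $p
    if ($rule.Owners.Count -gt 0 -and $rule.Owners -notcontains $owner) { $issues += "owner=$owner" }
    if ($rule.Max -gt 0 -and $counts[$p.Name] -gt $rule.Max) { $issues += "instances=$($counts[$p.Name])" }
    # Legitimate svchost.exe instances name the service group they host with -k.
    if ($p.Name -eq 'svchost.exe' -and $p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') { $issues += 'no -k group' }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Issues = ($issues -join '; ') }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No deviations from the expected process relationships.' }
```

Expect a handful of benign hits on a normal workstation: per-user svchost.exe instances owned by the logged-on user, and an explorer.exe restarted by the user (its parent is then the previous explorer.exe rather than an exited userinit.exe). Anything else, in particular a second lsass.exe or a services.exe not parented by wininit.exe, is worth pulling the command line and image hash for.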
System Resource Usage Monitor (SRUM)
Description: SRUM records 30 to 60 days of historical system performance including applications run, user accounts responsible, network connections, and bytes sent/received per application per hour; Location: Win8+ C:\Windows\System32\SRU\SRUDB.dat; Interpretation: SRUDB.dat is an Extensible Storage Engine (ESE) database; as with other ESE databases, a copy taken from a live system may be in a dirty state and need to be repaired (esentutl /r) before it can be parsed.
BAM/DAM
Description: Windows Background/Desktop Activity Moderator (BAM/DAM) is maintained by the Windows power management sub-system. (Available in Win10+); Location: Win10 SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}; from Win10 1809 onward SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}; Interpretation: Provides the full path of the file executed and the last execution date/time, stored as a 64-bit FILETIME in the first 8 bytes of each value's data, under the SID of the user who ran it.
UserAssist
Description: UserAssist records metadata on GUI-based program executions; Location: NTUSER.DAT hive, NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count; Interpretation: GUIDs identify the type of execution ({CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} for executable files, {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} for shortcut files). Value names are ROT13 encoded; on Win7+ the 72-byte value data holds the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12, and the last-execution FILETIME at offset 60.
Jump Lists
Description: Windows Jump Lists allow users to reach frequently or recently used items quickly via the task bar. First introduced in Windows 7, they can identify applications in use and a wealth of metadata about items accessed via those applications; Location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (and CustomDestinations for pinned or application-defined lists); Interpretation: Each jump list file is named according to an application identifier (AppID), a hash that has to be mapped back to the application with a lookup list. AutomaticDestinations files are OLE compound files holding one LNK stream per item plus a DestList stream with access times.
ShimCache
Description: The Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables. It tracks the executable file path and binary last modified time; Location: XP: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility. Win7+: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (AppCompatCache value); Interpretation: Any executable present in the file system could be found in this key, so an entry shows the file existed, not necessarily that it ran; Win10 dropped the per-entry execution flag, so ShimCache alone does not prove execution there. The cache is written to the registry at shutdown, so the newest entries exist only in memory until the system restarts.
Prefetch
Description: Prefetch increases performance of a system by pre-loading code pages of commonly used applications. It monitors all files and directories referenced for each application or process and maps them into a .pf file. It provides evidence that an application was executed; Location: C:\Windows\Prefetch; Naming format: (exename)-(hash).pf, where the hash is computed from the executable's full path (and, for a few hosts such as svchost.exe and rundll32.exe, the command line), so the same binary run from two locations produces two .pf files; the feature is controlled by SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (EnablePrefetcher) and is disabled by default on Windows Server editions; Interpretation: The creation date of the .pf file is the first execution of the file by that name and path, and its last modified date is the most recent execution (both roughly 10 seconds after the actual launch). Win8+ .pf files also embed the last eight run times, and the run count is stored inside the file.
Amcache.hve
Description: Amcache tracks installed applications, programs executed (or present), drivers loaded, and more. What sets this artifact apart is that it also records the SHA1 hash of executables and drivers (computed over the first 31 MB of the file, so large binaries will not match a full-file hash). (Available in Win7+); Location: C:\Windows\AppCompat\Programs\Amcache.hve; Interpretation: A complete registry hive, with multiple sub-keys. As with ShimCache, an entry shows the file was present on the system and scanned; it is not by itself proof of execution.
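The registry-based execution artifacts above (BAM and UserAssist) and Prefetch can be pulled from a live host and merged into one timeline. The PowerShell script below is an added example, not material from the lecture; the value layouts it decodes (a FILETIME in the first 8 bytes of a BAM value, the run count at offset 4 and the last-run FILETIME at offset 60 of a Win7+ UserAssist value) are the documented structures, and it checks both the pre- and post-1809 BAM locations. The per-file Prefetch run times are not parsed here, only the file timestamps. Run it elevated; the BAM keys and the Prefetch folder are not readable by standard users.

```powershell
# Added example (not lecture material): collect execution evidence from BAM,
# UserAssist and Prefetch on a live host and merge it into a single timeline.
# Offsets assume the Win7+ UserAssist layout and the 24-byte BAM value format.
# Run elevated: the BAM keys and C:\Windows\Prefetch are ACLed to administrators.

function ConvertFrom-Rot13([string]$Text) {
    # UserAssist value names are ROT13-obfuscated; only A-Z and a-z are rotated.
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else                               { $ch }
    }
    -join $out
}

function Get-UserAssistEvidence {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $count = $guidKey.OpenSubKey('Count')
        if ($null -eq $count) { continue }
        foreach ($name in $count.GetValueNames()) {
            $data = $count.GetValue($name)
            # Program entries are 72 bytes; the UEME_CTLSESSION counter is shorter and skipped.
            if ($data -isnot [byte[]] -or $data.Length -lt 68) { continue }
            $ft = [BitConverter]::ToInt64($data, 60)
            [pscustomobject]@{
                Source     = 'UserAssist'
                User       = $env:USERNAME
                Entry      = ConvertFrom-Rot13 $name
                RunCount   = [BitConverter]::ToInt32($data, 4)
                LastRunUtc = $(if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null })
            }
        }
    }
}

function Get-BamEvidence {
    $roots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'  # Win10 1809 and later
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'        # earlier Win10 builds
    )
    foreach ($root in $roots) {
        foreach ($sidKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $sid = $sidKey.PSChildName
            $user = $sid
            try { $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
            foreach ($name in $sidKey.GetValueNames()) {
                $data = $sidKey.GetValue($name)
                # Version and SequenceNumber are DWORDs; program entries are binary with a leading FILETIME.
                if ($data -isnot [byte[]] -or $data.Length -lt 8) { continue }
                [pscustomobject]@{
                    Source     = 'BAM'
                    User       = $user
                    Entry      = $name
                    RunCount   = $null
                    LastRunUtc = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
                }
            }
        }
    }
}

function Get-PrefetchEvidence {
    # Creation time ~ first run, last write ~ most recent run (both ~10 s after the launch).
    foreach ($pf in Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Source     = 'Prefetch'
            User       = $null
            Entry      = $pf.Name
            RunCount   = $null
            LastRunUtc = $pf.LastWriteTimeUtc
        }
    }
}

$timeline = @(Get-UserAssistEvidence) + @(Get-BamEvidence) + @(Get-PrefetchEvidence)
$timeline | Sort-Object LastRunUtc -Descending | Select-Object -First 40 | Format-Table -AutoSize
```

Filter `$timeline` with `Where-Object Entry -like '*<name>*'` to line up the three sources for one binary: BAM gives the path and the user SID, UserAssist the run count and whether the program was launched through the GUI, and the Prefetch file name (with its path hash) shows whether the same executable was also run from a second location.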
Lateral Movement
Lateral movement is the phase in which an attacker who has compromised one system moves on to other hosts in the environment to reach the data or systems that are the actual objective. It is all but unavoidable for any intrusion that goes beyond the initial foothold, and because it is usually done with valid credentials and legitimate remote-execution mechanisms rather than malware, the process relationships and execution artifacts above are the primary evidence for detecting it.