Windows Processes and Lateral Movement


Flashcards to review key Windows processes and lateral movement techniques.


20 Terms

1. System Idle Process

Responsible for representing idle CPU time; not generated from an executable image; parent process is None; one instance; user account is Local System; starts at boot time; responsible for most kernel-mode threads.

2. smss.exe (Session Manager)

Responsible for creating new sessions; image path is %SystemRoot%\System32\smss.exe; parent process is System; has one master instance plus a child instance per session, each child exiting after its session is created; user account is Local System; the master instance starts within seconds of boot time.

3. wininit.exe

Starts key background processes within Session 0; image path is %SystemRoot%\System32\wininit.exe; parent process is an instance of smss.exe that exits; one instance; user account is Local System; starts within seconds of boot time.

4. RuntimeBroker.exe

Acts as a proxy between constrained Universal Windows Platform (UWP) apps and the full Windows API; image path is %SystemRoot%\System32\RuntimeBroker.exe; parent process is svchost.exe; one or more instances; user account is typically the logged-on user(s); start times vary greatly.

5. taskhostw.exe

Generic host process for Windows Scheduled Tasks; image path is %SystemRoot%\System32\taskhostw.exe; parent process is svchost.exe; one or more instances; user account is logged-on users and/or local service accounts; start times vary greatly.

6. winlogon.exe

Handles interactive user logons and logoffs; image path is %SystemRoot%\System32\winlogon.exe; parent process is an instance of smss.exe that exits; one or more instances; user account is Local System; starts within seconds of boot time for the first instance.

7. csrss.exe (Client/Server Run-Time Subsystem)

User-mode process of the Windows subsystem; manages processes and threads; image path is %SystemRoot%\System32\csrss.exe; parent process is an instance of smss.exe that exits; two or more instances; user account is Local System; starts within seconds of boot time for the first two instances (Sessions 0 and 1).

8. services.exe

Implements the Unified Background Process Manager (UBPM) and Service Control Manager (SCM); image path is %SystemRoot%\System32\services.exe; parent process is wininit.exe; one instance; user account is Local System; starts within seconds of boot time.

9. svchost.exe

Generic host process for Windows services, used to run service DLLs; image path is %SystemRoot%\System32\svchost.exe; parent process is services.exe (most often); many instances; user account varies.

10. lsaiso.exe

When Virtualization-based Security (VBS) is enabled (as with Credential Guard), the function of lsass.exe is split between two processes; otherwise lsaiso.exe should not be running on the system. Image path is %SystemRoot%\System32\lsaiso.exe; parent process is wininit.exe; zero or one instance; user account is Local System; starts within seconds of boot time.

11. lsass.exe

Responsible for authenticating users and implementing the local security policy; image path is %SystemRoot%\System32\lsass.exe; parent process is wininit.exe; one instance; user account is Local System; starts within seconds of boot time.

12. explorer.exe

Provides users access to files and user interface features like the Desktop, Start Menu, and Taskbar; image path is %SystemRoot%\explorer.exe; parent process is an instance of userinit.exe that exits; one or more instances per interactively logged-on user; user account is logged-on user(s).

13. Lateral Movement

An inescapable requirement for attackers who must move stealthily from system to system to accomplish their objectives. The artifacts below are what tools and techniques hunt for to find it.

14. System Resource Usage Monitor (SRUM)

Records 30 to 60 days of historical system performance, including applications run, the user accounts responsible, network connections, and bytes sent/received per application per hour. Location (Win8+): C:\Windows\System32\SRU\SRUDB.dat

15. Windows Background/Desktop Activity Moderator (BAM/DAM)

Maintained by the Windows power management subsystem; provides the full path of the executed file and its last execution date/time (available in Win10+). Location (Win10): SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} and SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

16. UserAssist

Records metadata on GUI-based program executions. Location (NTUSER.DAT hive): NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

17. Jump Lists

Give users quick access to frequently or recently used items via the taskbar. Location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

18. ShimCache

Windows Application Compatibility Database, used by Windows to identify possible application compatibility problems with executables. Location: XP: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility; Win7+: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

19. Prefetch

Evidence of program execution; the Prefetch mechanism improves system performance by pre-loading code pages of commonly used applications. Location: C:\Windows\Prefetch

20. Amcache.hve

Tracks installed applications, programs executed (or present), drivers loaded, and more. Location: C:\Windows\AppCompat\Programs\Amcache.hve