Scribd
Upload
224 views

Introduction To Endpoint Hunting

The document provides an introduction to endpoint hunting. It discusses understanding Windows processes on endpoints as a starting point for hunting without specific threat intelligence. The document examines several core Windows processes including smss.exe, csrss.exe, and winlogon.exe and details their typical behavior and hunting tips.

Uploaded by

madhugouda
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
224 views

Introduction To Endpoint Hunting

The document provides an introduction to endpoint hunting. It discusses understanding Windows processes on endpoints as a starting point for hunting without specific threat intelligence. The document examines several core Windows processes including smss.exe, csrss.exe, and winlogon.exe and details their typical behavior and hunting tips.

Uploaded by

madhugouda
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 88

Threat Hunting

Professional

Introduction to Endpoint
Hunting
S e c t i o n 0 3 | M o d u l e 0 1
© Caendra Inc. 2020
All Rights Reserved
Table of Contents

MODULE 01 | INTRODUCTION TO ENDPOINT HUNTING

1.1 Introduction

1.2 Windows Processes

1.3 Endpoint Baselines

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.2


1.1

Introduction

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.3


1.1 Introduction

We will now focus our hunts on the endpoints.

At this point, imagine that threat intelligence feeds are in


place and network traffic/flow is being monitored, but
nothing is producing any alerts that would merit a hunt.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.4


1.1 Introduction

That doesn’t mean the adversary has not obtained a


foothold into the network. They probably found their way in
by bypassing the perimeter defenses that are put into
place.

Maybe an employee's laptop got compromised at their


home or at a local coffee shop and the adversary found
their way right into the juicy middle of our enterprise.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.5
1.1 Introduction

To be successful as a hunter, you must already think that


the adversary found its way in and you need to find them.

Remember we discussed dwell time in the beginning of this


course. Based on reports, the adversary has been hidden in
enterprise networks for months before detected.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.6


1.1 Introduction

We’ll approach these next few modules as such, a hunt


without specific threat intel.

Before we can dive in and start hunting, we need to focus


on the basics, we need to understand the end points that
we’re hired to protect and that attackers are going after.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.7


1.1 Introduction

Servers typically don’t change much, meaning software isn’t


constantly installed from day to day. The services,
processes, etc. are not different from day to day. Windows
patches might be done in a monthly or quarterly basis.
Detecting anomalies on servers, if they’re monitored, should
be easier than on desktop machines.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.8


1.1 Introduction

Each enterprise will have different policies in place that will


either prohibit or allow the end user from performing certain
tasks.

Some corporations will give end users local admin rights


because it’s easier to just allow the end user to install and
configure anything rather than calling the help desk, or an
application only works correctly if local admin rights are
given to the user.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.9
1.1 Introduction

Some corporations will give end users local admin rights


only to certain folders, services, etc., but this can still pose
a significant problem.

If this is known to an attacker, then that can be exploited to


gain access and elevate privileges on the system.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.10


1.1 Introduction

Enterprises, for the most part, are doing the best they can
with what they have, with whatever appliances and budget
they have in place.

At the end of the day, you still need to defend the network
and find evil if they’re within your systems.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.11


1.1 Introduction

We’ll begin by:


• Looking at the Windows operating system core processes
• Discussing the role each process plays
• Discussing the normal behavior of the process

This is important because even if you have appliances in place,


attackers are becoming more and more crafty in tricking these
appliances. We must recognize anything suspicious with these
core processes, in case the appliance is unable to pick it up.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.12
1.2

Windows Processes

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.13


1.2 Windows Processes

When it comes to the Windows core processes and


attempting to detect if they are the legitimate core
processes, we can look at a few key factors:
• Did the expected parent process spawn it?
• Is it running out of the expected path?
• Is it spelled correctly?
• Is it running under the proper SID?
• Is it signed by Microsoft?
*Click on the number to return to your previous page in the slides 27, 30, 33, 39, 43, THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.14
47, 48
1.2 Windows Processes

This is a snapshot of the processes running Windows 7


on a Windows system (VM). We will use this
snapshot to explain the various core
Windows processes.
• Name
• Purpose
• Executable path
• Parent process
• SID
• etc.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.15
1.2.1 smss.exe

SMSS.EXE is known as the Session Manager. Its responsibility is to create new


sessions.
• Session 0 starts csrss.exe and wininit.exe. (OS services)
• Session 1 starts csrss.exe and winlogon.exe. (User session)
• You will see 1 instance (Session 0) within the process tree. The child instances
of smss.exe which was used to create the other sessions, by copying itself into
that new session, will self-terminate.
• Loads the registry and known DLLs into shared memory locations, among other
things.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.16


1.2.1 smss.exe

Executable Path: %SystemRoot%\System32\smss.exe


Parent Process: System
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 11
Time of Execution: For Session 0, within seconds of boot
time

https://msdn.microsoft.com/en-us/library/windows/desktop/ms685100(v=vs.85).aspx THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.17


1.2.1.1 Hunting Tip

Sessions 0 and 1 are normal. Additional sessions may be


created by Remote Desktop Protocol (RDP) sessions and
Fast User Switching on shared computers. If this does not
apply to your environment, then it’s worth checking the
additional sessions (if such exist).

Remember only 1 instance of smss.exe should be running.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.18


1.2.2 csrss.exe
CSRSS.EXE is the Client/Server Run Subsystem Process. It is
responsible for managing processes and threads, as well as making the
Windows API available for other processes. It’s also responsible for
mapping drive letters, creating temp files, and handling the shutdown
process.
• Runs within Session 0 and 1.
• Will be available for each newly created user session.
Windows 7

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.19


1.2.2 csrss.exe

Executable Path: %SystemRoot%\System32\csrss.exe


Parent Process: Created by child instance of SMSS.EXE but
that process won’t exist so will appear as no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: For Sessions 0 & 1, within seconds of
boot time

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.20


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.2.1 Hunting Tip

Malware authors can masquerade their malware to appear


as this process by hiding in plain sight. They can name the
malware as csrss.exe but just misspell it slightly. Examples
of this would be cssrs.exe, cssrss.exe, and csrsss.exe.

Remember, typically you will see 2 instances of csrss.exe.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.21


1.2.3 winlogon.exe
WINLOGON.EXE is the Windows Logon Process. It is responsible for user
logons/logoffs. It launches LogonUI.exe for username and password and
passes credentials to LSASS.exe which is verified via AD or local SAM.
• Loads Userinit.exe via Software\Microsoft\Windows
NT\CurrentVersion\Winlogon.
• Loads NTUSER.DAT into HKCU and starts the users shell via
Userinit.exe.
• Userinit initializes the user environment and runs logon scripts and
GPO.
Windows 7

*Both LogonUI.exe and Userinit.exe will exist and will not be visible after this process.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.22


1.2.3 winlogon.exe

Executable Path: %SystemRoot%\System32\winlogon.exe


Parent Process: Created by child instance of SMSS.EXE but
that process won’t exist so will appear as no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: For Sessions 1, within seconds of boot
time. Other instances may start later.

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.23


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.3.1 Hunting Tip

The abuse within this process often comes within the


different components of the login process. Malware
sometimes abuses the SHELL registry value. This value
should be explorer.exe.

Another registry key that is abused by malware that works


in conjunction with winlogon.exe is Userinit.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.24


1.2.4 wininit.exe

WININIT.EXE is the Windows Initialization Process. It is


responsible to launch services.exe, lsass.exe, and lsm.exe
in Session 0.

Windows 7

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.25


1.2.4 wininit.exe

Executable Path: %SystemRoot%\System32\wininit.exe


Parent Process: Created by child instance of SMSS.EXE but
that process won’t exist so will appear as no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: Within seconds of boot time

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.26


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.4.1 Hunting Tip

You should only see 1 instance of wininit.exe.

Remember the clues to look for provided at the beginning


of this section, here.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.27


1.2.5 lsm.exe

LSM.EXE is the Local Session Windows 7


Manager. It is responsible to
work with smss.exe to create,
destroy, or manipulate new
user sessions.
• Responsible for
logon/logoff, shell start/end,
lock/unlock desktop to
name a few.
Windows 10
Note: After Windows 7, lsm.exe
no longer exists, and it is now a
service called lsm.dll.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.28
1.2.5 lsm.exe

Executable Path: %SystemRoot%\System32\lsm.exe


Parent Process: wininit.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 8
Time of Execution: Within seconds of boot time

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.29


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.5.1 Hunting Tip

You should only see 1 instance of lsm.exe on Windows 7


machines. You should NOT be seeing this on Windows 8
and beyond. It will be running as a service DLL instead,
lsm.dll.

Remember the clues to look for provided at the beginning


of this section, here.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.30


1.2.6 services.exe

SERVICES.EXE is the Service Control Manager. It is Windows 7


responsible for loading services (auto-start) and device
drivers into memory.
• Parent to svchost.exe, dllhost.exe, taskhost.exe,
spoolsv.exe, etc.
• Services are defined in
HKLM\SYSTEM\CurrentControlSet\Services.
• Maintains an in-memory database of service
information which can be queried using the built-in
Windows tool, sc.exe.
• After a successful interactive login, services.exe will
backup a copy of the registry keys into
HKLM\SYSTEM\Select\LastKnownGood which will
be known as the Last Known Good Configuration.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.31


1.2.6 services.exe

Executable Path: %SystemRoot%\System32\services.exe


Parent Process: wininit.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 9
Time of Execution: Within seconds of boot time

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.32


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.6.1 Hunting Tip

You should only see 1 instance of services.exe. This is a


protected process which makes it difficult to tamper with.

Remember the clues to look for provided at the beginning


of this section, here.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.33


1.2.7 lsass.exe
LSASS.EXE is the Local Security Authority Windows 7
Subsystem. It is responsible for user
authentication and generating access
tokens specifying security policies and/or
restrictions for the user and the processes
spawned in the user session.
• Uses authentication packages within
HKLM\System\CurrentControlSet\Cont
rol\Lsa to authenticate users.
• Creates security tokens for SAM, AD,
and NetLogon.
• Writes to the Security event log.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.34
1.2.7 lsass.exe

Executable Path: %SystemRoot%\System32\lsass.exe


Parent Process: wininit.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 9
Time of Execution: Within seconds of boot time

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.35


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.7.1 Hunting Tip

You should only see 1 instance of lsass.exe. This process


is commonly attacked and abused by hackers and malware.
It is targeted to dump password hashes and is often used
to hide in plain sight. You might see different variations of
spelling for this process (lass.exe or lsasss.exe), and might
even see multiple instances of it, like with Stuxnet malware.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.36


1.2.8 svchost.exe

SVCHOST.EXE is the Generic Service Host Process. It is Windows 7


responsible for hosting multiple services DLLs into a generic
shared service process.
• Each service will have registry entries that include
ServiceDll. This will instruct svchost.exe what DLL to use.
The entry will also include svchost.exe –k <name>.

• Multiple instances of svchost.exe host will be running, as


seen in the screenshot to the right.
• All DLL-based services with the same <name> will
share the same svchost.exe process.
• <name> values are found in Software\
Microsoft\Windows NT\CurrentVersion\
Svchost registry key.
• Each svchost.exe process will run with a unique –k
<name>.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.37


1.2.8 svchost.exe

Executable Path: %SystemRoot%\System32\svchost.exe


Parent Process: services.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18), LOCAL
SERVICE (S-1-5-19), or NETWORK SERVICE (S-1-5-20) *
Base Priority: 8
Time of Execution: Varies

*In Windows 10, an instance will start as user upon logon (-k UnistackSvcGroup).

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.38


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.8.1 Hunting Tip

This process is another process that is heavily abused. It


can be used to launch malicious services (malware
installed as a service). When this is done, (-k) will not be
present. This process is often misspelled to hide in plain
sight. Another technique used with this process is to place
it in different directories, but note that services.exe will not
be the parent.

Remember, the clues to look for provided at the beginning


of this section, here.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.39
1.2.8.1 Hunting Tip

When it comes to services, we will need to perform extra


steps to determine whether the service/DLL being loaded
by svchost.exe is legitimate or not.

It’s more than just checking for misspellings in svchost.exe,


because techniques such as Process Injection and Process
Hollowing can attack legitimate services. In these cases,
advanced techniques are required, such as memory
analysis.
https://attack.mitre.org/wiki/Technique/T1055 THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.40
https://attack.mitre.org/wiki/Technique/T1093
1.2.9 taskhost.exe
TASKHOST.EXE is a generic host process which Windows 7
acts as a host for processes that run from DLLs
rather than EXEs. At startup, TASKHOST checks the
Services portion of the Registry to construct a list of
DLL-based services that it needs to load, and then
loads them.
• In Windows 8, this process was renamed to
taskhostex.exe.
• In Windows 10, this process was renamed to
taskhostw.exe.

Windows 10
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.41
1.2.9 taskhost.exe

Executable Path: %SystemRoot%\System32\taskhost.exe


Parent Process: services.exe
Username: Varies
Base Priority: 8
Time of Execution: Varies

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.42


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.9.1 Hunting Tip

Remember, the clues to look for are provided at the


beginning of this section, here.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.43


1.2.10 explorer.exe

EXPLORER.EXE is the Windows Explorer.


• Explorer.exe is responsible for the user’s desktop and
everything that comes with it, including access to files
(file browser) and launching files via their file extensions.
• Even if multiple Windows Explorer windows open, only 1
process will be spawned per logged on user.

Windows 7

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.44


1.2.10 explorer.exe

Executable Path: %SystemRoot%\explorer.exe


Parent Process: Created by USERINIT.EXE but that process
won’t exist so will appear as no parent
Username: As logged-on users
Base Priority: 8
Time of Execution: Varies

https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.45


us/library/windows/desktop/ms685100(v=vs.85).aspx
1.2.10.1 Hunting Tip

This process is targeted by malware as well. Different


techniques will be incorporated, like the ones already
mentioned, against this process. They will inject into the
process, spawn malware named as explorer.exe, run it from
a different folder or misspell it and have it run from the
actual folder. Look for instances where explorer has CMD
hanging off it or is listening/connected on a network port.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.46


1.2.10.1 Hunting Tip

Let’s add more to the checklist shown near the beginning of


this section.
• Core Windows processes shouldn’t run from Windows
temp locations, or the Recycle Bin, and neither should be
communicating to any outbound IPs.

• Check for digital signatures (all Microsoft artifacts


should be digitally signed)
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.47
1.2.10.1 Hunting Tip

Let’s add more to the checklist shown near the beginning of


this section (CONTINUED):
• Look for any process that have cmd.exe, wscript.exe,
powershell.exe etc. running as a child process.

• Lastly, you’ll need to dig deeper, and that is where


memory analysis will come into play to find instances of
DLL injection, Process Hollowing, etc.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.48
1.2 Windows Processes

Some additional references, besides the Internet, to learn


more about these core Windows Processes:
• Windows Internals, Seventh Edition, Part 1
• Windows Internals, Sixth Edition, Part 2

*Windows Internals, Seventh Edition, Part 2 has not been released yet as of this date.

https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188
https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.49


1.2 Windows Processes

This section was meant to get us familiar with the core


Windows Processes to help us spot suspicious processes
and/or:
• Services masquerading as legitimate processes
• Services actually using the legitimate processes
• Services being used to execute malware on the
systems.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.50


1.2 Windows Processes

Next, we need to be able to do the same after configuring


these systems to be deployed in our environments.

The purpose of the next section is to look for suspicious


artifacts hiding within processes, services, files, folders,
etc.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.51


1.3

Endpoint Baselines

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.52


1.3 Endpoint Baselines

In the next few slides, we’ll discuss a technique that many


enterprises should be implementing within their
organization, baselining.

As mentioned in the Hunting Web Shells module, baselines


will help you find anomalies within system processes,
services, drivers, installed applications, file structures, etc.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.53


1.3 Endpoint Baselines

A baseline is a file that will be used for comparisons


against current settings and/or configurations. You can
compare the current state of a machine, file system, etc.
against the baseline to determine anything out of place.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.54


1.3 Endpoint Baselines

In the Hunting Web Shells module, we looked at how to use


PowerShell to create a baseline of a folder structure on an
internal web server.

In theory, the baseline would be created the last time a


developer or dev team made updates to the folder
structure. At the time of the comparison, whether daily,
weekly, etc., that baseline (CSV) would be compared to the
current folder structure (CSV) of the present day.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.55
1.3 Endpoint Baselines
If a changed file or new file is detected, then that would be an
indicator to investigate things on that web server more closely.

If your enterprise utilizes change management, then there would


be some type of proof that an update was scheduled to be
conducted on that folder structure.

If there is no evidence of an authorized update, then you’ll know


something unauthorized took place, whether it’s unintentional or
intentional.
https://www.prosci.com/change-management/what-is-change-management THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.56
1.3 Endpoint Baselines

Alien Vault has a few good postings on their blog about the
subject of File Integrity Monitoring that is worth reading.
You can check:
• Part 1
• Part 2

https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring
https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.57


1.3 Endpoint Baselines
There are several products that can assist with monitoring
unauthorized changes to files. A few of these are included
below:
• TripWire • SecureTrust
• SolarWinds • LogRhythm
• AlienVault

https://www.tripwire.com/products/tripwire-file-integrity-manager/
https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software
https://cybersecurity.att.com/solutions/pci-dss-file-integrity-monitoring
https://www.securetrust.com/solutions/compliance-technologies/file-integrity-monitoring/
https://logrhythm.com/solutions/security/file-integrity-monitoring/

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.58


1.3 Endpoint Baselines

Detecting these changes and investigating each changed or


new file in a large enterprise environment with hundreds of
thousands of nodes is simply not feasible.

You will need some type of appliance to assist you with this
task, like the ones mentioned in the previous slide.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.59


1.3 Endpoint Baselines

Many appliances are able to assist us with the process of


comparing artifacts to a set configuration or simply
detecting changes that are not in a specified policy.

While vendors might refer to this technology with different


terminology, security products on the market are able to do
the job. At times, sadly, enterprises are not implementing
these features within these appliances that already exist on
their network and they should be.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.60
1.3.1 System Center Configuration Manager

An example would be System Center Configuration


Manager (SCCM) which is able to perform this task:

“Configuration baselines in System Center Configuration


Manager contain predefined configuration items and
optionally, other configuration baselines. After a
configuration baseline is created, you can deploy it to a
collection so that devices in that collection download the
configuration baseline and assess their compliance with it.”
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.61
configuration-baselines
1.3.1 System Center Configuration Manager

Why is SCCM listed as an example?

Many large enterprises might already have SCCM in their


environment to deploy OS images, Windows Updates, push
software packages, etc. As mentioned earlier, SCCM might
not be utilized to its fullest potential. At times, the Security
Team are not even aware of the full capabilities of the
applications the other IT teams are using in the
environment, SCCM being a prime example.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.62
1.3.2 PowerShell Desired State Configuration

If you’re on a tight security budget, and don’t want to wait


until next fiscal to put in for a new, much needed, security
appliance, then you can resort to PowerShell. We already
saw how PowerShell can help us with checking for changes
in files.

PowerShell can also help us with configuration baselines


on machines. This feature of PowerShell is known as
Desired State Configuration.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.63
1.3.2 PowerShell Desired State Configuration

Desired State Configuration (DSC) is an essential part of


the configuration, management, and maintenance of
Windows-based servers.

It allows a PowerShell script to specify the configuration of


the machine using a declarative model in a simple standard
way that is easy to maintain and understand.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.64


1.3.2 PowerShell Desired State Configuration

Two of the main advantages of Desired State Configuration:


• To be able to configure machines identically with the
aim of standardizing them.

• To ensure, at a given time, that the configuration of a


machine will always be identical to its initial
configuration, to avoid unauthorized changes.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.65


1.3.2 PowerShell Desired State Configuration

If you’re familiar with Puppet, Ansible, or Chef then you can


grasp the concept behind DSC.

You can read more about DSC here.

https://puppet.com/
https://www.ansible.com/
https://www.chef.io/
https://www.red-gate.com/simple-talk/sysadmin/powershell/powershell-desired-state-configuration-the-basics/

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.66


1.3.3 Microsoft Security Compliance Manager

Another tool that can prove useful is Microsoft Security


Compliance Manager.

“SCM provides ready-to-deploy policies and DCM


configuration packs based on Microsoft security guide
recommendations and industry best practices, allowing you
to easily manage configuration drift and address
compliance requirements for Windows operating systems,
Office applications, and other Microsoft applications.”
https://www.microsoft.com/en-us/download/details.aspx?id=53353 THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.67
1.3.3 Microsoft Security Compliance Manager

You can download baselines for different Microsoft


products.

They are all available here.

https://www.microsoft.com/en-us/download/details.aspx?id=55319 THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.68


1.3.4 Microsoft Security Compliance Toolkit

For Windows 10, you can download the Microsoft Security


Compliance Toolkit 1.0 here.

As noted here, Microsoft Security Compliance Manager is


retired, but they mention the increasing popularity of
PowerShell DSC, which was already mentioned.
https://www.microsoft.com/en-us/download/details.aspx?id=55319
https://docs.microsoft.com/en-us/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.69


1.3 Endpoint Baselines

For certain types of analysis, such as memory analysis, it’s


good to have a process or service baseline to use to
compare against a memory image to find evidence of
malware running on a system.

In the next few slides, we’ll look at how we can use


PowerShell to create these baselines.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.70


1.3.5 Services Baseline
To get a baseline of the running services on a newly imaged and
configured machine, you can use the Get-Service PowerShell
cmdlet.

A brief explanation of the code (only components not already


explained):
• Get-Service * instructs PowerShell to obtain all the services
in the device.
• Where {$_.status –eq “Running”} is filtering those items
and only pulling the running services and exporting the
information to a XML file.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.71
service?view=powershell-7
1.3.5 Services Baseline

To conduct the comparison we can simply use another


PowerShell cmdlet, Compare-Object, to compare the
original services baseline (XML) to the current list of
running services on any given device.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/compare- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.72


object?view=powershell-7
1.3.5 Services Baseline

A brief explanation of the code (only components not already explained):


• Compare-Object instructs PowerShell to compare 2 sets of objects.
• 1st object = Import-Clixml Baseline-Services.xml.
• Here we’re importing the baseline file (XML)
• 2ND object = Obtaining the current list of running services
• -Property DisplayName is instructing PowerShell to pull the display name of
the service
• Where-Object {$_.sideindicator –eq “<=“} is instructing PowerShell to display
only the entries that Compare-Object is indicating as different from the
baseline.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.73
1.3.6 Processes Baseline

The same can be done with processes on a system. You


just need to make some tweaks to the previous PowerShell
code and instead of using Get-Service, we’ll be using Get-
Process.

A brief explanation of the code (only components not


already explained):
• Get-Process instructs PowerShell to obtain all the
processes in the device and export the information to a
XML file.
https://msdn.microsoft.com/en- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.74
us/powershell/reference/5.1/microsoft.powershell.management/get-process
1.3.6 Processes Baseline

To conduct the comparison, the process is similar with just


a slight change as you can see in the below screenshot.

If you need more information on this process, please refer


to this blog page from Hey, Scripting Guy!.

https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to- THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.75


compare-two-snapshots-of-running-processes/
1.3 Endpoint Baselines

As you just saw, we were able to use basically the same


PowerShell code snippet that was used to create a baseline
for running services on a Windows machine to create a
baseline of processes as well.

These are not the only baselines that you can create with
PowerShell.

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.76


1.3 Endpoint Baselines

You can create baselines on pretty much anything. The


question is what do you want to baseline that you might
need to run a comparison against in the future to detect
something suspicious?

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.77


1.3 Endpoint Baselines

Aside from the items already mentioned, here are a few items
that should be baselined (if not controlled by Active Directory):
• Accounts on a system (user or service)
• Local administrators on a system
• Folder permissions
• Folders contents
• Tasks folder (scheduled tasks)
• Network folders containing internal installation
executables & files
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.78
1.3 Endpoint Baselines

Refer to the MSDN page on Win32 Classes to obtain the


different names of WMI classes you can access with the
Get-WMIObject PowerShell cmdlet.

Creating baselines is an important security process that


should be implemented whether you have enterprise-grade
appliances, or you’re using free tools such as PowerShell.

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-classes
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.79
Module Conclusion

This concludes this module on Windows Processes and the


importance of creating baselines. We have covered:
• Each of the core Windows Processes, what they do, how
to detect that they are legitimate, and how malware
attempts to abuse them.
• The importance of creating various types of baselines,
and not neglecting tools that will aid you in the process
of creating these much needed artifacts to help you on
your hunts.
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.80
References

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.81


References
Base Priority
https://msdn.microsoft.com/en-us/library/windows/desktop/ms685100(v=vs.85).aspx

Process Injection
https://attack.mitre.org/wiki/Technique/T1055

Process Hollowing
https://attack.mitre.org/wiki/Technique/T1093

Windows Internals, Seventh Edition, Part 1


https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-
processes-9780735684188

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.82


References
Windows Internals, Sixth Edition, Part 2
https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873

What is Change Management


https://www.prosci.com/change-management/what-is-change-management

What is File Integrity Monitoring?


https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring

What is File Integrity Monitoring and Why You Need It


https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-
why-you-need-it

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.83


References
TripWire
https://www.tripwire.com/products/tripwire-file-integrity-manager/

SolarWinds
https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-
software

File Integrity Monitoring Solutions


https://cybersecurity.att.com/solutions/pci-dss-file-integrity-monitoring

SecureTrust
https://www.securetrust.com/solutions/compliance-technologies/file-integrity-monitoring/

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.84


References
LogRhythm
https://logrhythm.com/solutions/security/file-integrity-monitoring/

SCCM Baselines
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-
baselines

Puppet
https://puppet.com/

Anisble
https://www.ansible.com/

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.85


References
Chef
https://www.chef.io/

PowerShell DSC
https://www.red-gate.com/simple-talk/sysadmin/powershell/powershell-desired-state-
configuration-the-basics/

Microsoft SCM
https://www.microsoft.com/en-us/download/details.aspx?id=53353

Microsoft Windows Security Baselines


https://www.microsoft.com/en-us/download/details.aspx?id=55319

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.86


References
Microsoft Security Compliance Toolkit
https://www.microsoft.com/en-us/download/details.aspx?id=55319

Microsoft SCM
https://docs.microsoft.com/en-us/archive/blogs/secguide/security-compliance-manager-
scm-retired-new-tools-and-procedures

Get-Service
https://docs.microsoft.com/en-
us/powershell/module/microsoft.powershell.management/get-service?view=powershell-7

Compare-Object
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/compare-
object?view=powershell-7

THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.87


References
Get-Process
https://msdn.microsoft.com/en-
us/powershell/reference/5.1/microsoft.powershell.management/get-process

Weekend Scripter: Use PowerShell to Compare Two Snapshots


of Running Processes
https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-compare-two-
snapshots-of-running-processes/

Win32 Providers
https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-classes

Get-WmiObject
https://docs.microsoft.com/en-
us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-
5.1
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.88

You might also like