Understanding Windows Core Processes For Cyber Security Analysts | TryHackMe

Motasem Hamdan
2 min read · Jan 1, 2025


This post summarizes the Windows core processes that security analysts, forensic investigators, and incident responders need to understand in order to identify and analyze malicious activity. It also provides a walkthrough of the TryHackMe room Core Windows Processes.

Introduction

  • Explains the importance of understanding Windows core processes to identify normal vs. malicious behavior.
  • Emphasizes malware tactics such as injecting malicious code into system processes or mimicking process names to evade detection.

Windows Core Processes Overview

System Process:

  • Responsible for kernel-mode threads execution.
  • Loads Windows system components.

Session Manager Subsystem:

  • Creates user sessions and manages child processes such as:
      • Client Server Runtime Process (CSRSS): handles thread creation and deletion, Windows API calls, and shutdown processes.
      • Windows Initialization Process: launches services like the Local Security Authority Subsystem (LSASS) and Service Control Manager (SCM).

Services and Service Host (svchost.exe):

  • SCM handles system services and interacts with tools like sc.exe.
  • svchost.exe hosts and manages Windows services but is frequently targeted by malware for process hooking or injection.

LSASS:

  • Manages user authentication, password changes, and access tokens.
  • Critical for enforcing system security policies.

Explorer.exe:

  • Manages user interface elements like the start menu, taskbar, and file explorer.

Indicators of Malicious Processes

Key characteristics of legitimate processes:

  • Reside in the System32 directory.
  • Have verified file paths and no unusual command-line arguments.
  • Expected parent-child relationships (e.g., System is the parent for Session Manager Subsystem).

Red flags:

  • Process files located outside System32.
  • Mismatched parent processes.
  • Command lines or properties deviating from expected values.

Tools for Analysis

  • Recommends tools such as Process Hacker for in-depth process analysis.
  • Steps for validation:
      • Check the image file path, parent process, and command-line arguments.
      • Verify DLL paths and associated services for svchost.exe processes.
      • Inspect key options such as the -k parameter of svchost.exe, which indicates the service group it hosts.
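The validation steps above, turned into a script that runs over a constructed process snapshot (an added example, not code from the original post or the TryHackMe room). Each rule maps to one check: image path under System32, expected parent, the -k parameter on svchost.exe, plus a name-mimicry check for the tactic mentioned in the introduction. The expected-parent table follows the page's hierarchy (System above smss.exe, wininit.exe above LSASS and services.exe); services.exe as the parent of svchost.exe and the digit-for-letter normalisation are assumptions.

```python
from collections import namedtuple

SYSTEM32 = r"c:\windows\system32"
# Expected parent per core process: System -> smss.exe and wininit.exe -> lsass.exe /
# services.exe follow the page; services.exe -> svchost.exe is an added assumption.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# One process record: pid, parent pid, image name, image file path, command line.
Proc = namedtuple("Proc", "pid ppid name path cmdline")

def lookalike(name):
    """Undo digit-for-letter swaps commonly used to mimic a core process name."""
    return name.lower().replace("0", "o").replace("1", "l").replace("5", "s")

def audit(procs):
    """Return {pid: [red flags]} for processes that fail the validation steps."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        name, flags = p.name.lower(), []
        # Name mimicry: normalised name is a core process but the real name is not.
        if name not in EXPECTED_PARENT and lookalike(name) in EXPECTED_PARENT:
            name = lookalike(name)
            flags.append(f"name mimics core process {name}")
        if name in EXPECTED_PARENT:
            if not p.path.lower().startswith(SYSTEM32 + "\\"):
                flags.append(f"image not under System32: {p.path}")
            parent = by_pid.get(p.ppid)
            parent_name = parent.name.lower() if parent else "<none>"
            if parent_name != EXPECTED_PARENT[name]:
                flags.append(f"unexpected parent {parent_name} (expected {EXPECTED_PARENT[name]})")
            if name == "svchost.exe" and "-k " not in p.cmdline.lower():
                flags.append("svchost.exe without -k service group")
        if flags:
            findings[p.pid] = flags
    return findings

SAMPLE = [  # constructed snapshot, not real telemetry; the last two entries are the suspects
    Proc(4, 0, "System", "", ""),
    Proc(400, 4, "smss.exe", r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(560, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Proc(640, 560, "services.exe", r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    Proc(900, 640, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    Proc(4120, 3310, "svchost.exe", r"C:\Users\Public\svchost.exe", r"C:\Users\Public\svchost.exe"),
    Proc(4300, 640, "svch0st.exe", r"C:\Windows\System32\svch0st.exe", r"C:\Windows\System32\svch0st.exe -k netsvcs"),
]
for pid, flags in audit(SAMPLE).items():
    print(pid, flags)
```

On a live host the same records can be filled from Process Hacker's image path, parent and command-line columns; the rules stay the same.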

Conclusion

  • Highlights the need for systematic analysis to distinguish between legitimate and malicious processes.
  • Encourages familiarity with normal behavior patterns of core processes for effective detection of anomalies.

TryHackMe Windows Core Processes | Room Answers

Room answers can be found here.

Video Walkthrough


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
