#ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
Task Scheduler

In my last blog post I talked about Windows system processes in general, their parent-child relationships, and gave a brief description of each (see link below).

Today I want to refocus on specific processes and talk about scheduled tasks and the Task Scheduler service.

Malware authors have often used scheduled tasks as a persistence mechanism, as they are a reliable way to make malicious code run on a recurring basis.

From a threat hunting perspective it is necessary to understand how scheduled tasks are run, and to know the commands and command-line arguments associated with their process(es).

Today, we’ll take a look at how scheduled tasks get created with the “schtasks.exe” and “at.exe” commands, and at the services/processes (svchost.exe, taskhostw.exe, taskeng.exe) responsible for running them. …

Windows Process — Mind Map

The Windows operating system contains a lot of system processes that are present every time we boot our machines. These processes are responsible for many things, from initialization and creating the user interface to loading the necessary drivers and DLLs.

It is a must for threat hunters to know the normal behavior of these processes, such as the parent-child relationships between them and the number of instances that should be present on a machine or in a user session.

Today we’ll discuss these processes and provide an overview that’ll help every threat hunter in his journey (hopefully).

Let’s get started. …


If you’ve been reading my recent blog posts, you’ll have noticed that I’ve taken an interest in Windows processes. If you haven’t yet, check out my two recent posts on “svchost.exe” and “rundll32.exe”. Please do.

Continuing with the same theme, today we’ll be taking a look at “dllhost.exe” and answering a simple question:

“What is the DLLHOST.EXE process actually running?”

Before we can answer this question, let’s first take a little detour and understand a little bit about COM.

Component Object Model (COM)

Let’s start with a definition from MSDN about COM.

The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft’s OLE (compound documents), ActiveX (Internet-enabled components), as well as others. …


When hunting malware, one of the key skills to have is an understanding of the platform and the OS. To make the distinction between good and bad, one has to know what’s good first.

On Windows this can be a little tricky to achieve because of the complexity of the OS (after all, it’s a 30+ year old operating system).

Knowing this, malware authors write their malware to mimic normal Windows processes, so you’ll see malware disguising itself as “svchost.exe”, “rundll32.exe” or “lsass.exe” …

Recently I encountered an interesting piece of malware that used multiple techniques to obfuscate itself and drop files to disk. I thought it would be interesting to do a quick write-up / analysis of the sample and discuss some of the techniques used.

I’ll be splitting this analysis into two parts. In this first one we’ll discuss the initial attack vector and how the malware installs and obfuscates itself on the machine. The second will focus on the two PowerShell scripts that the malware drops in its second stage.

Here are the hashes of the sample for anyone interested in taking a…

Welcome back to the final part of “Hunting Malware with Windows Sysinternals” series.

We’ve seen previously how we can leverage the functionality of “Process Explorer” and “Autoruns” to hunt malware effectively. If you haven’t read the first two parts, I highly suggest you do. Here is a link to both.

In this third part, we’ll be taking a look at the powerful “Process Monitor” or “procmon” for short. …

This is part 2 of “Hunting Malware with Windows Sysinternals”; if you haven’t read part 1, please give it a read here.

Welcome back. In this second blog post of this three-part series about hunting malware with the Windows Sysinternals tools, we’ll be taking a look at “Autoruns”, a tool that lets us visualize the autostart locations of a system which malware can use to persist.

Without further ado let’s get started with a bit of terminology and concepts.

The Registry and Autostart Extensibility Points

The Windows registry is the OS database. …

Family Group Photo

The Service Host process, or “svchost.exe”, is one of the most notorious processes out there. It got a bad reputation for being “malicious” mostly due to two factors: malware impersonating it, and good old “Task Manager”.

Because of the way Task Manager was designed in the old days (and to some extent today), it never gave many details about processes on the system, especially “special” processes like “svchost.exe”. So by using Task Manager to see which processes are running, you’ll get a bunch of “svchost.exe” processes with the description “Host Process for Windows Services”, without any information about the services hosted in them. …

In the last decade we’ve seen a surge in malware activity, from targeted attacks like Stuxnet to ransomware like WannaCry and many more in recent years. To face threats like these, malware analysts must be able to identify malware as quickly as possible when analyzing infected machines or doing dynamic analysis.

An initial assessment must be done to determine whether something is malicious or not, and tools like pestudio or VirusTotal can be used to quickly assess malware samples statically.

But in cases where we’re analyzing machines that were already infected with malware, or we’re doing dynamic analysis, tools like Process Explorer or Autoruns from Windows Sysinternals are the go-to solution to get started. …


With the current threat landscape, it’s becoming clearer every day that security tools alone are not the perfect solution for mitigating such threats, and threat hunting is becoming a necessity for organizations.

One of the most critical requirements for threat hunting is making sure that the correct data is being collected by our tools (Sysmon, EDR, IPS, etc.).

After collection comes analysis, and writing correct search queries can be a powerful help in our analysis. …
