In my last blog post I talked about Windows system processes in general, their parent-child relationships, and gave a brief description of each (see link below).
Today I want to refocus on specific processes and talk about scheduled tasks and the Task Scheduler service.
Malware authors have long used scheduled tasks as a persistence mechanism, since they are a reliable way to make malicious code run on a recurring schedule.
From a threat hunting perspective it is necessary to grasp how scheduled tasks are run and to understand the commands and command-line arguments associated with their process(es).
Today, we’ll take a look at how scheduled tasks get created with the “schtasks.exe” and “at.exe” commands (the latter deprecated in favor of schtasks) and the services / processes (svchost.exe, taskhostw.exe, taskeng.exe) responsible for running them. …
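As an added example (not part of the original post), here is a small PowerShell hunt over the tasks the Task Scheduler service would run. It reads every registered task through the ScheduledTasks module and flags the action patterns that most often turn up in malicious persistence: binaries or scripts launched from user-writable directories, script hosts and LOLBins such as mshta.exe or regsvr32.exe, and encoded or download-style PowerShell arguments. The path list, the binary list and the argument keywords are this example's own heuristics, not anything from the post; treat hits as leads to triage, not verdicts.

```powershell
# Added example (not from the original post): hunt for suspicious scheduled task
# actions. Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).
# The heuristics below are assumptions for triage, not a definitive detection.
#
# For reference, a typical creation command that would be caught here:
#   schtasks /Create /TN "Updater" /TR "C:\Users\Public\u.exe" /SC MINUTE /MO 5

$UserWritablePaths = @('\AppData\', '\Temp\', '\Users\Public\', '\ProgramData\', '\Downloads\')
$ScriptHosts       = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
                       'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe')
$SuspiciousArgs    = @('-enc','-encodedcommand','-e ','hidden','downloadstring','iex',
                       'invoke-expression','http','frombase64string')

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an executable; COM handler actions (run inside
            # taskhostw.exe) expose a ClassId instead and are skipped here.
            if (-not $action.Execute) { continue }
            $exe       = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $argString = [string]$action.Arguments
            $leaf      = ($exe -split '[\\/]')[-1].ToLower()
            $reasons   = @()

            if ($UserWritablePaths | Where-Object { $exe -like "*$_*" }) {
                $reasons += 'binary in user-writable path'
            }
            if ($ScriptHosts -contains $leaf) {
                if ($UserWritablePaths | Where-Object { $argString -like "*$_*" }) {
                    $reasons += 'script host loading from user-writable path'
                }
                if ($SuspiciousArgs | Where-Object { $argString.ToLower().Contains($_) }) {
                    $reasons += 'suspicious arguments'
                }
            }
            if ($task.TaskPath -notlike '\Microsoft\*' -and -not $task.Author) {
                $reasons += 'non-Microsoft task without author'
            }

            if ($reasons) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $argString
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-List
```

Run it in an elevated prompt so tasks registered by other users and by SYSTEM are visible. When a hit fires, the next step is the one the post is building toward: find the child process that the Schedule service's svchost.exe spawned and compare its command line with the task's action.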
The Windows operating system contains a lot of system processes that are present every time we boot our machines. These processes are responsible for a lot of things, from initialization and creating the user interface to loading the necessary drivers and DLLs.
Threat hunters must therefore know the normal behavior of these processes, such as the parent-child relationships between them and the number of instances that should be present on a machine or per user session.
Today we’ll discuss these processes and provide an overview that will (hopefully) help every threat hunter on their journey.
Let’s get started. …
If you’ve been reading my recent blog posts, you’ll have noticed that I’ve taken an interest in Windows processes. If you haven’t yet, check out my two recent posts on “svchost.exe” and “rundll32.exe”. Please do.
Continuing with the same theme, today we’ll be taking a look at “dllhost.exe” and answering a simple question:
“What is the DLLHOST.EXE process actually running?”
Before we can answer this question, let’s first take a little detour and understand a bit about COM.
Let’s start with a definition from MSDN about COM.
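As an added example (not part of the original post), the following PowerShell answers the question above for every dllhost.exe on the box. dllhost.exe is the COM surrogate: it is started by the DcomLaunch service as “dllhost.exe /Processid:{GUID}”, where the GUID is an AppID. The function resolves that AppID to its registered name under HKEY_CLASSES_ROOT\AppID, then walks HKEY_CLASSES_ROOT\CLSID for classes whose AppID value points at it and reads their InprocServer32 default value, which is the DLL actually loaded into the surrogate. The registry layout is standard COM registration; the enumeration logic is this example's own.

```powershell
# Added example (not from the original post): resolve what a dllhost.exe surrogate
# is hosting by mapping its /Processid AppID back to CLSIDs and server DLLs.

function Resolve-DllhostSurrogate {
    param([Parameter(Mandatory)][string]$CommandLine)

    # DcomLaunch starts the surrogate as: dllhost.exe /Processid:{GUID}
    if ($CommandLine -notmatch '/Processid:(\{[0-9A-Fa-f-]{36}\})') {
        return [pscustomobject]@{
            AppId = $null; AppName = $null; Classes = @()
            Note  = 'no /Processid argument (not a COM surrogate launch)'
        }
    }
    $appId   = $Matches[1]
    $appKey  = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue
    $appName = if ($appKey) { $appKey.'(default)' } else { $null }

    # Every CLSID whose AppID value equals this GUID runs inside this surrogate;
    # InprocServer32's default value is the DLL that gets loaded.
    $classes = foreach ($clsidKey in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue
        if ($props.AppID -and $props.AppID -ieq $appId) {
            $inproc = Get-ItemProperty -Path "$($clsidKey.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Clsid = $clsidKey.PSChildName
                Name  = $props.'(default)'
                Dll   = if ($inproc) { [Environment]::ExpandEnvironmentVariables([string]$inproc.'(default)') } else { $null }
            }
        }
    }
    [pscustomobject]@{ AppId = $appId; AppName = $appName; Classes = @($classes); Note = $null }
}

# Resolve every dllhost.exe currently running.
Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $r = Resolve-DllhostSurrogate -CommandLine $_.CommandLine
    "PID $($_.ProcessId): $($_.CommandLine)"
    "  AppID : $($r.AppId) $($r.AppName)"
    foreach ($c in $r.Classes) { "  CLSID : $($c.Clsid) $($c.Name) -> $($c.Dll)" }
    if ($r.Note) { "  Note  : $($r.Note)" }
}
```

Two things to check on the output: a dllhost.exe whose parent is not the DcomLaunch svchost.exe, or whose resolved DLL sits outside System32/Program Files, deserves a closer look; and a GUID that resolves to no CLSID at all may mean the registration was removed after launch, which is itself worth noting.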
When hunting malware, one of the key skills to have is an understanding of the platform and the OS. To distinguish the good from the bad, one first has to know what good looks like.
On Windows this can be a little tricky to achieve because of the complexity of the OS (after all, it is an operating system with 30+ years of history).
Knowing this, malware authors write their malware to mimic normal Windows processes, so you’ll see malware disguising itself as “svchost.exe”, “rundll32.exe” or “lsass.exe” …
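As an added example (not part of the original posts), here is a PowerShell baseline check that covers both points made above: the parent-child relationships and instance counts that threat hunters need to know for the core system processes, and the name impersonation trick where “svchost.exe” or “lsass.exe” is launched from the wrong directory. The baseline table is this example's own assumption for a Windows 10 workstation (wininit.exe, services.exe and lsass.exe once each; csrss.exe and winlogon.exe once per session; svchost.exe under services.exe; dllhost.exe and taskhostw.exe under an svchost.exe); adjust it for your builds.

```powershell
# Added example (not from the original posts): compare running processes with a
# baseline of expected image directory, expected parent and expected instance
# count for core Windows processes. The baseline is an assumption for Windows 10.

$System32 = "$env:SystemRoot\System32".ToLower()
$SysWOW64 = "$env:SystemRoot\SysWOW64".ToLower()

$Baseline = @{
    # name           expected parent(s)            max instances (0 = any)
    'wininit.exe'   = @{ Parents = @('smss.exe');     Max = 1 }
    'services.exe'  = @{ Parents = @('wininit.exe');  Max = 1 }
    'lsass.exe'     = @{ Parents = @('wininit.exe');  Max = 1 }
    'csrss.exe'     = @{ Parents = @('smss.exe');     Max = 0 }  # one per session
    'winlogon.exe'  = @{ Parents = @('smss.exe');     Max = 0 }  # one per interactive session
    'svchost.exe'   = @{ Parents = @('services.exe'); Max = 0 }
    'dllhost.exe'   = @{ Parents = @('svchost.exe');  Max = 0 }
    'taskhostw.exe' = @{ Parents = @('svchost.exe');  Max = 0 }
    'rundll32.exe'  = @{ Parents = @();               Max = 0 }  # any parent, but image must be in System32/SysWOW64
}

function Get-ProcessAnomaly {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

    foreach ($name in $Baseline.Keys) {
        $rule      = $Baseline[$name]
        $instances = @($procs | Where-Object { $_.Name -ieq $name })

        if ($rule.Max -and $instances.Count -gt $rule.Max) {
            [pscustomobject]@{ Name = $name; ProcessId = $null
                               Finding = "$($instances.Count) instances, expected at most $($rule.Max)" }
        }
        foreach ($p in $instances) {
            # Impersonation: right name, wrong directory (e.g. C:\Users\...\svchost.exe).
            $path = ([string]$p.ExecutablePath).ToLower()
            if ($path -and -not ($path.StartsWith($System32) -or $path.StartsWith($SysWOW64))) {
                [pscustomobject]@{ Name = $name; ProcessId = $p.ProcessId
                                   Finding = "image outside System32: $($p.ExecutablePath)" }
            }
            # Wrong parent. The smss.exe that spawns csrss/wininit/winlogon exits right
            # away, so a missing parent PID is normal for those and is not flagged.
            $parent     = $byPid[$p.ParentProcessId]
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            if ($rule.Parents.Count -and $parentName -ne '<exited>' -and ($rule.Parents -notcontains $parentName)) {
                [pscustomobject]@{ Name = $name; ProcessId = $p.ProcessId
                                   Finding = "unexpected parent $parentName (PID $($p.ParentProcessId))" }
            }
        }
    }
}

Get-ProcessAnomaly | Format-Table -AutoSize
```

Run it elevated, otherwise ExecutablePath is empty for protected processes such as lsass.exe and the path check is silently skipped for them. An empty result means the machine matches the baseline; it does not mean the machine is clean, only that nothing is hiding behind these particular names.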
Recently I encountered an interesting piece of malware that used multiple techniques to obfuscate itself and drop files to disk. I thought it would be interesting to do a quick write-up / analysis of the sample and discuss some of the techniques used.
I’ll be splitting this analysis into two parts. In this first one we’ll discuss the initial attack vector and how the malware installs and obfuscates itself on the machine. The second will focus on the two PowerShell scripts that the malware drops in its second stage.
Here are the hashes of the sample for anyone interested in taking a…
Welcome back to the final part of “Hunting Malware with Windows Sysinternals” series.
We’ve seen previously how we can leverage the “Process Explorer” and “Autoruns” functionalities to hunt malware effectively. If you haven’t read the first two parts, I highly suggest you do. Here is a link to both.
In this third part, we’ll be taking a look at the powerful “Process Monitor”, or “procmon” for short. …
This is part 2 of “Hunting Malware with Windows Sysinternals”; if you haven’t read part 1, please give it a read here.
Welcome back. In this second blog post of the three-part series about hunting malware with the Windows Sysinternals tools, we’ll be taking a look at “Autoruns”, a tool that lets us visualize the auto-start locations of a system which malware can use to persist.
Without further ado let’s get started with a bit of terminology and concepts.
The Windows registry is the OS’s configuration database. …
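As an added example (not part of the original post), here is a minimal Autoruns-style sweep written in PowerShell. It reads the most common registry auto-start locations, extracts the image path from each command line, and checks the two things Autoruns shows at a glance: whether the file exists and whether its Authenticode signature is valid. The key list is a subset of what Autoruns covers; the path and launcher heuristics are this example's own assumptions.

```powershell
# Added example (not from the original post): enumerate common registry Run keys
# and flag entries that are missing, unsigned, launched from user-writable paths,
# or launched through a script host. Heuristics are assumptions for triage.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePathFromCommand {
    param([string]$Command)
    # Take the quoted first token, else everything up to the first ".exe".
    if ($Command -match '^\s*"([^"]+)"')   { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    if ($Command -match '^\s*(\S+?\.exe)') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return ([string]$Command).Trim()
}

function Get-RegistryAutorun {
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
            $command = [string]$p.Value
            $image   = Get-ImagePathFromCommand $command
            $exists  = [bool]$image -and (Test-Path -LiteralPath $image -PathType Leaf)
            $sig     = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $image).Status } else { 'FileMissing' }
            $reasons = @()
            if (-not $exists)       { $reasons += 'image not found' }
            elseif ($sig -ne 'Valid') { $reasons += "signature $sig" }
            if ($image -match '\\(AppData|Temp|Users\\Public|ProgramData)\\') { $reasons += 'user-writable path' }
            if ($command -match '(?i)powershell|wscript|cscript|mshta|regsvr32|rundll32') { $reasons += 'script/LOLBin launcher' }
            [pscustomobject]@{
                Key = $key; Entry = $p.Name; Command = $command; Image = $image
                Signature = $sig; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Flagged entries first.
Get-RegistryAutorun | Sort-Object { $_.Reasons -eq '' } | Format-Table -AutoSize -Wrap
```

A valid signature is not a clean bill of health (signed binaries are routinely abused as launchers), and an unsigned third-party tool is not automatically bad; the value of the check is the same as in Autoruns, which is to shrink the list you have to look at by hand.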
The Service Host process, or “svchost.exe”, is one of the most notorious processes out there. It got a bad reputation for being “malicious” due mostly to two factors: malware impersonating it, and good old “Task Manager”.
Because of the way Task Manager was designed in the old days (and to some extent today), it never gave much detail about processes on the system, especially “special” processes like “svchost.exe”. So when using Task Manager to see what processes are running, you’ll get a bunch of “svchost.exe” processes with the description “Host Process for Windows Services” and no information about the services hosted in each. …
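As an added example (not part of the original post), the PowerShell below fills in exactly the detail Task Manager hides: which services each svchost.exe instance hosts, which “-k” service group it was started with, and whether it was spawned by services.exe as a genuine instance should be. It joins Win32_Process and Win32_Service on the process ID; no extra tooling is needed. The flag rules are this example's own assumptions.

```powershell
# Added example (not from the original post): map every svchost.exe to its hosted
# services and its "-k <group>" / "-s <service>" command-line switches.

function Get-SvchostMap {
    $servicesPid = (Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" |
                    Select-Object -First 1).ProcessId

    # Services keyed by the PID that hosts them (stopped services have PID 0).
    $byPid = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } |
             Group-Object ProcessId -AsHashTable -AsString

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $cmd    = [string]$p.CommandLine
        $group  = if ($cmd -match '-k\s+(\S+)') { $Matches[1] } else { $null }
        $single = if ($cmd -match '-s\s+(\S+)') { $Matches[1] } else { $null }  # Win10 splits services into their own host
        $key    = "$($p.ProcessId)"
        $hosted = if ($byPid -and $byPid.ContainsKey($key)) { @($byPid[$key]) } else { @() }

        $flags = @()
        if ($p.ParentProcessId -ne $servicesPid) { $flags += "parent is PID $($p.ParentProcessId), not services.exe" }
        if (-not $group)                         { $flags += 'no -k group on command line' }
        if ($hosted.Count -eq 0)                 { $flags += 'hosts no service' }

        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Group     = $group
            Service   = $single
            Hosted    = ($hosted | ForEach-Object { $_.Name }) -join ', '
            Flags     = $flags -join '; '
        }
    }
}

Get-SvchostMap | Sort-Object Group | Format-Table -AutoSize -Wrap
```

An svchost.exe that hosts no service and has no “-k” group is the classic impersonation pattern, but also check the image path, since a real svchost.exe only ever runs from System32. Run elevated to see the command line of SYSTEM-owned instances.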
In the last decade we’ve seen a surge in malware activity, from targeted attacks like Stuxnet to ransomware like WannaCry and many more in recent years. To face threats like these, malware analysts must be able to identify malware as quickly as possible when analyzing infected machines or doing dynamic analysis.
In cases where we’re analyzing machines that were already infected with malware, or we’re doing some dynamic analysis, tools like Process Explorer or Autoruns from Windows Sysinternals are the go-to solution to get started. …
With the current threat landscape, it’s becoming clearer every day that security tools alone are not enough to mitigate such threats, and threat hunting is becoming a necessity for organizations.
One of the most critical requirements for threat hunting is making sure that the correct data is being collected by our tools (Sysmon, EDR, IPS, etc.).
After collection comes analysis, and writing correct search queries is a powerful aid to that analysis. …
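As an added example (not part of the original post), here is what a correct search over collected data looks like in practice, using Sysmon process-creation events (Event ID 1), the data source named above. The parser turns the event XML into a field map, and the detection logic runs the same way against a constructed sample record embedded in the script and against the live “Microsoft-Windows-Sysmon/Operational” log. The field names (Image, CommandLine, ParentImage, UtcTime) are Sysmon's standard Event ID 1 fields; the sample record and the three detection rules are this example's own.

```powershell
# Added example (not from the original post): a Sysmon Event ID 1 hunt that runs
# identically over a constructed sample and over the live Sysmon log.

function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Sysmon writes each field as <Data Name="...">value</Data>; collect them into a hashtable.
    $fields = @{ EventId = [int]$EventXml.Event.System.EventID }
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Test-SuspiciousProcessCreate {
    param([hashtable]$E)
    if ($E.EventId -ne 1) { return $null }
    $image  = ([string]$E.Image      -split '[\\/]')[-1].ToLower()
    $parent = ([string]$E.ParentImage -split '[\\/]')[-1].ToLower()
    $cmd    = [string]$E.CommandLine
    $hits   = @()

    if ($parent -in @('winword.exe','excel.exe','powerpnt.exe','outlook.exe') -and
        $image  -in @('powershell.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe')) {
        $hits += 'Office application spawning a script host'
    }
    if ($image -eq 'powershell.exe' -and $cmd -match '(?i)\s-(e|ec|enc|encodedcommand)\s') {
        $hits += 'encoded PowerShell command'
    }
    if ($cmd -match '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\s') {
        $hits += 'download cradle'
    }
    if ($hits) {
        [pscustomobject]@{ Time = $E.UtcTime; Image = $E.Image; Parent = $E.ParentImage
                           CommandLine = $cmd; Hits = ($hits -join '; ') }
    }
}

# Constructed sample (not a real capture) in the layout Sysmon emits, so the
# parser and rules can be exercised without Sysmon installed.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-01-01 10:00:00.000</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm</Data>
  </EventData>
</Event>
'@
Test-SuspiciousProcessCreate (ConvertFrom-SysmonEvent $sample) | Format-List

# The same logic against the live log (requires Sysmon and an elevated prompt).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousProcessCreate (ConvertFrom-SysmonEvent ([xml]$_.ToXml())) } |
    Format-Table -AutoSize -Wrap
```

Two habits make queries like this reliable: match on the file name rather than the full path (the Office install directory and the PowerShell path vary by version and architecture), and filter on the event ID first so that field names from other Sysmon event types are never mistaken for process-creation fields.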