How to identify malicious activity on your Windows device


It's no secret that Windows is the most popular operating system globally (whether people like it or not), but most people don't fully understand how it works. As long as they don't see any strange errors, everything seems fine. Users were slow to grasp the importance of running a security program (antivirus).


Nothing stays the same. Viruses and malware have evolved, and antivirus, which was designed to catch viruses, has had difficulty keeping up. Because antivirus cannot catch every malicious binary and process running on an endpoint, new security tools such as EDR (Endpoint Detection and Response) were created.


Even though endpoint protection has improved, it is still not 100% effective. Attackers still find ways to bypass the defenses running on endpoints, so we need to be able to spot that activity ourselves, research it, and decide what to do next.


In this blog post, I'll help you understand what standard Windows behavior looks like and how you can identify malicious processes running on an endpoint.


 

Our investigation of the Windows operating system begins with one of two programs, Process Explorer or Process Hacker, because they show a parent-child process tree that the built-in Windows Task Manager does not.


First of all, examine the System process. As a rule, the Process ID (PID) of System is always 4.


Process Hacker Tool
System process is always PID number 4

If, like me, you are wondering why there is nothing between PID 0 and PID 4, I highly recommend you read this article.
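As an added example (not from the original post), here is a PowerShell function that rebuilds the parent/child view that Task Manager hides from the same Win32_Process data Process Explorer and Process Hacker use. Besides the tree itself it records whether each parent is still alive: a parent PID that no longer exists is normal for the processes smss.exe spawns (covered below), while a "parent" that was created after its child means the PID was recycled or spoofed. The function name and the ParentState values are this example's own conventions.

```powershell
# Added example (not from the original post): rebuild the parent/child tree that Task
# Manager hides, from the same Win32_Process data Process Explorer and Process Hacker use.
# Get-ProcessTree and the ParentState values are this example's own names. Run elevated
# so that every process is visible.
function Get-ProcessTree {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # One row per process; the parent's state is resolved from the same snapshot.
    #   alive      - parent still running and older than the child (normal)
    #   exited     - parent PID not found (normal for csrss/wininit/winlogon, whose smss.exe parent exits)
    #   pid-reused - "parent" was created after the child: the PID was recycled or spoofed
    $rows = foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $state = 'alive'
        if ($null -eq $parent) { $state = 'exited' }
        if ($parent -and $parent.CreationDate -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate) { $state = 'pid-reused' }
        [pscustomobject]@{
            Pid = [int]$p.ProcessId; ParentPid = [int]$p.ParentProcessId; Name = $p.Name
            Session = [int]$p.SessionId; ParentState = $state; Path = $p.ExecutablePath; Depth = 0
        }
    }

    # Roots: PID 0 (its own parent) plus every process whose parent is gone or recycled.
    $children = $rows | Group-Object -Property ParentPid -AsHashTable -AsString
    $roots = $rows | Where-Object { $_.Pid -eq $_.ParentPid -or $_.ParentState -ne 'alive' }
    $seen = @{}
    $stack = New-Object System.Collections.Stack
    foreach ($r in ($roots | Sort-Object Pid -Descending)) { $stack.Push($r) }

    # Depth-first walk; $seen prevents looping if PID reuse produced a cycle.
    while ($stack.Count -gt 0) {
        $row = $stack.Pop()
        if ($seen.ContainsKey($row.Pid)) { continue }
        $seen[$row.Pid] = $true
        $row
        $kids = @($children["$($row.Pid)"]) | Where-Object { $_ -and $_.Pid -ne $row.Pid }
        foreach ($c in ($kids | Sort-Object Pid -Descending)) { $c.Depth = $row.Depth + 1; $stack.Push($c) }
    }
}

# Usage: print the tree indented by depth, e.g. "    smss.exe [NNN] parent=4 (alive) s0".
Get-ProcessTree | ForEach-Object {
    '{0}{1} [{2}] parent={3} ({4}) s{5}' -f (' ' * (2 * $_.Depth)), $_.Name, $_.Pid, $_.ParentPid, $_.ParentState, $_.Session
}
```

Run it on a normal machine first to see what "expected" looks like: System Idle Process (0) at the top, System (4) under it, smss.exe under System, and csrss.exe, wininit.exe and winlogon.exe as roots marked exited, because the smss.exe instance that created them has gone. Anything marked pid-reused deserves a closer look.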


Kernel mode:

In Windows NT, kernel mode has full access to the computer's hardware and system resources, and its code runs in a protected memory area. It manages scheduling, thread priority, memory management, and hardware interaction.

Kernel mode prevents user-mode code from accessing critical areas of the operating system; user-mode processes must ask the kernel to perform such operations on their behalf (through system calls).

There are four types of code running in kernel mode: the Executive, which can itself be broken into many modules for specific tasks; the kernel, which provides low-level services for the Executive; the Hardware Abstraction Layer (HAL); and kernel drivers.


Executive:

The Windows Executive is the low-level kernel-mode portion of the operating system that deals with I/O, object management, security, and process management. It is divided into several subsystems: Cache Manager, Configuration Manager, I/O Manager, Local Procedure Call (LPC; ALPC in current versions), Memory Manager, Object Manager, Process Structure, and Security Reference Monitor (SRM). Its routines are called Executive services (internal prefix Ex). System services (internal prefix Nt), i.e., system calls, are implemented at this level too, except for a very few that call directly into the kernel layer for better performance.


System Process:

The System process represents the kernel and its drivers, i.e., everything under the architecture layer named "Executive." In Windows NT (all modern versions of Windows are NT), this split separates unprivileged user-mode code (ring 3 on Intel x86-derived CPUs) from privileged system code (ring 0).



Process Hacker Tool image
Normal behaviour of System Process

Normal Operation:

The expected behavior of the System Process

Image Path: C:\Windows\system32\ntoskrnl.exe (NT OS Kernel)

Parent Process: System Idle Process (0)

If you notice anything unusual, such as:

  • A different parent process (anything other than System Idle Process (0))

  • Multiple instances of System (there should be only one)

  • A different PID (remember that System is always PID 4)

  • Not running in Session 0

This means that something is wrong, and you need to take action.

 

System - Session Manager Subsystem (smss.exe)

The next process we'll look at is smss.exe (Session Manager Subsystem), also known as the Windows Session Manager. It is responsible for creating new sessions and is the first user-mode process started by the kernel.



From Wikipedia

Session Manager Subsystem, or smss.exe, is executed during the startup of the operating system (it is the first user-mode process started by the kernel). At that time, it performs the following tasks:

  • Creates environment variables.

  • smss.exe starts the kernel and user modes of the Win32 subsystem. This subsystem includes win32k.sys (kernel-mode), winsrv.dll (user-mode), and csrss.exe (user-mode). Any other subsystems listed in the Required value of the HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems Registry key are also started.

  • Creates DOS device mappings (e.g., CON: NUL: AUX: COM1: COM2: COM3: COM4: PRN: LPT1: LPT2: LPT3: and drive letters) listed under the HKLM\System\CurrentControlSet\Control\Session Manager\DOS Devices registry key. This can be used to create permanent subst drives.

  • Creates virtual memory paging files.

  • Starts winlogon.exe, the Windows logon manager.

After the boot process has finished, the program stays resident in memory and can be seen running in Windows Task Manager.


Smss.exe starts csrss.exe (the Windows subsystem process) and wininit.exe in Session 0, an isolated session reserved for the operating system, and csrss.exe and winlogon.exe in Session 1, the first interactive user session. The master instance does not create these directly: for each new session it spawns a copy of itself in that session, and the copy creates the session's processes and then exits.


Normal Operation:

Image Path: %SystemRoot%\System32\smss.exe

Parent Process: System

Number of Instances: One master instance, plus one child instance per session; each child exits after creating its session.

User Account: Local System

Start Time: Within seconds of boot time for the master instance

If you notice anything unusual, such as:

  • A parent process other than System (4)

  • An image path other than C:\Windows\System32

  • More than one persistent instance (child instances exit after creating each new session)

  • Not running as SYSTEM

  • Unexpected registry entries for the subsystems it starts

This means that something is wrong, and you need to take action.
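The last bullet is the one people skip, because it means reading the registry. Here is an added example (mine, not from the original post) that dumps the two Session Manager keys smss.exe consumes at boot and flags values that differ from what a default Windows 10/11 install carries. The expected values (Required = Debug and Windows; ServerDll entries basesrv, winsrv and sxssrv; Kmode = win32k.sys; an empty DOS Devices key) are assumptions taken from such an install, so confirm them against a known-good host of the same build before trusting the output; the function name is this example's own.

```powershell
# Added example: inspect the Session Manager keys smss.exe consumes at boot. The expected
# values (Required = Debug,Windows; ServerDll = basesrv,winsrv,sxssrv; Kmode = win32k.sys;
# no DOS Devices entries) are assumptions taken from a default Windows 10/11 install.
# Diff them against a known-good host of the same build; images may legitimately differ.
function Test-SessionManagerKeys {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $findings = New-Object System.Collections.Generic.List[string]

    $sub = Get-ItemProperty -Path "$base\SubSystems"

    # Required (REG_MULTI_SZ) names the subsystems smss.exe starts at boot.
    foreach ($name in @($sub.Required)) {
        if ($name -notin @('Debug', 'Windows')) { $findings.Add("Required: unexpected subsystem '$name'") }
    }

    # Windows holds the csrss.exe command line; every ServerDll= DLL is loaded into each csrss instance.
    if ($sub.Windows -notmatch '^%SystemRoot%\\system32\\csrss\.exe\b') {
        $findings.Add("Windows: does not launch %SystemRoot%\system32\csrss.exe -> $($sub.Windows)")
    }
    foreach ($m in [regex]::Matches($sub.Windows, 'ServerDll=([^,:\s]+)')) {
        $dll = $m.Groups[1].Value
        if ($dll -notin @('basesrv', 'winsrv', 'sxssrv')) { $findings.Add("Windows: unexpected ServerDll '$dll'") }
    }

    # Kmode is the kernel-mode half of the Win32 subsystem.
    if ($sub.Kmode -ne '\SystemRoot\System32\win32k.sys') { $findings.Add("Kmode: unexpected value '$($sub.Kmode)'") }

    # DOS Devices holds persistent subst-style mappings. A default install has none, so every entry is listed for review.
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $dos = Get-ItemProperty -Path "$base\DOS Devices" -ErrorAction SilentlyContinue
    if ($dos) {
        foreach ($prop in $dos.PSObject.Properties) {
            if ($prop.Name -notin $meta) { $findings.Add("DOS Devices: $($prop.Name) -> $($prop.Value) (review)") }
        }
    }
    return $findings
}

# Usage: an empty result means the keys match the assumed baseline.
$result = @(Test-SessionManagerKeys)
if ($result.Count -eq 0) { 'Session Manager keys match the assumed baseline' } else { $result }
```

Reading these keys needs no elevation. A ServerDll entry you cannot account for matters more than the rest of the output, because csrss.exe loads every listed DLL in every session, as SYSTEM, before any user logs on.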


 

Another process to check closely is csrss.exe (Client Server Runtime Process), the user-mode part of the Windows subsystem discussed in the previous section. It must always be running; if it is terminated, the system crashes. It is responsible for Win32 console windows and for thread creation and deletion. Each instance loads csrsrv.dll, basesrv.dll, and winsrv.dll (along with others).


Other tasks performed by this process include providing access to Windows APIs, mapping drive names, and handling Windows shutdown.



Process image
Notice what is shown as the parent process for these two processes. Remember that they were spawned by an smss.exe child instance that has since exited.

Normal Operation:

Image Path: %SystemRoot%\System32\csrss.exe

Parent Process: Created by an instance of smss.exe that has already exited

Number of Instances: Two or more

User Account: Local System

Start Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although often only Sessions 0 and 1 are made.

If you notice anything unusual, such as:

  • A parent process that is still running (the smss.exe instance that creates csrss.exe exits right afterwards, so the parent should no longer exist)

  • An image path other than C:\Windows\System32

  • Subtle misspellings of the name, hiding a rogue process masquerading as csrss.exe in plain sight

  • Not running as SYSTEM

This means that something is wrong, and you need to take action.

 

Windows Initialization Process (wininit.exe)


Within Session 0, wininit.exe launches services.exe (Service Control Manager), lsass.exe (Local Security Authority Subsystem Service), and, when Credential Guard is enabled, lsaiso.exe.


The lsaiso.exe process (LSA Isolated) belongs to Credential Guard and Key Guard. It is only present when Credential Guard is enabled.


Normal Operation:

Image Path: %SystemRoot%\System32\wininit.exe

Parent Process: Created by an instance of smss.exe that has already exited

Number of Instances: One

User Account: Local System

Start Time: Within seconds of boot time


If you notice anything unusual, such as:

  • A parent process that is still running (the smss.exe instance that creates wininit.exe exits right afterwards)

  • An image path other than C:\Windows\System32

  • Subtle misspellings of the name, hiding a rogue process in plain sight

  • Multiple running instances

  • Not running as SYSTEM

This means that something is wrong, and you need to take action.

 

Services.exe, the Service Control Manager (SCM), is the next process in the chain. Its primary responsibility is managing system services: loading, starting, stopping, and interacting with them. The built-in Windows utility sc.exe provides access to the SCM database.


Normal Operation:

Image Path: %SystemRoot%\System32\services.exe

Parent Process: wininit.exe

Number of Instances: One

User Account: Local System

Start Time: Within seconds of boot time

If you notice that something is unusual, such as;

  • A parent process other than wininit.exe

  • Image file path other than C:\Windows\System32

  • Subtle misspellings to hide rogue process in plain sight

  • Multiple running instances

  • Not running as SYSTEM

This means that something is wrong, and you need to take action.


 

The Service Host (Host Process for Windows Services), svchost.exe, is a generic host process that loads and runs Windows services implemented as DLLs. Because many services share this one image, you will see many svchost.exe instances on any Windows system.


This process has always been a favorite target for malicious use precisely because so many instances of it run on any Windows system. Attackers disguise malware as svchost.exe to hide among the legitimate instances: the malicious file may be named svchost.exe and placed in a directory other than System32, or given a near-miss name such as scvhost.exe, to avoid detection. A malicious DLL can also be installed so that a legitimate svchost.exe loads it.


Normal Operation:

Image Path: %SystemRoot%\System32\svchost.exe

Parent Process: services.exe

Number of Instances: Many

User Account: Varies (SYSTEM, Network Service, Local Service) depending on the svchost.exe instance. On Windows 10, some instances can run as the logged-in user.
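Checking each of the "Normal Operation" lists above by hand every time gets old, so here is an added example (mine, not from the original post) that encodes them in one baseline and audits the running processes against it. It covers the System, smss.exe, csrss.exe, wininit.exe, services.exe and svchost.exe sections, plus lsass.exe, lsaiso.exe and winlogon.exe, which the text mentions in passing: expected parent, PID, session, System32 image path, owning account and instance count, and it flags any process whose name is within one edit of a core name (scvhost.exe, csrsss.exe, svch0st.exe), the masquerading trick the svchost.exe paragraph describes. The function names, the $baseline table and the '<exited>' marker are this example's own conventions, not Windows or tool names.

```powershell
# Added example: audit the boot-chain processes against a baseline built from the
# "Normal Operation" sections. Test-CoreProcessBaseline, Get-EditDistance, $baseline and
# the '<exited>' marker are this example's own conventions. Run elevated; otherwise
# ExecutablePath and owner are not readable for SYSTEM processes and show as 'unknown'.

# Optimal string alignment distance: a transposition (scvhost/svchost) costs one edit.
function Get-EditDistance([string]$a, [string]$b) {
    $d = New-Object 'object[]' ($a.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i] = New-Object 'int[]' ($b.Length + 1); $d[$i][0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0][$j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i][$j] = [Math]::Min([Math]::Min($d[$i - 1][$j] + 1, $d[$i][$j - 1] + 1), $d[$i - 1][$j - 1] + $cost)
            if ($i -gt 1 -and $j -gt 1 -and $a[$i - 1] -eq $b[$j - 2] -and $a[$i - 2] -eq $b[$j - 1]) {
                $d[$i][$j] = [Math]::Min($d[$i][$j], $d[$i - 2][$j - 2] + 1)
            }
        }
    }
    return $d[$a.Length][$b.Length]
}

function Test-CoreProcessBaseline {
    # Constructed baseline: allowed parent names ('<exited>' = parent already gone), expected
    # session and maximum instance count ($null = no limit), per the sections above.
    $baseline = @{
        'System'       = @{ Parents = @('System Idle Process');  Session = 0;     Max = 1; ExpectPid = 4 }
        'smss.exe'     = @{ Parents = @('System');               Session = 0;     Max = 1 }      # child instances are transient; re-run if 2 appear
        'csrss.exe'    = @{ Parents = @('<exited>', 'smss.exe'); Session = $null; Max = $null }
        'wininit.exe'  = @{ Parents = @('<exited>', 'smss.exe'); Session = 0;     Max = 1 }
        'winlogon.exe' = @{ Parents = @('<exited>', 'smss.exe'); Session = $null; Max = $null }
        'services.exe' = @{ Parents = @('wininit.exe');          Session = 0;     Max = 1 }
        'lsass.exe'    = @{ Parents = @('wininit.exe');          Session = 0;     Max = 1 }
        'lsaiso.exe'   = @{ Parents = @('wininit.exe');          Session = 0;     Max = 1 }      # present only with Credential Guard
        'svchost.exe'  = @{ Parents = @('services.exe');         Session = $null; Max = $null }
    }
    $serviceAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE')

    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($id, $name, $check, $expected, $actual) {
        $findings.Add([pscustomobject]@{ Pid = [int]$id; Name = $name; Check = $check; Expected = $expected; Actual = $actual })
    }

    foreach ($p in $procs) {
        if (-not $p.Name) { continue }
        $rule = $baseline[$p.Name]                       # @{} string keys are case-insensitive
        if ($null -eq $rule) {
            # Not a core name: flag anything within one edit of one (scvhost.exe, csrsss.exe, svch0st.exe).
            foreach ($known in $baseline.Keys) {
                if ((Get-EditDistance $p.Name.ToLowerInvariant() $known.ToLowerInvariant()) -le 1) { Add-Finding $p.ProcessId $p.Name 'lookalike' $known $p.Name }
            }
            continue
        }
        # Parent resolved from the same snapshot; a missing parent is fine only where the baseline lists '<exited>'.
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($rule.Parents -notcontains $parentName) { Add-Finding $p.ProcessId $p.Name 'parent' ($rule.Parents -join '|') "$parentName ($($p.ParentProcessId))" }
        if ($rule.ExpectPid -and [int]$p.ProcessId -ne $rule.ExpectPid) { Add-Finding $p.ProcessId $p.Name 'pid' $rule.ExpectPid $p.ProcessId }
        if ($null -ne $rule.Session -and [int]$p.SessionId -ne $rule.Session) { Add-Finding $p.ProcessId $p.Name 'session' $rule.Session $p.SessionId }
        # Image path must be the System32 copy; System (PID 4) has no image path to check.
        if ($p.Name -ne 'System') {
            $expected = Join-Path $env:SystemRoot "System32\$($p.Name)"
            if (-not $p.ExecutablePath) { Add-Finding $p.ProcessId $p.Name 'path' $expected 'unknown (run elevated)' }
            elseif ($p.ExecutablePath -ne $expected) { Add-Finding $p.ProcessId $p.Name 'path' $expected $p.ExecutablePath }
        }
        # Owner: SYSTEM for the chain; svchost may also run as the two service accounts. A user account on
        # svchost is legitimate for Windows 10 per-user services, so treat that finding as "review", not "alert".
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        if ($owner -and $owner.ReturnValue -eq 0) {
            $account = "$($owner.Domain)\$($owner.User)"
            $allowed = if ($p.Name -eq 'svchost.exe') { $serviceAccounts } else { @('NT AUTHORITY\SYSTEM') }
            if ($allowed -notcontains $account) { Add-Finding $p.ProcessId $p.Name 'owner' ($allowed -join '|') $account }
        }
    }
    # Instance counts: more than the baseline allows (two System, two services.exe, ...) is a finding.
    foreach ($name in $baseline.Keys) {
        $max = $baseline[$name].Max
        $count = @($procs | Where-Object { $_.Name -eq $name }).Count
        if ($null -ne $max -and $count -gt $max) { Add-Finding 0 $name 'instances' $max $count }
    }
    return $findings
}

# Usage: one row per deviation; no rows means every core process matched the baseline.
Test-CoreProcessBaseline | Format-Table -AutoSize
```

Two caveats when reading the output. First, the baseline is a snapshot of one moment: an smss.exe child or a csrss.exe whose smss.exe parent is still alive can legitimately show up for a second or two right after a new session (for example, an RDP logon), so re-run before escalating. Second, a name check only catches near-miss spellings; a binary that is named exactly svchost.exe but lives outside System32, or whose parent is not services.exe, is caught by the path and parent checks instead, which is why all of them run together.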