Threat Hunting Professional
Introduction to Endpoint Hunting
Section 03 | Module 01
© Caendra Inc. 2020
All Rights
Table of Contents
MODULE 01 | INTRODUCTION TO ENDPOINT HUNTING
1. Introduction
2. Windows Processes
3. Endpoint Baselines
THPv2: Section 03, Module 01 - Caendra Inc. © 2020 | p.2
1.1 Introduction
We will now focus our hunts on the endpoints.
At this point, imagine that threat intelligence feeds
are in place and network traffic/flow is being
monitored, but nothing is producing any alerts
that would merit a hunt.
That doesn’t mean the adversary has not obtained a foothold in the network. They probably found their way in by bypassing the perimeter defenses that were put in place.
Maybe an employee's laptop got compromised
at their home or at a local coffee shop and the
adversary found their way right into the juicy
middle of our enterprise.
To be successful as a hunter, you must assume that the adversary has already found their way in and that you need to find them.
Remember, we discussed dwell time at the beginning of this course. Based on reports, adversaries have remained hidden in enterprise networks for months before being detected.
We’ll approach these next few modules as such: a hunt without specific threat intel.
Before we can dive in and start hunting, we need to focus on the basics; we need to understand the endpoints that we’re hired to protect and that attackers are going after.
Servers typically don’t change much, meaning software isn’t constantly installed from day to day. The services, processes, etc. do not differ from day to day. Windows patches might be applied on a monthly or quarterly basis.
Detecting anomalies on servers, if they’re monitored, should be easier than on desktop machines.
Each enterprise will have different policies in place that will either prohibit or allow the end user to perform certain tasks.
Some corporations will give end users local admin rights because it’s easier to just allow the end user to install and configure anything rather than calling the help desk, or because an application only works correctly if local admin rights are given to the user.
Some corporations will give end users local admin
rights only to certain folders, services, etc., but this
can still pose a significant problem.
If this is known to an attacker, then that can be
exploited to gain access and elevate privileges on
the system.
Enterprises, for the most part, are doing the best they can with what they have, with whatever appliances and budget they have in place.
At the end of the day, you still need to defend the network and find evil if they’re within your systems.
We’ll begin by:
• Looking at the Windows operating system core processes
• Discussing the role each process plays
• Discussing the normal behavior of the process
This is important because even if you have appliances in place, attackers are becoming more and more crafty in tricking these appliances. We must recognize anything suspicious with these core processes, in case
1.2 Windows Processes
When it comes to the Windows core processes and attempting to detect if they are the legitimate core processes, we can look at a few key factors:
• Did the expected parent process spawn it?
• Is it running out of the expected path?
• Is it spelled correctly?
This is a snapshot of the processes running on a Windows 7 system (VM). We will use this snapshot to explain the various core Windows processes, covering for each:
• Name
• Purpose
• Executable path
• Parent process
• SID
1.2.1 smss.exe
SMSS.EXE is known as the Session Manager. Its responsibility is to create new sessions.
• Session 0 starts csrss.exe and wininit.exe (OS services).
• Session 1 starts csrss.exe and winlogon.exe (user session).
• You will see 1 instance (Session 0) within the process tree. The child instances of smss.exe that were used to create the other sessions, by copying itself into each new session, will self-terminate.
• Loads the registry and known DLLs into shared memory locations, among other things.
Executable Path: %SystemRoot%\System32\smss.exe
Parent Process: System
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 11
Time of Execution: For Session 0, within seconds of boot time
1.2.1.1 Hunting Tip
Sessions 0 and 1 are normal. Additional sessions
may be created by Remote Desktop Protocol (RDP)
sessions and Fast User Switching on shared
computers. If this does not apply to your
environment, then it’s worth checking the additional
sessions (if such exist).
Remember, only 1 instance of smss.exe should be running.
1.2.2 csrss.exe
CSRSS.EXE is the Client/Server Run Subsystem Process. It
is responsible for managing processes and threads, as well as
making the Windows API available for other processes. It’s also
responsible for mapping drive letters, creating temp files, and
handling the shutdown process.
• Runs within Session 0 and 1.
• Will be available for each newly created user session.
Executable Path: %SystemRoot%\System32\csrss.exe
Parent Process: Created by a child instance of SMSS.EXE, but that process won’t exist, so it will appear as having no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: For Sessions 0 & 1, within seconds of boot time
1.2.2.1 Hunting Tip
Malware authors can masquerade their malware to
appear as this process by hiding in plain sight.
They can name the malware as csrss.exe but just
misspell it slightly. Examples of this would be
cssrs.exe, cssrss.exe, and csrsss.exe.
Remember, typically you will see 2 instances of
csrss.exe.
1.2.3 winlogon.exe
WINLOGON.EXE is the Windows Logon Process. It is responsible for user logons/logoffs. It launches LogonUI.exe to collect the username and password and passes the credentials to LSASS.exe, which verifies them via AD or the local SAM.
• Loads Userinit.exe via Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
• Loads NTUSER.DAT into HKCU and starts the user’s shell via Userinit.exe.
• Userinit initializes the user environment and runs logon scripts and GPO.
*Both LogonUI.exe and Userinit.exe will exit and will not be visible after this process.
Executable Path: %SystemRoot%\System32\winlogon.exe
Parent Process: Created by a child instance of SMSS.EXE, but that process won’t exist, so it will appear as having no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: For Session 1, within seconds of boot time. Other instances may start later.
1.2.3.1 Hunting Tip
Abuse of this process often happens within the different components of the logon process. Malware sometimes abuses the Shell registry value, which should be explorer.exe.
Another registry value abused by malware that works in conjunction with winlogon.exe is Userinit.
1.2.4 wininit.exe
WININIT.EXE is the Windows Initialization Process. It is responsible for launching services.exe, lsass.exe, and lsm.exe in Session 0.
Executable Path: %SystemRoot%\System32\wininit.exe
Parent Process: Created by a child instance of SMSS.EXE, but that process won’t exist, so it will appear as having no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: Within seconds of boot time
1.2.4.1 Hunting Tip
You should only see 1 instance of wininit.exe.
Remember the clues to look for, provided at the beginning of this section.
1.2.5 lsm.exe
LSM.EXE is the Local Session Manager. It is responsible for working with smss.exe to create, destroy, or manipulate new user sessions.
• Responsible for logon/logoff, shell start/end, and lock/unlock desktop, to name a few.
Note: After Windows 7, lsm.exe no longer exists, and it is now a service called lsm.dll.
Executable Path: %SystemRoot%\System32\lsm.exe
Parent Process: wininit.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 8
Time of Execution: Within seconds of boot time
1.2.5.1 Hunting Tip
You should only see 1 instance of lsm.exe on Windows 7 machines. You should NOT be seeing this on Windows 8 and beyond. It will be running as a service DLL instead, lsm.dll.
Remember the clues to look for, provided at the beginning of this section.
1.2.6 services.exe
SERVICES.EXE is the Service Control Manager. It is responsible for loading services (auto-start) and device drivers into memory.
• Parent to svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc.
• Services are defined in HKLM\SYSTEM\CurrentControlSet\Services.
• Maintains an in-memory database of service information which can be queried using the built-in Windows tool, sc.exe.
• After a successful interactive login, services.exe will back up a copy of the registry keys into HKLM\SYSTEM\Select\LastKnownGood, which will be known as
2020 | p.31
1.2.6
services.exe
Executable Path: %SystemRoot%\System32\services.exe
Parent Process: wininit.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 9
Time of Execution: Within seconds of boot time
1.2.6.1 Hunting Tip
You should only see 1 instance of services.exe. This is a protected process, which makes it difficult to tamper with.
Remember the clues to look for, provided at the beginning of this section.
1.2.7 lsass.exe
LSASS.EXE is the Local Security Authority Subsystem. It is responsible for user authentication and generating access tokens specifying security policies and/or restrictions for the user and the processes spawned in the user session.
• Uses authentication packages within HKLM\System\CurrentControlSet\Control\Lsa to authenticate users.
• Creates security tokens for SAM, AD, and NetLogon.
• Writes to the Security event log.
2020 | p.34
1.2.7
lsass.exe
Executable Path: %SystemRoot%\System32\lsass.exe
Parent Process: wininit.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 9
Time of Execution: Within seconds of boot time
1.2.7.1 Hunting Tip
You should only see 1 instance of lsass.exe. This
process is commonly attacked and abused by
hackers and malware. It is targeted to dump
password hashes and is often used to hide in plain
sight. You might see different variations of spelling
for this process (lass.exe or lsasss.exe), and might
even see multiple instances of it, like with Stuxnet
malware.
1.2.8 svchost.exe
SVCHOST.EXE is the Generic Service Host Process. It is responsible for hosting multiple service DLLs in a generic shared service process.
• Each service will have registry entries that include ServiceDll. This will instruct svchost.exe what DLL to use. The entry will also include svchost.exe -k <name>.
• Multiple instances of svchost.exe will be running, as seen in the screenshot to the right.
• All DLL-based services with the same <name> will share the same svchost.exe process.
• <name> values are found in the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key.
• Each svchost.exe process will run with a unique -k
Executable Path: %SystemRoot%\System32\svchost.exe
Parent Process: services.exe
Username: NT AUTHORITY\SYSTEM (S-1-5-18), LOCAL SERVICE (S-1-5-19), or NETWORK SERVICE (S-1-5-20) *
Base Priority: 8
Time of Execution: Varies
*In Windows 10, an instance will start as the user upon logon (-k UnistackSvcGroup).
1.2.8.1 Hunting Tip
This process is another process that is heavily abused. It can be used to launch malicious services (malware installed as a service). When this is done, (-k) will not be present. This process is often misspelled to hide in plain sight. Another technique used with this process is to place it in different directories, but note that services.exe will not be the parent.
Remember the clues to look for, provided at the beginning of this section.
When it comes to services, we will need to perform extra steps to determine whether the service/DLL being loaded by svchost.exe is legitimate or not.
It’s more than just checking for misspellings in svchost.exe, because techniques such as Process Injection and Process Hollowing can attack legitimate services. In these cases, advanced techniques are required, such as memory analysis.
https://attack.mitre.org/wiki/Technique/T1055
1.2.9 taskhost.exe
TASKHOST.EXE is a generic host process which acts as a host for processes that run from DLLs rather than EXEs. At startup, TASKHOST checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them.
• In Windows 8, this process was renamed to taskhostex.exe.
• In Windows 10, this process was renamed to taskhostw.exe.
Executable Path: %SystemRoot%\System32\taskhost.exe
Parent Process: services.exe
Username: Varies
Base Priority: 8
Time of Execution: Varies
1.2.9.1 Hunting Tip
Remember the clues to look for, provided at the beginning of this section.
1.2.10 explorer.exe
EXPLORER.EXE is the Windows Explorer.
• Explorer.exe is responsible for the user’s desktop and everything that comes with it, including access to files (file browser) and launching files via their file extensions.
• Even if multiple Windows Explorer windows are open, only 1 process will be spawned per logged-on user.
Executable Path: %SystemRoot%\explorer.exe
Parent Process: Created by USERINIT.EXE, but that process won’t exist, so it will appear as having no parent
Username: As logged-on users
Base Priority: 8
Time of Execution: Varies
1.2.10.1 Hunting Tip
This process is targeted by malware as well. The techniques already mentioned will be used against this process too: injecting into the process, spawning malware named explorer.exe and running it from a different folder, or misspelling it and having it run from the actual folder.
Look for instances where explorer has CMD hanging off it or is listening/connected on a network port.
Let’s add more to the checklist shown near the beginning of this section.
• Core Windows processes shouldn’t run from Windows temp locations or the Recycle Bin, and neither should they be communicating to any outbound IPs.
• Check for digital signatures (all Microsoft artifacts should be digitally signed).
• Look for any process that has cmd.exe, wscript.exe, powershell.exe, etc. running as a child process.
• Lastly, you’ll need to dig deeper, and that is where memory analysis will come into play to find instances of DLL injection, Process Hollowing, etc.
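The checklist above, applied to a process snapshot in PowerShell. This is an added example, not code from the course: the expected-parent table is taken from the process slides in this section, while the edit-distance thresholds, the function names and the constructed $Snapshot rows are my own assumptions.

```powershell
# Added example (not the course's code): applies this section's checklist to a process snapshot.
# For live data: Get-CimInstance Win32_Process | Select-Object Name, ProcessId, ParentProcessId, ExecutablePath
# The $Snapshot at the bottom is CONSTRUCTED so the script runs offline; its last three rows are made up.

# Expected parent, directory under %SystemRoot% and instance limit per core process, as given in this section.
# Parent $null means the creating process has exited, so the live tree shows no parent.
# (On Windows 8/10 add taskhostex.exe / taskhostw.exe with the same values as taskhost.exe.)
$Expected = @{
    'smss.exe'     = @{ Parent = 'system';       Dir = 'System32'; Max = 1 }
    'csrss.exe'    = @{ Parent = $null;          Dir = 'System32'; Max = 2 }
    'wininit.exe'  = @{ Parent = $null;          Dir = 'System32'; Max = 1 }
    'winlogon.exe' = @{ Parent = $null;          Dir = 'System32'; Max = $null }
    'lsm.exe'      = @{ Parent = 'wininit.exe';  Dir = 'System32'; Max = 1 }
    'services.exe' = @{ Parent = 'wininit.exe';  Dir = 'System32'; Max = 1 }
    'lsass.exe'    = @{ Parent = 'wininit.exe';  Dir = 'System32'; Max = 1 }
    'svchost.exe'  = @{ Parent = 'services.exe'; Dir = 'System32'; Max = $null }
    'taskhost.exe' = @{ Parent = 'services.exe'; Dir = 'System32'; Max = $null }
    'explorer.exe' = @{ Parent = $null;          Dir = '';         Max = $null }
}
$ShellChildren = @('cmd.exe', 'wscript.exe', 'powershell.exe')   # children worth a second look

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, used to spot lookalike names such as csrsss.exe or lsasss.exe
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-CoreProcesses {
    param([object[]]$Processes, [string]$SystemRoot = 'C:\Windows')
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($proc, $check, $detail) { $findings.Add([pscustomobject]@{ Pid = $proc.ProcessId; Name = $proc.Name; Check = $check; Detail = $detail }) }
    $byPid = @{}; foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }
    $counts = @{}
    foreach ($p in $Processes) {
        $name       = $p.Name.ToLower()
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name.ToLower() } else { $null }
        $isCore     = $Expected.ContainsKey($name)
        $lookalike  = $false
        if ($isCore) {
            $counts[$name] = 1 + [int]$counts[$name]
            $exp = $Expected[$name]
            # Did the expected parent process spawn it?
            if ($parentName -ne $exp.Parent) {
                Add-Finding $p 'parent' ("parent is '{0}', expected '{1}'" -f $parentName, $exp.Parent)
            }
            # Is it running out of the expected path?
            $expPath = if ($exp.Dir) { "$SystemRoot\$($exp.Dir)\$name" } else { "$SystemRoot\$name" }
            if ($p.ExecutablePath -and $p.ExecutablePath -ne $expPath) {
                Add-Finding $p 'path' "running from '$($p.ExecutablePath)', expected '$expPath'"
            }
        } else {
            # Is it spelled correctly? Allow 1 edit against short core names, 2 against longer ones.
            $stem = $name -replace '\.exe$', ''
            foreach ($core in $Expected.Keys) {
                $coreStem = $core -replace '\.exe$', ''
                $d = Get-EditDistance $stem $coreStem
                if ($d -gt 0 -and $d -le $(if ($coreStem.Length -ge 5) { 2 } else { 1 })) {
                    Add-Finding $p 'spelling' "looks like '$core' (edit distance $d)"; $lookalike = $true; break
                }
            }
        }
        # Core processes should not run from temp locations or the Recycle Bin
        if (($isCore -or $lookalike) -and $p.ExecutablePath -match '\\Temp\\|\$Recycle\.Bin') {
            Add-Finding $p 'location' "runs from temp/Recycle Bin: $($p.ExecutablePath)"
        }
        # A core process with cmd.exe / wscript.exe / powershell.exe hanging off it
        if ($parent -and $Expected.ContainsKey($parentName) -and $name -in $ShellChildren) {
            Add-Finding $parent 'child' "spawned $($p.Name) (pid $($p.ProcessId))"
        }
    }
    foreach ($core in $Expected.Keys) {   # more instances than this section allows?
        $max = $Expected[$core].Max
        if ($max -and $counts[$core] -gt $max) {
            Add-Finding ([pscustomobject]@{ ProcessId = '*'; Name = $core }) 'count' "$($counts[$core]) instances, expected at most $max"
        }
    }
    return $findings
}

# CONSTRUCTED snapshot: a normal Windows 7 tree, then three made-up suspicious rows
$Snapshot = @(
    @{ Name = 'System';       ProcessId = 4;    ParentProcessId = 0;    ExecutablePath = $null },
    @{ Name = 'smss.exe';     ProcessId = 300;  ParentProcessId = 4;    ExecutablePath = 'C:\Windows\System32\smss.exe' },
    @{ Name = 'csrss.exe';    ProcessId = 400;  ParentProcessId = 392;  ExecutablePath = 'C:\Windows\System32\csrss.exe' },
    @{ Name = 'wininit.exe';  ProcessId = 450;  ParentProcessId = 392;  ExecutablePath = 'C:\Windows\System32\wininit.exe' },
    @{ Name = 'services.exe'; ProcessId = 550;  ParentProcessId = 450;  ExecutablePath = 'C:\Windows\System32\services.exe' },
    @{ Name = 'lsass.exe';    ProcessId = 560;  ParentProcessId = 450;  ExecutablePath = 'C:\Windows\System32\lsass.exe' },
    @{ Name = 'svchost.exe';  ProcessId = 700;  ParentProcessId = 550;  ExecutablePath = 'C:\Windows\System32\svchost.exe' },
    @{ Name = 'explorer.exe'; ProcessId = 1200; ParentProcessId = 1150; ExecutablePath = 'C:\Windows\explorer.exe' },
    @{ Name = 'csrsss.exe';   ProcessId = 2000; ParentProcessId = 1200; ExecutablePath = 'C:\Users\alice\AppData\Local\Temp\csrsss.exe' },
    @{ Name = 'svchost.exe';  ProcessId = 2100; ParentProcessId = 1200; ExecutablePath = 'C:\Users\alice\AppData\Local\Temp\svchost.exe' },
    @{ Name = 'cmd.exe';      ProcessId = 2200; ParentProcessId = 2100; ExecutablePath = 'C:\Windows\System32\cmd.exe' }
) | ForEach-Object { [pscustomobject]$_ }

Test-CoreProcesses -Processes $Snapshot | Format-Table -AutoSize
```

On the constructed snapshot the lookalike csrsss.exe is reported for spelling and location, and the svchost.exe under Temp for parent, path, location and its cmd.exe child; the real tree produces no findings.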
Some additional references, besides the Internet, to learn more about these core Windows processes:
• Windows Internals, Seventh Edition, Part 1 (https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188)
• Windows Internals, Sixth Edition, Part 2 (https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873)
*Windows Internals, Seventh Edition, Part 2 has not been released yet as of this date.
This section was meant to get us familiar with the core Windows processes to help us spot suspicious processes and/or:
• Services masquerading as legitimate processes
• Services actually using the legitimate processes
• Services being used to execute malware on the systems.
Next, we need to be able to do the same after
configuring these systems to be deployed in our
environments.
The purpose of the next section is to look for
suspicious artifacts hiding within processes,
services, files, folders, etc.
1.3 Endpoint Baselines
In the next few slides, we’ll discuss a technique that many enterprises should be implementing within their organization: baselining.
As mentioned in the Hunting Web Shells module,
baselines will help you find anomalies within system
processes, services, drivers, installed applications,
file structures, etc.
A baseline is a file that will be used for
comparisons against current settings and/or
configurations. You can compare the current state
of a machine, file system, etc. against the
baseline to determine anything out of place.
In the Hunting Web Shells module, we looked at how to use PowerShell to create a baseline of a folder structure on an internal web server.
In theory, the baseline would be created the last time a developer or dev team made updates to the folder structure. At the time of the comparison, whether daily, weekly, etc., that baseline (CSV) would be compared to the current folder structure (CSV) of the present day.
1.3 Endpoint
Baselines
If a changed file or new file is detected, then that would
be an indicator to investigate things on that web server
more closely.
If your enterprise utilizes change management, then
there would be some type of proof that an update was
scheduled to be conducted on that folder structure.
If there is no evidence of an authorized update, then you’ll know something unauthorized took place, whether it’s unintentional or intentional.
https://www.prosci.com/change-management/what-is-change-management
1.3 Endpoint
Baselines
AlienVault has a few good postings on their blog about the subject of File Integrity Monitoring that are worth reading. You can check:
• Part 1: https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring
• Part 2: https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it
1.3 Endpoint
Baselines
There are several products that can assist with monitoring unauthorized changes to files. A few of these are included below:
• TripWire: https://www.tripwire.com/products/tripwire-file-integrity-manager/
• SolarWinds: https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software
• AlienVault: https://cybersecurity.att.com/solutions/pci-dss-file-integrity-monitoring
• SecureTrust: https://www.securetrust.com/solutions/compliance-technologies/file-integrity-monitoring/
• LogRhythm: https://logrhythm.com/solutions/security/file-integrity-monitoring/
1.3 Endpoint
Baselines
Detecting these changes and investigating each
changed or new file in a large enterprise
environment with hundreds of thousands of nodes is
simply not feasible.
You will need some type of appliance to assist you
with this task, like the ones mentioned in the
previous slide.
Many appliances are able to assist us with the process of comparing artifacts to a set configuration or simply detecting changes that are not in a specified policy.
While vendors might refer to this technology with different terminology, security products on the market are able to do the job. At times, sadly, enterprises are not implementing these features within these appliances that already exist on their
1.3.1 System Center Configuration Manager
An example would be System Center Configuration Manager (SCCM), which is able to perform this task:
“Configuration baselines in System Center Configuration Manager contain predefined configuration items and optionally, other configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in that collection download the
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines
1.3.1 System Center Configuration
Manager
Why is SCCM listed as an example?
Many large enterprises might already have SCCM in their environment to deploy OS images and Windows Updates, push software packages, etc. As mentioned earlier, SCCM might not be utilized to its fullest potential. At times, the Security Team is not even aware of the full capabilities of the applications the other IT teams are using in the environment, SCCM being a prime example.
1.3.2 PowerShell Desired State Configuration
If you’re on a tight security budget and don’t want to wait until the next fiscal year to put in for a new, much needed security appliance, then you can resort to PowerShell. We already saw how PowerShell can help us with checking for changes in files.
PowerShell can also help us with configuration baselines on machines. This feature of PowerShell is known as Desired State Configuration.
Desired State Configuration (DSC) is an essential
part of the configuration, management, and
maintenance of Windows-based servers.
It allows a PowerShell script to specify the
configuration of the machine using a declarative
model in a simple standard way that is easy to
maintain and understand.
Two of the main advantages of Desired State Configuration:
• To be able to configure machines identically with the aim of standardizing them.
• To ensure, at a given time, that the configuration of a machine will always be identical to its initial configuration, to avoid
1.3.2 PowerShell Desired State
Configuration
If you’re familiar with Puppet (https://puppet.com/), Ansible (https://www.ansible.com/), or Chef (https://www.chef.io/), then you can grasp the concept behind DSC.
You can read more about DSC at https://www.red-gate.com/simple-talk/sysadmin/powershell/powershell-desired-state-configuration-the-basics/.
1.3.3 Microsoft Security Compliance Manager
Another tool that can prove useful is Microsoft
Security Compliance Manager.
“SCM provides ready-to-deploy policies and DCM
configuration packs based on Microsoft security
guide recommendations and industry best practices,
allowing you to easily manage configuration drift
and address compliance requirements for Windows
operating systems, Office applications, and other
Microsoft applications.”
You can download baselines for different Microsoft products. They are all available at https://www.microsoft.com/en-us/download/details.aspx?id=55319.
1.3.4 Microsoft Security Compliance Toolkit
For Windows 10, you can download the Microsoft Security Compliance Toolkit 1.0 from https://www.microsoft.com/en-us/download/details.aspx?id=55319.
As noted at https://docs.microsoft.com/en-us/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures, Microsoft Security Compliance Manager is retired, but they mention the increasing popularity of PowerShell DSC, which was already mentioned.
1.3 Endpoint
Baselines
For certain types of analysis, such as memory
analysis, it’s good to have a process or service
baseline to use to compare against a memory
image to find evidence of malware running on a
system.
In the next few slides, we’ll look at how we can use
PowerShell to create these baselines.
1.3.5 Services Baseline
To get a baseline of the running services on a newly imaged and configured machine, you can use the Get-Service PowerShell cmdlet.
A brief explanation of the code (only components not already explained):
• Get-Service * instructs PowerShell to obtain all the services in the device.
• Where {$_.status -eq "Running"} is filtering those items and only pulling the running services, and exporting the information to an XML file.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-service?view=powershell-7
1.3.5 Services
Baseline
To conduct the comparison, we can simply use another PowerShell cmdlet, Compare-Object, to compare the original services baseline (XML) to the current list of running services on any given device.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/compare-object?view=powershell-7
1.3.5 Services
Baseline
A brief explanation of the code (only components not already explained):
• Compare-Object instructs PowerShell to compare 2 sets of objects.
• 1st object = Import-Clixml Baseline-Services.xml. Here we’re importing the baseline file (XML).
• 2nd object = obtaining the current list of running services.
• -Property DisplayName is instructing PowerShell to pull the display name of the service.
• Where-Object {$_.SideIndicator -eq "<="} is instructing PowerShell to display only the entries that Compare-Object is indicating as different from the baseline.
1.3.6 Processes Baseline
The same can be done with processes on a system. You just need to make some tweaks to the previous PowerShell code and, instead of using Get-Service, we’ll be using Get-Process.
A brief explanation of the code (only components not already explained):
• Get-Process instructs PowerShell to obtain all the processes in the device and export the information to an XML file.
https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.management/get-process
1.3.6 Processes
Baseline
To conduct the comparison, the process is similar with just a slight change, as you can see in the below screenshot.
If you need more information on this process, please refer to this blog page from Hey, Scripting Guy!: https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-compare-two-snapshots-of-running-processes/
1.3 Endpoint
Baselines
As you just saw, we were able to use basically the
same PowerShell code snippet that was used to
create a baseline for running services on a Windows
machine to create a baseline of processes as well.
These are not the only baselines that you can
create with PowerShell.
You can create baselines on pretty much
anything. The question is what do you want to
baseline that you might need to run a
comparison against in the future to detect
something suspicious?
Aside from the items already mentioned, here are a few items that should be baselined (if not controlled by Active Directory):
• Accounts on a system (user or service)
• Local administrators on a system
• Folder permissions
• Folder contents
• Tasks folder (scheduled tasks)
• Network folders containing internal installation executables & files
1.3 Endpoint
Baselines
Refer to the MSDN page on Win32 Classes (https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-classes) to obtain the different names of WMI classes you can access with the Get-WMIObject PowerShell cmdlet (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1).
Creating baselines is an important security process that should be implemented whether you have enterprise-grade appliances or you’re using free tools such as PowerShell.
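The services and processes baseline described in 1.3.5 and 1.3.6, extended to the other items listed above, built with the cmdlets this section names (Export-Clixml, Import-Clixml, Compare-Object). This is an added example, not the course's own script: the function names, the $Collectors table and the constructed service lists are my assumptions, and the Windows-only cmdlets in $Collectors are listed but not run by the offline demo.

```powershell
# Added example (not the course's script): the Export-Clixml / Import-Clixml / Compare-Object
# baseline from this section as two reusable functions, plus collectors for the other items this
# section says to baseline. The demo at the end uses CONSTRUCTED service lists so it runs offline
# on any PowerShell; the $Collectors entries assume Windows cmdlets and are not executed here.
function New-Baseline {
    param([Parameter(Mandatory)][scriptblock]$Collector, [Parameter(Mandatory)][string]$Path)
    # Snapshot whatever the collector returns into an XML baseline file
    & $Collector | Export-Clixml -Path $Path
}

function Compare-Baseline {
    param([Parameter(Mandatory)][scriptblock]$Collector,
          [Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string[]]$Property)
    $baseline = @(Import-Clixml -Path $Path)
    $current  = @(& $Collector)
    # SideIndicator '=>' = only in the current state (new since the baseline);
    # '<=' = only in the baseline (gone). Both deserve a look; new entries usually matter most.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property $Property |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'New' } else { 'Missing' }
            $row = [ordered]@{ Change = $change }
            foreach ($k in $Property) { $row[$k] = $_.$k }
            [pscustomobject]$row
        }
}

# Collectors for the baselines this section lists (Windows-only cmdlets; extend as needed).
# Get-WmiObject is Windows PowerShell 5.1; on PowerShell 7 use Get-CimInstance instead.
$Collectors = @{
    Services       = @{ Collect = { Get-Service | Where-Object { $_.Status -eq 'Running' } }; Key = 'DisplayName' }
    Processes      = @{ Collect = { Get-Process };                                           Key = 'ProcessName' }
    LocalAdmins    = @{ Collect = { Get-LocalGroupMember -Group 'Administrators' };          Key = 'Name' }
    ScheduledTasks = @{ Collect = { Get-ScheduledTask };                                     Key = 'TaskPath', 'TaskName' }
    Accounts       = @{ Collect = { Get-WmiObject -Class Win32_UserAccount };                Key = 'Name' }
}
# On a freshly imaged host:
#   New-Baseline -Collector $Collectors.Services.Collect -Path C:\Baselines\Baseline-Services.xml
# On any later day:
#   Compare-Baseline -Collector $Collectors.Services.Collect -Path C:\Baselines\Baseline-Services.xml -Property $Collectors.Services.Key

# Offline demo: CONSTRUCTED stand-ins for Get-Service output on imaging day and today
$imagingDay = { 'Windows Event Log', 'Windows Defender Antivirus Service', 'Print Spooler' |
                ForEach-Object { [pscustomobject]@{ DisplayName = $_; Status = 'Running' } } }
$today      = { 'Windows Event Log', 'Print Spooler', 'Remote Helper Service' |
                ForEach-Object { [pscustomobject]@{ DisplayName = $_; Status = 'Running' } } }
$xml = Join-Path ([IO.Path]::GetTempPath()) 'Baseline-Services.xml'
New-Baseline -Collector $imagingDay -Path $xml
Compare-Baseline -Collector $today -Path $xml -Property DisplayName | Format-Table -AutoSize
```

The demo reports the made-up 'Remote Helper Service' as New and 'Windows Defender Antivirus Service' as Missing; swapping in a $Collectors entry and its Key baselines the corresponding item on a real host.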
Module Conclusion
This concludes this module on Windows Processes and the importance of creating baselines. We have covered:
• Each of the core Windows Processes, what they do, how to detect that they are legitimate, and how malware attempts to abuse them.
• The importance of creating various types of baselines, and not neglecting tools that will aid you in the process of creating these much needed artifacts to help you on your hunts.
References
Base Priority
https://msdn.microsoft.com/en-us/library/windows/desktop/ms685100(v=vs.85).aspx
Process Injection
https://attack.mitre.org/wiki/Technique/T1055
Process Hollowing
https://attack.mitre.org/wiki/Technique/T1093
Windows Internals, Seventh Edition, Part 1
https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188
Windows Internals, Sixth Edition, Part 2
https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873
What is Change Management
https://www.prosci.com/change-management/what-is-change-management
What is File Integrity Monitoring?
https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring
What is File Integrity Monitoring and Why You Need It
https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it
TripWire
https://www.tripwire.com/products/tripwire-file-integrity-manager/
SolarWinds
https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software
File Integrity Monitoring Solutions
https://cybersecurity.att.com/solutions/pci-dss-file-integrity-monitoring
SecureTrust
https://www.securetrust.com/solutions/compliance-technologies/file-integrity-monitoring/
LogRhythm
https://logrhythm.com/solutions/security/file-integrity-monitoring/
SCCM Baselines
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines
Puppet
https://puppet.com/
Ansible
https://www.ansible.com/
Chef
https://www.chef.io/
PowerShell DSC
https://www.red-gate.com/simple-talk/sysadmin/powershell/powershell-desired-state-configuration-the-basics/
Microsoft SCM
https://www.microsoft.com/en-us/download/details.aspx?id=53353
Microsoft Windows Security Baselines
https://www.microsoft.com/en-us/download/details.aspx?id=55319
Microsoft Security Compliance Toolkit
https://www.microsoft.com/en-us/download/details.aspx?id=55319
Microsoft SCM
https://docs.microsoft.com/en-us/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures
Get-Service
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-service?view=powershell-7
Compare-Object
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/compare-object?view=powershell-7
Get-Process
https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.management/get-process
Weekend Scripter: Use PowerShell to Compare Two Snapshots of Running Processes
https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-compare-two-snapshots-of-running-processes/
Win32 Providers
https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-classes
Get-WmiObject
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1