Intro to Endpoint Security

Fundamentals, methodology, and tooling for endpoint security monitoring.

Endpoint Security Monitoring

Core Windows Processes

Task Manager allows users to see what is running on the Windows system and provides information on resource usage, showing how much CPU and memory each running process consumes. Task Manager can also be used to terminate a program's process when it stops responding.

Running processes that are considered normal behavior:

  • System

  • System > smss.exe

  • csrss.exe

  • wininit.exe

  • wininit.exe > services.exe

  • wininit.exe > services.exe > svchost.exe

  • lsass.exe

  • winlogon.exe

  • explorer.exe

Note: ">" symbol represents a parent-child relationship.

Processes for which no parent-child relationship is depicted should not have a parent process under normal circumstances; the exception is the System process, whose only parent should be System Idle Process (PID 0).
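The parent-child rules above can be checked mechanically. The following is an added example written for these notes (not code from the original room or from Sysinternals): it encodes the expected parent of each core process and reports anything that deviates. The process listing is constructed for illustration; on a real host the same three fields (PID, parent PID, image name) come from Process Explorer, `tasklist`, or `Get-CimInstance Win32_Process`. Two entries are assumptions not stated in the notes: lsass.exe is recorded under wininit.exe, and a small set of processes is treated as single-instance.

```python
"""Check a Windows process listing for parent-child relationships that
deviate from the core-process model in the notes above.

Added example, not part of the original notes. The process list is
constructed for illustration; on a real host the same fields (PID, parent
PID, image name) come from Process Explorer, `tasklist`, or
`Get-CimInstance Win32_Process`.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Expected parent image name per core process, following the list above.
# None means the process should have no running parent: the parent has
# exited (the smss.exe instance that spawned csrss.exe/winlogon.exe,
# userinit.exe for explorer.exe) or is System Idle Process (PID 0).
EXPECTED_PARENT = {
    "system": None,
    "smss.exe": "system",
    "csrss.exe": None,
    "wininit.exe": None,
    "services.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",  # assumption: the notes above do not depict lsass.exe's parent
    "winlogon.exe": None,
    "explorer.exe": None,
}

# Core processes that should exist exactly once on a normal system
# (assumption drawn from the standard Windows boot model, not from the notes).
SINGLETONS = {"system", "wininit.exe", "services.exe", "lsass.exe"}


def find_parent_anomalies(procs):
    """Return (pid, name, reason) for each process whose parent, or whose
    instance count, does not match the expected model."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue
        expected = EXPECTED_PARENT[name]
        parent = by_pid.get(p.ppid)
        if expected is None:
            # A live parent other than PID 0 is unexpected for these processes.
            if parent is not None and p.ppid != 0:
                findings.append((p.pid, p.name,
                                 f"unexpected live parent {parent.name} (PID {p.ppid})"))
        else:
            actual = parent.name.lower() if parent else None
            if actual != expected:
                shown = f"{parent.name} (PID {p.ppid})" if parent else f"exited PID {p.ppid}"
                findings.append((p.pid, p.name,
                                 f"parent is {shown}, expected {expected}"))
    counts = Counter(p.name.lower() for p in procs)
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append((None, name, f"{counts[name]} instances, expected 1"))
    return findings


# Constructed sample listing: a normal boot (first ten entries) plus two
# planted anomalies at the end.
SAMPLE_PROCS = [
    Proc(0, 0, "System Idle Process"),
    Proc(4, 0, "System"),
    Proc(368, 4, "smss.exe"),
    Proc(484, 476, "csrss.exe"),        # spawning smss.exe instance (476) has exited
    Proc(560, 476, "wininit.exe"),
    Proc(612, 552, "winlogon.exe"),     # spawning smss.exe instance (552) has exited
    Proc(672, 560, "services.exe"),
    Proc(688, 560, "lsass.exe"),
    Proc(812, 672, "svchost.exe"),
    Proc(3440, 3412, "explorer.exe"),   # userinit.exe (3412) has exited
    Proc(5120, 3440, "svchost.exe"),    # anomaly: svchost.exe launched by explorer.exe
    Proc(5200, 5120, "lsass.exe"),      # anomaly: second lsass.exe, child of that svchost
]


if __name__ == "__main__":
    for pid, name, reason in find_parent_anomalies(SAMPLE_PROCS):
        print(f"{name} PID {pid}: {reason}")
```

Running the script on the sample prints three findings: the svchost.exe whose parent is explorer.exe, the lsass.exe whose parent is an svchost.exe, and the duplicate lsass.exe instance. The first ten entries alone produce no findings, which is the baseline an analyst expects from Task Manager or Process Explorer on a healthy host.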

Sysinternals

The Sysinternals suite comprises over 70 Windows-based tools. Each tool falls into one of the following categories:

  • File and Disk Utilities

  • Networking Utilities

  • Process Utilities

  • Security Utilities

  • System Information

  • Miscellaneous

Two of the most used Sysinternals tools for endpoint investigation are:

  • TCPView - Networking Utility tool.

  • Process Explorer - Process Utility tool.

TCPView

TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including local and remote addresses and the state of each TCP connection. It presents the same information as the Netstat program in a more convenient form. The TCPView download also includes Tcpvcon, a command-line version with the same functionality.

Every connection initiated by a process is listed by the tool, which helps correlate network events with the processes running at the same time.
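The correlation step above, joining each endpoint to the process that owns it, is what TCPView does in its GUI. The following is an added example written for these notes (not code from the original room or from Sysinternals): it parses the `netstat -ano` connection table, which carries the same columns TCPView and Tcpvcon display, attaches the owning image name from a PID table, and groups established connections by process. The netstat text and the PID-to-name table are constructed for illustration; on a real host the table would come from `tasklist` or Process Explorer.

```python
"""Parse `netstat -ano`-style output (the same connection table TCPView and
Tcpvcon present) and join each endpoint to its owning process.

Added example, not part of the original notes. The netstat text and the
PID-to-name table are constructed for illustration; on a real host the
table would come from `tasklist` or Process Explorer.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    proto: str
    local: str
    remote: str
    state: str     # empty for UDP, which has no connection state
    pid: int
    process: str   # owning image name, or "<unknown>" if the PID is not in the table


def parse_netstat(text, pid_to_name):
    """Turn netstat -ano output into Endpoint records.
    TCP lines carry five columns; UDP lines have no State column."""
    endpoints = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections" banner, or column header
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        endpoints.append(Endpoint(proto, local, remote, state, pid,
                                  pid_to_name.get(pid, "<unknown>")))
    return endpoints


def established_by_process(endpoints):
    """Group the remote ends of ESTABLISHED TCP connections by owning
    process: the view an analyst wants when correlating network events
    with what was running at the time."""
    grouped = defaultdict(list)
    for e in endpoints:
        if e.proto == "TCP" and e.state == "ESTABLISHED":
            grouped[f"{e.process} (PID {e.pid})"].append(e.remote)
    return dict(grouped)


# Constructed sample data: a small PID table and a netstat -ano excerpt.
# PID 0 on the TIME_WAIT line is how netstat reports a connection whose
# owning process has already closed it.
SAMPLE_PIDS = {812: "svchost.exe", 3440: "explorer.exe", 5120: "svchost.exe"}
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     3440
  TCP    10.0.0.5:49801         203.0.113.45:8443      ESTABLISHED     5120
  TCP    10.0.0.5:49802         203.0.113.45:8443      TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    812
"""


if __name__ == "__main__":
    eps = parse_netstat(SAMPLE_NETSTAT, SAMPLE_PIDS)
    for e in eps:
        print(f"{e.proto:<4} {e.local:<22} {e.remote:<22} {e.state:<12} {e.process} ({e.pid})")
    print(established_by_process(eps))
```

The parser keys off the protocol column rather than fixed offsets, so it tolerates the wider IPv6 entries (`[::]:135`) that shift the columns in real output. The grouped view is the natural input for the next step in an investigation, checking each connected process's parent against the core-process model.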

Process Explorer

Process Explorer's display has two sub-windows.

Top window: shows the list of currently active processes with the names of their owning accounts.

Bottom window: what it displays depends on the mode Process Explorer is in. In handle mode it shows the handles that the process selected in the top window has opened; in DLL mode it shows the DLLs and memory-mapped files that the process has loaded.

What is the normal parent process of services.exe?

wininit.exe

What is the name of the network utility tool introduced in this task?

tcpview
