
Intro to Endpoint Security

Fundamentals, methodology, and tooling for endpoint security monitoring.

Endpoint Security Monitoring

Core Windows Processes

Task Manager shows what is running on a Windows system and reports resource usage, i.e. how much CPU and memory each running process consumes. It is also used to terminate a program's process when it stops responding.

Running processes that are considered normal behavior:

  • System

  • System > smss.exe

  • csrss.exe

  • wininit.exe

  • wininit.exe > services.exe

  • wininit.exe > services.exe > svchost.exe

  • lsass.exe

  • winlogon.exe

  • explorer.exe

Note: the ">" symbol represents a parent-child relationship.

Processes listed above without a parent-child relationship should not have a parent process under normal circumstances. The exception is the System process, whose only legitimate parent is System Idle Process (0).
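The baseline above can be checked mechanically against a process snapshot. The following is an added example (not part of the original notes or of any Sysinternals tool); it encodes the parent-child list exactly as stated on this page, compares image names case-insensitively, and treats a parent PID that no longer exists as "no parent". The snapshot is constructed for illustration.

```python
from dataclasses import dataclass

# Baseline as listed on this page (None = should show no parent; its creator has exited).
EXPECTED_PARENT = {
    "system": "system idle process",
    "smss.exe": "system",
    "csrss.exe": None,
    "wininit.exe": None,
    "services.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "lsass.exe": None,
    "winlogon.exe": None,
    "explorer.exe": None,
}

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    ppid: int

def find_anomalies(procs):
    """Return (pid, name, reason) for each core process whose parent deviates."""
    by_pid = {p.pid: p for p in procs}
    anomalies = []
    for p in procs:
        if p.name.lower() not in EXPECTED_PARENT:
            continue                        # not a core process, nothing to compare
        expected = EXPECTED_PARENT[p.name.lower()]
        parent = by_pid.get(p.ppid)         # None when the parent is no longer running
        if expected is None:
            if parent is not None:
                anomalies.append((p.pid, p.name, f"unexpected parent {parent.name} ({p.ppid})"))
        elif parent is None or parent.name.lower() != expected:
            seen = parent.name if parent else f"exited pid {p.ppid}"
            anomalies.append((p.pid, p.name, f"parent is {seen}, expected {expected}"))
    return anomalies

# Constructed snapshot (not captured from a real host). PIDs 360 and 2100 have
# exited, so the processes they started legitimately show no parent.
SNAPSHOT = [
    Proc(0, "System Idle Process", 0), Proc(4, "System", 0), Proc(368, "smss.exe", 4),
    Proc(480, "csrss.exe", 360), Proc(560, "wininit.exe", 360), Proc(620, "winlogon.exe", 360),
    Proc(660, "services.exe", 560), Proc(680, "lsass.exe", 360), Proc(820, "svchost.exe", 660),
    Proc(2200, "explorer.exe", 2100), Proc(3100, "svchost.exe", 2200), Proc(3200, "csrss.exe", 2200),
]

if __name__ == "__main__":
    for pid, name, reason in find_anomalies(SNAPSHOT):
        print(f"{pid:>6} {name:<14} {reason}")
```

A match on image name alone says nothing about where the binary lives or whether it is signed; Process Explorer's path and verified-signer columns cover that part of the check.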

Sysinternals

The Sysinternals suite comprises over 70 Windows-based tools. Each tool falls into one of the following categories:

  • File and Disk Utilities

  • Networking Utilities

  • Process Utilities

  • Security Utilities

  • System Information

  • Miscellaneous

Two of the most commonly used Sysinternals tools for endpoint investigation are:

  • TCPView - Networking Utility tool.

  • Process Explorer - Process Utility tool.

TCPView

TCPView is a Windows program that shows a detailed listing of all TCP and UDP endpoints on the system, including local and remote addresses and the state of each TCP connection. It presents a conveniently laid-out subset of what the Netstat program reports. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

The tool lists every connection initiated by a process, which helps correlate network events that occurred at the same time.

Process Explorer

The Process Explorer display consists of two sub-windows.

Top window: shows a list of the currently active processes, including the names of their owning accounts.

Bottom window: the display depends on the mode Process Explorer is in. In Handle mode it shows the handles that the process selected in the top window has opened; in DLL mode it shows the DLLs and memory-mapped files that the process has loaded.

What is the normal parent process of services.exe?

wininit.exe

What is the name of the network utility tool introduced in this task?

tcpview

Endpoint Logging and Monitoring
