# Intro to Endpoint Security

## <mark style="color:red;">Endpoint Security Monitoring</mark>

### <mark style="color:orange;">Core Windows Processes</mark>

**Task Manager** allows users to see what is running on a Windows system and provides information on resource usage, such as how much CPU and memory each running process consumes. Task Manager is also used to terminate a program's process when it stops responding.

Running processes that are considered normal behavior:

* System
* System > smss.exe
* csrss.exe
* wininit.exe
* wininit.exe > services.exe
* wininit.exe > services.exe > svchost.exe
* lsass.exe
* winlogon.exe
* explorer.exe

Note: the "**>**" symbol represents a parent-child relationship.

Processes with no depiction of a parent-child relationship should not have a Parent Process under normal circumstances, except for the System process, which should only have System Idle Process (0) as its parent process.
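The baseline above can be checked programmatically. The following is an added example (not part of the original page): it takes a process snapshot of the kind Task Manager or Process Explorer shows (PID, parent PID, image name), resolves each core process's live parent, and reports any that deviate from the expected tree. The snapshot is constructed for illustration. One detail goes slightly beyond the text: the script treats a parent PID that no longer maps to a live process as "no parent", which is how Process Explorer ends up displaying csrss.exe, winlogon.exe and explorer.exe at the top level, and it records wininit.exe as the expected parent of lsass.exe, which is the relationship Windows actually creates.

```python
"""Compare a process snapshot against the expected core Windows process tree.

Added example. SNAPSHOT below is CONSTRUCTED to resemble a Task Manager /
Process Explorer view; it was not captured from a real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Allowed parent image names for each core process (image names compared
# case-insensitively, as Windows does). An empty set means the process is
# expected to have no live parent: its creator has already exited, so the
# process appears at the top level of the tree. lsass.exe is listed under
# wininit.exe because that is the process Windows starts it from.
BASELINE = {
    "system": {"system idle process"},
    "smss.exe": {"system"},
    "csrss.exe": set(),
    "wininit.exe": set(),
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "winlogon.exe": set(),
    "explorer.exe": set(),
}

# Constructed snapshot: the first ten entries follow the expected tree, the
# last two do not (an svchost.exe started by explorer.exe, and a
# services.exe whose parent is that svchost.exe instead of wininit.exe).
SNAPSHOT = [
    Proc(0, 0, "System Idle Process"),
    Proc(4, 0, "System"),
    Proc(392, 4, "smss.exe"),
    Proc(520, 500, "csrss.exe"),       # PID 500 (a session smss.exe) has exited
    Proc(600, 500, "wininit.exe"),
    Proc(700, 600, "services.exe"),
    Proc(712, 600, "lsass.exe"),
    Proc(820, 700, "svchost.exe"),
    Proc(640, 500, "winlogon.exe"),
    Proc(3100, 2990, "explorer.exe"),  # PID 2990 (userinit) has exited
    Proc(4200, 3100, "svchost.exe"),   # deviation: parent is explorer.exe
    Proc(4300, 4200, "services.exe"),  # deviation: parent is svchost.exe
]


def live_parent_name(proc, by_pid):
    """Return the image name of the process's parent, or None if the parent
    PID does not map to a running process (the creator has exited)."""
    parent = by_pid.get(proc.ppid)
    return parent.name if parent is not None else None


def check_parents(snapshot):
    """Return (pid, name, parent_name) for every core process whose live
    parent does not match the baseline. Non-core processes are ignored."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        allowed = BASELINE.get(p.name.lower())
        if allowed is None:
            continue  # not a process this baseline covers
        parent_name = live_parent_name(p, by_pid)
        if parent_name is None:
            ok = not allowed  # expected to have no live parent
        else:
            ok = parent_name.lower() in allowed
        if not ok:
            findings.append((p.pid, p.name, parent_name))
    return findings


if __name__ == "__main__":
    for pid, name, parent in check_parents(SNAPSHOT):
        print(f"PID {pid} {name}: unexpected parent {parent}")
```

The check compares image names only; it does not catch a PID that was reused after the real parent exited, nor a look-alike process running from the wrong path, so in practice it is combined with the path and signature columns Process Explorer shows.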

### <mark style="color:orange;">Sysinternals</mark>

**Sysinternals** is a suite of more than 70 Windows-based tools. Each tool falls into one of the following categories:

* File and Disk Utilities
* Networking Utilities
* Process Utilities
* Security Utilities
* System Information
* Miscellaneous

Two of the most used Sysinternals tools for endpoint investigation:

* TCPView - Networking Utility tool.
* Process Explorer - Process Utility tool.

### <mark style="color:orange;">TCPView</mark>

**TCPView** is a Windows program that shows a detailed listing of all TCP and UDP endpoints on the system, including local and remote addresses and the state of each TCP connection. It presents a more conveniently laid-out subset of what the **Netstat** program reports. The TCPView download also includes **Tcpvcon**, a command-line version with the same functionality.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FfAb1CuXSHL2JRZ8VMSl7%2Fimage.png?alt=media&#x26;token=fbaa93d7-2528-48e6-9f7f-2a113eb4f45d" alt=""><figcaption><p>TCPView </p></figcaption></figure>

Every connection initiated by a process is listed by the tool, which helps correlate network events with the processes running at the same time.
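To show what that correlation looks like in practice, here is an added example (not code from the page or from Sysinternals): it parses connection lines in the format `netstat -ano` prints, joins each PID to a process table, and attaches the owning process and its parent chain, which is the per-process view TCPView gives. Both the connection listing and the process table are constructed for illustration; the addresses use documentation ranges.

```python
"""Join netstat-style connection lines to their owning processes.

Added example. NETSTAT_SAMPLE and PROCESSES are CONSTRUCTED for illustration
and were not captured from a real host.
"""

# Constructed listing in the column layout of `netstat -ano`. Note that UDP
# lines have no State column, so they carry one field fewer.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     3100
  TCP    10.0.0.5:49801         198.51.100.7:8443      ESTABLISHED     4200
  UDP    0.0.0.0:123            *:*                                    820
"""

# Constructed process table: pid -> (image name, parent pid).
PROCESSES = {
    4: ("System", 0),
    392: ("smss.exe", 4),
    600: ("wininit.exe", 500),
    700: ("services.exe", 600),
    820: ("svchost.exe", 700),
    3100: ("explorer.exe", 2990),
    4200: ("svchost.exe", 3100),
}


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""  # UDP is connectionless; netstat prints no state
        else:
            continue  # unexpected column count, leave it out rather than guess
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "pid": int(pid)})
    return conns


def process_chain(pid, procs):
    """Walk parent links upward and render 'ancestor > ... > process'.
    Stops at a PID that is not in the table (parent exited) or on a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return " > ".join(reversed(chain))


def correlate(conns, procs):
    """Attach owning process name and parent chain to each connection."""
    out = []
    for c in conns:
        name, _ = procs.get(c["pid"], ("<unknown pid>", None))
        out.append({**c, "process": name, "chain": process_chain(c["pid"], procs)})
    return out


if __name__ == "__main__":
    for c in correlate(parse_netstat(NETSTAT_SAMPLE), PROCESSES):
        print(f'{c["proto"]:<4} {c["local"]:<22} {c["remote"]:<22} '
              f'{c["state"]:<12} {c["chain"]}')
```

The chain column is what turns a bare PID into something an analyst can reason about: the same image name (svchost.exe here) reads very differently under services.exe than under explorer.exe, which is exactly the parent-child baseline from the previous section applied to network activity.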

### <mark style="color:orange;">Process Explorer</mark>

The Process Explorer display has two sub-windows.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FpB5zKd7Ae1YBQpYDOWYp%2Fimage.png?alt=media&#x26;token=e491ae91-7b14-4cdd-8b96-df9394aed4da" alt=""><figcaption><p>Process Explorer</p></figcaption></figure>

<mark style="color:yellow;">**Top Window**</mark>: Shows the list of currently active processes with the names of the owning accounts.

<mark style="color:yellow;">**Bottom Window**</mark>: Its display depends on the mode Process Explorer is in. <mark style="color:purple;">**Handle mode**</mark> displays the handles that the process selected in the top window has open. <mark style="color:green;">**DLL mode**</mark> shows the DLLs and memory-mapped files that the process has loaded.

***What is the normal parent process of services.exe?***

wininit.exe

***What is the name of the network utility tool introduced in this task?***

tcpview

## <mark style="color:red;">Endpoint Logging and Monitoring</mark>

