Malware can sometimes hide itself or impersonate common Windows processes. These are some of my notes on how to differentiate between real and fake.
Checklist:
- What is the expected parent process?
- Is it running on the expected path?
- Is it spelled correctly?
- Is it running under the correct SID?
- Is it signed by an authorized source?
- Is it running from a temp or strange location?
- Does it have a digital signature?
Below are some of the most common Windows processes that should be examined when malware is suspected:
SMSS.exe
Session Manager — Creates new sessions, loads registry and DLLs into memory locations.
- session 0 starts csrss.exe and wininit.exe
- session 1 starts csrss.exe and winlogon.exe
- will self-terminate
- Executable Path: %SystemRoot%\System32\smss.exe
- Parent Process: System
- Username: NT Authority\System (S-1-5-18)
- Time of Execution: for session 0 it will execute within seconds of boot time
Only 1 instance of smss.exe should be running
CSRSS.exe
Client/Server Runtime Subsystem Process — Manages processes and threads, makes the Windows API available to other processes, maps drives, creates temp files, and handles process shutdown.
- Runs both in session 0 and 1
- For each session there is a new csrss.exe
- Executable Path: %SystemRoot%\system32\csrss.exe
- Parent Process: Created by a child instance of smss.exe, BUT since that smss.exe instance self-terminates, it technically has no living parent process
- Username: NT Authority\System (S-1-5-18)
- Time of Execution: For sessions 0 and 1, they execute at boot time
Typically there are only two instances of csrss.exe
WINLOGON.exe
Windows Logon Process — Responsible for user logons/logoffs. Launches LOGONUI.exe to collect login credentials and sends them to lsass.exe, which verifies them against AD or the local SAM. Then it launches userinit.exe, which is specified in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Executable Path: %SystemRoot%\system32\winlogon.exe
- Parent Process: Child instance of smss.exe, which self-terminates, so it has no living parent process
- Username: NT Authority\System (S-1-5-18)
- Time of Execution: For session 1, within seconds of boot time, other instances may appear later on
Abuse may come from different components of the login process. Malware may abuse the SHELL registry value under that Winlogon key; the SHELL value should be explorer.exe.
WININIT.exe
Windows Initialization Process — Launches services.exe, lsass.exe, and lsm.exe in session 0.
- Executable Path: %SystemRoot%\system32\wininit.exe
- Parent Process: Created by smss.exe, which then self-terminates
- Username: NT Authority\System (S-1-5-18)
- Time of Execution: Within seconds of boot time
There should only be one instance of this
LSM.exe
Local Session Manager — Works with smss.exe to create, destroy, or manipulate user sessions. Responsible for logon/logoff, shell start/end, and desktop lock/unlock. After Win7, lsm.exe was turned into a service, lsm.dll.
- Executable Path: %SystemRoot%\system32\lsm.exe
- Parent Process: wininit.exe
- Username: NT Authority\System (S-1-5-18)
- Time of Execution: Within seconds of boot time
There should only be one instance in Win7. You should not see lsm.exe in Win8, only lsm.dll
SERVICES.exe
Services Control Manager — Responsible for loading services (auto-start) and device drivers into memory
- Parent process to svchost.exe, dllhost.exe, taskhost.exe, and spoolsv.exe
- Services are defined in HKLM\System\CurrentControlSet\Services
- After a successful interactive login, services.exe will back up a copy of the registry keys to HKLM\System\Select\LastKnownGood
- Executable Path: %SystemRoot%\system32\services.exe
- Parent Process: wininit.exe
- Username: NT Authority\System (S-1-5-18)
- Time of Execution: within seconds of boot time
There should only be one instance
LSASS.exe
Local Security Authority Subsystem — Responsible for user authentication and generating access tokens specifying security policies and/or restrictions for the user and the processes spawned in the user session.
- Uses authentication packages within HKLM\System\CurrentControlSet\Control\LSA
- Writes to security event log
- Executable Path: %SystemRoot%\system32\lsass.exe
- Parent Process: wininit.exe
- Username: NT Authority\System (S-1-5-18)
- Time of Execution: within seconds of boot time
There should only be one instance
SVCHOST.exe
Generic Service Host Process — Responsible for hosting multiple service DLLs inside one generic shared service process.
- Each service has registry entries that include a ServiceDLL value
- Multiple instances of svchost.exe will be running. Each service entry will also include svchost.exe -k followed by a service group name
- Executable Path: %SystemRoot%\system32\svchost.exe
- Parent Process: services.exe
- Username: NT Authority\System (S-1-5-18), LOCAL SERVICE (S-1-5-19), or NETWORK SERVICE (S-1-5-20)
- Time of Execution: varies
If any instance is not using the -k flag, that is a red flag
TASKHOST.exe
Generic Host Process — Acts as a host for processes that run from DLLs rather than .exes. This process is also called taskhostex.exe (Win8) or taskhostw.exe (Win10).
- Executable Path: %SystemRoot%\system32\taskhost.exe
- Parent Process: services.exe
- Username: varies
- Time of Execution: varies
EXPLORER.exe
Windows Explorer — Responsible for the user’s desktop and everything that comes with it, including access to files and launching files via their file extensions.
- Only one process per user will be spawned
- Executable Path: %SystemRoot%\system32\explorer.exe
- Parent Process: userinit.exe, which self-terminates
- Username: name of logged in user
- Time of Execution: varies
Look for instances where explorer.exe spawns cmd.exe or is listening on or connected to a network port
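Pulling the checklist at the top and the per-process baselines above into one script, as an added example that is not part of these notes: it walks a process snapshot (constructed here; on a live host you would feed it the output of tasklist /v, Get-CimInstance Win32_Process or an EDR/Sysmon export) and emits a finding code for each deviation: look-alike name, temp/AppData location, unexpected path, parent, user SID, instance count, signer, svchost.exe without -k, and explorer.exe spawning cmd.exe or holding a network socket. The baseline goes slightly beyond the notes: it lists explorer.exe at %SystemRoot%\explorer.exe, where Windows actually installs it, and accepts taskhostw.exe alongside taskhost.exe. The record field names, the "Microsoft Windows" signer string and the user SID are assumptions.

```python
"""Triage a Windows process snapshot against the parent/path/user/count baseline in the
notes above. Added example, not part of the notes; snapshot constructed, %SystemRoot% assumed C:\\Windows."""
from collections import Counter

SYSTEM_SID = "S-1-5-18"
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
SYS32 = r"c:\windows\system32"
TEMPISH = ("\\temp\\", "\\appdata\\", "\\users\\public\\")  # core binaries never run from here

# parent: expected live parent, or None when the creator (a child instance of smss.exe, or
# userinit.exe) has already exited; path: expected location (lowercase);
# sids: allowed user SIDs (None = varies); max: expected instance cap (None = any)
BASELINE = {
    "smss.exe":      dict(parent="system",       path=SYS32 + r"\smss.exe",      sids={SYSTEM_SID}, max=1),
    "csrss.exe":     dict(parent=None,           path=SYS32 + r"\csrss.exe",     sids={SYSTEM_SID}, max=2),
    "wininit.exe":   dict(parent=None,           path=SYS32 + r"\wininit.exe",   sids={SYSTEM_SID}, max=1),
    "winlogon.exe":  dict(parent=None,           path=SYS32 + r"\winlogon.exe",  sids={SYSTEM_SID}, max=None),
    "services.exe":  dict(parent="wininit.exe",  path=SYS32 + r"\services.exe",  sids={SYSTEM_SID}, max=1),
    "lsass.exe":     dict(parent="wininit.exe",  path=SYS32 + r"\lsass.exe",     sids={SYSTEM_SID}, max=1),
    "svchost.exe":   dict(parent="services.exe", path=SYS32 + r"\svchost.exe",   sids=SERVICE_SIDS, max=None),
    "taskhost.exe":  dict(parent="services.exe", path=SYS32 + r"\taskhost.exe",  sids=None, max=None),
    "taskhostw.exe": dict(parent="services.exe", path=SYS32 + r"\taskhostw.exe", sids=None, max=None),
    "explorer.exe":  dict(parent=None, path=r"c:\windows\explorer.exe", sids=None, max=None),  # lives in %SystemRoot%, not System32
}

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches svch0st.exe-style look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(snapshot):
    """Return {pid: [finding codes]} for every process that deviates from BASELINE."""
    by_pid = {p["pid"]: p for p in snapshot}
    counts = Counter(p["name"].lower() for p in snapshot)
    findings = {}

    def flag(p, code):
        findings.setdefault(p["pid"], []).append(code)

    for p in snapshot:
        name, path = p["name"].lower(), p["path"].lower()
        parent = by_pid.get(p["ppid"])
        if any(seg in path for seg in TEMPISH):
            flag(p, "suspicious-location")
        if name not in BASELINE:
            for real in BASELINE:  # not a core process: does its name mimic one?
                if edit_distance(name, real) == 1:
                    flag(p, "lookalike-name:" + real)
            continue
        rule = BASELINE[name]
        if path != rule["path"]:
            flag(p, "unexpected-path")
        if rule["parent"] is None and parent is not None:
            flag(p, "parent-should-have-exited")  # PID reuse can cause this: review, not proof
        elif rule["parent"] and (parent is None or parent["name"].lower() != rule["parent"]):
            flag(p, "unexpected-parent")
        if rule["sids"] and p["sid"] not in rule["sids"]:
            flag(p, "unexpected-user")
        if rule["max"] and counts[name] > rule["max"]:
            flag(p, "too-many-instances")
        if p["signer"] != "Microsoft Windows":
            flag(p, "not-microsoft-signed")
        if name == "svchost.exe" and "-k" not in p["cmdline"].split():
            flag(p, "svchost-missing-k")
        if name == "explorer.exe":
            if p["listening"]:
                flag(p, "explorer-listening")
            if any(c["ppid"] == p["pid"] and c["name"].lower() == "cmd.exe" for c in snapshot):
                flag(p, "explorer-spawned-cmd")
    return findings

def proc(pid, ppid, name, path, sid, cmdline, signer="Microsoft Windows", listening=False):
    return dict(pid=pid, ppid=ppid, name=name, path=path, sid=sid, cmdline=cmdline, signer=signer, listening=listening)

USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed user SID
S32 = r"C:\Windows\System32"
# Constructed snapshot: a normal boot chain plus three deliberately bad entries.
# PIDs 444/528/1380 are the already-exited smss.exe children and userinit.exe.
SNAPSHOT = [
    proc(4,    0,    "System",       "",                         SYSTEM_SID, ""),
    proc(368,  4,    "smss.exe",     S32 + r"\smss.exe",         SYSTEM_SID, r"\SystemRoot\System32\smss.exe"),
    proc(472,  444,  "csrss.exe",    S32 + r"\csrss.exe",        SYSTEM_SID, "csrss.exe"),
    proc(536,  444,  "wininit.exe",  S32 + r"\wininit.exe",      SYSTEM_SID, "wininit.exe"),
    proc(544,  528,  "csrss.exe",    S32 + r"\csrss.exe",        SYSTEM_SID, "csrss.exe"),
    proc(600,  528,  "winlogon.exe", S32 + r"\winlogon.exe",     SYSTEM_SID, "winlogon.exe"),
    proc(660,  536,  "services.exe", S32 + r"\services.exe",     SYSTEM_SID, "services.exe"),
    proc(676,  536,  "lsass.exe",    S32 + r"\lsass.exe",        SYSTEM_SID, "lsass.exe"),
    proc(780,  660,  "svchost.exe",  S32 + r"\svchost.exe",      SYSTEM_SID, "svchost.exe -k DcomLaunch"),
    proc(820,  660,  "svchost.exe",  S32 + r"\svchost.exe",      "S-1-5-20", "svchost.exe -k NetworkService"),
    proc(1400, 1380, "explorer.exe", r"C:\Windows\explorer.exe", USER_SID,   "explorer.exe"),
    proc(2400, 1400, "cmd.exe",      S32 + r"\cmd.exe",          USER_SID,   "cmd.exe"),
    proc(2044, 1400, "svch0st.exe",  r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", USER_SID, "svch0st.exe", signer=None),  # bad: look-alike, temp, unsigned
    proc(2100, 1400, "svchost.exe",  S32 + r"\svchost.exe",      USER_SID,   "svchost.exe"),  # bad: parent, user, no -k
    proc(2300, 1400, "lsass.exe",    r"C:\Windows\Temp\lsass.exe", USER_SID, "lsass.exe", signer=None),  # bad: second lsass
]

if __name__ == "__main__":
    for pid, codes in sorted(triage(SNAPSHOT).items()):
        print(pid, ", ".join(codes))
```

Note that the genuine lsass.exe (PID 676) is also reported, with only too-many-instances: a count check cannot tell which of two copies is real, and it is the path, parent, user and signer checks that single out the impostor. The parent-should-have-exited code is deliberately soft, since a PID belonging to a long-gone smss.exe child can be reused by an unrelated process.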