InfoAcademy Cisco Networking Academy www.infoacademy.net

CyberOps – Lab 2 Explore Windows

Explore Apps and Processes

Launch the Windows Task Manager by right-clicking the Task bar and selecting Task Manager. Alternate ways of launching the Task Manager include using Ctrl-Alt-Delete to bring up the Windows Security screen and selecting Start Task Manager, or running the taskmgr command either from a command prompt or from the search input field in the Windows Start menu.

The processes displayed are grouped into three categories:

• Apps: These are programs that you interact with on the desktop. Apps are the reason that people use personal computers. Browsers, word processors, email clients, music managers, and games are all applications.
• Background processes: Processes that are executing in the background. They do not have a desktop .
• Windows processes: Windows services. They also run in the background. They are handled a little differently than the other background processes. Windows services will be explored in a later section of this lab exercise.

Launch a command prompt window. In the command prompt window, execute the ftp speedtest.tele2.net command.

When prompted for credentials, use anonymous as the username. Any password will be accepted. Minimize the command prompt window with the FTP connection active (ftp specific commands are out-of-scope for this lab).

Launch the Chrome web browser. Open your favorite search engine and minimize the window.

The Sysinternals suite is available on the D: drive. Launch procexp.exe to start Process Explorer.

The initial display is pretty busy. Minimize the tree of processes that are displayed under wininit.exe to make the display easier to handle.


Examine the process hierarchy. Where Task Manager grouped processes by category (App, Background Process, Windows Process), Process Explorer displays the parent/child relationships.

For example, explorer.exe is the process that provides the Windows desktop. All the applications that you launched on the Windows desktop, including the Process Explorer itself, are children of the explorer.exe process. Also, find cmd.exe under the explorer.exe process, which is the command prompt window that you launched. Note that this process has children: conhost.exe and ftp.exe. You can expect conhost.exe as a child of cmd.exe under Windows 10. The ftp.exe process is associated with the ftp command that you launched under the command prompt window.

Note that a process depends on its parent. Demonstrate this by right-clicking the parent chrome.exe process and selecting Kill Process. Click OK to confirm the action. The parent chrome process and all of its child chrome processes are terminated.

While the Process Explorer is executing, look at one feature of particular interest to the security analyst. Imagine that you were surprised to see the conhost.exe process as a child of cmd.exe. If you have any reason to believe that a process is suspect, you can submit the details to VirusTotal.com. Select the conhost.exe process, right-click, and select Check VirusTotal. You will see the hash that is submitted in the VirusTotal column. This should quickly change to a pair of numbers that are separated by a slash. The second number is the quantity of antivirus databases that were consulted; the first number is the number of those databases that indicate malicious content in the executable. This VirusTotal rating is a hyperlink. Click the link to see the full report on VirusTotal.com.


Explore the Registry Database

The Windows registry is a database that stores a wide variety of configuration settings. Most of the Windows operating system and desktop environment configuration settings are stored in the registry. Many of the options that are exposed in the registry are not manageable anywhere else in Windows. Third-party programs can also use the registry to store their settings. The registry is not the only location where configuration settings can be stored. Sometimes settings are stored in configuration files, and sometimes Windows Group Policy Objects are involved.

To begin your exploration of the Windows registry, launch regedit.exe from the search field on the Windows Start menu.

Five structures called hives are at the top level of the Windows registry. Examine the hives that are displayed in the Registry Editor window.

Note the following:

• HKEY_CLASSES_ROOT: Stores data that is used by programs for file association and for sharing information.
• HKEY_CURRENT_USER: Stores settings and configuration that are associated with the current user.
• HKEY_LOCAL_MACHINE: Stores system-related information.
• HKEY_USERS: Stores settings and configuration for all users on the computer. Data from this hive is copied to HKEY_CURRENT_USER when the user logs in.
• HKEY_CURRENT_CONFIG: Stores hardware information about the PC’s resources and configuration.

Registry keys are stored in the hives. Keys can have sub-keys, which facilitate a tree structure for each hive. Keys store values, and every value has a name and an associated datum. Keys must contain at least one value, so the closest thing to an empty key that you will see is a key with a value that is named (Default) and a value that is not set.

Navigate to HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer and find the key that is named EulaAccepted.

Note the following:

• On first run, the user must accept the End User License Agreement (EULA).
• The value of 1 for this key indicates that the EULA was accepted.

Select the EulaAccepted registry key and select Modify. Change the Value data field to 0 and click OK. Value 0 indicates that the EULA was not accepted. You should be challenged the next time that you launch the Process Explorer.

Launch procexp.exe again. Click Agree to accept the EULA. The Process Explorer will then start.

Return to the registry editor. Select View > Refresh. Verify that the value of the EulaAccepted key has returned to 1.

For a quick example of a registry hack, follow this process to add Open In Notepad to the context menu of the Windows File Explorer:

1. Navigate to HKEY_CLASSES_ROOT\*\shell.
2. Create a new key under the Shell key. Right-click Shell and select New > Key.
3. Set the key name to Open In Notepad.
4. Create a new key under the Open In Notepad key. Right-click Open In Notepad and select New > Key.
5. Set the key name to command.
6. Select the (Default) value in the command key and select Modify.
7. Enter notepad.exe %1 in the Value data field and click OK.


Verify the registry hack. Bring the Windows File Explorer to the foreground. Assuming that you are in the SysinternalsSuite folder, you should be able to find the PORTMON.HLP file. Select it, right-click, and select the new Open In Notepad option from the context menu.

Notepad cannot display all the data in this file. Much of it is binary and non-printable. But this is enough to demonstrate the context menu modification. Close the Notepad window.

Explore Windows Services

A service is a type of process that runs in the background under the control of the Windows Service Control Manager (SCM). The SCM provides an API to control the execution of services. Services run outside of the context of currently logged in users. Services can run even when no users are logged on. They can be configured to start automatically when the computer boots, launch automatically in response to certain events, or start and stop manually. Services can be grouped, and dependence relationships can be defined that control the order of service execution. The list of services on a Windows system is maintained in the registry under HKLM\System\CurrentControlSet\Services.

The most common way of examining Windows service definitions and status is through the services console. There are different ways of launching the services console, and it is embedded in other interfaces such as the Computer Management tool. For this step, launch the services console simply by entering services in the search field of the Windows Start menu. Examine the information presented.


Note the following:

• Each service has a name and a description. Depending on your technical expertise, some names may be enough to explain what the service does, such as DHCP Client and DNS Client. In any case, if you select a service in the Services console, the description of the service will be displayed to the left of the table.
• Not all services are running.
• Services can be configured for automatic startup at system boot time. They can also be configured for manual startup or disabled.
• Services do not run under the local user account. In fact, many services launch automatically before any user can log in. The account that a service runs under is displayed in the Log On As column.

Return to the Process Explorer window. Early in the lab, you minimized the process tree under wininit.exe in Process Explorer.

During the boot process, wininit.exe is responsible for:

• Loading hardware drivers
• Launching services.exe, which is then responsible for launching the Windows services that are configured to launch at startup
• Launching lsass.exe, which stands for Local Security Authority Subsystem Service, and is responsible for authenticating users and managing access permissions

In Process Explorer, expand wininit.exe and verify that there are only two direct child processes: services.exe and lsass.exe.


The services.exe process is responsible for launching all services. Expand services.exe to expose all its child processes. Examine the list.


Note the following:

• The most direct way of recognizing whether a process is a service or just a standard background process is to see if the process is a child of services.exe. If it is a child of services.exe, it is a service.
• Most of the processes are running under an instantiation of svchost.exe. This binary is executed with the -k flag, specifying the service that is hosted. Sometimes multiple related services will be launched together and hosted by the same svchost.exe image.
• It is normal to see many instances of svchost.exe as children of services.exe. Any instance of svchost.exe which has a parent process other than services.exe is highly suspicious. Also, any process with a name that tries to mimic svchost.exe, such as svch0st.exe, is highly suspicious.

Process Explorer makes it very easy to see which services are hosted in an instance of svchost.exe. Simply hover the mouse pointer over an svchost.exe entry and a pop-up window will show the details.

In the example, the svchost.exe was launched with -k DcomLaunch as an argument.
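The two checks described above (wininit.exe should have exactly services.exe and lsass.exe as direct children, and svchost.exe should only ever be a child of services.exe or carry a name that mimics it) can be expressed as simple rules over a process snapshot. The following is an added example, not part of the lab or of the Sysinternals tools; it works over a constructed (pid, parent pid, image name) list rather than a live Process Explorer view, and the pids and the svch0st.exe entry are illustrative.

```python
"""Process-tree sanity checks from the lab, applied to a constructed snapshot."""
from collections import defaultdict

# Constructed snapshot: (pid, parent pid, image name). The pids are made up and
# two deliberately suspicious rows are included so the rules have something to flag.
SNAPSHOT = [
    (4, 0, "System"),
    (500, 4, "wininit.exe"),
    (600, 500, "services.exe"),
    (620, 500, "lsass.exe"),
    (700, 600, "svchost.exe"),     # normal: hosted service under services.exe
    (710, 600, "svchost.exe"),
    (1200, 4, "explorer.exe"),
    (1300, 1200, "cmd.exe"),
    (1310, 1300, "conhost.exe"),
    (1320, 1300, "ftp.exe"),
    (1400, 1200, "svchost.exe"),   # suspicious: svchost.exe parented by explorer.exe
    (1500, 600, "svch0st.exe"),    # suspicious: digit zero mimicking svchost.exe
]

# Characters commonly swapped in to mimic a legitimate image name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def build_index(snapshot):
    """Return (name_by_pid, children_by_pid) for parent/child lookups."""
    name_by_pid = {pid: name for pid, _, name in snapshot}
    children = defaultdict(list)
    for pid, ppid, _ in snapshot:
        children[ppid].append(pid)
    return name_by_pid, children


def wininit_children(snapshot):
    """Sorted image names of the direct children of wininit.exe."""
    name_by_pid, children = build_index(snapshot)
    wininit = [pid for pid, name in name_by_pid.items() if name.lower() == "wininit.exe"]
    return sorted(name_by_pid[c].lower() for w in wininit for c in children[w])


def levenshtein(a, b):
    """Plain edit distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_svchost(name):
    """True when the name is not svchost.exe but is within one edit or a
    homoglyph substitution of it (e.g. svch0st.exe)."""
    n = name.lower()
    if n == "svchost.exe":
        return False
    return n.translate(HOMOGLYPHS) == "svchost.exe" or levenshtein(n, "svchost.exe") <= 1


def svchost_findings(snapshot):
    """Apply the lab's two rules and return (pid, reason) tuples in snapshot order."""
    name_by_pid, _ = build_index(snapshot)
    findings = []
    for pid, ppid, name in snapshot:
        parent = name_by_pid.get(ppid, "<none>").lower()
        if name.lower() == "svchost.exe" and parent != "services.exe":
            findings.append((pid, f"svchost.exe parented by {parent}"))
        elif looks_like_svchost(name):
            findings.append((pid, f"name {name} mimics svchost.exe"))
    return findings


if __name__ == "__main__":
    print("wininit.exe children:", wininit_children(SNAPSHOT))
    for pid, reason in svchost_findings(SNAPSHOT):
        print(f"PID {pid}: {reason}")
```

On a real system the snapshot would come from the process list rather than a literal; the rules themselves are the ones the lab states, so a process that is flagged here is exactly one you would investigate in Process Explorer and, if warranted, submit to VirusTotal as shown earlier.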

Explore Windows Users, Groups, and Permissions

Windows supports the concepts of users and groups. Permissions controlling access can be set up based on user ID and group membership. This type of access control is very important in enterprise environments, especially when considering resources that are shared on the network. Commonly in the enterprise environment, users and group policies are centrally managed via Active Directory.

The concept of Microsoft Accounts was introduced with Windows 8. With a Microsoft account, settings can be stored in the cloud and synchronized on multiple computers. In this section of the lab exercise, we are looking only at local accounts. The cleanest way to look at them is to launch the Local Users and Groups management console by entering lusrmgr.msc in the Windows Start menu search field. Do this now.

Select the Users folder to display the users that are defined on the PC.

The account Admin was created after initial bootup of this Windows system. The PC has been configured to auto-login to this account. To view the groups to which the admin user belongs, right-click Admin and select Properties, then select the Member Of tab on the admin Properties window.

Create a new user account via net user from an elevated command prompt (Start -> cmd -> right-click -> Run as Administrator):

Refresh the Local User console to display the newly created user:


Repeat the process to view the groups to which the TestUser user belongs.

Log off from the Admin account and log on as TestUser (this is to allow specific directories and registry keys to be created in C:\Users). Log off from TestUser and log on as Admin.

In the Windows File Explorer, navigate to Local Disk (C:) > Users. Attempt to access the TestUser directory with a double-click. The system will respond with a pop-up message explaining that you do not currently have permission to access this folder.

The user Admin is in the Administrators group. This group has superuser privileges, much like the root account on Linux. It has the ability to change permissions. The pop-up window is offering the option to grant yourself privileges. Note that the Continue button includes a shield icon, indicating that the option would only be available to users with administrator privileges. Click Continue.


Explore Windows Network Activity from the CLI

The netstat command is useful to list open ports and ports that are involved in current connections. Open a Command Prompt window and enter the netstat -a command to view all listening and connected ports.

The output of the netstat command is valuable, but the -a argument can make the amount of output overwhelming. Piping the output through the find filter can be useful to display only lines containing a particular string. Enter netstat -a | find "EST" to give it a try.


An Internet-connected live PC environment is very dynamic. You may have more established connections than are listed in the example.

With the -o argument, netstat will include the ID of the process that is using a particular port.

It’s also important to be able to map process IDs to running processes. The tasklist command displays all running processes along with their process ID.
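The manual workflow above (netstat -a -o to get PIDs, find to keep only established connections, tasklist to map each PID back to an image name) can be automated by parsing the two outputs and joining them on the PID column. The following is an added example and not part of the lab; the netstat and tasklist text embedded in it is constructed to match the column layout of those commands, with 203.0.113.x documentation addresses standing in for real remote hosts and made-up PIDs.

```python
"""Join netstat -ano rows to tasklist image names by PID (constructed sample output)."""
import re

# Constructed sample of `netstat -ano` output; addresses and PIDs are illustrative.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.56.10:49712    203.0.113.5:21         ESTABLISHED     3344
  TCP    192.168.56.10:49720    203.0.113.9:443        ESTABLISHED     2760
  UDP    0.0.0.0:5353           *:*                                    1580
"""

# Constructed sample of `tasklist` output with the same PIDs.
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        148 K
svchost.exe                    912 Services                   0      9,104 K
svchost.exe                   1580 Services                   0      7,220 K
chrome.exe                    2760 Console                    1    112,380 K
ftp.exe                       3344 Console                    1      4,512 K
"""


def parse_netstat(text):
    """Return one dict per socket row. TCP rows carry a State column; UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""  # UDP has no connection state, matching the blank column
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


# Image name is padded with spaces, so anchor on the PID / session / memory columns.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Map PID -> image name from tasklist output; header and separator lines do not match."""
    by_pid = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            by_pid[int(m.group("pid"))] = m.group("image")
    return by_pid


def connections_with_process(netstat_text, tasklist_text, state="ESTABLISHED"):
    """Rows in the requested state, each extended with the owning image name.
    Equivalent to `netstat -a -o | find "EST"` followed by a tasklist lookup."""
    images = parse_tasklist(tasklist_text)
    return [(r["proto"], r["local"], r["remote"], r["pid"], images.get(r["pid"], "<unknown>"))
            for r in parse_netstat(netstat_text) if r["state"] == state]


if __name__ == "__main__":
    for proto, local, remote, pid, image in connections_with_process(NETSTAT_ANO, TASKLIST):
        print(f"{proto:4} {local:24} {remote:24} {pid:6} {image}")
```

Feeding real output into these functions is a matter of replacing the two constants with the captured text; a remote address that maps to an image you did not expect (or to `<unknown>`, meaning the process exited between the two commands) is the line to look at more closely.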


Explore Windows Network Activity from the GUI

TCPview is a very effective tool for real time monitoring of network connectivity on Windows systems. Like the Process Explorer, TCPview is a component of the Sysinternals Suite.

Double-click Tcpview.exe to launch TCPview. The TCPview window displays all listening network ports and all active network connections. The data is well organized in a tabular form.

You can sort by any column in the TCPview table. Sort by the State column to group the TCP listening ports and TCP established connections. UDP ports that are open for connectivity have a blank state value and are also grouped. Other interesting ways to sort include the Remote Address, the Remote Port, and the Local Port.

Open the Firefox browser. Sort the TCPview table by the Process column. Find the firefox.exe entries.

A useful feature of TCPview is that you can do a whois lookup by right-clicking any active session to help confirm who the remote address belongs to. As connections are starting up, they are colored green. As they are terminating, they are colored red.
