Using SysInternals for Host-Based Analysis

The Sysinternals website was created by Mark Russinovich to host advanced system utilities and
troubleshooting information. It contains information to manage, diagnose, troubleshoot, and
monitor a Microsoft Windows environment and also determine if there are malicious or suspicious
processes.

Also, Mark’s blog: https://blogs.technet.microsoft.com/markrussinovich/

A little outdated but still useful.

-------------------- -------------------- --------------------

The Assignment Activities

Note: You will need to run your computer/laptop as an administrator with full privileges in order to
execute these utilities.

Go to https://docs.microsoft.com/en-us/sysinternals/downloads/networking-utilities which lists

several networking utilities.

Important note: Keep in mind that many of these utilities tools are powerful. Do not run other
utilities outside of this lab without prior knowledge.

Part 1: TCPView

1. Download TCPView: https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview

TCPView shows processes, sockets and UDP/TCP endpoints on your system. Endpoints that change
state from one update to the next are highlighted in yellow; those that are deleted are shown in
red, and new endpoints are shown in green. TCPView is a live program (by default it refreshes once
per second). It shows you connections in real-time (unlike the command line Netstat function).

This tool can also be used to identity unauthorized and/or malicious connections, processes and
programs on your computer. It can also help you ‘clean house’ and get rid of unwanted programs
that may be slowing down your system. With TCPView, you can conduct a full audit of your
system’s connections.

2. You can flag by connection state in TCPView. Go to View/Connection States and select all
but one connection state (your choice).

Provide a screenprint showing your flagged connection states.

 Part 2: Process Explorer

1. Find Process Explorer and download it.

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Process Explorer can be used in incident response to explore for malware.

 The default tree view shows the hierarchical parent relationship between processes, and
displays using colors to easily understand processes at a glance.

1. New Objects (Bright Green) – When a new process shows up in Process Explorer, it
starts out as bright green.
2. Deleted Objects (Red) – When a process is killed or closes it will usually flash red right
before deleting.
3. Own Processes (Light Blueish) – Processes running as the same user account as Process
Explorer.
4. Services (Light Pink) – Windows Service processes, although it’s worth noting that they
might have child processes that are launched as a different user, and those might be a
different color.
5. Suspended Processes (Dark Gray) – When a process is suspended it can’t do anything.
You can easily use Process Explorer to suspend an application. Sometimes crashed apps
will briefly show up in gray while Windows is handling the crash.
6. Immersive Process (Bright Blue) – This is just a fancy way of saying that the process is a
Windows 8 application using the new APIs. In the screenshot earlier you might have
noticed WSHost.exe, which is a “Windows Store Host” process that runs Metro apps. For
some reason Explorer.exe and Task Manager will also show up as immersive.
7. Packed Images (Violet) – these processes might contain compressed code hidden inside
of them, or at least Process Explorer thinks that they do by using heuristics. If you see a
violet process, make sure to scan for malware!

Order is determined by importance: Suspended > Packed > Immersive > Services -> Own
Processes

https://docs.microsoft.com/en-us/sysinternals/

2. Provide a screen capture of the Process Explorer window running.

3. Go to Process/Properties.
 Take a screen capture of the Performance Graph tab.

4. Go to View/Select Columns. Select several columns of interest and provide a screenshot.

(You may have to deselect the default columns).

5. The following are indicators of normal processes (from Blue Team Handbook: Incident
Response Edition, Murdoch, D. 2016):
a. System: only one, no parent ID, runs as LocalSystem
b. Smss.exe: only one master instance, its parent is System, runs as LocalSystem, and
started right after System.
c. Wininit.exe, services.exe, lsm.exe, and WinLogon.exe: only one, not likely to have a
parent (smss creates it and then exists), runs as LocalSystem, started right after the
system startup time.
d. Taskhost.exe: multiple run by various users
e. Explorer.exe: One, started by each interactive user

6. For the above normal processes, verify that your machine is aligned with these and that
there are no indicators of an issue. Write 2-3 sentences about your findings.

7. The following are indicators of abnormal windows processes (from Blue Team Handbook:
Incident Response Edition, Murdoch, D. 2016):

a. No visible icon or description

b. No company name, misspelled company name, company spelled correctly but
improper case (for example Microsoft in upper case).
c. Software that resides in the Windows directory or its subdirectories
d. User looking processes that start from directories other than “Program Files”
e. Processes that “look like” they are native Microsoft, but not digitally signed (nearly
all Microsoft code is signed), are started from a non-standard directory, or slight
misspellings of the process name
f. Software with non valid URLs in their name
g. Open TCP or UDP endpoints which aren’t clearly attributable to a service
h. Packed or compressed files
 i. Pseudo random file names – it is unusual not to name the file something that makes
sense

8. For the above abnormal processes, verify that your machine does not have any indicators of
an issue. Write 2-3 sentences about your findings.