Module 04

Sysinternals Suite

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Program

▪ What is System Process

▪ Sysinternals

▪ PeStudio

▪ Windows Registry

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Learning Objectives

▪ You will be able to describe what is process

▪ You will be able to investigate suspicious processes with

Sysinternals

▪ You will be able to understand how registry works

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Sysinternals Suite

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What are Sysinternals?

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Using Sysinternals to analyze Windows host

• Created by Mark Russinovich in 1996

• Free advanced system utility toolkit for Windows

• Manage, troubleshoot, diagnose.

• Click on the below link to download the tools suite

https://download.sysinternals.com/files/SysinternalsSuite.zip

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What is System Process?

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 System Process

● The process is responsible for activating applications in the

operating system.

● These can be divided into three categories:

• Applications
• Background processes
• OS processes

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 System Process

• Applications – The user can see them; these can be OS applications such as Word or
PowerPoint or third-party applications that we downloaded.
• Background processes – Applications that are not displayed to the user. Instead, such
as system services, antivirus, etc.
• OS processes – Applications that exist for the purpose of keeping the system running
smoothly.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer

• A tool for managing processes in the OS that displays all currently running processes,
whether displayed to the user or in the background.
• Go to the main folder of Sysinternals and search for the following files:

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer Colors

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer

Top Menu
• File – running processes, exporting processes to text files, restarting.
• Options – activating the tool upon system activation, checking passwords, virus total, etc.
• View – displaying system processes, setting system refresh period, and adding fields to the main
window.
● Process – stopping a single process or process tree, restarting, suspending, preferences, internet
searching.
● Users – displaying the user: connecting to the station, sending a message, disconnecting the user.

● Help – help menu and version display.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer

Top Menu
• File – running processes, exporting processes to text files, restarting.
• Options – activating the tool upon system activation, checking passwords, virus total, etc.
• View – displaying system processes, setting system refresh period, and adding fields to the main
window.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer

Main Menu
● All system processes are displayed here
● Next to each running process you can see its icon, process identifier, description,
signature of the company that created the running application, and details about the
use of system resources.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer

• Main Menu explained:

• Additional fields can be added by right-
clicking the upper icon menu bar.

• For example:
• Windows Title, User Name.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer
• A new field will appear which displays the
• Activating signatures:
process and whether it is reliable. If the
• Activate signatures -->Click on process is not signed, it may be a malicious
Options --> Verify Image process.
Signatures

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Explorer

Activate a Virus Total test

● The system will connect to the Virus
Total engine, will initiate a hash test,
and will display the processes that may
be malicious for each process
individually.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What is Process Monitor?

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor

• Open the main Sysinternals folder and search for the following files:

• Click on procmon and run the tool. The following window should pop up:

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor

• The upper menu – system filters, data export, and opening recording files

• Main display – here all processes will be displayed.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor:

• The upper menu explained

• File icon – loading PML type recording files – system logs.
• Floppy disk icon – saving events and exporting to PML files.
• Window with arrows icon – enables automatic scrolling of new results.
• Trash can icon – erase all displayed events.
• Filter icon – filter results according to various categories.
• Paper and pencil icon – like the filter option, only highlighting the selected value instead of
removing results.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor:

• The upper menu explained

• Target icon – a long click on this button will display the target symbol, with which
you can choose to point at a currently running application, which will then be
displayed in the list.
• Process tree icon – will display the process tree of all currently running processes.
• Lightning icon – displays the preferences of the chosen incident.
• Magnifying glass icon – search for strings.
• Arrow icon – displays the object in the registry.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor

• The upper menu explained

• The final four icons - - filter the results:
• Displays activity in the registry (creation of keys, reading, deletions, or a general query).
• Displays activity in the file system / file manager (creation, deletion, or changes to files).
• Displays network activity (displays the source and destination of TCP/UDP traffic).
• Displays system processes (identical to the processes in Process Explorer).
• Process preferences (regarding processor, memory, run time).

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor:

• To see data regarding an event, double-click on the desired event

• Now, information will be displayed regarding the chosen event (Event column):
• Date
• Event type
• Path in the registry
• Run time
• Process that caused
the event/change

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor

• In the Process tab, information will be displayed regarding the actual event:
• Full path of the application
• Version
• How it is running
• Which modules loaded it
• Run time
• Identifier

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Process Monitor

• The Stack tab displays activity according to memory.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What is TCPview?

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 TCPView

• Go to the main Sysinternals folder and search for the following files:

• Click on TCPVIEW, run the tool, after which the following window will open:

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 TCPView

• The upper menu – system filters, data exports, and recording files.

• Main menu – which displays all network processes.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 TCPView:

• The upper menu explained

• Clock icon – suspends the activity of updating the main display.

• Refresh icon – refreshes all communications shown in the main display.
• Window + settings icon – resolves addresses in the Local Address / Remote Address fields.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 TCPView

• The upper menu explained

• TCP v4 / TCP v6 / UDP v4 / UDP v6 – displays communications of a specific protocol.

• Green flag icon – displays the fields that can be added or removed from the main display.
• Search field – search for IP addresses or other identifiers with which the communication was
made.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What is Autoruns?

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 TCPView

• It displays the applications that start automatically with the OS and are organized
according to category.

• It enables you to open the registry to find the relevant value that was created and
allows you to display the application that it is connected to.

• It is essential to notice the file path.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 TCPView

• Go to the main Sysinternals folder and search for the files related to autoruns. Click
on Autoruns, run the tool, you will se the following window will open.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What is PEStudio?

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 PEStudio

• It allows you to investigate the malware without running it and to receive large
amounts of information to determine whether the file is malicious.

• This tool does not require installation. It can be downloaded from the following link:
https://www.winitor.com/features

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 PEStudio

• Activation
• Open the folder that appeared and activate the highlighted file.
• After activation, a gray window will open, onto which you can drag any file you
wish to investigate.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 PEStudio

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 PEStudio

• The first tab contains general information:

• Hash – the file’s signature. If the file is malicious, the hash can be used to locate
activity relating to this file found at additional workstations.
• By adding the hash to the antivirus or EDR blocked list, you can prevent the file
from being used in the future.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 PEStudio

• The first bytes on the hexadecimal base, which can reveal the file type.

• When a value begins with 4D 5A, you can conclude it is an executable file (exe) intended
for a Windows OS.

• The value is also equal to MZ on the ASCII base.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 PEStudio

• The Strings tab displays information regarding readable strings that are present in
the file.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 PEStudio

• The Version tab displays information regarding the file’s type, language, name,
description, and version.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What is the Registry?

• The Windows Registry is a hierarchical database containing all the configurations and settings used by
components, services, applications, and almost everything in Windows.

• The registry has two basic concepts to be aware of: Keys and Values.

• Root-level keys - The exciting thing that most people do not know is that three of the five items on the
root level are not actually located there. They are links to items further down in one of the other keys.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Registry Structure

● The registry is structured similarly to the

Windows directory/subdirectory structure.

● You have the five root keys, or hives, followed

by the subkeys. In some cases, you may have
sub-subkeys.

● These subkeys then have descriptions and

values displayed in the contents pane.

● Very often, the values are 0 or 1, meaning on

or off, and can contain more complex
information, usually displayed in hexadecimal.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 What is Windows Task Scheduler?

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Windows Task Scheduler

• Task Scheduler is a built-in utility in Windows that allows users to schedule and automate certain tasks,
such as running programs or scripts, at specified times or in response to certain events.

• It can be used to schedule tasks to run automatically, even when the user is not logged on to the
computer.

• This can be useful for tasks such as running backups, sending emails, or performing other maintenance
tasks.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Malware Persistence with Task Scheduler

• An attacker may use the task scheduler to establish persistence on a compromised system by creating a scheduled
task that runs a malicious payload or script on a regular basis.

• This allows the attacker to maintain access to the system even if their initial methods of entry are discovered and
removed.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0
 Malware Persistence with Task Scheduler:

• There are several ways an attacker can use the task scheduler to establish persistence on a
compromised system:

• Creating a scheduled task: An attacker can create a new scheduled task that runs a malicious payload
or script on a regular basis. This can be done using the "schtasks" command-line utility or the Task
Scheduler GUI.

• Modifying an existing task: An attacker can also modify a scheduled task to run a malicious payload or
script. This can be done by modifying the command or script associated with the task.

CYBERPRO Israel© Copyright | Do not distribute without written permission

https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-
b002013c6ad0