System

Image Path: C:\Windows\System32\ntoskrnl.exe

Descrizione / Funzione (IT):
Il processo System (PID 4) ospita thread di sistema che operano esclusivamente in kernel mode. Esegue codice del kernel Windows e dei driver caricati. Non dispone di uno spazio di indirizzamento user-mode.

What is normal?

• Image Path: N/A
• Parent Process: None
• Number of Instances: One
• User Account: Local System
• Start Time: At boot time

What is unusual behaviour for this process?

• A parent process (aside from System Idle Process (0))
• Multiple instances of System. (Should only be one instance)
• A different PID. (Remember that the PID will always be PID 4)
• Not running in Session 0

---

System > smss.exe

Image Path: C:\Windows\System32\smss.exe

Descrizione / Funzione (IT):
Session Manager Subsystem. È il primo processo in user-mode avviato dal kernel. Crea le sessioni, inizializza variabili d’ambiente, paging file e avvia csrss.exe e winlogon.exe, quindi si auto-termina.

(Nel testo originale non è presente una sezione esplicita “What is normal / unusual”)

---

csrss.exe

Image Path: %SystemRoot%\System32\csrss.exe

Descrizione / Funzione (IT):
Client Server Runtime Process. È la componente user-mode del sottosistema Windows. Gestisce finestre console, creazione e terminazione di processi e thread e lo shutdown del sistema.

What is normal?

• Image Path: %SystemRoot%\System32\csrss.exe
• Parent Process: Created by an instance of smss.exe
• Number of Instances: Two or more
• User Account: Local System
• Start Time: Within seconds of boot time for the first two instances

What is unusual?

• An actual parent process. (smss.exe calls this process and self-terminates)
• Image file path other than C:\Windows\System32
• Subtle misspellings to hide rogue processes masquerading as csrss.exe in plain sight
• The user is not the SYSTEM user.

---

wininit.exe

Image Path: %SystemRoot%\System32\wininit.exe

Descrizione / Funzione (IT):
Windows Initialization Process. Avvia services.exe, lsass.exe e lsaiso.exe nella Sessione 0. Processo critico del sistema operativo.

What is normal?

• Image Path: %SystemRoot%\System32\wininit.exe
• Parent Process: Created by an instance of smss.exe
• Number of Instances: One
• User Account: Local System
• Start Time: Within seconds of boot time

What is unusual?

• An actual parent process. (smss.exe calls this process and self-terminates)
• Image file path other than C:\Windows\System32
• Subtle misspellings to hide rogue processes in plain sight
• Multiple running instances
• Not running as SYSTEM

---

winit.exe > services.exe

Image Path: %SystemRoot%\System32\services.exe

Descrizione / Funzione (IT):
Service Control Manager. Gestisce i servizi Windows, carica driver auto-start e mantiene il database dei servizi nel registro. È parent di svchost.exe.

What is normal?

• Image Path: %SystemRoot%\System32\services.exe
• Parent Process: wininit.exe
• Number of Instances: One
• User Account: Local System
• Start Time: Within seconds of boot time

What is unusual?

• A parent process other than wininit.exe
• Image file path other than C:\Windows\System32
• Subtle misspellings to hide rogue processes in plain sight
• Multiple running instances
• Not running as SYSTEM

---

wininit.exe > services.exe > svchost.exe

Image Path: %SystemRoot%\System32\svchost.exe

Descrizione / Funzione (IT):
Service Host per servizi Windows basati su DLL. I servizi sono definiti nel registro e avviati tramite il parametro -k per il grouping.

The Binary Path is listed: Also, notice how it is structured. There is a key identifier in the binary path, and that identifier is -k . This is how a legitimate svchost.exe process is called. The -k parameter is for grouping similar services to share the same process. This concept was based on the OS design and implemented to reduce resource consumption. Starting from Windows 10 Version 1703, services grouped into host processes changed. On machines running more than 3.5 GB of memory, each service will run its own process Note: Since svchost.exe will always have multiple running processes on any Windows system, this process has been a target for malicious use. Adversaries create malware to masquerade as this process and try to hide amongst the legitimate svchost.exe processes. They can name the malware svchost.exe or misspell it slightly, such as scvhost.exe. By doing so, the intention is to go under the radar. Another tactic is to install/call a malicious service (DLL).

What is normal?

• Image Path: %SystemRoot%\System32\svchost.exe
• Parent Process: services.exe
• Number of Instances: Many
• User Account: Varies (SYSTEM, Network Service, Local Service)
• Start Time: Typically within seconds of boot time

What is unusual?

• A parent process other than services.exe
• Image file path other than C:\Windows\System32
• Subtle misspellings to hide rogue processes in plain sight
• The absence of the -k parameter

---

lsass.exe

Image Path: %SystemRoot%\System32\lsass.exe

Descrizione / Funzione (IT):
Local Security Authority Subsystem Service. Gestisce autenticazione, credenziali, token di sicurezza e log di sicurezza.

What is normal?

• Image Path: %SystemRoot%\System32\lsass.exe
• Parent Process: wininit.exe
• Number of Instances: One
• User Account: Local System
• Start Time: Within seconds of boot time

What is unusual?

• A parent process other than wininit.exe
• Image file path other than C:\Windows\System32
• Subtle misspellings to hide rogue processes in plain sight
• Multiple running instances
• Not running as SYSTEM

---

winlogon.exe

Image Path: %SystemRoot%\System32\winlogon.exe

Descrizione / Funzione (IT):
Gestisce la Secure Attention Sequence (CTRL+ALT+DELETE), il login, il caricamento del profilo utente e il blocco schermo.

What is normal?

• Image Path: %SystemRoot%\System32\winlogon.exe
• Parent Process: Created by an instance of smss.exe that exits
• Number of Instances: One or more
• User Account: Local System
• Start Time: Within seconds of boot time

What is unusual?

• An actual parent process. (smss.exe calls this process and self-terminates)
• Image file path other than C:\Windows\System32
• Subtle misspellings to hide rogue processes in plain sight
• Not running as SYSTEM
• Shell value in the registry other than explorer.exe

---

explorer.exe

Image Path: %SystemRoot%\explorer.exe

Descrizione / Funzione (IT):
Fornisce l’interfaccia grafica di Windows: desktop, taskbar, menu Start e gestione file.

What is normal?

• Image Path: %SystemRoot%\explorer.exe
• Parent Process: Created by userinit.exe and exits
• Number of Instances: One or more per interactively logged-in user
• User Account: Logged-in user(s)
• Start Time: First instance when the first interactive user logon session begins

What is unusual?

• An actual parent process. (userinit.exe calls this process and exits)
• Image file path other than C:\Windows
• Running as an unknown user
• Subtle misspellings to hide rogue processes in plain sight
• Outbound TCP/IP connections