
InfoAcademy

Cisco Networking Academy


www.infoacademy.net

CyberOps Associate – Lab 2


Explore Windows Operating System

Explore Apps and Processes

Launch the Windows Task Manager by right-clicking the taskbar and selecting Task
Manager. Alternate ways of launching the Task Manager include pressing Ctrl+Shift+Esc
(which opens it directly), pressing Ctrl+Alt+Delete to bring up the Windows Security
screen and selecting Task Manager (labelled Start Task Manager on older versions),
or running the taskmgr command either from a command prompt or from the search
input field in the Windows Start menu.

The processes displayed are grouped into three categories:

• Apps: These are programs that you interact with on the desktop. Apps are the
reason that people use personal computers. Browsers, word processors, email
clients, music managers, and games are all applications.
• Background processes: Processes that are executing in the background. They
do not have a desktop user interface.
• Windows processes: Microsoft Windows services. They also run in the
background. They are handled a little differently than the other background
processes. Windows services will be explored in a later section of this lab
exercise.

Launch a command prompt window. In the command prompt window, execute the
ftp speedtest.tele2.net command.

When prompted for credentials, use anonymous as the username; any password is
accepted. This is a plain-text TCP session to port 21, so the credentials and
everything else you type cross the network unencrypted. Minimize the command prompt
window with the FTP connection active (FTP-specific commands are out of scope for
this lab); the open session gives you a process (ftp.exe) and a live network
connection to look at later in the lab.

Launch any web browser. Open your favorite search engine and search for
Sysinternals suite. Download Process Explorer (a direct link is included here for
convenience - https://live.sysinternals.com/procexp.exe ).

Launch procexp.exe to start the Process Explorer.

The initial display is pretty busy. Collapse the tree of processes that are displayed
under wininit.exe to make the display easier to handle.


Examine the process hierarchy. Where Task Manager grouped processes by category
(App, Background Process, Windows Process), Process Explorer displays the
parent/child relationships.

For example, explorer.exe is the process that provides the Windows desktop. The
applications that you launched from the Windows desktop, including Process
Explorer itself, are children of the explorer.exe process. (Programs started some
other way, for instance by a service or a scheduled task, appear under a different
parent.)
Also, find cmd.exe under the explorer.exe process; this is the command prompt
window that you launched. Note that this process has children: conhost.exe and
ftp.exe. conhost.exe is the console host that draws the window for console
applications; under Windows 10 it appears as a child of the console program itself,
whereas on Windows 7 it is a child of csrss.exe. The ftp.exe process is the ftp
command that you launched in the command prompt window.

Note that Windows does not tie a child process to its parent: terminating a parent
does not terminate its children, which simply keep a parent PID that no longer
exists (Process Explorer then shows them at the top level of the tree; it offers a
separate Kill Process Tree option for when you do want the whole subtree gone).
Browsers behave differently. Demonstrate by right-clicking the parent browser
(i.e. chrome.exe) process and selecting Kill Process. Click OK to confirm the
action. The parent chrome process and the child chrome processes all terminate,
because the Chrome browser process manages the lifetime of its renderer and utility
processes itself; the children exit when their connection to the browser process
goes away, not because Windows killed them along with their parent.

While Process Explorer is running, look at one feature of particular interest
to the security analyst. Imagine that you were surprised to see the conhost.exe
process as a child of cmd.exe. If you have any reason to believe that a process is
suspect, you can have its image checked against VirusTotal.com. Select the
conhost.exe process, right-click, and select Check VirusTotal. By default Process
Explorer submits only the SHA-256 hash of the executable file, not the file itself
(uploading files that VirusTotal has never seen is a separate option under
Options > VirusTotal.com), and you will see that hash in the VirusTotal column.
This should quickly change to a pair of numbers separated by a slash. The second
number is the number of antivirus engines that have scanned the file; the first
number is how many of those engines flagged it as malicious. A result of zero
detections is not proof that the file is clean, only that no engine objected to
that exact hash, and a hash VirusTotal has never seen shows as unknown rather than
as a score. The VirusTotal rating is a hyperlink. Click the link to see the full
report on VirusTotal.com.
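The parent/child lookup and the hash that the Check VirusTotal action submits, reproduced in PowerShell so you can compare the numbers with what Process Explorer shows. This is an added example written for this page, not code from the lab or from Sysinternals; the image name cmd.exe is only the lab's example and is a parameter.

```powershell
# Added example, not part of the lab: for every process with the given image name,
# show its parent, its children and the SHA-256 of its on-disk image, i.e. the three
# things the Process Explorer steps above rely on. Works from a normal prompt;
# ExecutablePath is empty for processes the caller is not allowed to open.

function Get-ProcessLineage {
    param([string]$Name = 'cmd.exe')    # any image name, e.g. 'conhost.exe'

    # Win32_Process exposes ParentProcessId; Get-Process does not.
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($proc in ($all | Where-Object { $_.Name -eq $Name })) {
        $parent = $byId[[int]$proc.ParentProcessId]
        # Windows does not re-parent orphans: a missing parent means a stale PPID.
        $parentName = if ($parent) { "$($parent.Name) [$($parent.ProcessId)]" } else { "<exited PID $($proc.ParentProcessId)>" }

        $children = $all | Where-Object { $_.ParentProcessId -eq $proc.ProcessId } |
                    ForEach-Object { "$($_.Name) [$($_.ProcessId)]" }

        # Same value the "Check VirusTotal" action submits: a hash of the file on disk,
        # not of the process memory.
        $sha256 = if ($proc.ExecutablePath) {
            (Get-FileHash -Algorithm SHA256 -LiteralPath $proc.ExecutablePath).Hash
        } else { $null }

        [pscustomobject]@{
            PID       = $proc.ProcessId
            Name      = $proc.Name
            Parent    = $parentName
            Children  = ($children -join ', ')
            ImagePath = $proc.ExecutablePath
            SHA256    = $sha256
        }
    }
}

Get-ProcessLineage -Name 'cmd.exe' | Format-List
```

Run it while the FTP session from earlier is still open and the cmd.exe entry should list conhost.exe and ftp.exe as children, matching the Process Explorer tree; the SHA256 field is what you would paste into the VirusTotal search box if you preferred not to let Process Explorer contact the service at all.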


Explore the Registry Database

The Windows registry is a database that stores a wide variety of configuration
settings. Most of the Windows operating system and desktop environment
configuration settings are stored in the registry. Many of the options that are
exposed in the registry are not manageable anywhere else in Windows. Third-party
programs can also use the registry to store their settings. The registry is not the
only location where configuration settings can be stored. Sometimes settings are
stored in configuration files, and sometimes Windows Group Policy Objects are
involved.

To begin your exploration of the Windows registry, launch regedit.exe from the
search field on the Windows Start menu.

Five top-level entries, called root keys (and often loosely called hives; strictly,
a hive is one of the files on disk, such as SYSTEM, SOFTWARE, SAM, SECURITY or a
user's NTUSER.DAT, that backs part of the tree), are displayed at the top level of
the Windows registry. Examine them in the Registry Editor window.

Note the following:

• HKEY_CLASSES_ROOT: Stores data that is used by programs for file associations
and for sharing information between programs (COM registrations). It is a merged
view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes,
with the per-user entries taking precedence, which is why a non-administrator can
change what a file type opens with for their own account.
• HKEY_CURRENT_USER: Stores settings and configuration that are associated
with the current user. It is a link to that user's subtree under HKEY_USERS, not
a copy of it.
• HKEY_LOCAL_MACHINE: Stores system-related information.
• HKEY_USERS: Stores settings and configuration for every user profile that is
currently loaded, one subtree per user SID.
• HKEY_CURRENT_CONFIG: Stores hardware information about the PC's resources and
configuration; it is a link to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.


Registry keys are stored under the root keys. Keys can have sub-keys, which gives
each root key a tree structure. Keys store values, and every value has a name, a
type (such as REG_SZ for a string or REG_DWORD for a 32-bit number) and an
associated datum. Every key also has an unnamed default value, which the Registry
Editor displays as (Default); a key that holds no data therefore appears with a
single (Default) entry marked as "(value not set)".

Navigate to HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process
Explorer and find the value that is named EulaAccepted.

Note the following:

• On first run, the user must accept the End User License Agreement (EULA).
• A value of 1 (a REG_DWORD) for EulaAccepted indicates that the EULA was accepted.
Select the EulaAccepted value and select Modify. Change the Value data
field to 0 and click OK. Value 0 indicates that the EULA was not accepted. You
should be challenged the next time that you launch Process Explorer.

Launch procexp.exe again. Click Agree to accept the EULA. Process Explorer
will then start.

Return to the Registry Editor. Select View > Refresh. Verify that the
EulaAccepted value has returned to 1.

For a quick example of a registry hack, follow this process to add Open in Notepad
to the context menu of the Windows File Explorer (writes under
HKEY_CLASSES_ROOT\* land in HKEY_LOCAL_MACHINE\SOFTWARE\Classes, so the Registry
Editor must be running with administrator rights):

1. Navigate to HKEY_CLASSES_ROOT\*\shell.
2. Create a new key under the shell key. Right-click shell and select New > Key.
3. Set the key name to Open In Notepad.
4. Create a new key under the Open In Notepad key. Right-click Open In Notepad and
select New > Key.
5. Set the key name to command.
6. Select the (Default) value in the command key and select Modify.
7. Enter notepad.exe "%1" in the Value data field and click OK. The quotes matter:
%1 is replaced by the full path of the selected file, and a path that contains
spaces would otherwise be passed to Notepad as several separate arguments.

Whatever command is stored under a shell verb runs with the rights of the user who
invokes it, every time the verb is invoked. That is what makes these keys, and in
particular the per-user copies under HKEY_CURRENT_USER\SOFTWARE\Classes that need
no administrator rights to write, worth auditing on a suspect machine.
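The same verb created, read back and removed from an elevated PowerShell prompt. This is an added example for this page, not code from the lab; it uses the .NET registry classes rather than the registry provider because they take the `*` key name literally (the provider cmdlets treat `*` as a wildcard unless `-LiteralPath` is used, which is easy to get wrong on exactly this key). The key name is the lab's; the quoted `"%1"` is the fix described above.

```powershell
# Added example, not part of the lab: create, inspect and delete the
# HKEY_CLASSES_ROOT\*\shell\Open In Notepad verb. Needs an elevated prompt because
# HKCR writes go to HKLM\SOFTWARE\Classes.

$VerbPath    = '*\shell\Open In Notepad'     # relative to HKEY_CLASSES_ROOT
$CommandLine = 'notepad.exe "%1"'            # %1 = full path of the selected file

function Add-OpenInNotepadVerb {
    $hkcr = [Microsoft.Win32.Registry]::ClassesRoot
    $key  = $hkcr.CreateSubKey("$VerbPath\command")   # creates the parent key too
    try {
        $key.SetValue('', $CommandLine)                 # '' is the (Default) value
    } finally {
        $key.Close()
    }
}

function Get-OpenInNotepadCommand {
    # Returns the command string the shell would run, or $null if the verb is absent.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$VerbPath\command")
    if ($null -eq $key) { return $null }
    try { return [string]$key.GetValue('') } finally { $key.Close() }
}

function Remove-OpenInNotepadVerb {
    # Second argument $false: do not throw if the key is already gone.
    [Microsoft.Win32.Registry]::ClassesRoot.DeleteSubKeyTree($VerbPath, $false)
}

Add-OpenInNotepadVerb
Get-OpenInNotepadCommand        # notepad.exe "%1"
```

Run `Remove-OpenInNotepadVerb` when you are done with the lab so the test entry does not linger in the machine's shell configuration; `Get-OpenInNotepadCommand` is also the shape of check you would run across every verb under `*\shell` when looking for a hijacked one.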


Verify the registry hack. Bring the Windows File Explorer to the foreground.
Assuming that you are in SysinternalsSuite folder, you should be able to find the
PORTMON.HLP file. Select it, right-click and select the new option of Open In
Notepad from the context menu.

Notepad cannot display all the data in this file. Much of it is binary and non-
printable. But this is enough for demonstrating the context menu modification.
Close the Notepad window.

Explore Windows Services

A Windows service is a type of process that runs in the background under the control
of the Windows Service Control Manager (SCM). The SCM provides an API to control
the execution of services. Services run outside the context of the currently
logged-in users and can run even when no user is logged on. They can be configured
to start automatically when the computer boots, to start in response to certain
events (triggers), or to be started and stopped manually. Services can be grouped,
and dependency relationships can be defined that control the order in which
services start. The list of services on a Windows system is maintained in the
registry under HKLM\SYSTEM\CurrentControlSet\Services, one key per service (and
per kernel driver, which the SCM also manages), holding its image path, start type,
the account it runs as, and its dependencies.
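Reading those definitions straight from the registry, as an added example for this page (not from the lab): the numeric fields are decoded into the words the Services console shows, drivers are skipped the way the console skips them, and each image path is checked for the unquoted-path mistake. That last check goes beyond the lab text; it is a routine sanity check on anything that starts automatically.

```powershell
# Added example, not part of the lab: enumerate Win32 services from
# HKLM\SYSTEM\CurrentControlSet\Services and decode Start, Type and ObjectName.
# Works from a normal prompt; the key is world-readable.

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-UnquotedImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    $trimmed = $ImagePath.TrimStart()
    if ($trimmed.StartsWith('"')) { return $false }        # quoted: unambiguous
    # The executable path ends at the first ".exe"; a space before that point is the
    # problem (C:\Program Files\Vendor\agent.exe could be resolved as C:\Program.exe).
    $exePart = ($trimmed -split '\.exe', 2)[0]
    return $exePart.Contains(' ')
}

function Get-RegistryService {
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($null -eq $p.Type -or $null -eq $p.Start) { return }   # not a service entry
        # Type bits: 0x10 own process, 0x20 shared process (svchost); 0x40/0x80 mark
        # per-user services. Entries without 0x10 or 0x20 are drivers (Type 1 or 2).
        if (($p.Type -band 0x30) -eq 0) { return }
        [pscustomobject]@{
            Name      = $_.PSChildName
            Start     = $StartNames[[int]$p.Start]
            LogOnAs   = $p.ObjectName              # the console's "Log On As" column
            Shared    = [bool]($p.Type -band 0x20) # hosted in svchost.exe
            ImagePath = $p.ImagePath               # REG_EXPAND_SZ is expanded for you
            Unquoted  = Test-UnquotedImagePath $p.ImagePath
        }
    }
}

# Services that will run at the next boot, then any with an ambiguous image path
Get-RegistryService | Where-Object { $_.Start -eq 'Automatic' } | Format-Table -AutoSize
Get-RegistryService | Where-Object Unquoted | Format-Table Name, LogOnAs, ImagePath -AutoSize
```

Compare the first table with `Get-Service` or the Services console: the registry view also reveals services the console does not show as running, and the LogOnAs column tells you which automatic services run as LocalSystem, where an unquoted or writable image path would matter most.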

The most common way of examining Windows service definitions and status is
through the Services console (services.msc). There are different ways of launching
it, and it is embedded in other interfaces such as the Computer Management tool.
For this step, launch the Services console simply by entering services in the
search field of the Windows Start menu. Examine the information presented.


Note the following:

• Each service has a name and a description. Depending on your technical expertise,
some names may be enough to explain what the service does, such as DHCP Client and
DNS Client. In any case, if you select a service in the Services console, the
description of the service is displayed to the left of the table.
• Not all services are running.
• Services can be configured for automatic startup at system boot time (or
Automatic (Delayed Start), which starts them shortly after boot has finished). They
can also be configured for manual startup or disabled.
• Services do not run under the logged-on user's account. In fact, many services
launch automatically before any user can log in. The account a service runs under
is displayed in the Log On As column: Local System, Local Service, Network Service,
or a named account. A service running as Local System has more authority than any
administrator, so where its image lives and who can modify it matter.

Return to the Process Explorer window. Early in the lab, you collapsed the process
tree under wininit.exe in Process Explorer.

wininit.exe is the Windows initialization process for session 0. It is started by
smss.exe during boot (hardware drivers are not its job: boot and system-start
drivers are loaded by the boot loader and the kernel before wininit.exe exists) and
is responsible for:

• Launching services.exe, the Service Control Manager, which in turn launches the
Windows services that are configured to start automatically
• Launching lsass.exe, the Local Security Authority Subsystem Service, which
authenticates users and enforces the local security policy

In Process Explorer, expand wininit.exe and verify its direct child processes:
services.exe and lsass.exe. On Windows 10 version 1607 and later a third child,
fontdrvhost.exe (the user-mode font driver host), is also normal.


The services.exe process is responsible for launching all services. Expand
services.exe to expose all its child processes. Examine the list.


Note the following:

• The most direct way of recognizing whether a process is a service rather than a
standard background process is to check whether its parent is services.exe. If it
is a child of services.exe, it is a service.
• Most services run inside an instance of svchost.exe. The binary is started with
the -k flag, which names the service group it hosts (for example -k DcomLaunch or
-k netsvcs), not an individual service. Several related services may share one
svchost.exe image; on Windows 10 version 1703 and later on machines with more than
3.5 GB of RAM, most services are given a separate svchost.exe instance instead, so
several dozen instances are normal.
• It is normal to see many instances of svchost.exe as children of services.exe.
An svchost.exe whose parent is anything other than services.exe is highly
suspicious, as is one whose image is not %SystemRoot%\System32\svchost.exe.
Likewise, any process with a name that mimics svchost.exe, such as svch0st.exe,
is highly suspicious.

The process explorer makes it very easy to see which services are hosted in an
instance of svchost.exe. Simply hover the mouse pointer over an svchost.exe and
a pop-up window will show the details.

In the example, the svchost.exe was launched with -k DcomLaunch as an argument.
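The three rules above applied to every running svchost.exe at once, as an added example for this page (not from the lab): parent must be services.exe, the image must be the copy in System32, and anything whose name merely resembles svchost.exe is reported too. The hosted services and the -k group are shown alongside, which is what the Process Explorer hover pop-up tells you for one instance at a time. The look-alike pattern is this example's own, not an official list.

```powershell
# Added example, not part of the lab: check every svchost.exe (and look-alikes)
# for the expected parent and image path, and list the services each one hosts.

function Test-SvchostInstances {
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    # Services grouped by hosting PID, fetched once instead of per process.
    $svcByPid = @{}
    foreach ($s in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId })) {
        $hostPid = [int]$s.ProcessId             # not $pid, which is PowerShell's own PID
        if (-not $svcByPid.ContainsKey($hostPid)) { $svcByPid[$hostPid] = @() }
        $svcByPid[$hostPid] += $s.Name
    }
    $expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

    foreach ($proc in $all) {
        # svchost.exe plus close misspellings: svch0st.exe, scvhost.exe, svhost.exe ...
        if ($proc.Name -notmatch '^s[vc]{1,2}h[o0]st\.exe$') { continue }
        $parent   = $byId[[int]$proc.ParentProcessId]
        $findings = @()
        if ($proc.Name -ne 'svchost.exe') { $findings += "name '$($proc.Name)' mimics svchost.exe" }
        if (-not $parent) {
            $findings += 'parent has exited'
        } elseif ($parent.Name -ne 'services.exe') {
            $findings += "parent is $($parent.Name), not services.exe"
        }
        # -ne is case-insensitive in PowerShell, so system32 vs System32 does not matter
        if ($proc.ExecutablePath -and $proc.ExecutablePath -ne $expectedImage) {
            $findings += "image is $($proc.ExecutablePath)"
        }
        [pscustomobject]@{
            PID         = $proc.ProcessId
            Name        = $proc.Name
            CommandLine = $proc.CommandLine          # shows the -k group
            Services    = ($svcByPid[[int]$proc.ProcessId] -join ', ')
            Findings    = ($findings -join '; ')
        }
    }
}

# Only instances that tripped a rule; drop the Where-Object to see all of them
Test-SvchostInstances | Where-Object Findings | Format-List
```

On a clean Windows 10 machine the filtered output is empty. An svchost.exe with an empty ExecutablePath is one you were not allowed to open from an unelevated prompt rather than a finding; rerun elevated before drawing conclusions about it.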

Explore Windows Users, Groups, and Permissions

Windows supports the concepts of users and groups. Permissions that control access
to resources can be set based on user identity and group membership. This type of
access control is particularly important in enterprise environments, especially for
resources that are shared on the network. In the enterprise, users and group
policies are commonly managed centrally via Active Directory.

The concept of Microsoft Accounts was introduced with Windows 8. With a Microsoft
account, settings can be stored in the cloud and synchronized on multiple
computers. In this section of the lab exercise, we are looking only at local accounts.
The cleanest way to look at them is to launch the Local Users and Groups management
console by entering lusrmgr.msc in the Windows Start menu search field (the console
is not included in Home editions of Windows). Do this now.

Select the Users folder to display the users that are defined on the PC.

The account Admin was created after initial bootup of this Windows system. The PC
has been configured to auto-login to this account. To view the groups to which the
admin user belongs, right-click Admin and select Properties, then select the
Member Of tab on the admin Properties window.

Create a new user account named TestUser via net user from an elevated command
prompt (Start > cmd > right-click > Run as administrator), for example
net user TestUser * /add, which prompts for the new account's password.

Refresh the Local Users and Groups console to display the newly created user.


Repeat the process to display the groups to which the TestUser user belongs.
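The account creation and the Member Of tab done from PowerShell, as an added example for this page (not from the lab). The password is a placeholder chosen for this example; the lab does not show one, and it is kept under 15 characters because net user otherwise asks for confirmation.

```powershell
# Added example, not part of the lab: create TestUser with net user from an elevated
# prompt, then list the local groups every local account belongs to.

$UserName = 'TestUser'
$Password = 'Lab-Pa55w0rd'      # placeholder for this example

function New-LabUser {
    # net user is what the lab uses; New-LocalUser is the PowerShell equivalent.
    net user $UserName $Password /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
    # A new local account is placed in Users only; it is not an administrator
    # unless someone adds it to Administrators.
    Get-LocalUser -Name $UserName
}

function Get-LocalUserGroups {
    # Invert the group -> members listing into user -> groups (the Member Of tab).
    $groupsOf = @{}
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.ObjectClass -ne 'User') { continue }      # skip nested groups
            if (-not $groupsOf.ContainsKey($m.Name)) { $groupsOf[$m.Name] = @() }
            $groupsOf[$m.Name] += $group.Name
        }
    }
    foreach ($u in Get-LocalUser) {
        # Get-LocalGroupMember reports local users as COMPUTERNAME\user
        $qualified = "$env:COMPUTERNAME\$($u.Name)"
        [pscustomobject]@{
            User    = $u.Name
            Enabled = $u.Enabled
            Groups  = ($groupsOf[$qualified] -join ', ')
        }
    }
}

New-LabUser
Get-LocalUserGroups | Format-Table -AutoSize
```

The table should show Admin in Administrators (and Users) and TestUser in Users only. The same listing is the quickest way to spot an account that has been quietly added to Administrators or to Remote Desktop Users on a machine you are examining.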

Log off from the Admin account and log on as TestUser; this first logon creates the
profile directory under C:\Users and the user's registry hive (NTUSER.DAT, loaded
under HKEY_USERS). Log off from TestUser and log on as Admin again.

In the Windows File Explorer, navigate to Local Disk (C:) > Users. Attempt to access
the TestUser directory with a double-click. The system responds with a pop-up
message explaining that you do not currently have permission to access this folder.

The user Admin is in the Administrators group. This group has superuser privileges,
much like the root account on Linux, including the ability to change permissions.
The Explorer process itself, however, runs with a filtered (non-elevated) token
under User Account Control, so the group's rights do not apply until you elevate.
The pop-up window offers to grant yourself access; the Continue button carries a
shield icon, indicating that the action requires elevation and is only available to
users with administrator privileges. Note that the dialog says "permanently":
clicking Continue adds an access control entry for your account to the folder,
which is a persistent change to its DACL. On a machine under investigation that
alters the evidence; an elevated prompt could have read the folder without
modifying anything, because Administrators already hold Full Control on profile
folders. Click Continue.


Explore Windows Network Activity from the CLI

The netstat command lists open (listening) ports and the ports involved in current
connections. Open a Command Prompt window and enter the netstat -a command to view
all listening and connected ports. Without -n, netstat resolves addresses and ports
to names, which is slow and itself generates DNS traffic; netstat -an is usually
preferable on a machine you suspect.

The output of the netstat command is valuable, but the -a argument can make the
amount of output overwhelming. Piping the output through the find filter can be
useful to display only lines containing a particular string. Enter netstat -a | find
"EST" to give it a try (find is case-sensitive, so EST matches ESTABLISHED;
findstr /i matches regardless of case).


An Internet-connected live PC environment is very dynamic. You may have more
established connections than are listed in the example.

With the -o argument, netstat includes the ID of the process that owns each port;
netstat -ano is the usual combination in incident response, and -b (which requires
an elevated prompt) adds the name of the executable.

It is also important to be able to map process IDs to running processes. The
tasklist command displays all running processes along with their process IDs.
tasklist /svc additionally lists the services hosted by each process, which resolves
the many svchost.exe entries, and tasklist /FI "PID eq 1234" narrows the output to
a single process ID.
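The netstat -ano / tasklist join in one step, as an added example for this page (not from the lab): each connection is shown with the owning PID, the process name and image path, and, for svchost.exe, the services that PID is hosting.

```powershell
# Added example, not part of the lab: list TCP connections with their owning process.
# Get-NetTCPConnection carries the PID (netstat -o); Get-Process supplies the name
# and image path (tasklist); Win32_Service maps svchost PIDs to services (tasklist /svc).

function Get-ConnectionOwners {
    param([string]$State = 'Established')       # 'Listen' shows listening ports instead

    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }

    $svcByPid = @{}
    foreach ($s in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId })) {
        $hostPid = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($hostPid)) { $svcByPid[$hostPid] = @() }
        $svcByPid[$hostPid] += $s.Name
    }

    foreach ($c in Get-NetTCPConnection -State $State) {
        $owner = $procs[[int]$c.OwningProcess]
        [pscustomobject]@{
            Local    = "$($c.LocalAddress):$($c.LocalPort)"
            Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
            PID      = $c.OwningProcess
            Process  = if ($owner) { $owner.ProcessName } else { '<exited>' }
            Image    = if ($owner) { $owner.Path } else { $null }   # $null if not openable
            Services = ($svcByPid[[int]$c.OwningProcess] -join ', ')
        }
    }
}

# Sorting by remote address groups several processes talking to the same host
Get-ConnectionOwners | Sort-Object Remote, Process | Format-Table -AutoSize
```

With the FTP session from the start of the lab still open, one row should show ftp.exe with a remote port of 21. A process whose Image column is empty could not be opened from this prompt, which for anything other than a system process is itself worth a second look from an elevated prompt.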


Explore Windows Network Activity from the GUI

TCPview is a highly effective tool for real time monitoring of network connectivity
on Windows systems. Like the Process Explorer, TCPview is a component of the
Sysinternals Suite (https://live.sysinternals.com/Tcpview.exe).

Double-click Tcpview.exe to launch TCPview. The TCPview window displays all
listening network ports and all active network connections. The data is well
organized in a tabular form.

You can sort by any column in the TCPview table. Sort by the State column to group
the TCP listening ports and TCP established connections. UDP ports that are open
for connectivity have a blank state value and are also grouped. Other interesting
ways to sort include the Remote Address, the Remote Port, and the Local Port.

Open a browser (Firefox was used as example here). Sort the TCPview table by the
Process column. Find the firefox.exe entries.

A useful feature of TCPview is that you can do a whois lookup by right clicking any
active session to help confirm who the remote address belongs to.
As connections are starting up, they are colored green. As they are terminating,
they are colored red.
