1
00:00:00,400 --> 00:00:05,820
In this video we're going to take a look at some of the main Microsoft Windows components.

2
00:00:09,210 --> 00:00:17,450
Applications that are used within Windows, like Word and Internet Explorer, rely on processes. A process

3
00:00:17,530 --> 00:00:21,770
is an instance of a computer program that is being executed.

4
00:00:24,440 --> 00:00:27,790
The process may be made up of multiple threads.

5
00:00:28,010 --> 00:00:33,790
Threads are the individual program commands that are run within a process.

6
00:00:33,830 --> 00:00:40,310
For example, when I launch my Notepad application, there would be multiple threads running to take care

7
00:00:40,310 --> 00:00:42,290
of each task.

8
00:00:42,410 --> 00:00:48,500
One thread could be used to collect data input to the Notepad file, while another thread could be used

9
00:00:48,590 --> 00:00:55,400
to save the data. To give you a better idea of how processes and threads work,

10
00:00:55,460 --> 00:01:03,970
I'm going to show you how to download and install a Windows tool called Sysinternals. Sysinternals

11
00:01:03,980 --> 00:01:10,070
gives you the ability to drill down into some of the Microsoft Windows components that are running on

12
00:01:10,070 --> 00:01:11,890
your computer.

13
00:01:12,410 --> 00:01:21,650
If you just Google Sysinternals and go to the Windows Sysinternals web page, and then go to Download, from

14
00:01:21,650 --> 00:01:25,660
there you can download the Sysinternals suite of tools.

15
00:01:25,940 --> 00:01:26,770
So click on that,

16
00:01:30,140 --> 00:01:33,910
and then download it as a zip file. I actually already have it installed.

17
00:01:34,610 --> 00:01:40,640
Once you locate your downloaded Sysinternals zip folder, you're going to want to open it up, and then here are

18
00:01:40,650 --> 00:01:44,990
all the tools that you can choose from. To look at processes

19
00:01:44,990 --> 00:01:48,840
on Windows, you can use the Process Explorer tool.
20
00:01:49,040 --> 00:01:54,410
So I'll go ahead and extract that to my desktop.

21
00:01:54,410 --> 00:01:59,260
Go back, and here is what the Process Explorer application looks like.

22
00:02:00,140 --> 00:02:07,070
Let's go ahead and launch that to give you an example of how you can drill down in to see what processes

23
00:02:07,070 --> 00:02:08,840
and threads are running for an application.

24
00:02:08,930 --> 00:02:17,350
I'm going to launch Notepad here.

25
00:02:17,580 --> 00:02:28,350
Here I found my Notepad executable, and it shows me CPU usage and some basic information for the process.

26
00:02:28,350 --> 00:02:34,200
I'll right-click and go to Properties, and then it actually shows me the threads that are running for

27
00:02:34,200 --> 00:02:35,490
the application.

28
00:02:35,880 --> 00:02:45,080
So if I were to, for example, click on this option, you can see that when I launch that application it

29
00:02:45,080 --> 00:02:46,820
fired up additional threads,

30
00:02:46,850 --> 00:02:56,230
since I'm doing multiple things with the application. And you'll even see a new thread pop up if I were

31
00:02:56,230 --> 00:02:58,000
to save the application.

32
00:02:58,000 --> 00:03:00,570
So I just did Control and Save, and you can see that

33
00:03:00,750 --> 00:03:03,240
now there are all these additional threads.

34
00:03:03,400 --> 00:03:10,300
So you can see how this tool can help you really drill into what's happening when you're using an application,

35
00:03:10,600 --> 00:03:15,510
in regards to how processes and threads are working in the background.

36
00:03:17,850 --> 00:03:25,890
Computer memory is used to temporarily or permanently store information for applications. Processes use

37
00:03:25,890 --> 00:03:30,670
virtual memory, known as virtual address space.

38
00:03:30,860 --> 00:03:39,160
It acts as a reference point for physical objects in memory. For cybersecurity investigations,
39
00:03:39,230 --> 00:03:47,260
computer memory can provide a lot of valuable forensic information, such as active user sessions and

40
00:03:47,270 --> 00:03:52,680
port connections.

41
00:03:52,790 --> 00:04:00,020
The Windows Registry contains settings for programs and hardware installed on Microsoft Windows operating

42
00:04:00,020 --> 00:04:09,060
systems. For example, when a program is installed, a new subkey containing settings like the program's location,

43
00:04:09,080 --> 00:04:17,850
its version, and how to start the program is added to the Windows Registry. To pull up the Windows

44
00:04:17,850 --> 00:04:23,940
Registry, you can open up a command-line prompt and enter the command regedit,

45
00:04:24,450 --> 00:04:29,190
or just search for regedit in your Windows search bar.

46
00:04:32,210 --> 00:04:38,990
Here in the Registry Editor you can see that there are five folders. Each of these main folders is called

47
00:04:39,000 --> 00:04:45,180
a hive. Each hive contains different registry entry types.

48
00:04:45,500 --> 00:04:52,190
For example, user-based settings will be set within the user hives, and hardware settings would be set

49
00:04:52,340 --> 00:04:54,140
within the local machine hive.

50
00:04:55,300 --> 00:05:01,940
Just to show you an example of some of the different types of registry things that you could modify,

51
00:05:02,960 --> 00:05:13,490
I'll go to my mouse registry settings. The path is User, Control Panel, and then Mouse. You can see all these

52
00:05:13,730 --> 00:05:16,750
default settings in here.

53
00:05:17,060 --> 00:05:25,490
So it has yes or no for if extended sounds are enabled, beeping, the mouse speed and sensitivity, and by

54
00:05:25,490 --> 00:05:31,540
adjusting these values I could modify the behavior of how my mouse program runs.

55
00:05:33,720 --> 00:05:37,200
WMI is only used on Windows systems.
56
00:05:37,200 --> 00:05:44,040
It defines a proprietary set of specifications that allow management information to be shared between

57
00:05:44,250 --> 00:05:46,950
management applications.

58
00:05:47,050 --> 00:05:53,650
It can be used for tasks like modifying system properties and polling system information from devices.

59
00:05:55,540 --> 00:05:59,950
Although WMI can be very useful to IT administrators,

60
00:05:59,950 --> 00:06:03,310
it can also be used to conduct malicious acts.

61
00:06:03,340 --> 00:06:09,530
So access to WMI resources should be limited to only the required systems.

62
00:06:09,790 --> 00:06:15,040
As you can see in the slide, if you go to your Windows Firewall settings you have the ability to enable

63
00:06:15,040 --> 00:06:24,160
or disable WMI. Handles are used when applications reference objects like memory blocks or databases.

64
00:06:25,360 --> 00:06:27,170
As it relates to security,

65
00:06:27,260 --> 00:06:33,040
handles are at risk of causing memory leaks, which are created when computers do not release handles that

66
00:06:33,040 --> 00:06:40,870
are no longer being used. To view handles that are associated with processes,

67
00:06:40,870 --> 00:06:45,920
you can either go to our Process Explorer Sysinternals tool that we looked at earlier.

68
00:06:46,360 --> 00:06:50,550
And again I've clicked on the Notepad application, and down below here

69
00:06:50,770 --> 00:06:54,660
are the associated handles for that program.

70
00:06:55,120 --> 00:07:02,510
Another way you can view handles associated with processes is using the Resource Monitor tool.

71
00:07:02,550 --> 00:07:10,150
If you go to the CPU tab and then select the program that you want to view handles for, down below

72
00:07:10,150 --> 00:07:13,340
you can see the handles associated with that program.

73
00:07:16,500 --> 00:07:20,190
Services are computer programs that run in the background.
74
00:07:20,580 --> 00:07:24,020
These services can be used as an attack vector.

75
00:07:24,330 --> 00:07:32,160
Some network services leave extra layer 4 ports open on endpoints, like SMB and RDP, that can be used

76
00:07:32,160 --> 00:07:34,320
to gain access to a system.

77
00:07:35,220 --> 00:07:40,980
Services like these should be disabled if they are not in use. To view services, we can go to the Start

78
00:07:41,070 --> 00:07:43,680
menu and then just search for Services

79
00:07:47,340 --> 00:07:50,930
and click on View local services.

80
00:07:50,940 --> 00:07:53,410
So here's a list of services running on my computer.

81
00:07:55,410 --> 00:07:57,820
Here is my Remote Desktop service.

82
00:07:57,900 --> 00:08:04,250
So for my computer, I have no reason for myself or for anybody to use Remote Desktop Services and log in

83
00:08:04,250 --> 00:08:05,500
to my computer remotely.

84
00:08:05,620 --> 00:08:11,710
So this'll be a good example of a service that I would want to stop and keep disabled so it cannot

85
00:08:11,710 --> 00:08:15,790
be used as an attack vector to gain access to my computer.

86
00:08:18,240 --> 00:08:23,460
So if I want to stop the service, I go to Stop, say yes,

87
00:08:27,900 --> 00:08:33,480
and this one is set to Manual for startup. Or if I wanted to change that behavior, I could right-click

88
00:08:33,480 --> 00:08:37,570
on it, go to Properties, and then choose the startup type.