Using the NtQueryInformationProcess API we can read the PROCESS_BASIC_INFORMATION structure from a process using its process handle and locate the PebBaseAddress. So, with NtQuerySystemInformation as a starting point to collect overall information about all processes running in the system, we then use the PEB of individual processes to collect more detailed info about each process.
Process monitor vs process explorer windows#
Although the API and related structures are not fully documented, this API allows you to collect a wealth of information about a Windows system.
Process monitor vs process explorer code#
First, we need to figure out how these tools work under the hood (and within user-mode), next we need to figure out the best way to display this information from a console instead of a GUI.Īfter analyzing publicly available code it became clear that many low-level system information tools are heavily based on the native NtQuerySystemInformation API.
Trying to replicate the functionality and information provided by a tool like Process Explorer is not an easy task. To collect more detailed information, we wrote our own process info utilities to collect and enrich the information we can gather from the systems we compromise. The output from the ps command is useful for a quick triage of running processes, but lacks the detailed information which can help us to better understand the system. Combined with ProcessColor aggressor script this is probably the best method to easily collect process information. This command displays basic process information from all processes running on the system. Within Cobalt Strike we can use the ps command within the beacon context. But with PowerShell under heavy security monitoring these days, we try to avoid this method.
Of course, we could use PowerShell as this provides us a very powerful scripting language and enables access to the Windows APIs. Now we have looked at some interesting process information we can gather using Process Explorer, you might wonder how we can get access to the same information available from user-mode within our favourite C2 frameworks. An incoming PowerShell remoting session or RDP session might indicate that an investigation is started. From an offensive perspective this can be useful to detect when connections are made from a system under our control. This will show all the network connection related to the process. As a Red Team operator with a long background in network and system administration I have always been a big fan of the Sysinternals tools.Īnother interesting tab in Process Explorer is the TCP/IP tab. For example the system utilities within the Sysinternals suite. To collect detailed information, there is more advanced tooling available. The Windows task manager for example, provides us basic information about all the processes running within the system, but what if we need more detailed information like the object handles, network connections or loaded modules within a particular process? Although most of these tools would fit the purpose of basic system administration, some lack the functionality we need for more advanced troubleshooting and monitoring.
The Windows Operating System is equipped with many out-of-the-box utilities to administer the system. We can then learn how these utilities collect such information, so that we can subsequently leverage these techniques in our red teaming tools. We will first explore which utilities are available for harvesting process information from a Windows computer. The tools (including source) can be found here: To be able to collect detailed process data from compromised end-points we wrote a collection of process tools which brings the power of these advanced process utilities to C2 frameworks (such as Cobalt Strike). Moreover, periodically polling process data allows us to react on changes within the environment or provide triggers when an investigation is taking place. Collecting and analysing data of running processes from compromised systems gives us a wealth of information and helps us to better understand how the IT landscape from a target organisation is setup. Having a good technical understanding of the systems we land on during an engagement is a key condition for deciding what is going to be the next step within an operation. In this blog post we are going to explore the power of well-known process monitoring utilities and demonstrate how the technology behind these tools can be used by Red Teams within offensive operations.
0 kommentar(er)
