THM — SECURITY OPERATIONS & MONITORING — CORE WINDOWS PROCESSES
Task 1 simply requires us to read the introduction and deploy the virtual machine.
This is however a great opportunity to follow along with the Task Manager.
We can click on completed and move on.
Task 2 similarly requires us to read the instructional text on Task Manager
This is however a great opportunity to follow along and get hands on.
Read the link on kernel mode and user mode.
Follow along with the use of Process Explorer and Process Hacker, which can be found on the VM desktop. Although not stated, the ‘System’ process must be double clicked upon, in order to see the same windows as the instructional text.
The instructional text is used to answer the question.
The text states that the answer is 4 so after entering that, we can click submit and move on.
Follow along with the tutorial text, and note that as before, processes within Process Hacker, will only display full details when double-clicked upon.
The tutorial states that csrss.exe and winlogon.exe are the answers and so these can be submitted, adhering to the format of the placeholder before moving on.
The diagrams for csrss.exe and winlogon.exe in the tutorial show PIDs of none-existent (parent) processes.
Both of these processes are ‘child processes’ of smss.exe, which is the answer. We can submit and move on.
The tutorial states that lsaiso.exe is a process we will only see if Credential Guard is enabled. We can submit this answer and move on.
The tutorial text states multiple running instances would be unusual so the answer 1 can be submitted before moving on.
The tutorial text gives the answer as K so we can submit this as the answer and move on.
The diagram of LSASS shows it to have a parent process of wininit.exe This can be submitted as the answer.
The diagram of winlogon.exe shows it to have a non-existent parent process with a PID of 488 which we know is the PID of smss.exe. We can submit this as the answer and move on.
The question most likely has the word ‘parent’ omitted in error, since the tutorial text under the diagram states that userinit.exe calls this process and exits. Userinit.exe can be submitted as the answer before moving on.
The final task requires no answer and can be clicked as complete with no answer once the useful information preceding it has been read.