Boot Process

Question 1

Win XP - Pre-Boot

Answer 1

Power On Self Test (POST)

Question 2

Win XP - MBR

Answer 2

Loads boot code

Question 3

Win XP - Bootcode

Answer 3

Searches partition table for boot sector and loads NTLDR

Question 4

Win XP - NTLDR

Answer 4

Reads in boot.ini for OS choices, runs NTDETECT.com to query hardware
Stored data from NTDETECT.com in HKLM\Hardware registry key
Starts NTOSKRNL.exe and HAL.dll

Question 5

Win XP - NTOSKRNL.exe

Answer 5

starts SMSS.exe

Question 6

Win XP - SMSS.exe

Answer 6

Launches Winlogon.exe and CSRSS

Question 7

WIn XP - Winlogon

Answer 7

starts LSASS, loads MSGINA, starts SCM, starts logonui.exe

Question 8

WIn XP - MSGINA.dll

Answer 8

Graphical Identification and Authorization (GINA) dll library
Activates the user shell
Customizable identification and authentication procedures
Logon dialog

Question 9

WIn XP - Winlogon

Answer 9

Receives credentials from MSGINA and passes them to LSASS

Question 10

WIn XP - LSASS

Answer 10

Checks creds against LSA database cache then NTLM or Kerberos if not found
Sends user token back to Winlogon

Question 11

WIn XP - Winlogon

Answer 11

Starts userinit in user context

Question 12

WIn XP - Userinit

Answer 12

Loads user profile, runs startup programs, starts explorer.exe

Question 13

BIOS

Answer 13

Basic Input/Output System

Question 14

Win7 - Pre-Boot

Answer 14

Power On Self Test (POST)

Question 15

Win7 - MBR

Answer 15

First 512 byte sector on hard disk

Reads and loads Volume Boot Record

Question 16

Win7 - VBR

Answer 16

Loads bootmgr into memory

Question 17

Win7 - Bootmgr

Answer 17

Reads Boot Config Database (BCD)
Boot menu and memtest
Calls winload (fresh boot)
Calls winresume

Question 18

Win7 - Winload

Answer 18

Loads NTOSKRNL.exe
Loads dependencies
Loads device drive

Question 19

Win7 - NTOSKRNL

Answer 19

SYSTEM
Prepares for running native system
Runs SMSS

Question 20

Win7 - HAL.dll

Answer 20

Hardware Abstraction Layer (HAL)

Interfaces driver to kernel

Question 21

Win7 - SMSS

Answer 21

Session manager
Session 0 loads Win32k.sys (kernel subsystem)
Runs WININIT

Question 22

Win7 - WININIT

Answer 22

Starts Service Control Manager (SCM)
Starts Local Security Authority SubSystem (LSASS)
Starts Local Session Manager (LSM)

Question 23

Win7 - CSRSS

Answer 23

Client/Server Runtime SubSystem
Client side of the win32 subsystem process
Thread creation

Question 24

VBR

Answer 24

Volume Boot Record

Question 25

CSRSS

Answer 25

Client/SErver Runtime SubSystem

Question 26

SMSS

Answer 26

Session Manager SubSystem

Question 27

BCD

Answer 27

Boot Config Database

Question 28

EFI

Answer 28

Extensible Firmware Interface

Question 29

UEFI

Answer 29

Unified Extensible Firmware Interface

Question 30

EFI/UEFI - Step 1

Answer 30

Power On Self Test (POST)

Question 31

EFI/UEFI - Step 2

Answer 31

Runs Bootloader (from NVRAM)
Loads BCD (also in NVRAM)

Question 32

EFI/UEFI - Step 3

Answer 32

Bootloader detects hardware

Question 33

EFI/UEFI - Step 4

Answer 33

EFI boot manager gives OS boot menu

Question 34

EFI/UEFI - Step 5

Answer 34

Winload.efi: EFI version of winload

Question 35

EFI/UEFI - Step 6

Answer 35

Requires EFI system partition
Formatted as FAT
Up to 1GB in size

Question 36

Win7 - Winlogon

Answer 36

Coordinates logon and useractivity

Launches logonui

Question 37

Win7 - Logonui

Answer 37

Interactive logon dialog box

Question 38

Win7 - Services

Answer 38

Loads auto-start drivers and services

Question 39

Main difference between local and domain logon

Answer 39

Where the user is authenticating

Question 40

Local Logon authenticates where?

Answer 40

Locally

Question 41

Domain Logon authenticates where?

Answer 41

With the domain controller

Question 42

Tasklist

Answer 42

cmd.exe : loaded modules, services, owner

Question 43

Process States - New/Created

Answer 43

Open file (.exe)
Create initial thread
Pass to kernel32.dll to check permissions
Pass to csrss, build structure, spawns first sub-thread, inserts into windows subsystem-wide proc list
Starts execution of initial thread
For real-time systems, processes may be held in “New State” to avoid contention, otherwise moved to “Ready State”

Question 44

Process States - Running

Answer 44

Process currently being executed (one or more threads executing)

Question 45

Process States - Ready

Answer 45

Process ready to execute when given the opportunity (CPU Time)

Question 46

Process States - Waiting

Answer 46

Process can’t execute until some event occurs (I/O Read)

Question 47

Process States - Terminated/Exit

Answer 47

Termination of a process due to a halt or abort

Question 48

Paging - Pages

Answer 48

Memory is allocated to process in distinct chunks

Question 49

Paging - Page Size

Answer 49

Smallest unit of protection at the hardware level

4KB for small page, 2MB for large page

Question 50

Paging - Overcommitted

Answer 50

Physical memory becomes overcommitted (threads try to use more memory than available) pages are written to the page file on disk

Question 51

Paging - Page Fault

Answer 51

Occurs when a thread references an invalid page

if page is on disk in the page file, it can be brought back into memory

Question 52

What are Windows Services?

Answer 52

Long running executable application that run in their own container (process)

Can be started automatically at boot, on demand, or when requested

Can be paused, stopped, or restarted

Run in the background, normally without a user interface

Question 53

sc

Answer 53

cmd.exe, querying and management

Question 54

Sc queryex eventlog

Answer 54

info for eventlog service including PID

Question 55

Tasklist /FI “pid eq XXX” /v

Answer 55

query tasklist for PID associated with eventlog

Question 56

Tasklist /FI “pid eq XXX” /svc

Answer 56

query tasklist for svchost services

Question 57

Sc qdescription eventlog

Answer 57

query eventlog service description

Question 58

Sc qc eventlog

Answer 58

show the binary command that loads the service

Question 59

Threads

Answer 59

Basic unit to which the OS allocates processor time
Can execute any part of the process code
Including parts currently being executed by another thread
Share memory with each other as well as the process
Deadlock is possible if the threads are waiting for each other’s resources
Synchronization (semaphores, mutexes) are used to control access to shared variables
Client/Server Run-Time Subsystem (CSRSS) maintains a list of threads
Threads are part of a execution priority pool 0-31 per processor, highest executes next

Question 60

Handles

Answer 60

Objects are data structures representing a system resource (file, thread, etc)
Applications can’t access objects directly, must obtain a handle
Handles for each process are tracked in an internal table known as the Object Manager
Handles allow a common interface to objects, regardless of underlying changes to the object
Handles allow Windows to track ACLs for objects during handle creation time

Question 61

Thread States - Ready

Answer 61

Waiting for Execution, in priority pool

Question 62

Thread States - Deferred Ready

Answer 62

Selected to run, but not yet executed. Optimization for scheduling database

Question 63

Thread States - Standby

Answer 63

Next thread to run, only one per processor per system

Question 64

Thread States - Running

Answer 64

A thread currently running on a processor

Question 65

Thread States - Waiting

Answer 65

A period of inactivity while waiting for an event

Question 66

Thread States - Transition

Answer 66

Ready for execution, but paging needed to bring back into memory

Question 67

Thread States - Terminated

Answer 67

Finished execution, heading for deallocation in most cases

Question 68

Thread States - Initialized

Answer 68

Thread is being created

Question 69

Process

Answer 69

The primary container (memory structure) for a program being executed

Question 70

Thread

Answer 70

Represents sequential machine-code instructions that a processor executes

Question 71

Handle

Answer 71

Pointer to OS objects referenced within a process

Question 72

What are system processes?

Answer 72

processes owned by, and executed by the operating system

required for the system to function

Question 73

What are the two types of system processes?

Answer 73

User

Kernel

Question 74

User mode processes

Answer 74

Runs in private virtual address space

Applications are isolated, one crash will not cause another to crash

Question 75

Kernel mode processes

Answer 75

All run in a single virtual address space

Not isolated from other processes

Question 76

Virus

Answer 76

Requires user interaction to replicate

Question 77

Worm

Answer 77

Does not require user interaction to replicate

Question 78

Trojan

Answer 78

Malware hidden within another legitimate program

Not usually self-replicating

Question 79

Malicious Mobile Code

Answer 79

Transmitted from remote host to local host

Executed without user instruction (i.e. Javascript, VBScript, etc)

Question 80

Blended Attack

Answer 80

Multiple infection/transmission methods used together

Question 81

Backdoor

Answer 81

Malicious program that allows illegitimate access to a machine
User is unaware

Question 82

Remote Access Tool (RAT)

Answer 82

Malicious program that provides remote command and control

Question 83

Rootkit

Answer 83

Malicious program that is ONLY used to hide things

DOES NOT provide access or command and control alone

Question 84

Keylogger

Answer 84

Records keyboard usage

Question 85

Botnet Client

Answer 85

Remote administration/Command and Control of a botnet

Question 86

Spyware

Answer 86

Monitors behavior of user

Question 87

Adware

Answer 87

Paid for ads to infected users

Question 88

Ransomware

Answer 88

Blocks access to a resource, requires payment from victim

Question 89

Bot Herder

Answer 89

Person in control of the botnet

Question 90

Botnet

Answer 90

Multiple machines infected and controlled by a bot herder

Question 91

Zombie

Answer 91

Individual machine infected and part of the botnet

Question 92

Static Analysis

Answer 92

Examine malware without executing it

Strings

Question 93

Dynamic Analysis

Answer 93

Examine malware while it is running

Question 94

What is virtualization?

Answer 94

Virtualization is technology that allows you to create multiple simulated environments or dedicated resources from a single, physical hardware system. Software called a HYPERVISOR connects directly to that hardware and allows you to split 1 system into separate, distinct, and secure environments known as VIRTUAL MACHINES (VMs).

Question 95

Benefits of virtualization

Answer 95

One set of Hardware -> Many virtual machines (VM)
VMs can be dynamically created and allocated to users
Baseline Image can be more rapidly updated
VMs instances can easily be rolled back to undo changes
Provide fault tolerance through redundant hardware and migration
Could be used as a pivot point
Could provide persistence if data store is compromised
Lessens attribution
Configurable software solution (OS, Services, Programs, etc)
Useful for protected Malware Analysis (Malware Detonation Chamber)
Quick restoration times
Usable as Honey Pot or Tar Pit
Difficult for malware to maintain persistence
Easily manageable across enterprise

Question 96

Risks of Virtualization

Answer 96

Typically require more upfront planning and configuration
In public cloud environments, lack of granularity in control of data at rest can lead to compliance issues (HIPPA, etc).
Some functions may not work well in a VM, such as copy/paste, printers, netstat, without additional setup effort.
Persistence can be lost if the target machine is restored
Could end up in a honey pot or tar pit
If the data store is compromised all new instances will also be compromised
Planning and initial setup cost more with virtual networks.

Question 97

What is situational awareness?

Answer 97

A method of gaining an understanding of the current operating environment on the target machine
It applies both defensively and offensively
Allows you to get an idea of what the system is used for and what type of users use it
Used to decide what courses of action are appropriate for the system

Question 98

Situational Awareness - What areas are the most important to be aware of?

Answer 98

Running Processes
Active Users
Network Configuration
Network Communications
Logging
Scheduled Jobs
Aliases

Question 99

What runs SMSS

Answer 99

NTOSKRNL

Question 100

What runs WININIT?

Answer 100

SMSS

Question 101

What starts Service Control Manager (SCM)?

Answer 101

WININIT

Question 102

What starts Local Security Authority SubSystem (LSAAS)?

Answer 102

WININT

Question 103

What starts Local Session Manager (LSM)?

Answer 103

WININIT

Question 104

What starts CSRSS?

Answer 104

SMSS

Question 105

What starts Winlogon?

Answer 105

CSRSS

Question 106

What starts Userint?

Answer 106

WInlogon

Question 107

What starts Explorer?

Answer 107

Userinit

Question 108

What starts Winload?

Answer 108

Bootmgr

Question 109

What starts NTOSKRNL?

Answer 109

Winload

Question 110

What starts Services.exe?

Answer 110

WININIT