I tried to keep the title as self-explanatory as possible. I won’t go into detail at an individual level for myself, but I would like to share how I came across the InfoSec tool “Sysmon”, which led me to see what goes on behind the scenes on my PC.

I have recently immersed myself in various sources of news related to the InfoSec industry. I have to confess that my interest was suddenly piqued after the WannaCry ransomware incident. As we all know, it made MalwareTech quite popular. So it was only a matter of time before he came on reddit for an AMA and suggested that following people on Twitter is the most effective way to stay ahead in this field. Taking notice of that, like 40–50 other users, I started following almost all of his peers. One of those peers’ tweets was pretty interesting to follow.

This guy has gone and set up his own honeypot for trapping SMB exploits, which ultimately led to several EternalBlue attacks being captured.

Being a newbie, I was only able to grasp so much from the article, but this encouraged me to at least try and get the foundation of event monitoring (Windows) right, since that is something which should be at your fingertips. Anyway, coming back to his article, I opened every link in that article in a new tab and one of them was regarding Sysmon, which he described as:

the best InfoSec tool you’ve never heard of

Installing Sysmon was a breeze, and with PowerShell it was a matter of typing out a single command after going through the “help” menu. Next came a little struggle to actually see the event logs while my PC had been on for some time. It was actually quite fruitful and I got tons of “network connection detected” messages from Sysmon. For this blog post, I would like to go over some of the more peculiarly named services, for as long as I can go on:
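To pull those “network connection detected” messages (Sysmon Event ID 3) out of the log and roll them up per process, and to see which parent command line is spawning which child process (Event ID 1, the view behind the RAVCpl64.exe / FMAPP.exe observation further down), here is an added PowerShell example. It is not from the original post or from Sysinternals; it assumes Sysmon is installed with a configuration that records both event types, and that the shell is elevated (the Sysmon operational log needs admin rights to read).

```powershell
# Added example (not from the original post): summarise Sysmon network-connection
# (Event ID 3) and process-creation (Event ID 1) events from the local Sysmon log.
# Assumes Sysmon is installed with a config that logs both event types and that the
# shell is elevated (the Sysmon operational log requires admin rights to read).
# Tested shape: Windows PowerShell 5.1 or later.

# Turn the <EventData><Data Name="...">...</Data></EventData> section of a Sysmon
# event into an object with one property per field (Image, DestinationIp, ...).
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]$fields
}

$log = 'Microsoft-Windows-Sysmon/Operational'

# Event ID 3: one row per (process image, destination port, protocol) with a hit
# count and the distinct destination IPs seen. The lsass.exe -> port 88 observation
# from the post would show up here as a single row.
$netConns = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Group-Object Image, DestinationPort, Protocol |
    ForEach-Object {
        [pscustomobject]@{
            Image    = $_.Group[0].Image
            Port     = $_.Group[0].DestinationPort
            Protocol = $_.Group[0].Protocol
            Count    = $_.Count
            DestIps  = ($_.Group.DestinationIp | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending

$netConns | Format-Table -AutoSize

# Event ID 1: which parent command lines spawn which child images, most frequent
# first. A service repeatedly launching a helper (RAVCpl64.exe -> FMAPP.exe in the
# post) stands out as a high-count row here.
$procTree = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Group-Object ParentCommandLine, Image |
    Select-Object Count,
                  @{ n = 'Parent'; e = { $_.Group[0].ParentCommandLine } },
                  @{ n = 'Child';  e = { $_.Group[0].Image } } |
    Sort-Object Count -Descending

$procTree | Format-Table -AutoSize -Wrap
```

The grouping is what makes the log readable: a fresh machine left on for a while produces thousands of Event ID 3 records, but only a few dozen distinct (image, port, protocol) combinations, and it is that short list that you then go through one entry at a time, as the post does below. Add -MaxEvents to the Get-WinEvent calls if the log is large and you only want the most recent slice.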

1. mDNSResponder.exe

And the path for this service is C:\Program Files\Bonjour. How about that! Interestingly, this service is an Apple product which comes to your PC as well if you’ve installed iTunes. It is supposed to be a helping hand when detecting other Mac devices or devices running iTunes. On a Mac or iOS device, this program is used for networking nearly everything. It’s a waste of resources if you’re not using it or if you are not on a Mac device.

2. WDDriveService.exe

It should be known to most of us that once you buy WD devices, there is an option to install the “WD Drive Utilities” in order to keep the device driver up to date and to obtain some other functionality. The service actually sends out two different kinds of network connections:

1. A UPnP signal, which is blocked by major ISPs and DSL, so it never reaches the internet. If you are a control freak, though, you can use this tool (thanks to Steve Gibson) to block any such broadcasts.

2. Next is an attempt to connect to several seemingly different IPs, which I’m guessing is its attempt to fetch updates from the internet. However, you can go ahead and block the incoming connections here as well.

3. APSDaemon.exe

This little service is for syncing Apple devices wirelessly. I know this may seem trivial, but seeing what is happening under the hood of iTunes is still pretty cool to me. Technically, it’s called Apple Push. I couldn’t have guessed that from its service name.

4. lsass.exe

Local Security Authority Subsystem Service (LSASS) is what it is called, and it looks like a very important System32 file. After some (easy) googling, one can find out that it is supposed to generate security tokens when the user logs on to his computer. This security token is used to generate a shell, and then any other process which the user starts inherits the same token. Another responsibility of this service is to log Windows security events. So, a pretty important file with an unlikely name! Oh, and one more thing: it was working with port 88 (Kerberos), whatever that is.

5. FMAPP.exe

If your hardware is running Realtek Audio embedded in your el cheapo CPU, you really don’t have a choice but to keep this app. I was able to see multiple process creation events from this service, with the parent command line being:

"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s

The only purpose this entry serves is to detect and allow you to configure any devices plugged into the jacks — such as headphones and a microphone. With the System Tray icon enabled it will also inform you when devices are removed and give you access to the Sound Manager and other multimedia functions.

It’s your audio driver, and you can do things with it. I don’t know just what, but try doing without it: no such luck. To use a Realtek embedded or OEM version sound card, the operating system typically requires a specific device driver, a low-level program that handles the data connections between the physical hardware and the operating system.

6. spoolsv.exe

I am guessing many will not bother with this particular service and will straightaway ignore it. But I’ll include it just to have that “Well! Now you know!” moment. Anyway, the spool service is basically used to manage printer/fax jobs without the computer being tied up by them.

Thank you for reading till here! This is day 1 of me doing something productive in the security field and sharing it along the way. I will update this list as and when I find something interesting.