Endpoint Security Monitoring - Part 3

Sysinternals Tool Kit

Now that we have a basic understanding of Core Windows Processes, we can delve into the available tools for analyzing the running artifacts in the background of a Windows machine.

The Sysinternals tools are a collection of more than 70 tools for Windows. Each tool falls into one of the following categories:

  1. File and Disk Utilities: Tools to help with managing files and disks, like checking file activity or analyzing disk space.
  2. Networking Utilities: Tools for fixing network issues, monitoring network activity, or checking network connections.
  3. Process Utilities: Tools to manage and analyze running programs, like monitoring processes or finding and fixing problems.
  4. Security Utilities: Tools for keeping your system safe, like detecting malware or checking for security issues.
  5. System Information: Tools to find out details about your computer, such as hardware, software, and settings.
  6. Miscellaneous: Other helpful tools for specific tasks, like working with virtual machines or accessing remote systems.

These tools are used by IT professionals and system administrators to manage and troubleshoot Windows computers.

In this task, we will focus on introducing three of the most commonly used Sysinternals tools for endpoint investigation. We will explore the other Sysinternals tools in a separate series of articles.

You can download the Sysinternals tool kit by visiting the following link: Sysinternals Suite Download.

For endpoint investigation, commonly used Sysinternals tools are:

  1. Process Explorer: Provides detailed information about running processes, helping to identify suspicious activities.
  2. Autoruns: Manages and controls programs that start automatically during system boot-up, allowing identification and disabling of unwanted entries.
  3. TCPView: A networking utility that displays real-time network connections and the processes that own them.

These tools aid in analyzing processes and managing startup programs for improved endpoint security.

Process Explorer

Process Explorer is a helpful Sysinternals tool that shows you detailed information about the processes running on your Windows system. It provides insights into memory usage, dependencies, and other important details. It's a great tool for analyzing and troubleshooting processes.

"The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode, you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded." (official definition)

Autoruns

Autoruns is a handy tool from Sysinternals that helps you manage programs that start automatically when your Windows system boots up. It shows you a list of all these programs, allowing you to easily disable any unwanted or suspicious ones. It's a great tool for improving system performance and security.
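Autoruns can also be run from the console as autorunsc.exe, which writes the same list as CSV. The PowerShell below is an added example (not code from the article or from Sysinternals) that triages such a list the way an analyst would when deciding which entries deserve a closer look; the column names and the command-line switches shown in the comment are not described on the page and are assumed from autorunsc's standard output, and the CSV rows are constructed sample data.

```powershell
# Added example: triage Autoruns entries for a first look. Assumes the CSV written by
# autorunsc.exe (console Autoruns) with its standard columns, produced e.g. with
#   autorunsc.exe -accepteula -nobanner -a * -c -s -h > autoruns.csv
# The rows below are constructed sample data standing in for that file.
$sampleCsv = @'
"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","CONTOSO\alice","","(Not verified) Example Co","","c:\users\alice\appdata\local\temp\updater.exe","C:\Users\alice\AppData\Local\Temp\updater.exe"
"Task Scheduler","\Maintenance\Sync","enabled","Tasks","System-wide","","","","c:\programdata\sync\sync.exe","C:\ProgramData\sync\sync.exe"
'@

function Find-SuspiciousAutoruns {
    param([Parameter(Mandatory)][object[]]$Entries)

    # Autostart images living in user-writable locations, or lacking a verified
    # signature, are the entries worth reviewing first. (-match is case-insensitive.)
    $writablePaths = '\\users\\[^\\]+\\appdata\\', '\\temp\\', '\\programdata\\', '\\public\\'

    foreach ($e in $Entries) {
        if ($e.Enabled -ne 'enabled') { continue }   # disabled entries do not run
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($e.Signer)) {
            $reasons += 'no signer information'
        } elseif ($e.Signer -notlike '(Verified)*') {
            $reasons += "signature not verified: $($e.Signer)"
        }
        foreach ($p in $writablePaths) {
            if ($e.'Image Path' -match $p) { $reasons += 'image in user-writable path'; break }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Entry    = $e.Entry
                Location = $e.'Entry Location'
                Image    = $e.'Image Path'
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Parse the sample list and report the entries that need review.
$entries = $sampleCsv | ConvertFrom-Csv
Find-SuspiciousAutoruns -Entries $entries | Format-Table -AutoSize
```

With the sample data, the verified Microsoft entry is passed over and the two remaining entries are reported with the reason they were flagged; on a real system, replace $sampleCsv with Get-Content of the exported file.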

TCPView

TCPView is a handy tool from Sysinternals that shows you real-time information about network connections on your Windows system. It helps you monitor network activity and identify any suspicious connections. It's a useful tool for troubleshooting network issues.

As a beginner, it's important to focus on understanding the most commonly used tools for Endpoint Security Monitoring. To make things easier, I will write a separate article series specifically covering the Sysinternals tools. This series will explore their applications in security and important activities like troubleshooting systems and networks. By doing this, you can learn about these tools in a step-by-step manner and gain a solid understanding of their practical use cases. It's a great way to improve your knowledge and skills in endpoint security monitoring.

Continued...

Tharindu Damith