{"id":247,"date":"2023-06-26T22:03:51","date_gmt":"2023-06-26T22:03:51","guid":{"rendered":"https:\/\/justatrainingblog.co.uk\/?p=247"},"modified":"2023-06-26T22:03:51","modified_gmt":"2023-06-26T22:03:51","slug":"windows-system-processes-what-they-are-and-detecting-malicious-intrusion-or-fakes","status":"publish","type":"post","link":"https:\/\/justatrainingblog.co.uk\/?p=247","title":{"rendered":"Windows System Processes &#8211; what they are and detecting malicious intrusion or fakes"},"content":{"rendered":"\n<p>I&#8217;m currently learning the &#8216;Core Windows Processes&#8217; module on TryHackMe and a topic which stuck out to me is the detection and eradication of Malicious Windows Processes. For the examples used in this article I have used <a href=\"https:\/\/processhacker.sourceforge.io\/\" title=\"\">Process Hacker<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">What is a malicious Windows process?<\/span><\/h2>\n\n\n\n<p>Commonly deployed as part of a root kit which compromises the kernel a malicious system process is a background process which can exploit it&#8217;s abused system privilege in a number of says such as acting as a APT, C&amp;C, ransomware or providing a ledge for lateral movement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">System.exe<\/span><\/h2>\n\n\n\n<p>The System thread is unique which runs in the kernel. This process primarily handles threads that run in system and Kernel NT memory. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"451\" height=\"576\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-72.png\" alt=\"\" class=\"wp-image-249\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-72.png 451w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-72-235x300.png 235w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-72-300x383.png 300w\" sizes=\"(max-width: 451px) 100vw, 451px\" \/><\/figure>\n\n\n\n<p>While there are lot of variables here we need to be able to determine if these processes are real or fake. Some ways we can determine this are as follows: <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>System Idle Process (0) is the only possible parent<\/li>\n\n\n\n<li>Multiple instances of the &#8216;System&#8217; process<\/li>\n\n\n\n<li>PID different from 4<\/li>\n\n\n\n<li>Not running in Session 0 <\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">smss.exe<\/span><\/h2>\n\n\n\n<p>smss.exe is short for the Session Manager Subsystem. It is alternatively known as the Windows Session Manager and is responsible for the creation and management of new sessions. <\/p>\n\n\n\n<p>This is a <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/gettingstarted\/user-mode-and-kernel-mode\" title=\"\">user-mode<\/a> process and starts the follow up processes winlogon.exe and csrss.exe. It runs a number of functions including: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Launching any subsystems specified in <strong>HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Subsystems<\/strong><\/li>\n\n\n\n<li>Creating enviromental variables<\/li>\n\n\n\n<li>Creating virtual memory paging files<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"738\" height=\"102\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-73.png\" alt=\"\" class=\"wp-image-250\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-73.png 738w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-73-300x41.png 300w\" sizes=\"(max-width: 738px) 100vw, 738px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"447\" height=\"580\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-74.png\" alt=\"\" class=\"wp-image-251\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-74.png 447w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-74-231x300.png 231w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-74-300x389.png 300w\" sizes=\"(max-width: 447px) 100vw, 447px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes: <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Variance in the image path which should be: %SystemRoot%\\System32\\smss.exe<\/li>\n\n\n\n<li>Parent process differing from System<\/li>\n\n\n\n<li>Multiple instances<\/li>\n\n\n\n<li>Alternative user account than Local System<\/li>\n<\/ol>\n\n\n\n<p>It&#8217;s also worth being wary about the contents of the above mentioned registry entry for unauthorised additions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">csrss.exe<\/span><\/h2>\n\n\n\n<p>The Client Server Runtime Process is another user-mode subsystem process. This is a persistent process and is required at all times. The process handles the Win32 console Window (cmd prompt and others) and threat creation\/deletion. <\/p>\n\n\n\n<p>This process additionally provides other applications access to Windows systems via an API allowing functions such as drive mapping and shutdowns. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"447\" height=\"570\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-75.png\" alt=\"\" class=\"wp-image-252\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-75.png 447w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-75-235x300.png 235w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-75-300x383.png 300w\" sizes=\"(max-width: 447px) 100vw, 447px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes: <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>This must always have a parent process of some form<\/li>\n\n\n\n<li>A imagine path which differs from C:\\Windows\\System32<\/li>\n\n\n\n<li>A different user than &#8216;System&#8217;<\/li>\n<\/ol>\n\n\n\n<p>An additional point worth noting is that attackers sometimes masquerade processes with a similar but slightly different spelling. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">wininit.exe<\/span><\/h2>\n\n\n\n<p>Windows Initialization Process is a persistent System process which is responsible for the launching of services.exe, lsaas.exe and lsaiso.exe. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"449\" height=\"578\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-76.png\" alt=\"\" class=\"wp-image-253\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-76.png 449w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-76-233x300.png 233w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-76-300x386.png 300w\" sizes=\"(max-width: 449px) 100vw, 449px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>This must always have a parent process of some form<\/li>\n\n\n\n<li>A imagine path which differs from C:\\Windows\\System32<\/li>\n\n\n\n<li>A different user than &#8216;System&#8217;<\/li>\n\n\n\n<li>Multiple instances<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">services.exe<\/span><\/h2>\n\n\n\n<p>A child service to wininit.exe, Services.exe is perhaps the most recognisable to fellow IT practitioners. This process handles the loading \/ starting \/stopping services. For it&#8217;s data-table it references the registry table <strong>HKLM\\System\\CurrentControlSet\\Services<\/strong>. <\/p>\n\n\n\n<p>Services.exe is parent to several other processes including svchost.exe, msmpeng.exe, dllhost.exe. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"761\" height=\"88\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-77.png\" alt=\"\" class=\"wp-image-254\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-77.png 761w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-77-300x35.png 300w\" sizes=\"(max-width: 761px) 100vw, 761px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"449\" height=\"574\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-78.png\" alt=\"\" class=\"wp-image-255\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-78.png 449w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-78-235x300.png 235w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-78-300x384.png 300w\" sizes=\"(max-width: 449px) 100vw, 449px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Parent process which isn&#8217;t &#8220;wininit.exe&#8221;<\/li>\n\n\n\n<li>A imagine path which differs from C:\\Windows\\System32<\/li>\n\n\n\n<li>A different user than &#8216;System&#8217;<\/li>\n\n\n\n<li>Multiple instances<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">svchost.exe<\/span><\/h2>\n\n\n\n<p>Service Host is a child process which hosts running services. As mentioned previously it is a child process to services.exe<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"385\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-79.png\" alt=\"\" class=\"wp-image-256\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-79.png 759w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-79-300x152.png 300w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><\/figure>\n\n\n\n<p>As this is not a unique process and can be launched at any time the PID number varies significantly.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"445\" height=\"576\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-80.png\" alt=\"\" class=\"wp-image-257\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-80.png 445w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-80-232x300.png 232w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-80-300x388.png 300w\" sizes=\"(max-width: 445px) 100vw, 445px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Parent process which isn&#8217;t &#8220;wininit.exe&#8221;<\/li>\n\n\n\n<li>A imagine path which differs from C:\\Windows\\System32<\/li>\n\n\n\n<li>The absence of the -K parameter<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">lsass.exe<\/span><\/h2>\n\n\n\n<p>Local Security Authority Subsystem Service (LSASS) is a Windows Process that enforces security policy on the machine. It handles a wide variety of security related Windows services including logon verification, password changes, access tokens. Actions made with involvement of LSASS are recorded to the Windows Security log. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"388\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-82-1024x388.png\" alt=\"\" class=\"wp-image-260\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-82-1024x388.png 1024w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-82-300x114.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-82-768x291.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-82-1536x582.png 1536w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-82-850x322.png 850w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-82.png 1572w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>LSASS additionally creates security tokens for SAM, AD and NETLOGON. It utilises authentication packages in <strong>HKLM\\System\\CurrentControlSet\\Control\\Lsa<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"577\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-83.png\" alt=\"\" class=\"wp-image-261\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-83.png 450w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-83-234x300.png 234w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-83-300x385.png 300w\" sizes=\"(max-width: 450px) 100vw, 450px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Parent process which isn&#8217;t &#8220;wininit.exe&#8221;<\/li>\n\n\n\n<li>A imagine path which differs from C:\\Windows\\System32<\/li>\n\n\n\n<li>Multiple running instances<\/li>\n\n\n\n<li>Not running as user &#8216;system&#8217;<\/li>\n<\/ol>\n\n\n\n<p>This is a common target for attackers. <a href=\"https:\/\/yungchou.wordpress.com\/2016\/03\/14\/an-introduction-of-windows-10-credential-guard\/\" title=\"\">More reading on this can be found here. <\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">winlogon.exe<\/span><\/h2>\n\n\n\n<p>Windows Logon is a service which handles the Secure Attention Sequence (SAS). This is a system that handles a number of functions and is accessed via CTRL + ALT + DELETE. <\/p>\n\n\n\n<p>While we typically use this to lock a screen it can also execute task manager, change a password, perform shutdowns and log users out. <\/p>\n\n\n\n<p>This function is used by NT and protects against Trojan Horse applications as the SAS is incapable of executing any other programmes meaning the hotkey will remain uncorrupted. It also provides protection against logon scripts which limits access to the OS. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"449\" height=\"576\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-84.png\" alt=\"\" class=\"wp-image-262\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-84.png 449w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-84-234x300.png 234w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-84-300x385.png 300w\" sizes=\"(max-width: 449px) 100vw, 449px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A missing parent process of any sort<\/li>\n\n\n\n<li>A imagine path which differs from C:\\Windows\\System32<\/li>\n\n\n\n<li>Multiple running instances<\/li>\n\n\n\n<li>Not running as user &#8216;system&#8217;<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">explorer.exe<\/span><\/h2>\n\n\n\n<p>Along with services Windows Explorer is likely the most well known of what we&#8217;ve covered in this article. Responsible for providing the end user with a navigation UI to access files and folders it&#8217;s an essential function for the majority of users. <\/p>\n\n\n\n<p>This process also handles other graphical functions such as the start and task bars. The parent of Windows Explorer is executed by the ephemeral process userinit.exe.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"448\" height=\"575\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-85.png\" alt=\"\" class=\"wp-image-263\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-85.png 448w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-85-234x300.png 234w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-85-300x385.png 300w\" sizes=\"(max-width: 448px) 100vw, 448px\" \/><\/figure>\n\n\n\n<p>Steps for detecting malicious versions includes<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>If a parent process is there. This is executed by userinit which exits after. <\/li>\n\n\n\n<li>A imagine path which differs from C:\\Windows\\System32<\/li>\n\n\n\n<li>Multiple running instances<\/li>\n\n\n\n<li>Running as an unknown user<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<p>Additional reading referenced for this post:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Windows_Console\">https:\/\/en.wikipedia.org\/wiki\/Windows_Console<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/gettingstarted\/user-mode-and-kernel-mode\">https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/gettingstarted\/user-mode-and-kernel-mode<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/medium.com\/chingu\/an-introduction-to-environment-variables-and-how-to-use-them-f602f66d15fa#:~:text=An%20environment%20variable%20is%20a,at%20a%20point%20in%20time.\">https:\/\/medium.com\/chingu\/an-introduction-to-environment-variables-and-how-to-use-them-f602f66d15fa#:~:text=An%20environment%20variable%20is%20a,at%20a%20point%20in%20time.<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Architecture_of_Windows_NT\">https:\/\/en.wikipedia.org\/wiki\/Architecture_of_Windows_NT<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/nasbench.medium.com\/windows-system-processes-an-overview-for-blue-teams-42fa7a617920\">https:\/\/nasbench.medium.com\/windows-system-processes-an-overview-for-blue-teams-42fa7a617920<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.techtarget.com\/searchenterprisedesktop\/definition\/Security-Accounts-Manager#:~:text=The%20Security%20Accounts%20Manager%20(SAM)%20is%20a%20database%20file%20in,case%20the%20system%20is%20stolen.\">https:\/\/www.techtarget.com\/searchenterprisedesktop\/definition\/Security-Accounts-Manager#:~:text=The%20Security%20Accounts%20Manager%20(SAM)%20is%20a%20database%20file%20in,case%20the%20system%20is%20stolen.<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/networkencyclopedia.com\/secure-attention-sequence-sas\/\">https:\/\/networkencyclopedia.com\/secure-attention-sequence-sas\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.threathunting.se\/tag\/windows-process\/\">https:\/\/www.threathunting.se\/tag\/windows-process\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sans.org\/security-resources\/posters\/hunt-evil\/165\/download\">https:\/\/www.sans.org\/security-resources\/posters\/hunt-evil\/165\/download<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/resources\/windows-internals\">https:\/\/docs.microsoft.com\/en-us\/sysinternals\/resources\/windows-internals<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m currently learning the &#8216;Core Windows Processes&#8217; module on TryHackMe and a topic which stuck out to me is the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[7,2,6,3],"tags":[],"class_list":["post-247","post","type-post","status-publish","format-standard","hentry","category-knowledge","category-learning","category-practice","category-tryhackme"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=247"}],"version-history":[{"count":1,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/247\/revisions"}],"predecessor-version":[{"id":264,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/247\/revisions\/264"}],"wp:attachment":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}