Interview Prep

OSI Model

5 Main Registry Hives

HKEY_CLASSES_ROOT
HKEY_CURRENT_USER.
HKEY_LOCAL_MACHINE.
HKEY_USERS.
HKEY_CURRENT_CONFIG.

Security Operation Model (SOC Lifecycle)

Tier 1: Triage
Tier 2: Investigate
Tier 3: Hunt

MITRE ATT&CK Framework

Scheduled Task Protection & Mitigation

Configure OS to force scheduled tasks to only run under the authenticated users instead of system accounts. This is done by editing the HKLM/SYSTEM registry key. For orgs, this can be configured globally through the GPO for all workstations.
Set the GPO to only allow admins to schedule tasks.

Registry Run Keys Protection & Mitigation

An adversaries goal with registry run keys is to quickly establish permissions and persistence on a system. By adding a registry run key to the startup folder, the process will launch everytime an authenticated user logs in.

Note: There are startup folders for both local and system-level accounts.

PreviousTemplates & Cheat Sheets NextTools

Last updated 9 months ago