Interview Prep

OSI Model

5 Main Registry Hives

Security Operation Model (SOC Lifecycle)

  • Tier 1: Triage

  • Tier 2: Investigate

  • Tier 3: Hunt

MITRE ATT&CK Framework

Scheduled Task Protection & Mitigation

  • Configure the OS to force scheduled tasks to run only under the context of the authenticated user instead of a system account. This is done by editing a key under HKLM\SYSTEM. For organizations, this can be applied globally to all workstations through a GPO.

  • Set a GPO so that only administrators can create scheduled tasks.
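One way to check how well the two mitigations above are holding up on a given host is to enumerate scheduled tasks whose principal is a system account. The script below is an added example for these notes, not something from the original page or from Microsoft; it uses the built-in ScheduledTasks module (Get-ScheduledTask) and the account-name pattern and the optional -IncludeMicrosoft switch are my own choices.

```powershell
# Added example (not from the original notes): list scheduled tasks that run as
# SYSTEM / LOCAL SERVICE / NETWORK SERVICE so they can be reviewed against the
# "run as the authenticated user, not a system account" mitigation.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

# Principals that count as "system accounts" for this audit (assumed list).
$systemPrincipalPattern = '^(NT AUTHORITY\\)?(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$|^S-1-5-(18|19|20)$'

function Get-SystemContextTask {
    param(
        # Built-in tasks under \Microsoft\ are mostly expected to run as SYSTEM;
        # hide them by default so third-party and ad hoc tasks stand out.
        [switch]$IncludeMicrosoft
    )

    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -and ($_.Principal.UserId -match $systemPrincipalPattern)
    } | Where-Object {
        $IncludeMicrosoft -or ($_.TaskPath -notlike '\Microsoft\*')
    } | ForEach-Object {
        # Flatten each action into "executable arguments" so the review output
        # shows what would actually run, not just the task name.
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [PSCustomObject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            UserId   = $_.Principal.UserId
            RunLevel = $_.Principal.RunLevel
            State    = $_.State
            Author   = $_.Author
            Actions  = $actions
        }
    }
}

# Usage: review non-Microsoft tasks running in a system context.
Get-SystemContextTask | Sort-Object TaskPath, TaskName | Format-Table -AutoSize

# Usage: full list, including Microsoft's own tasks, exported for a baseline.
# Get-SystemContextTask -IncludeMicrosoft | Export-Csv -NoTypeInformation .\system-tasks-baseline.csv
```

Running this as a non-administrator only returns the tasks that account can read, so the audit should be run elevated. The Author and Actions columns are the useful ones for triage: a SYSTEM task whose action points at a user-writable path, or whose author is an ordinary user account, is exactly what the GPO restriction above is meant to prevent.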

Registry Run Keys Protection & Mitigation

An adversary's goal with registry run keys is to quickly establish permissions and persistence on a system. By adding an entry under a registry Run key (or placing a program in the Startup folder), the referenced program launches every time an authenticated user logs in.

Note: There are startup folders for both local and system-level accounts.
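To make the Run key and Startup folder persistence points concrete, the script below enumerates both the per-user and machine-wide locations and flags entries that commonly deserve a second look. It is an added example for these notes, not code from the original page; the list of registry paths and the "suspicious" heuristics (user-writable directories, script interpreters) are my own assumptions and will need tuning to an environment's baseline.

```powershell
# Added example (not from the original notes): audit registry Run/RunOnce keys
# and the user and all-users Startup folders, flagging entries worth reviewing.

# Run keys for the machine (HKLM, including the 32-bit view) and the current user (HKCU).
$runKeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders: the current user's and the all-users (system-level) one.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Provider metadata that Get-ItemProperty adds; these are not real values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Assumed heuristics: launch commands from user-writable locations or via a
# script interpreter are not proof of anything, but they are where to look first.
$suspiciousPattern = '(?i)\\(Temp|AppData|Users\\Public|ProgramData|Downloads)\\|(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b'

function Test-SuspiciousCommand {
    param([string]$Command)
    return [bool]($Command -match $suspiciousPattern)
}

function Get-AutostartEntry {
    foreach ($path in $runKeyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [PSCustomObject]@{
                Source     = $path
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = Test-SuspiciousCommand ([string]$p.Value)
            }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [PSCustomObject]@{
                Source     = $folder
                Name       = $_.Name
                Command    = $_.FullName
                Suspicious = Test-SuspiciousCommand $_.FullName
            }
        }
    }
}

# Usage: show everything, flagged entries first.
Get-AutostartEntry | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

# Usage: only the flagged entries, for a quick triage view.
# Get-AutostartEntry | Where-Object Suspicious | Format-List
```

HKCU only reflects the account running the script; to cover other users' Run keys and Startup folders on a shared host, the HKEY_USERS hive and each profile under C:\Users have to be walked as well, which is why an endpoint agent or a baseline comparison (diffing this output against a known-good export) is more practical than eyeballing the list.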
