Interview Prep
OSI Model

5 Main Registry Hives
Security Operation Model (SOC Lifecycle)
Tier 1: Triage
Tier 2: Investigate
Tier 3: Hunt

MITRE ATT&CK Framework
Scheduled Task Protection & Mitigation
Configure the OS to force scheduled tasks to run only under the context of the authenticated user instead of system accounts. This is done by editing the HKLM\SYSTEM registry key. For organizations, this can be configured globally through GPO for all workstations.
Set the GPO to allow only admins to schedule tasks.
Registry Run Keys Protection & Mitigation
An adversary's goal with registry run keys is to quickly establish permissions and persistence on a system. By adding an entry under a registry Run key (or to the startup folder), the referenced program launches every time an authenticated user logs in.
Note: There are startup folders (and Run keys) for both local user and system-level accounts.
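The following PowerShell script is an added example for these notes, not part of the original page: it audits the persistence locations discussed above from a defender's perspective. It enumerates the per-user (HKCU) and system-wide (HKLM) Run/RunOnce keys and both startup folders, flags entries that launch from user-writable locations (a common review heuristic), and reads the Lsa\SubmitControl value that the ATT&CK mitigation for scheduled tasks references. The SubmitControl value name and the GPO setting name quoted in the comments are taken from that mitigation as the author of this example recalls it and should be verified against the current ATT&CK entry; the user-writable path list is a constructed heuristic, not an authoritative rule.

```powershell
# Added example (not from the original notes): audit Run-key, startup-folder and
# scheduled-task persistence settings. Run in an elevated PowerShell session.

# --- Registry Run keys: HKLM = system-wide (all users), HKCU = current user only ---
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed heuristic: binaries launched from these user-writable roots deserve a closer look.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:PUBLIC", "$env:USERPROFILE\Downloads")

function Test-SuspiciousPath {
    param([string]$Command)
    foreach ($root in $suspiciousRoots) {
        if ($root -and $Command -like "*$root*") { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # PowerShell attaches PSPath/PSParentPath/etc. to registry objects; skip those.
        if ($p.Name -like 'PS*') { continue }
        $findings.Add([pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = Test-SuspiciousPath -Command ([string]$p.Value)
        })
    }
}

# --- Startup folders: 'Startup' is the current user's, 'CommonStartup' applies to all users ---
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Location   = $folder
            Name       = $_.Name
            Command    = $_.FullName
            Suspicious = Test-SuspiciousPath -Command $_.FullName
        })
    }
}

"== Autostart entries (review anything marked Suspicious) =="
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# --- Scheduled task mitigation check ---
# Assumption (from ATT&CK mitigation M1028 as recalled here): a non-zero SubmitControl value
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa allows server operators to schedule tasks.
# The matching GPO is "Domain Controller: Allow server operators to schedule tasks" (set to Disabled).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$submitControl = (Get-ItemProperty -Path $lsaKey -Name SubmitControl -ErrorAction SilentlyContinue).SubmitControl

"== Scheduled task hardening =="
if ($null -eq $submitControl -or $submitControl -eq 0) {
    "SubmitControl is absent or 0: task scheduling is restricted to administrators (expected)."
} else {
    "SubmitControl = $submitControl : non-admin operators may schedule tasks; review GPO setting."
}

# Tasks configured to run as SYSTEM are worth listing when confirming the
# "run as the authenticated user" policy is actually in effect.
Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq 'SYSTEM' } |
    Select-Object TaskPath, TaskName, @{n='RunAs';e={$_.Principal.UserId}} |
    Format-Table -AutoSize
```

Run the script on a workstation you are responsible for and compare its output against a known-good baseline; new Run-key entries pointing into Temp or AppData, or SYSTEM-level tasks that no administrator created, are the items a Tier 1 analyst would escalate for investigation.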