Hi everyone, this is a brief overview of what anyone on the blue team or a SOC analyst should know about the Microsoft Windows operating system for their job. It covers just the basics, nothing too technical or in depth. Let's get started.
A deep understanding of the Windows operating system's functionalities and features is crucial for effective defense. Attackers often target these systems, exploiting existing features to gain unauthorized access or steal sensitive information. During such security incidents, Security Operations Center (SOC) analysts need some familiarity with the operating system to interpret the threats and resolve the case efficiently.
Debuting in 1985, the Windows operating system has seen numerous iterations over the years. With each version, it has undergone consistent refinements, and its development continues to this day.
Windows Filesystems
A file system acts as an organizational framework for digital storage, managing and structuring files. Without this system, the operating system would be unable to interpret the data on the disk. It wouldn't be able to recognize and locate specific file groups stored on the disk.
FAT:
Pioneered in 1977, the File Allocation Table (FAT) file system became a staple for personal computers. Today, it's commonly found in USB flash drives and other embedded systems.
Microsoft's exFAT file system, launched in 2006, is optimized for flash memory in devices like USB drives and SD cards.
New Technology File System (NTFS), a more advanced system designed for modern technologies, replaced the FAT file system. NTFS also boasts compatibility with Linux and BSD systems, unlike FAT.
Directory Structure
Windows employs a hierarchical folder and file system, established during setup, to organize information on your computer.
PerfLogs
The PerfLogs folder is a system directory created by Windows to store performance logs. This information helps diagnose issues, analyze system behavior, and optimize performance.
ProgramData
The ProgramData folder in Windows acts like a central library for applications. It stores program settings, configurations, and other shared data that all users on the computer need to access, ensuring applications function smoothly for everyone who uses the system.
Program Files
The Program Files folder in Windows serves as the main storage location for installed programs and their associated files. This includes executable files (.exe), libraries, and other resources that applications need to function properly. Having a centralized location keeps your system organized and simplifies program management and updates.
The Program Files (x86) folder on Windows systems specifically stores programs designed for 32-bit architectures. This separation from the regular Program Files folder, which holds 64-bit programs, ensures compatibility and proper functioning of these 32-bit applications within a 64-bit Windows environment.
Users
The Users folder in Windows acts as a personal storage space for each user on the computer. It contains individual user accounts, including their Documents, Pictures, Desktop, and other folders, allowing them to organize and manage their own files and settings.
Command Prompt
The Windows command line, also known as Command Prompt (CMD), is a text-based interface that allows you to interact with your computer by typing commands. Unlike the graphical user interface (GUI) with icons and menus, CMD offers a more direct way to control your system, launch programs, automate tasks, and access advanced functionalities.
Here are some of the most basic commands a SOC analyst should know:
Dir
The dir command lists the contents of a directory. Its most common switches are:
/s: Displays files in subdirectories as well.
/a: Shows hidden files.
/w: Displays filenames in a wider, multi-column format.
cd
The cd command in Windows allows you to change directories.
cd ..: Moves up one directory level.
Ipconfig
The ipconfig command is a valuable tool for understanding your network configuration and identifying potential security risks. It displays all active network interfaces (Wi-Fi, Ethernet) on your computer. Attackers might exploit vulnerabilities in unused or misconfigured interfaces to gain access to your system.
/all: Displays all available information for each network adapter, including IP address, subnet mask, default gateway, DHCP server, and DNS servers.
Netstat
Netstat is a command-line tool in Windows used to monitor network activity. It displays information about active connections, listening ports, and data transfer on your computer. This information helps diagnose network issues, identify suspicious connections, and monitor potential security risks.
-a: Shows all connections, including listening and established connections.
-o: Displays the owning process ID associated with each connection.
-t: Lists only TCP connections, the most common type of network traffic.
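Reading netstat output by eye does not scale during an incident. The following parser is an added example, not code from the original post: it takes the table printed by netstat -ano (-n, not covered above, prints numeric addresses so the columns are parseable), and returns the established TCP sessions whose peer lies outside an assumed set of internal address ranges, together with the owning PID from -o. The sample output and the INTERNAL_NETS list are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Ranges treated as "internal" (an assumption; adjust to the real address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/8", "::/128", "::1/128", "fe80::/10")]

# Constructed sample of "netstat -ano" output (not captured from a real host).
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.1.20:49712     203.0.113.45:8443      ESTABLISHED     5120
  TCP    192.168.1.20:49720     192.168.1.10:445       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1432
"""

def split_endpoint(endpoint: str):
    """Split 'host:port' as netstat prints it; IPv6 hosts are bracketed, e.g. '[::]:445'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn the netstat table into one dict per connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        # UDP rows have no State column, so their PID is the fourth field.
        state, pid = (parts[3], parts[4]) if parts[0] == "TCP" else ("", parts[3])
        lhost, lport = split_endpoint(parts[1])
        rhost, rport = split_endpoint(parts[2])
        rows.append({"proto": parts[0], "local": lhost, "lport": lport,
                     "remote": rhost, "rport": rport, "state": state, "pid": pid})
    return rows

def is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # "*" wildcard on UDP rows: nothing to report
    return any(addr in net for net in INTERNAL_NETS)

def external_established(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Established TCP sessions whose peer is outside INTERNAL_NETS, with the owning PID."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and not is_internal(r["remote"])]
```

The returned PID is the pivot for the next step: look the process up (for example with tasklist) before deciding whether the session is expected.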
Tree
The tree command visually displays the directory structure of your drives in a hierarchical format. Imagine an upside-down tree, where the root directory is at the top, and branches extend downwards, representing subfolders within each directory, providing a clear overview of your entire folder organization.
Whoami
When investigating a security incident, SOC analysts might remotely connect to compromised systems. Running whoami quickly reveals the username of the account they are currently logged in as. This is crucial for understanding the level of access the attacker potentially possessed and determining appropriate remediation steps.
Net user
SOC analysts can use net user to list all user accounts on a system, including usernames, account types (administrator, user, etc.), and account status (active, disabled). This helps identify unauthorized accounts and inactive accounts that could be exploited.
Net accounts
net accounts provides information about system-wide password policies. This includes details like:
Minimum password length
Password complexity requirements
Number of allowed login attempts
Account lockout duration
Analyzing these settings helps SOC analysts identify a potential imbalance between security and user experience. They can recommend adjustments to make it more difficult for attackers to crack passwords while minimizing inconvenience for legitimate users.
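The policy review described above can be scripted so every host is judged against the same thresholds. This is an added example, not code from the original post: it parses the "Setting: value" lines that net accounts prints and reports the settings below a set of thresholds. Both the sample output and the threshold values are constructed assumptions for the example, not vendor guidance.

```python
from typing import Dict, List

# Constructed sample of "net accounts" output (not captured from a real host).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Thresholds are an assumption for this example, not a vendor recommendation.
MIN_LENGTH, MAX_LOCKOUT_THRESHOLD, MIN_LOCKOUT_MINUTES = 14, 10, 15

def parse_net_accounts(output: str) -> Dict[str, str]:
    """Map each 'Setting:   value' line to {setting: value}."""
    policy = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy[key.strip()] = value.strip()
    return policy

def check_policy(policy: Dict[str, str]) -> List[str]:
    """Return one finding per setting that falls below the assumed thresholds."""
    findings = []
    if int(policy.get("Minimum password length", "0")) < MIN_LENGTH:
        findings.append(f"minimum password length below {MIN_LENGTH}")
    # "Never" means lockout is disabled, i.e. unlimited failed login attempts.
    threshold = policy.get("Lockout threshold", "Never")
    if threshold == "Never":
        findings.append("account lockout disabled: unlimited login attempts")
    elif int(threshold) > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold above {MAX_LOCKOUT_THRESHOLD} attempts")
    if int(policy.get("Lockout duration (minutes)", "0")) < MIN_LOCKOUT_MINUTES:
        findings.append(f"lockout duration shorter than {MIN_LOCKOUT_MINUTES} minutes")
    return findings
```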
net localgroup
The net localgroup command empowers SOC analysts to investigate user privileges, identify suspicious group memberships, establish baselines, and perform limited group management tasks. This functionality plays a vital role in maintaining a secure system by ensuring appropriate access control and identifying potential security risks.
SOC analysts can use net localgroup to investigate unusual group memberships. For instance, a standard user account shouldn't be a member of the Administrators group. Identifying such discrepancies can be a red flag for potential privilege escalation attempts or compromised accounts added to powerful groups.
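The baseline idea from the two paragraphs above, as an added example that is not part of the original post: parse the member list printed by net localgroup Administrators and report anyone who is not in an approved baseline, so a standard user who has been added to the group stands out. The sample output and the BASELINE set are constructed for the example.

```python
from typing import List, Set

# Constructed sample of "net localgroup Administrators" output (not from a real host).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jsmith
The command completed successfully.
"""

# Assumed baseline of accounts that are allowed in the local Administrators group.
BASELINE = {"Administrator", "CORP\\Domain Admins"}

def parse_members(output: str) -> List[str]:
    """Return the member names listed under the dashed separator line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True      # everything after the separator is a member
            continue
        if not in_list or not line:
            continue
        if line.startswith("The command completed"):
            break               # trailer printed by net.exe, not a member
        members.append(line)
    return members

def unexpected_members(output: str, baseline: Set[str]) -> List[str]:
    """Members present on the host but absent from the baseline (names compared case-insensitively)."""
    allowed = {m.lower() for m in baseline}
    return [m for m in parse_members(output) if m.lower() not in allowed]
```

Run the same comparison in the other direction as well; a baseline account that has vanished from the group is worth a question too.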
lusrmgr.msc (open it from the Run dialog: Windows key + R)
Also known as the Local Users and Groups Management Console, lusrmgr.msc is a tool in Windows for managing user accounts and local groups. It allows you to view, create, modify, and delete user accounts and group memberships, providing granular control over user privileges and system access.
New users can be added through the "Actions" pane on the right.
Permissions Types
Strong permission controls limit user access to system resources and data. This makes it more difficult for attackers, even if they gain access to a user account, to steal sensitive information, modify critical settings, or install malware. By restricting unauthorized access, SOC analysts can significantly reduce the potential impact of a cyberattack.
Unusual attempts to access unauthorized resources can be a red flag for potential security incidents. SOC analysts can monitor permission changes and access attempts. Deviations from normal user behavior, such as a standard user trying to access administrative files, could indicate a compromised account or privilege escalation attempt.