This folder is the root folder (highest directory) by default on the majority of Windows machines.
What is C:\ ?
When working with a file or directory whose name contains a space, e.g. the directory My Documents, what would you surround the text with?
What are quotes? ""
"My Documents"
This process is often targeted by malware as a means of dumping passwords.
LSASS.exe (Local Security Authority)
Discretionary Access Control Lists (DACLs) control access to files and objects.
These are the four file permissions in precedence order (highest on top).
What are:
Explicit Deny
Explicit Allow
Inherited Deny
Inherited Allow?
An attacker will be very familiar with the directory structure and know where interesting files are kept. For example, this location is where a user's browser cache is kept.
What is NTUSER.DAT (registry database)?
This type of file helps automate frequently used commands in the command line.
What is a batch (.bat)?
This process is the first user mode process with a parent process of System. Only one should be running at a time in session 0.
What is smss.exe (Session Manager)?
This is the requisite file permission for an SSH key.
Mandatory Integrity Controls (MIC) prevent processes with one trust level from modifying those of another trust level. Example: browser (low trust) can't modify operating system files (high trust).
Operating system services have what integrity level?
What is SYSTEM?
If the directory you are trying to remove contains any files or directories, you'll receive an error. To prevent this error, use this option.
/s
Example: rmdir /s secretstuff
This process is often targeted by malware, which frequently injects into it. One indication of this is the process connecting out to the internet.
If a user is a member of two groups, one of which has explicit "ALLOW Read & Execute" on a file and the other has explicit "DENY Read & Execute", the user will/will not be able to read the file.
What is no?
Both permissions are explicit and the Deny has precedence.
By default, users have this Integrity Level.
What is Medium?
Caveat: because it's Windows, the operating system will drop the user to Low Integrity when the user does things like browsing the web or reading email.
The operating system and some applications such as Internet Explorer also create a "LOW" directory to make files available to the user when their integrity level is demoted.
To view the contents of a file, most versions of the command line use this command.
What is edit?
For 64-bit versions of Windows that do not support this command, you can use the start command (e.g., type start notepad hijackthis.log) to open the file in Notepad.
This process could have a child process of LogonUI if smartcard, etc. are used to authenticate.
LogonUI will terminate once the user enters their password. Once the password is entered, the verification is sent over to LSASS, which verifies it via Active Directory or the SAM (the SAM registry hive), which stores local user and group information.
What is WINLOGON.EXE — Windows Logon Process?
If a user is a member of two groups, one of which has inherited "ALLOW Read & Execute" on a file and the other has explicit "DENY Read & Execute", the user will/will not be able to read the file.
What is no?
The explicit Deny is more specific and has a greater priority.
This feature for storing metadata, originally introduced to the Windows file system to support Apple, gives an attacker the ability to inject/add file data into existing files without affecting their functionality, size, or display in utilities like Windows Explorer or even "dir" on the command line.
What are Alternate Data Streams (ADS)?
In Windows, these three file types are executable files.
Hint: one has already been mentioned in this category.
Executables (.exe), Batch (.bat) and .com
For SVCHOST.exe, a legitimate username should be one of these three options.
NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE
Often, when malware uses the real svchost.exe to load its malicious service, it will not include the -k command-line parameter and will be running under a username that does not match one of these three.
If a user is a member of two groups, one of which has explicit "ALLOW Read & Execute" on a file and the other has inherited "DENY Read & Execute", the user will/will not be able to read the file.
What is YES?
Usually a Deny will take precedence over an Allow; however, as the Deny is inherited, the explicit Allow will take precedence. This is the only case where a Deny will be overridden by an Allow.