Module 3: OS Internals for Defenders
Know what normal looks like — so you can spot what isn't.
You'll investigate what the attacker left behind on WS-HR-01 — Sysmon process chains, persistence, and credential access.
Lessons & Labs
Lesson 3.1 — Windows Process Architecture
Process tree hierarchy, critical system processes, spotting suspicious parent-child relationships
Lab OS.1 — Windows Process Baseline
Use Wazuh with Sysmon Event ID 1 (Process Create) to analyze process creation telemetry from a Windows endpoint, build a baseline of legitimate system processes, and identify a planted C2 beacon masquerading as svchost.exe.
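As an added example (not code from the course or its labs), a small Python baseline check of the kind Lab OS.1 builds: it compares Sysmon Event ID 1 records against the expected image path and parent of svchost.exe and reports deviations. The sample records and the expected-values table are constructed assumptions, not telemetry from WS-HR-01.

```python
# Added example (not part of the course materials): baseline Sysmon Event ID 1
# records and flag svchost.exe processes that deviate from how Windows starts it.
# Field names follow Sysmon's EventData (Image, ParentImage, CommandLine); the
# records below are constructed sample data, not telemetry from WS-HR-01.
import ntpath

# Expected image path and parent for a legitimate svchost.exe (assumption:
# a stock Windows install, where services.exe is the only normal parent).
EXPECTED = {
    "svchost.exe": {"path": r"c:\windows\system32\svchost.exe",
                    "parents": {"services.exe"}},
}

SAMPLE_EVENTS = [  # constructed sample records
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"svchost.exe"},
]

def check_event(ev):
    """Return the deviations found in one Event ID 1 record (empty = looks normal)."""
    name = ntpath.basename(ev["Image"]).lower()
    rule = EXPECTED.get(name)
    if rule is None:          # only image names we have a baseline for
        return []
    findings = []
    if ev["Image"].lower() != rule["path"]:
        findings.append(f"unexpected image path: {ev['Image']}")
    parent = ntpath.basename(ev["ParentImage"]).lower()
    if parent not in rule["parents"]:
        findings.append(f"unexpected parent: {parent}")
    # Real svchost.exe instances are always launched with a -k service group.
    if name == "svchost.exe" and " -k " not in ev["CommandLine"].lower():
        findings.append("missing -k <service group> argument")
    return findings

def hunt(events):
    """Map the index of each suspicious event to its list of deviations."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}
```

Against a real Wazuh export, the same fields live under data.win.eventdata; the check itself does not change.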
Lesson 3.2 — Windows File System & Registry
NTFS fundamentals, MFT, timestamps, registry hive structure, key locations attackers target
Lab OS.2 — Registry & File System Hunt
Hunt for Windows registry and file system persistence using Sysmon events in the Wazuh Dashboard — query Event IDs 12/13/14/11 to find Run key entries, malicious services, and suspicious file drops.
Lesson 3.3 — Windows Event Log Architecture
Event channels, providers, critical Event IDs, Sysmon event types, log gaps
Lab OS.3 — Event Log Deep Dive
Analyze Windows Event Logs using the Wazuh Dashboard — hunt critical Event IDs (4624, 4625, 4688, 7045, 1102), correlate across log channels, and build an Investigation Matrix mapping events to the multi-stage attack.
Lesson 3.4 — Windows Authentication & Credential Storage
NTLM vs Kerberos, SAM, LSASS, credential caching, how attackers steal credentials
Lab OS.4 — Credential Theft Detection
Hunt for credential theft indicators on a compromised Windows endpoint using Velociraptor — LSASS dumps, SAM/SYSTEM registry exports, Mimikatz artifacts, and Pass-the-Hash evidence.
Lesson 3.5 — Windows Services, Tasks & Persistence
Services architecture, scheduled tasks, common persistence locations, ATT&CK mapping
Lab OS.5 — Full Persistence Audit
Hunt for all persistence mechanisms planted during Operation Shadow Broker across Windows and Linux hosts — services, registry Run keys, WMI subscriptions, scheduled tasks, and cron jobs.
Lesson 3.6 — Linux Internals for Defenders
Process model, file system, authentication, logging, persistence mechanisms
Lab OS.6 — Linux System Baseline
Baseline a Linux system using Velociraptor — audit cron jobs, systemd services, SUID binaries, user accounts, SSH keys, and network connections to detect planted anomalies.