Module 3: OS Internals for Defenders
Know what normal looks like — so you can spot what isn't.
Lessons
Windows Process Architecture
Process tree hierarchy, critical system processes, spotting suspicious parent-child relationships
Windows File System & Registry
NTFS fundamentals, MFT, timestamps, registry hive structure, key locations attackers target
Windows Event Log Architecture
Event channels, providers, critical Event IDs, Sysmon event types, log gaps
Windows Authentication & Credential Storage
NTLM vs Kerberos, SAM, LSASS, credential caching, how attackers steal credentials
Windows Services, Tasks & Persistence
Services architecture, scheduled tasks, common persistence locations, ATT&CK mapping
Linux Internals for Defenders
Process model, file system, authentication, logging, persistence mechanisms
Labs
Lab OS.1 — Windows Process Baseline
Use Velociraptor to enumerate running processes on a Windows endpoint, build a baseline of legitimate system processes, and identify a planted C2 beacon masquerading as svchost.exe (a legitimate svchost.exe runs from %SystemRoot%\System32, is started by services.exe, and carries a -k service-group argument; the planted copy breaks at least one of these).
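As an added illustration of the parent-child and path checks the lab asks for (this is not course material or Velociraptor VQL; it is a stand-alone Python script run over a constructed process list that mimics a Velociraptor pslist export), the script below encodes the expected parent for the core Windows processes and flags any process that violates it, runs from outside System32, or is an svchost.exe with no -k argument. The process table and PIDs are constructed sample data.

```python
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"

# Expected parent process name for the core Windows processes (well-known values).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    exe: str
    cmdline: str


def _dir_of(path: str) -> str:
    """Directory part of a Windows path, lower-cased (works on any host OS)."""
    return path.lower().rsplit("\\", 1)[0]


def find_anomalies(procs):
    """Return (pid, reason) tuples for core processes that deviate from the baseline."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue
        parent = by_pid.get(p.ppid)
        # parent is None is not a finding by itself: csrss/wininit/winlogon are
        # routinely orphaned because the smss.exe instance that launched them exits.
        if parent is not None and parent.name.lower() not in EXPECTED_PARENT[name]:
            findings.append((p.pid, f"{name} started by {parent.name}, expected {sorted(EXPECTED_PARENT[name])}"))
        if _dir_of(p.exe) != SYSTEM32:
            findings.append((p.pid, f"{name} running from {p.exe}"))
        if name == "svchost.exe" and " -k " not in f" {p.cmdline.lower()} ":
            findings.append((p.pid, "svchost.exe without a -k service-group argument"))
    return findings


# Constructed sample process list: a normal boot chain plus one planted svchost.exe (pid 4120).
SAMPLE = [
    Proc(4, 0, "System", "", ""),
    Proc(368, 4, "smss.exe", r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(452, 368, "csrss.exe", r"C:\Windows\System32\csrss.exe", "csrss.exe ObjectDirectory=\\Windows"),
    Proc(540, 532, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe"),  # ppid 532: exited smss
    Proc(624, 540, "services.exe", r"C:\Windows\System32\services.exe", "C:\\Windows\\system32\\services.exe"),
    Proc(632, 540, "lsass.exe", r"C:\Windows\System32\lsass.exe", "C:\\Windows\\system32\\lsass.exe"),
    Proc(800, 624, "svchost.exe", r"C:\Windows\System32\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"),
    Proc(3980, 3940, "explorer.exe", r"C:\Windows\explorer.exe", "C:\\Windows\\Explorer.EXE"),
    Proc(4120, 3980, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for pid, reason in find_anomalies(SAMPLE):
        print(pid, reason)
```

Only the planted process trips the checks, and it trips all three; on a real host, expect a few legitimate exceptions (for example svchost.exe instances whose services.exe parent is recorded under a different PID after a restart), so treat a single failed check as a lead to verify with image hash and signer, not as a verdict.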
Lab OS.2 — Registry & File System Hunt
Hunt Windows registry keys and file system locations for persistence mechanisms using Velociraptor — including Run key entries, suspicious services, and a planted webshell.
Lab OS.3 — Event Log Deep Dive
Analyze Windows Event Logs using the Wazuh Dashboard — hunt critical Event IDs (4624 successful logon, 4625 failed logon, 4688 process creation, 7045 new service installed in the System log, 1102 audit log cleared), correlate across log channels, and build an Investigation Matrix mapping events to the multi-stage attack.
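As an added example of the correlation step (this is not course material or a Wazuh rule; it is a stand-alone Python script over a constructed set of events whose field names are simplified from the Windows ones), the script builds the Investigation Matrix keyed by Event ID and then chains the lab's IDs into a single attack sequence: a burst of 4625 failures for one account from one source, a 4624 network logon for the same account, and the 4688, 7045 and 1102 events that follow it within a time window. Usernames, IPs, paths and the service name are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, channel, eid, **fields):
    return {"time": datetime.fromisoformat(ts), "channel": channel, "id": eid, **fields}


# Constructed sample events (not from a real host): six failures then a success for
# svc_backup from one IP, followed by process creation, a new service and a log clear.
EVENTS = [
    *[ev(f"2024-05-01T09:00:0{i}", "Security", 4625, user="svc_backup", ip="10.10.20.5", logon_type="3")
      for i in range(1, 7)],
    ev("2024-05-01T09:00:09", "Security", 4625, user="bob", ip="10.10.30.7", logon_type="3"),
    ev("2024-05-01T09:00:40", "Security", 4624, user="svc_backup", ip="10.10.20.5", logon_type="3"),
    ev("2024-05-01T09:01:00", "Security", 4624, user="alice", ip="127.0.0.1", logon_type="2"),
    ev("2024-05-01T09:02:10", "Security", 4688, user="svc_backup",
       process=r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ev("2024-05-01T09:03:00", "System", 7045, user="svc_backup",
       service="WinUpdateHelper", image=r"C:\Windows\Temp\upd.exe"),
    ev("2024-05-01T09:05:00", "Security", 1102, user="svc_backup"),
]

STAGE = {4625: "failed logon", 4624: "successful logon", 4688: "process creation",
         7045: "service installed", 1102: "audit log cleared"}


def investigation_matrix(events):
    """Event ID -> chronological list of (time, channel, meaning, user)."""
    matrix = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        matrix[e["id"]].append((e["time"].isoformat(), e["channel"], STAGE[e["id"]], e.get("user")))
    return dict(matrix)


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Chain brute force -> network logon -> execution -> persistence -> log clear."""
    evs = sorted(events, key=lambda e: e["time"])
    failures = [e for e in evs if e["id"] == 4625]
    chains = []
    # Only network (3) and RDP (10) logons are candidates for a remote brute force.
    for logon in (e for e in evs if e["id"] == 4624 and e["logon_type"] in ("3", "10")):
        prior = [f for f in failures
                 if f["user"] == logon["user"] and f["ip"] == logon["ip"]
                 and timedelta(0) <= logon["time"] - f["time"] <= window]
        if len(prior) < threshold:
            continue
        chain = [("brute force",
                  f"{len(prior)} failed logons for {logon['user']} from {logon['ip']} "
                  f"before success at {logon['time']:%H:%M:%S}")]
        for e in evs:
            if not (timedelta(0) < e["time"] - logon["time"] <= window):
                continue
            if e["id"] == 4688 and e.get("user") == logon["user"]:
                chain.append(("execution", f"{e['process']} spawned by {e['parent']}"))
            elif e["id"] == 7045:
                chain.append(("persistence", f"service {e['service']} -> {e['image']}"))
            elif e["id"] == 1102:
                chain.append(("defense evasion", f"Security log cleared by {e.get('user')}"))
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for eid, rows in sorted(investigation_matrix(EVENTS).items()):
        print(eid, len(rows), STAGE[eid])
    for stage, detail in correlate(EVENTS)[0]:
        print(f"{stage:16} {detail}")
```

The 7045 event comes from the System channel while the rest are in Security, which is why the chain is keyed on time and account rather than on a single log; note also that a 1102 is itself the strongest signal in the sequence, because after it the Security log no longer contains the 4625/4624 evidence and the matrix has to be rebuilt from forwarded copies or from Sysmon.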
Lab OS.4 — Credential Theft Detection
Hunt for credential theft indicators on a compromised Windows endpoint using Velociraptor — LSASS dumps, SAM/SYSTEM registry exports, Mimikatz artifacts, and Pass-the-Hash evidence.
Lab OS.5 — Full Persistence Audit
Systematically audit all major Windows persistence mechanisms using Velociraptor — registry keys, scheduled tasks, services, WMI subscriptions, startup folders, and COM hijacking.
Lab OS.6 — Linux System Baseline
Baseline a Linux system using Velociraptor — auditing cron jobs, systemd services, SUID binaries, user accounts, SSH keys, and network connections to detect planted anomalies.