Module 1: ES1 — Endpoint Architecture and OS Internals

Free tier

Endpoint Architecture and OS Internals

Every endpoint security control exists to defend something specific at the operating system level. ASR rules block certain process behaviors. Credential Guard isolates specific memory regions. Sysmon hooks particular kernel functions. If you do not understand what these controls defend at the OS level, you cannot make informed decisions about which to deploy, how to tune them, or what to do when they fail.

This module takes you inside the operating system — Windows, Linux, and macOS — from a security practitioner’s perspective. It is not the developer’s view of how to build software on these platforms; it is the defender’s view of what attackers target: processes and tokens, LSASS credential storage, the registry as a persistence surface, ETW as the foundation of EDR telemetry, the Linux kernel and eBPF, and macOS security architecture. For each OS component, you will understand the attack technique it enables, the defensive control that protects it, and the detection opportunity it creates.

What you will learn

  • How the Windows process model works and what attackers abuse: process injection, token manipulation, handle duplication
  • Why LSASS is the most targeted process on Windows and how Credential Guard, PPL, and RunAsPPL defend it
  • How the Windows registry serves as a persistence and attack surface
  • Why ETW matters for EDR telemetry and what happens when attackers tamper with it
  • The Windows security subsystem architecture from authentication to Kerberos ticket
  • Linux kernel security: namespaces, cgroups, and eBPF as the foundation for modern monitoring
  • Linux authentication and privilege escalation paths: PAM, sudo, capabilities, SUID
  • macOS security architecture: TCC, Gatekeeper, SIP, and the endpoint security framework
  • The mapping from OS internals to ATT&CK techniques to defensive controls

Subsections

  • ES1.1 Windows Process Model for Security Practitioners
  • ES1.2 LSASS and Credential Storage
  • ES1.3 Windows Registry as an Attack Surface
  • ES1.4 Event Tracing for Windows (ETW)
  • ES1.5 Windows Security Subsystem Architecture
  • ES1.6 Linux Kernel and eBPF for Security
  • ES1.7 Linux Authentication and Privilege Model
  • ES1.8 macOS Security Architecture
  • ES1.9 What Attackers Actually Target
  • ES1.10 From Internals to Controls
  • ES1.11 Interactive Lab: OS Internals Exploration
  • ES1.12 Module Summary
  • ES1.13 Check My Knowledge

Sections in this module