ES1.11 Interactive Lab: OS Internals Exploration

· Module 1 · Free
Interactive Lab
This lab applies the OS internals knowledge from this module to a practical examination of a Windows endpoint's security-relevant configuration. You will examine process tokens, registry persistence locations, ETW provider status, and LSASS protection configuration on a system, then map your findings to attack techniques and defensive controls.
Deliverable: A completed OS internals security assessment for a Windows endpoint, with findings mapped to attack techniques and recommended defensive controls.
Estimated completion: 20 minutes
[Lab workflow diagram: OS internals security assessment. 1. Process analysis: tokens + parent chains. 2. Registry persistence: Run keys + services + IFEO. 3. LSASS protection: ASR + PPL + Credential Guard. 4. Map to controls: findings → recommendations.]

Figure ES1.11 — Lab workflow: examine process security context, audit registry persistence locations, check LSASS protection status, and map findings to defensive controls.

Lab exercises

Exercise 1: Process token and parent chain analysis

Examine the security context of running processes on a Windows endpoint. Use the commands from ES1.1:

# Process parent-child chains
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Sort-Object ParentProcessId | Format-Table -AutoSize

# Integrity level of the current shell's own token: read the "Mandatory Label" row (Medium = standard user, High = elevated).
# whoami reports only the token of the process it runs in, not the tokens of other processes.
whoami /groups /fo table

Assessment questions: Are there any processes with unexpected parent-child relationships? (e.g., Office spawning script interpreters, svchost spawning command interpreters). Are there processes running as SYSTEM that seem unusual? Document any anomalous findings.
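The following is an added example for Exercise 1 and is not part of the original lab page. It extends the two commands above by resolving each process's full ancestry and owner and by flagging parent/child pairs that are unusual on a workstation (Office applications or svchost.exe spawning interpreters, any child of lsass.exe). The $Unexpected table is an illustrative assumption, not an exhaustive detection rule, and the PID-reuse check is there because Win32_Process only records a parent PID, which may already belong to a different process.

```powershell
# Added example (not from the course page): parent-chain and owner analysis over Win32_Process.
# The $Unexpected pairings below are an assumption for illustration; tune them to your estate.
$Unexpected = @{
    # Office applications launching script or command interpreters
    'winword.exe' = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe')
    'excel.exe'   = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe')
    'outlook.exe' = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe')
    # A service host spawning an interactive shell is unusual
    'svchost.exe' = @('cmd.exe','powershell.exe','pwsh.exe')
    # LSASS never spawns children; treat any child as suspect
    'lsass.exe'   = @('*')
}

# Keep the CimInstance objects (no Select-Object) so GetOwner can still be invoked on them
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    # Walk ParentProcessId upwards, stopping on cycles, exited parents or MaxDepth
    param([int]$ProcessId, [int]$MaxDepth = 10)
    $chain = @(); $seen = @{}
    $cur = $byPid[$ProcessId]
    while ($cur -and $chain.Count -lt $MaxDepth -and -not $seen[[int]$cur.ProcessId]) {
        $seen[[int]$cur.ProcessId] = $true
        $chain = ,("{0}({1})" -f $cur.Name, $cur.ProcessId) + $chain
        $cur = $byPid[[int]$cur.ParentProcessId]
    }
    return ($chain -join ' > ')
}

function Get-ProcessOwner {
    # GetOwner fails (non-zero ReturnValue or error) for protected processes when not elevated
    param($Process)
    $o = Invoke-CimMethod -InputObject $Process -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unavailable>' }
}

$report = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $flags  = @()
    if ($parent) {
        $pName = $parent.Name.ToLower(); $cName = $p.Name.ToLower()
        if ($Unexpected.ContainsKey($pName) -and
            ($Unexpected[$pName] -contains '*' -or $Unexpected[$pName] -contains $cName)) {
            $flags += 'UnexpectedParent'
        }
        # PID reuse: if the recorded parent started after the child, the true parent has
        # exited and its PID was recycled, so this link in the chain cannot be trusted
        if ($parent.CreationDate -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate) {
            $flags += 'ParentPidReused'
        }
    } elseif ($p.ProcessId -ne 0 -and $p.ParentProcessId -ne 0) {
        $flags += 'ParentExited'   # orphaned process; ancestry is lost
    }
    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Name        = $p.Name
        Owner       = Get-ProcessOwner $p
        Parent      = if ($parent) { $parent.Name } else { '<none>' }
        Flags       = ($flags -join ',')
        Chain       = Get-ParentChain -ProcessId $p.ProcessId
        CommandLine = $p.CommandLine
    }
}

# Flagged processes first; then review SYSTEM-owned processes with unfamiliar names by hand
$report | Where-Object Flags | Format-Table ProcessId, Name, Owner, Parent, Flags, Chain -AutoSize
$report | Where-Object { $_.Owner -eq 'NT AUTHORITY\SYSTEM' } | Sort-Object Name |
    Format-Table ProcessId, Name, Parent, CommandLine -AutoSize
```

Run it from an elevated prompt if you want owners for protected and other-session processes; without elevation many rows show <unavailable>. A ParentPidReused flag means the chain shown is wrong, not that the process is malicious; a ParentExited flag is normal for services and for anything launched by a short-lived installer or script.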

Exercise 2: Registry persistence audit

Check the most common persistence locations using the commands from ES1.3:

# User and machine Run keys
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue

# Unexpected services. This is a coarse first pass: it drops any ImagePath containing the listed words,
# so a malicious path that happens to contain "windows" or "program files" is dropped too.
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" -ErrorAction SilentlyContinue | Where-Object { $_.ImagePath -and $_.ImagePath -notmatch "system32|syswow64|windows|program files" } | Select-Object PSChildName, ImagePath, Start

# IFEO debugger entries (a Debugger value under an image name runs that debugger instead of the image)
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -ErrorAction SilentlyContinue | ForEach-Object { Get-ItemProperty $_.PSPath -Name "Debugger" -ErrorAction SilentlyContinue } | Where-Object { $_.Debugger }

Assessment questions: How many entries are in the Run keys? Are all entries legitimate applications? Do any services have ImagePath values pointing to unusual locations? Are there any IFEO Debugger entries?
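The following is an added example for Exercise 2 and is not part of the original lab page. Answering "are all entries legitimate?" needs more than the raw command strings, so this script enriches each Run, RunOnce and IFEO Debugger entry with the executable resolved from the command (mimicking how CreateProcess parses an unquoted path), whether that file exists, its Authenticode status and signer, and the containing key's last-write time. Registry values carry no timestamp of their own, only keys do, so the key timestamp (read through RegQueryInfoKey, which PowerShell does not expose natively) is the closest available indicator of when an entry was written. The Lab.RegNative type name is an assumption for this example.

```powershell
# Added example (not from the course page): evidence-enriched audit of Run/RunOnce keys and IFEO.
# Run as the user whose HKCU should be audited; HKLM Wow6432Node views are not covered here.
if (-not ('Lab.RegNative' -as [type])) {
    Add-Type -Namespace Lab -Name RegNative -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen, IntPtr lpcValues,
    IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen, IntPtr lpcbSecurityDescriptor,
    out long lpftLastWriteTime);
'@
}

function Get-RegKeyLastWrite {
    # Key last-write time as UTC DateTime; $null if the query fails
    param([Microsoft.Win32.RegistryKey]$Key)
    $ft = 0L; $z = [IntPtr]::Zero
    $rc = [Lab.RegNative]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), $z,$z,$z,$z,$z,$z,$z,$z,$z,$z, [ref]$ft)
    if ($rc -eq 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
}

function Resolve-ImagePath {
    # Quoted path wins; otherwise try successively longer space-delimited prefixes, as CreateProcess does
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        if (Test-Path -LiteralPath "$candidate.exe" -PathType Leaf) { return "$candidate.exe" }
    }
    # Bare image name (e.g. rundll32.exe) resolves through PATH
    $found = Get-Command $parts[0] -ErrorAction SilentlyContinue
    if ($found -and $found.Source) { return $found.Source }
    return $parts[0]
}

function Get-EntryEvidence {
    param([string]$Location, [string]$Name, [string]$Command, $KeyLastWrite)
    $path   = Resolve-ImagePath $Command
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Location     = $Location
        Name         = $Name
        Command      = $Command
        ResolvedPath = $path
        Exists       = $exists
        Signature    = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        KeyLastWrite = $KeyLastWrite
    }
}

$runKeys = @(
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
)

$results = @(foreach ($rk in $runKeys) {
    $key = $rk.Hive.OpenSubKey($rk.Path)
    if (-not $key) { continue }
    $lw  = Get-RegKeyLastWrite $key
    $loc = "$($rk.Hive.Name)\$($rk.Path)"
    foreach ($name in $key.GetValueNames()) {
        Get-EntryEvidence -Location $loc -Name $name -Command ([string]$key.GetValue($name)) -KeyLastWrite $lw
    }
    $key.Close()
})

# IFEO: each subkey is an image name; a Debugger value redirects that image's launch
$ifeo = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options')
if ($ifeo) {
    $results += @(foreach ($sub in $ifeo.GetSubKeyNames()) {
        try { $k = $ifeo.OpenSubKey($sub) } catch { continue }
        if (-not $k) { continue }
        $dbg = $k.GetValue('Debugger')
        if ($dbg) { Get-EntryEvidence -Location "HKLM IFEO\$sub" -Name 'Debugger' -Command ([string]$dbg) -KeyLastWrite (Get-RegKeyLastWrite $k) }
        $k.Close()
    })
}

$results | Sort-Object KeyLastWrite -Descending |
    Format-Table Location, Name, ResolvedPath, Exists, Signature, Signer, KeyLastWrite -AutoSize
```

Read the output top-down: the most recently written keys come first. An entry whose file no longer exists, whose signature is NotSigned or HashMismatch, or whose resolved path sits under a user-writable directory (AppData, ProgramData, Temp) is the one to pull for further analysis. A Valid signature is evidence of origin, not of intent; still check whether the signer is one you expect on that endpoint.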

Exercise 3: LSASS protection assessment

Check the current LSASS protection configuration using the commands from ES1.2:

# RunAsPPL: no output means the value is absent (LSA protection off); 1 = enabled; 2 = enabled with UEFI lock (Windows 11)
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -ErrorAction SilentlyContinue).RunAsPPL

# Credential Guard: SecurityServicesRunning lists the running VBS services; 1 = Credential Guard, 2 = HVCI; empty means neither is running
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue).SecurityServicesRunning

# LSASS ASR rule ("Block credential stealing from the Windows local security authority subsystem"); action 0 = off, 1 = block, 2 = audit, 6 = warn.
# Rule IDs are lower-cased before the lookup because [array]::IndexOf is case-sensitive and IDs are stored as the administrator typed them.
$asr = Get-MpPreference; $ids = @($asr.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() }); $idx = [array]::IndexOf($ids, "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"); if($idx -ge 0){$asr.AttackSurfaceReductionRules_Actions[$idx]}else{"Not configured"}

Assessment questions: Is RunAsPPL enabled? Is Credential Guard running? What is the LSASS ASR rule state (not configured, audit, block)? For each “not configured” result, identify the module in this course that addresses the gap.

Exercise 4: Map findings to defensive controls

For each finding from Exercises 1-3, complete the mapping:

Finding → OS Internal → ATT&CK Technique → Recommended Control → Course Module

Example: “RunAsPPL not enabled → LSASS process unprotected → T1003.001 LSASS Memory → Enable RunAsPPL + ASR LSASS rule → ES4 (ASR) + ES11 (hardening)”
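The following is an added example for Exercises 3 and 4 and is not part of the original lab page. It re-runs the three Exercise 3 checks, interprets the raw values (RunAsPPL 0/1/2, Credential Guard as service id 1 in SecurityServicesRunning, ASR action 0/1/2/6), and emits every gap as a finding in the Exercise 4 mapping format. The ATT&CK technique and the ES4/ES11 module references are the ones given on this page; the Module field is left blank where the page names none. Get-MpPreference requires Microsoft Defender to be present.

```powershell
# Added example (not from the course page): LSASS protection state to mapped findings.
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Block credential stealing from LSASS

function Get-LsassProtectionState {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ppl = [int]$lsa.RunAsPPL        # 0 or missing = off, 1 = on, 2 = on with UEFI lock

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $cg = [bool](@($dg.SecurityServicesRunning) -contains 1)   # 1 = Credential Guard, 2 = HVCI

    $asr  = 'NotConfigured'
    $mp   = Get-MpPreference -ErrorAction SilentlyContinue
    $ids  = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts = @($mp.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Ids and Actions are parallel arrays; compare case-insensitively
        if ($ids[$i] -ieq $LsassAsrRuleId) {
            $asr = switch ([int]$acts[$i]) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {"Unknown($_)"} }
        }
    }
    [pscustomobject]@{ RunAsPPL = $ppl; CredentialGuardRunning = $cg; LsassAsrRule = $asr }
}

function ConvertTo-Findings {
    # One finding per gap: Finding -> OS internal -> ATT&CK technique -> control -> course module
    param([Parameter(Mandatory)]$State)
    $f = @()
    if ($State.RunAsPPL -eq 0) {
        $f += [pscustomobject]@{
            Finding    = 'RunAsPPL not enabled'
            OSInternal = 'LSASS is not a protected process (PPL); a process holding SeDebugPrivilege can open it and read its memory'
            Technique  = 'T1003.001 OS Credential Dumping: LSASS Memory'
            Control    = 'Enable RunAsPPL (2 = with UEFI lock) plus the LSASS ASR rule'
            Module     = 'ES4 (ASR) + ES11 (hardening)'
        }
    }
    if (-not $State.CredentialGuardRunning) {
        $f += [pscustomobject]@{
            Finding    = 'Credential Guard not running'
            OSInternal = 'Credential material stays in the LSASS address space instead of being isolated in LsaIso.exe under VBS'
            Technique  = 'T1003.001 OS Credential Dumping: LSASS Memory'
            Control    = 'Enable Credential Guard (requires virtualization-based security)'
            Module     = ''   # not named on this page; fill in from the course syllabus
        }
    }
    if ($State.LsassAsrRule -ne 'Block') {
        $f += [pscustomobject]@{
            Finding    = "LSASS ASR rule state: $($State.LsassAsrRule)"
            OSInternal = 'Defender does not block untrusted processes from opening a handle to lsass.exe'
            Technique  = 'T1003.001 OS Credential Dumping: LSASS Memory'
            Control    = "Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRuleId -AttackSurfaceReductionRules_Actions Enabled"
            Module     = 'ES4 (ASR)'
        }
    }
    return ,$f
}

$state = Get-LsassProtectionState
$state | Format-List
ConvertTo-Findings -State $state | Format-List
```

An Audit result for the ASR rule is reported as a gap on purpose: audit mode only logs the LSASS handle open, it does not stop the dump, so the finding remains open until the rule is in Block.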

Knowledge check: Your lab assessment reveals RunAsPPL not enabled, the LSASS ASR rule not configured, Credential Guard not running, and 3 unexpected entries in the HKLM Run key. Which finding should you investigate first?

Correct: The 3 unexpected Run key entries. The LSASS protection gaps are configuration deficiencies; they represent potential risk. Unexpected Run key entries represent possible active compromise: something has already written to a persistence location. Investigate the Run key entries immediately: identify the executable path, verify the binary's signature, check the Run key's last-write timestamp (registry values carry no timestamp of their own, only keys do), and determine whether each entry is a legitimate application or malware persistence. The LSASS protection gaps should be addressed as part of the deployment plan, but active persistence indicators require immediate investigation.

Incorrect: The missing Credential Guard, on the grounds that it is the most impactful LSASS protection control and should be the top priority.
Incorrect: The missing LSASS ASR rule, on the grounds that it is the fastest control to deploy and should be enabled immediately.
Incorrect: All findings are equally important and should be addressed in the deployment sequence from ES0.7.
