Interactive Lab: OS Internals Exploration

4-5 hours · Module 1 · Free

This lab applies the OS internals knowledge from this module to a practical examination of a Windows endpoint's security-relevant configuration. You examine process tokens, registry persistence locations, ETW provider status, and LSASS protection configuration on a system, then map your findings to attack techniques and defensive controls.

Deliverable: A completed OS internals security assessment for a Windows endpoint, with findings mapped to attack techniques and recommended defensive controls. Estimated completion: 20 minutes.

LAB: OS INTERNALS SECURITY ASSESSMENT

1. Process analysis: tokens + parent chains
2. Registry persistence: Run keys + services + IFEO
3. LSASS protection: ASR + PPL + Cred Guard
4. Map to controls: findings → recommendations

Figure ES1.11 — Lab workflow: examine process security context, audit registry persistence locations, check LSASS protection status, and map findings to defensive controls.

Lab exercises

Exercise 1: Process token and parent chain analysis

Examine the security context of running processes on a Windows endpoint. Use the commands from ES1.1:

# Process parent-child chains
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Sort-Object ParentProcessId | Format-Table -AutoSize

# Current token's groups and integrity level (look for "Mandatory Label\High Mandatory Level" to confirm an elevated session)
whoami /groups /fo table

Assessment questions: Are there any processes with unexpected parent-child relationships? (e.g., Office spawning script interpreters, svchost spawning command interpreters). Are there processes running as SYSTEM that seem unusual? Document any anomalous findings.

Exercise 2: Registry persistence audit

Check the most common persistence locations using the commands from ES1.3:

# User and machine Run keys
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue

# Unexpected services
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" -ErrorAction SilentlyContinue | Where-Object { $_.ImagePath -and $_.ImagePath -notmatch "system32|syswow64|windows|program files" } | Select-Object PSChildName, ImagePath, Start

# IFEO debugger entries
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -ErrorAction SilentlyContinue | ForEach-Object { Get-ItemProperty $_.PSPath -Name "Debugger" -ErrorAction SilentlyContinue } | Where-Object { $_.Debugger }

Assessment questions: How many entries are in the Run keys? Are all entries legitimate applications? Do any services have ImagePath values pointing to unusual locations? Are there any IFEO Debugger entries?

Exercise 3: LSASS protection assessment

Check the current LSASS protection configuration using the commands from ES1.2:

# RunAsPPL
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -ErrorAction SilentlyContinue).RunAsPPL

# Credential Guard (SecurityServicesRunning contains 1 when Credential Guard is running; 2 indicates HVCI)
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue).SecurityServicesRunning

# LSASS ASR rule (action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn)
$asr = Get-MpPreference; $idx = [array]::IndexOf($asr.AttackSurfaceReductionRules_Ids, "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"); if($idx -ge 0){$asr.AttackSurfaceReductionRules_Actions[$idx]}else{"Not configured"}

Assessment questions: Is RunAsPPL enabled? Is Credential Guard running? What is the LSASS ASR rule state (not configured, audit, block)? For each "not configured" result, identify the module in this course that addresses the gap.

Exercise 4: Map findings to defensive controls

For each finding from Exercises 1-3, complete the mapping:

Finding → OS Internal → ATT&CK Technique → Recommended Control → Course Module

Example: "RunAsPPL not enabled → LSASS process unprotected → T1003.001 LSASS Memory → Enable RunAsPPL + ASR LSASS rule → ES4 (ASR) + ES11 (hardening)"
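As an added example (not part of the course materials), the following script runs the three Exercise 3 checks, interprets the raw values, and emits one Exercise 4 mapping row per gap. The value semantics (RunAsPPL nonzero = LSA protection enabled, SecurityServicesRunning containing 1 = Credential Guard running, ASR action codes) are Microsoft's documented ones; the module assigned to the Credential Guard gap is an assumption, since the page only names modules for RunAsPPL and the ASR rule.

```powershell
function Get-LsassProtectionState {
    # Raw values exactly as Exercise 3 reads them; each is $null when the key/class/rule is absent
    $ppl = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $dg  = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $mp  = Get-MpPreference -ErrorAction SilentlyContinue
    $idx = -1
    if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
        $idx = [array]::IndexOf($mp.AttackSurfaceReductionRules_Ids, "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2")
    }
    [pscustomobject]@{
        RunAsPPL  = [int]$ppl                                       # 0 / missing = LSA protection off
        CredGuard = [bool]($dg.SecurityServicesRunning -contains 1) # 1 = Credential Guard, 2 = HVCI
        # ASR action codes: 0 Off, 1 Block, 2 Audit, 5 Not configured, 6 Warn
        AsrAction = if ($idx -ge 0) { [int]$mp.AttackSurfaceReductionRules_Actions[$idx] } else { 5 }
    }
}

function ConvertTo-LsassFindings {
    param([Parameter(Mandatory)] $State)
    # One Exercise 4 row per gap: Finding -> OS Internal -> Technique -> Control -> Module
    $t = 'T1003.001 LSASS Memory'
    $rows = @()
    if ($State.RunAsPPL -eq 0) {
        $rows += [pscustomobject]@{ Finding = 'RunAsPPL not enabled'; OSInternal = 'LSASS runs unprotected (no PPL)';
            Technique = $t; Control = 'Enable RunAsPPL'; Module = 'ES11 (hardening)' }
    }
    if (-not $State.CredGuard) {
        $rows += [pscustomobject]@{ Finding = 'Credential Guard not running'; OSInternal = 'LSA secrets held in LSASS, not VBS-isolated';
            Technique = $t; Control = 'Enable Credential Guard'; Module = 'ES11 (hardening) [assumed module]' }
    }
    if ($State.AsrAction -ne 1) {
        $label = switch ($State.AsrAction) { 0 { 'off' } 2 { 'audit' } 6 { 'warn' } default { 'not configured' } }
        $rows += [pscustomobject]@{ Finding = "LSASS ASR rule $label"; OSInternal = 'Defender does not block handle opens on LSASS';
            Technique = $t; Control = 'Set ASR rule 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 to Block'; Module = 'ES4 (ASR)' }
    }
    $rows
}

# Live assessment of this endpoint
ConvertTo-LsassFindings -State (Get-LsassProtectionState) | Format-Table -AutoSize

# Constructed state (not from a real host) to see the mapping without touching the system
ConvertTo-LsassFindings -State ([pscustomobject]@{ RunAsPPL = 0; CredGuard = $false; AsrAction = 2 }) | Format-Table -AutoSize
```

The constructed state produces three rows (RunAsPPL, Credential Guard, ASR rule in audit); a fully hardened host produces none.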

Operational Artifact — Completed OS Internals Assessment

The completed assessment documents the current state of your endpoint's OS-level security configuration, the gaps identified, and the recommended controls mapped to specific course modules. This assessment complements the gap assessment from ES0: ES0 assessed the endpoint security STACK (prevention, detection, response, forensic readiness), while this assessment examines the OS INTERNALS that the stack protects. Together, they provide the complete baseline against which all subsequent configuration is measured.
