Windows Fundamentals Flashcards

1
Q

What is the file system used in modern versions of Windows?

A

NTFS, New Technology File System

2
Q

Alternate Data Streams

A

A file attribute specific to NTFS that allows a file to have more than one stream of data.
For example, when you download a file from the internet, identifiers are written to an ADS to mark it as a download.
Bad actors sometimes use ADS to hide data.

3
Q

In Windows, what folder holds the important files that are critical for the operating system?

A

System32

4
Q

Where are user profiles kept in Windows?

A

C:\Users
Example: C:\Users\Dylan

5
Q

What Windows feature prevents operations requiring higher-level privileges from executing without confirmation from the local admin?

A

UAC, User Account Control

6
Q

The System process: what is it, and what is its file name?

A

The System process is responsible for system memory and compressed memory in the NT kernel.
Its file name is ntoskrnl.exe.

7
Q

smss.exe

A

Windows Session Manager, responsible for creating new sessions.

8
Q

What should be the parent process for smss.exe?

A

System

9
Q

What does smss.exe start in Session 0?

A

An isolated Windows session for the operating system, with two processes:
csrss.exe
wininit.exe

10
Q

What does smss.exe start in Session 1?

A

The user session, with two processes:
csrss.exe
winlogon.exe

11
Q

csrss.exe

A

Client Server Runtime Process.
The user-mode side of the Windows subsystem. This process is always running and is critical to system operation.

12
Q

What should csrss.exe show for a parent process?

A

It shouldn’t. csrss.exe is started by smss.exe, which then self-terminates, so it will show as “non-existent process”.

13
Q

wininit.exe

A

Another critical Windows process that runs in the background, along with its child processes.
Responsible for launching services.exe (Service Control Manager), lsass.exe (Local Security Authority), and lsaiso.exe within Session 0.

14
Q

What should wininit.exe show for a parent process?

A

It shouldn’t. wininit.exe is started by smss.exe, which then self-terminates, so it will show as “non-existent process”.

15
Q

services.exe

A

Service Control Manager (SCM).
Its primary responsibility is to handle system services: loading services, interacting with services, and starting or ending services.
It maintains a database that can be queried using a Windows built-in utility, sc.exe.

16
Q

What should services.exe show for a parent process?

A

wininit.exe

17
Q

How many instances of services.exe should be running on a Windows system?

A

1

18
Q

svchost.exe

A

Responsible for hosting and managing Windows services.

19
Q

How many instances of svchost.exe should be running on a Windows system?

A

There can be many.
Since svchost.exe will always have multiple running processes on any Windows system, this process has been a target for malicious use. Adversaries create malware to masquerade as this process and try to hide amongst the legitimate svchost.exe processes.

20
Q

What parameter should svchost.exe always be called with?

A

-k

21
Q

What should svchost.exe show for a parent process?

A

services.exe

22
Q

lsass.exe

A

Local Security Authority Subsystem Service.
Responsible for enforcing the security policy on the system.
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

23
Q

How many instances of lsass.exe should be running on a Windows system?

A

1

24
Q

What should lsass.exe show for a parent process?

A

wininit.exe

25
Q

winlogon.exe

A

Windows Logon.
Responsible for handling the Secure Attention Sequence (SAS), the CTRL+ALT+DEL combination.
This process is also responsible for loading the user profile, locking the screen and running the user’s screensaver.

26
Q

What should winlogon.exe show for a parent process?

A

It shouldn’t. winlogon.exe is started by smss.exe, which then self-terminates, so it will show as “non-existent process”.

27
Q

explorer.exe

A

Windows Explorer.
The process that manages the Desktop. This process gives the user access to their folders and files. It also provides functionality for other features, such as the Start Menu and Taskbar.

28
Q

What should explorer.exe show for a parent process?

A

It shouldn’t. explorer.exe is started by userinit.exe, which then self-terminates, so it will show as “non-existent process”.

29
Q

What would be particularly concerning behavior for explorer.exe?

A

Seeing outbound TCP/IP connections.

30
Q

What are some things to look for with any of the core Windows processes to ensure they are legitimate?

A

The file path: typically C:\Windows\System32.
The parent process: most should have a specific parent process, or none listed at all.
The number of instances: some should only ever have one.
The spelling of process names: attackers may masquerade as a legitimate process by using a name that is close to, but not exactly, the correct spelling.

31
Q

Sysinternals

A

A compilation of over 70 Windows-based tools. Includes File and Disk Utilities, Networking Utilities, Process Utilities, Security Utilities, System Information, etc.

32
Q

PsExec

A

A lightweight replacement for Telnet that allows remote process execution on another system.
This can be utilized by adversaries.

33
Q

Get-WinEvent

A

One of three primary methods of accessing event logs on a Windows system. This one is a PowerShell cmdlet.

34
Q

DLL

A

A DLL file, short for Dynamic Link Library, is a library that contains code and data that can be used by more than one program at the same time.
For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Each program can use the functionality that is contained in this DLL to implement an Open dialog box. It helps promote code reuse and efficient memory usage.

35
Q

Shadow Copies

A

Used to create manual and automatic backups of files and drives.
Threat actors may target these to prevent restoration of encrypted files during a ransomware attack.

36
Q

What is the difference between Program Files and Program Files (x86)?

A

Program Files: 64-bit Windows programs
Program Files (x86): 32-bit Windows programs