Fundamentals

CIA triad

The CIA triad is a model that names the three core principles of information security: confidentiality, integrity, and availability. The initials of these three principles give the model its name.

Confidentiality

Confidentiality refers to the protection of information from unauthorized access or disclosure. It is important to ensure that only authorized individuals or systems can access sensitive information.

Confidentiality can be achieved through:
    • Encryption
    • Strong authentication systems

Integrity

Integrity refers to the accuracy and completeness of information, as well as the protection of information from unauthorized modification. It is important to ensure that information is not corrupted or altered in an unauthorized manner.

Integrity can be achieved through:
    • Hashing
    • Digital Signatures
    • Encryption
    • Digital certificates

Availability

Availability refers to the accessibility of information and systems. It is important to ensure that authorized users can access the information and systems they need when they need them.

Availability can be achieved through:
    • Redundancy
    • Backups

The CIA triad is a useful framework for understanding the key aspects of information security and for developing strategies to protect against various types of threats. By focusing on confidentiality, integrity, and availability, organizations can ensure that their sensitive information and systems are secure and available to authorized users.
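As an added example of the integrity item above (this code is not part of the original page), the block below checks a stored record first with a plain SHA-256 digest and then with a keyed HMAC. The record and key are constructed for the demonstration; the point it shows is that an unkeyed hash detects accidental corruption but can be recomputed by whoever altered the data, whereas the keyed tag cannot be forged without the key.

```python
"""Integrity check of a stored record: plain SHA-256 digest versus keyed HMAC.
Added example; not part of the original page. Record and key are constructed."""
import hashlib
import hmac

# Constructed sample record we want to protect against tampering.
RECORD = b"user=alice;role=viewer;expires=2030-01-01"
# Constructed secret; in practice this comes from a secrets store, never from source code.
SECRET_KEY = b"example-integrity-key-do-not-use"


def sha256_digest(data: bytes) -> str:
    """Unkeyed digest: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed tag: detects corruption and unauthorized modification, because
    producing a valid tag requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the position of a mismatch through timing.
    return hmac.compare_digest(sha256_digest(data), expected)


def verify_hmac(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(hmac_tag(data, key), expected)


def tamper(record: bytes) -> bytes:
    """Simulate an unauthorized change: escalate the role field."""
    return record.replace(b"role=viewer", b"role=admin")


def demo() -> dict:
    stored_digest = sha256_digest(RECORD)
    stored_tag = hmac_tag(RECORD, SECRET_KEY)
    modified = tamper(RECORD)
    return {
        # Both checks catch the change as long as the stored reference value is trusted...
        "digest_detects_tamper": not verify_digest(modified, stored_digest),
        "hmac_detects_tamper": not verify_hmac(modified, SECRET_KEY, stored_tag),
        # ...but whoever can rewrite the record can also rewrite a plain digest next to it.
        "attacker_can_forge_digest": verify_digest(modified, sha256_digest(modified)),
        # Without the key, no accepted HMAC can be produced for the forged record.
        "attacker_can_forge_hmac": verify_hmac(modified, SECRET_KEY, hmac_tag(modified, b"wrong-key")),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The keyed variant is what "hashing" usually means in practice when the hash is stored alongside the data it protects; a detached hash only adds integrity if it is stored somewhere the attacker cannot write.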


Common Ports

Network ports are identified by a number, ranging from 0 to 65535. The most commonly used ports are assigned specific purposes by the Internet Assigned Numbers Authority (IANA). For example, port 80 is used for HTTP traffic, port 443 is used for HTTPS traffic, and port 25 is used for SMTP email traffic.


Cyber Kill Chain

The Cyber Kill Chain is a model that was developed by Lockheed Martin to describe the stages of a typical cyber attack. The model is designed to help organizations understand how an attack progresses, so that they can take steps to prevent or mitigate the attack at each stage.

The seven stages of the Cyber Kill Chain are as follows:

1. Reconnaissance: The attacker gathers information about the target organization and its systems, often through publicly available sources or through social engineering techniques.

2. Weaponization: The attacker prepares the payload (e.g., malware or an exploit) that will be used against the target.

3. Delivery: The attacker delivers the payload to the target, often through email attachments, infected websites, or other means of exploiting vulnerabilities.

4. Exploitation: The attacker takes advantage of a vulnerability in the target's systems to execute the payload.

5. Installation: The payload is installed on the target's systems, often in a way that is hidden from the user.

6. Command and control: The attacker establishes a means of communicating with and controlling the payload, often through a network connection.

7. Actions on objectives: The attacker carries out the objectives of the attack, such as stealing data or disrupting services.

Understanding the Cyber Kill Chain can help organizations identify and respond to attacks at each stage, and can help them develop strategies to prevent or mitigate the impact of future attacks.


MITRE ATT&CK

MITRE ATT&CK is a knowledge base that provides a comprehensive framework for understanding the actions and behaviors of cyber adversaries. It covers a wide range of tactics, techniques and procedures (TTPs) employed by attackers based on real-world observations.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It documents the TTPs that advanced persistent threats use. ATT&CK organizes techniques into a set of tactics to provide context, and it can be used to profile each step of a cyberattack operation.


Understanding MITRE ATT&CK

There are three major components:
    • Tactics - the adversary’s high-level objectives during a cyberattack
    • Techniques - represent how an adversary achieves a tactical objective by performing an action
    • Sub-techniques - describe more specifically how an adversary achieves a tactical objective


There are 14 tactics in the Enterprise matrix:

ID Tactic Description
TA0043 Reconnaissance The adversary is trying to gather information they can use to plan future operations.
E.g. Active scanning, Gather Victim information
TA0042 Resource Development The adversary is trying to establish resources they can use to support operations.
E.g. Compromise Accounts/Infrastructure, Develop Capabilities (Exploits, Malware)
TA0001 Initial Access The adversary is trying to get into your network.
E.g. Drive-by Compromise, Phishing/Spearphishing
TA0002 Execution The adversary is trying to run malicious code.
E.g. User execution of malicious file
TA0003 Persistence The adversary is trying to maintain their foothold.
E.g. Account manipulation, Creation of accounts
TA0004 Privilege Escalation The adversary is trying to gain higher-level permissions.
E.g. Bypassing user access controls, Sudo caching
TA0005 Defense Evasion The adversary is trying to avoid being detected.
E.g. Modify Registry, Command Obfuscation, Fileless Storage, Process Injection
TA0006 Credential Access The adversary is trying to steal account names and passwords.
E.g. Brute Force, Credential Dumping, Keylogger
TA0007 Discovery The adversary is trying to figure out your environment.
E.g. Accounts discovery, Network sniffing
TA0008 Lateral Movement The adversary is trying to move through your environment.
E.g. Remote Services (SSH, VNC)
TA0009 Collection The adversary is trying to gather data of interest to their goal.
E.g. Data from local system/cloud storage/network drive, Email collection, Screen Capture
TA0011 Command and Control The adversary is trying to communicate with compromised systems to control them.
E.g. Application Layer Protocol (DNS, FTP), Data Encoding, Encrypted Channel, Non-Standard Port, Proxy, Remote Access Software
TA0010 Exfiltration The adversary is trying to steal data.
E.g. Exfiltration over C2 Channel/Web service/Cloud Storage/Code Repository
TA0040 Impact The adversary is trying to manipulate, interrupt, or destroy your systems and data.
E.g. Account access removal, Data destruction/encryption, Disk wipe
The ATT&CK Matrix

The relationship between tactics, techniques, and sub-techniques can be visualized in the ATT&CK Matrix.
The detailed ATT&CK Matrix can be found on the MITRE website.


DNS (Domain Name System)

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the internet or a private network. It is used to translate human-readable domain names, such as "google.com," into numerical IP addresses that computers can use to communicate with each other.

DNS consists of a hierarchy of servers that are responsible for mapping domain names to IP addresses. At the top of the hierarchy are the root servers, which direct queries to the correct top-level domain (TLD) servers. TLD servers in turn direct queries to the authoritative name servers for each domain, which map specific domain names to IP addresses.

DNS is an important infrastructure component of the internet, and it plays a critical role in enabling communication between computers and devices on the internet. Without DNS, users would have to remember the numerical IP addresses of websites and other resources, which would be difficult and inconvenient.

To use DNS, a domain owner must register their domain name and configure it with the appropriate DNS records, which specify the IP addresses and other information about the domain. When a user types a domain name into their web browser or sends an email to an address at a particular domain, the DNS system is used to resolve the domain name to the correct IP address and route the traffic to the appropriate destination.

4 types of DNS servers

1. DNS recursor (a.k.a. DNS resolver)

The DNS resolver might be operated by an Internet Service Provider (ISP) or by another third party such as Google Public DNS (8.8.8.8). The resolver starts by looking in its local cache; if the hostname is found there, it is resolved immediately. If not, the resolver queries one of the root DNS servers to begin resolving the domain name to an IP address.

2. Root nameserver

Root servers are DNS nameservers that operate in the root zone and they hold the locations of all the Top Level Domains (TLDs). These servers can directly answer queries for records stored or cached within the root zone, and they can also refer other requests to the appropriate Top Level Domain (TLD) server. The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.
There are 13 logical root name servers specified, with logical names in the form of letter.root-servers.net, where letter ranges from a to m.


3. TLD nameserver

A TLD nameserver maintains information for all the domain names that share a common domain extension, such as .com, .net, or whatever comes after the last dot in a URL. For example, a .com TLD nameserver contains information for every website that ends in ‘.com’. If a user was searching for google.com, after receiving a response from a root nameserver, the recursive resolver would then send a query to a .com TLD nameserver, which would respond by pointing to the authoritative nameserver.

4. Authoritative nameserver

An authoritative name server provides the actual answer to a DNS query, such as the IP address of a mail server or web site (an A or AAAA address record). It provides original and definitive answers to DNS queries.
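The walk through the four server roles above, as an added example that is not part of the original page: a recursive resolver with a cache asks a root server, follows the referral to a TLD server, follows the next referral to the authoritative server, and caches the final answer. All zone data, server names and addresses below are constructed (documentation ranges), not real DNS data.

```python
"""Simulation of iterative DNS resolution through the four server roles:
recursive resolver (with cache), root, TLD and authoritative nameserver.
Added example, not from the original page. Zone data, server names and
addresses are constructed (RFC 5737 / RFC 3849 documentation ranges)."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data. A server either refers the resolver onward ("refer") or answers ("answer").
ROOT_SERVER = {"refer": {"com": "tld-com.example", "org": "tld-org.example"}}
TLD_SERVERS = {
    "tld-com.example": {"refer": {"example.com": "ns1.example.com"}},
    "tld-org.example": {"refer": {}},           # no delegation for any .org name in this stub
}
AUTHORITATIVE_SERVERS = {
    "ns1.example.com": {"answer": {
        ("www.example.com", "A"): "203.0.113.10",
        ("www.example.com", "AAAA"): "2001:db8::10",
        ("mail.example.com", "A"): "203.0.113.25",
    }},
}


def registrable_domain(name: str) -> str:
    """The zone a TLD server delegates: the last two labels (www.example.com -> example.com)."""
    return ".".join(name.split(".")[-2:])


class Resolver:
    """Recursive resolver: answers from cache if possible, otherwise walks root -> TLD -> authoritative."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], str] = {}

    def resolve(self, name: str, rtype: str = "A") -> Tuple[Optional[str], List[str]]:
        """Return (record value or None, list of servers consulted in order)."""
        key = (name.lower().rstrip("."), rtype.upper())
        if key in self.cache:
            return self.cache[key], ["cache"]
        trace: List[str] = []
        # 1. Root server: knows only where the TLD servers are.
        trace.append("root")
        tld_server = ROOT_SERVER["refer"].get(key[0].split(".")[-1])
        if tld_server is None:
            return None, trace
        # 2. TLD server: knows which authoritative server holds the zone.
        trace.append(tld_server)
        auth_server = TLD_SERVERS[tld_server]["refer"].get(registrable_domain(key[0]))
        if auth_server is None:
            return None, trace
        # 3. Authoritative server: gives the definitive answer, which the resolver caches.
        trace.append(auth_server)
        record = AUTHORITATIVE_SERVERS[auth_server]["answer"].get(key)
        if record is not None:
            self.cache[key] = record
        return record, trace


if __name__ == "__main__":
    resolver = Resolver()
    print(resolver.resolve("www.example.com"))    # full walk: root -> TLD -> authoritative
    print(resolver.resolve("www.example.com"))    # answered from the resolver's cache
    print(resolver.resolve("nope.example.org"))   # .org TLD server has no delegation: None
```

Real resolvers also cache the referrals themselves and negative answers, so a second query for a different name in the same zone goes straight to the authoritative server; this simulation caches only the final positive answer to keep the three-hop walk visible.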


DNS record

A Domain Name System (DNS) record is a set of information that is stored in the DNS database and is used to map domain names to IP addresses and other resources. There are many different types of DNS records, each with a specific purpose. Some common types of DNS records include:

Record Type Description
A Maps domain names to IPv4 addresses
AAAA Maps domain names to IPv6 addresses
NS (Name Server) Provides a list of the authoritative name servers responsible for the domain
CNAME (Canonical Name) Maps an alias name to a true or canonical domain name
MX (Mail Exchange) Provides the domain names of mail servers that receive emails on behalf of a domain
TXT (Text) Provides any type of descriptive information in text format.
e.g. A sender policy framework (SPF) record is a type of DNS TXT record that lists all the servers authorized to send emails from a particular domain
SRV (Service Record) Specifies a host and port for specific services
SOA (Start of Authority) Provides important details about a DNS zone; required for every DNS zone
PTR (Pointer Record) Provides the domain name associated with an IP address
CAA (Certification Authority Authorization) Allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain

DNS records are an important part of the infrastructure of the internet, and they are used to enable communication between devices and systems on the internet. By configuring DNS records, domain owners can specify how traffic should be routed to their domain, and they can control how their domain is accessed and used.


Email Security

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that is designed to detect and prevent email spoofing. DMARC works by allowing a domain owner to publish a policy in the Domain Name System (DNS) that specifies which mechanisms are used to authenticate email sent from their domain, and how receiving mail servers should handle email that fails authentication.

When an email is received, the receiving mail server can check the DMARC policy of the domain that the email claims to be from. If the email fails authentication using the mechanisms specified in the DMARC policy, the receiving server can take a number of actions, such as rejecting the email, quarantining the email, or flagging the email as potentially suspicious.

In addition to helping prevent email spoofing, DMARC can also help protect against spam and phishing attacks. By requiring email to be authenticated using mechanisms such as SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), DMARC can help ensure that only legitimate email is sent from a domain.

Verification with SPF:

  • DMARC uses SPF to authenticate the origin of an email by checking the Return-Path of the message.
  • It ensures that the domain in the Return-Path matches the domain in the "from" address of the email.
  • If the Return-Path doesn't match the "from" address, the email may fail DMARC's SPF alignment test.
  • Failed SPF alignment can lead to actions such as quarantining or rejecting the email, as specified in the DMARC policy.

Verification with DKIM:

  • DMARC checks DKIM alignment by comparing the "d=" domain in the DKIM signature with the "from" domain of the email.
  • If the "d=" domain matches the "from" domain, the email passes DKIM alignment.
  • Passing DKIM alignment is a positive factor in DMARC validation.

In summary, DMARC enhances email authentication by coordinating the results of SPF and DKIM checks and using alignment tests to ensure that the sending domain aligns with the "from" address. This helps in preventing email spoofing and allows domain owners to specify actions for emails that fail authentication.
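The alignment logic described above, as an added example (not code from the original page): parse a DMARC TXT record, apply the SPF and DKIM alignment tests in strict or relaxed mode, and derive the disposition from the published policy. The DMARC record, the domain example.com and the authentication results are constructed; the organizational-domain helper is a simplification (real implementations consult the Public Suffix List).

```python
"""DMARC evaluation: parse the domain's DMARC record, apply SPF and DKIM identifier
alignment, and derive the disposition. Added example, not from the original page.
The DMARC record, authentication results and domains are constructed."""
from dataclasses import dataclass
from typing import Dict


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags, filling in protocol defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}   # relaxed alignment is the default
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real implementations consult the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    f, a = from_domain.lower().strip("."), auth_domain.lower().strip(".")
    if not a:
        return False
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResults:
    from_domain: str          # domain of the RFC5322.From header shown to the user
    spf_result: str           # "pass", "fail", "softfail", "neutral", "none"
    return_path_domain: str   # RFC5321.MailFrom / Return-Path domain that SPF was checked against
    dkim_result: str          # "pass", "fail", "none"
    dkim_d_domain: str        # d= tag of the DKIM-Signature, "" if unsigned


def dmarc_evaluate(record: str, r: AuthResults) -> Dict[str, object]:
    tags = parse_dmarc_record(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.return_path_domain, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_d_domain, tags["adkim"])
    dmarc_pass = spf_aligned or dkim_aligned   # one passing, aligned mechanism is enough
    # The published policy (p=) applies only to mail that fails DMARC.
    disposition = "none" if dmarc_pass else tags["p"]
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": dmarc_pass, "disposition": disposition}


# Constructed DMARC record for the hypothetical domain example.com.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    legit = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
    spoof = AuthResults("example.com", "pass", "attacker.example", "pass", "attacker.example")
    print(dmarc_evaluate(RECORD, legit))   # passes: SPF relaxed-aligned and DKIM strict-aligned
    print(dmarc_evaluate(RECORD, spoof))   # fails: both identifiers belong to another domain
```

Note that the spoofed message can pass raw SPF and DKIM (the attacker controls attacker.example) and still fail DMARC, because neither authenticated identifier aligns with the visible From domain; that alignment step is what DMARC adds on top of the two underlying checks.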

How Does DMARC Work?

(Figures not reproduced: DMARC flow; DMARC alignment pass example; DMARC alignment fail example.)

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an email authentication protocol that is designed to detect and prevent email spoofing. SPF works by allowing a domain owner to specify which mail servers are authorized to send email on behalf of their domain.

When an email is received, the receiving mail server checks the SPF record of the domain that the email claims to be from. If the mail server that sent the email is not listed in the SPF record, the email may be flagged as potentially suspicious or fraudulent.

To use SPF, a domain owner must publish an SPF record in the Domain Name System (DNS) for their domain. This record lists the mail servers that are authorized to send email for the domain, and it can be used by receiving mail servers to verify the authenticity of incoming email.


Specify the SPF version at the start of the record:
    v=spf1
Mechanisms for specifying authorised senders
Mechanisms Explanation
ALL Matches always; used for a default result like -all for all IPs not matched by prior mechanisms.
IP4 If the sender is in a given IPv4 address range, match.
IP6 If the sender is in a given IPv6 address range, match.
MX If the domain name has an MX record resolving to the sender's address, it will match.
A If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match.
PTR If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match. This mechanism is discouraged and should be avoided, if possible.
EXISTS If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries.
INCLUDE References the policy of another domain. If that domain's policy passes, this mechanism passes. However, if the included policy fails, processing continues. To fully delegate to another domain's policy, the redirect extension must be used.
Qualifiers
Qualifiers Explanation
+ PASS - the sender matched by this mechanism is authorized. This is the default qualifier and can be omitted; e.g., +mx is the same as mx.
- FAIL - the mail should be rejected; e.g., -all fails anything not matched by an earlier mechanism.
? NEUTRAL - accept the mail; the result is interpreted like NONE (no policy).
~ SOFTFAIL - accept the mail, but mark it as 'suspicious'.
Modifiers
Modifiers Explanation
exp=some.example.com If an SMTP receiver rejects a message, it can include an explanation. An SPF publisher can specify the explanation string (ASCII) that senders see. This feature is rarely used.
redirect=some.example.com Tells the receiving server to check the SPF record of some.example.com instead of the originating domain.
Examples:

Allow the domain's MXs to send mail for the domain; all others softfail
    v=spf1 mx ~all

The domain sends no mail at all
    v=spf1 -all

The domain allows all IP addresses on the internet to send mail. Though ‘valid’, this is not recommended
    v=spf1 +all

Allow any IP address between 192.168.0.1 and 192.168.255.255
    v=spf1 ip4:192.168.0.1/16 ~all

The A record of the current domain is used
    v=spf1 a ~all

Allow mail from the A record of a specific domain
    v=spf1 a:example.com ~all

Tells the receiving server to check the SPF record of _spf.google.com instead of the originating domain
    v=spf1 redirect=_spf.google.com

Tells the receiving server to also consider the IP addresses listed in the SPF record of another domain (this is commonly set up in multi-domain organizations)
    v=spf1 include:_spf.google.com ~all

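To show how a receiving server actually evaluates the mechanisms, qualifiers and modifiers tabulated above, here is an added example (not code from the original page) of a minimal SPF evaluator running over an in-memory DNS stub. The zone data, the domains example.com, _spf.mailer.example, nomail.example and alias.example, and the sender addresses are all constructed; ptr, exists and the macro language are not modelled.

```python
"""Minimal SPF evaluator over an in-memory DNS stub, covering ip4/ip6, a, mx, include,
all, the four qualifiers and the redirect/exp modifiers. Added example, not the page's
own code; zone data and sender addresses are constructed (documentation ranges)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS stub: TXT (SPF), MX and A records per domain.
DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {"TXT": ["v=spf1 mx ip4:198.51.100.0/24 include:_spf.mailer.example -all"],
                    "MX": ["mx1.example.com"], "A": ["203.0.113.5"]},
    "mx1.example.com": {"A": ["203.0.113.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "nomail.example": {"TXT": ["v=spf1 -all"]},
    "alias.example": {"TXT": ["v=spf1 redirect=example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 caps the number of DNS-querying terms per evaluation


def lookup(domain: str, rtype: str) -> List[str]:
    return DNS.get(domain.lower(), {}).get(rtype, [])


def spf_record(domain: str) -> Optional[str]:
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None   # zero or multiple records: no usable policy


def ip_in(ip, cidr: str) -> bool:
    try:
        # strict=False tolerates host bits, so ip4:192.168.0.1/16 covers 192.168.0.0/16
        return ip in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def check_host(ip_str: str, domain: str, _lookups: Optional[List[int]] = None) -> str:
    """Evaluate sender IP against the domain's SPF record. Returns
    'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or 'permerror'."""
    ip = ipaddress.ip_address(ip_str)
    lookups = _lookups if _lookups is not None else [0]   # counter shared across include/redirect
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:           # skip the v=spf1 version tag
        term = term.lower()
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]   # only consulted if no mechanism matches
            continue
        if term.startswith("exp="):
            continue                           # explanation modifier does not affect the result
        qualifier = "+"                        # PASS is the default qualifier (mx == +mx)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain                 # a/mx/include without an argument use the current domain
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        elif name == "include":
            # Only a 'pass' of the included policy matches; any other result continues here.
            matched = check_host(ip_str, target, lookups) == "pass"
        else:
            return "permerror"                 # ptr, exists and unknown mechanisms are not modelled
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        lookups[0] += 1
        return check_host(ip_str, redirect, lookups)
    return "neutral"                           # nothing matched and no redirect: default result


if __name__ == "__main__":
    for sender in ("198.51.100.7", "203.0.113.25", "192.0.2.9", "203.0.113.5"):
        print(sender, "->", check_host(sender, "example.com"))
```

The fourth sample sender (203.0.113.5) is the A record of example.com itself, yet it fails: the record lists mx but not a, so a web server that also sends mail needs its own ip4 or a mechanism before -all. The lookup counter matters because every include and redirect costs a DNS query, and exceeding the limit turns the whole evaluation into permerror.
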
Domain Keys Identified Mail (DKIM)

Domain Keys Identified Mail (DKIM) is an email authentication protocol that is designed to detect and prevent email spoofing. DKIM works by allowing a domain owner to add a digital signature to the headers of outbound email messages. The signature is used to verify the authenticity and integrity of the email, ensuring that it has not been modified in transit.

To implement DKIM, a domain owner must generate a private key and a public key. The private key is used to sign the outbound email messages, and the public key is published in the Domain Name System (DNS) for the domain. When an email is received, the receiving mail server uses the public key from the DNS to verify the digital signature on the email.

DKIM helps protect against spam and phishing attacks by ensuring that only legitimate emails, verified by their digital signatures, are accepted as sent from a specific domain.

DKIM is widely used by email service providers and organizations to enhance the security and integrity of email communication.
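The integrity half of DKIM verification, as an added example (not code from the original page): the receiver canonicalizes the message body, recomputes the bh= body hash and compares it with the value in the DKIM-Signature header. The message, selector and domain are constructed; the RSA signature over the headers (b=), which needs the public key published in DNS, is deliberately left out so the block runs with the standard library only.

```python
"""DKIM body-hash check: canonicalize the body ('simple' canonicalization), compute
bh= and compare with the DKIM-Signature header. Added example, not from the original
page. The message is constructed; the RSA b= signature is not produced or verified."""
import base64
import hashlib
import hmac
from typing import Dict


def simple_body_canonicalize(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing empty
    lines removed, and the body ends with exactly one CRLF (an empty body becomes CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """bh= value: base64 of the SHA-256 digest over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(simple_body_canonicalize(body)).digest()).decode("ascii")


def parse_dkim_signature(header: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, removing folding whitespace inside values."""
    tags: Dict[str, str] = {}
    for part in header.replace("\r\n", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def build_dkim_signature(domain: str, selector: str, body: str) -> str:
    """Signer side (simplified): emit a DKIM-Signature with the body hash filled in.
    b= is left empty because the RSA step is outside this example."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def verify_body_hash(header: str, body: str) -> bool:
    """Receiver side: the body hash must match before the header signature is even worth checking."""
    tags = parse_dkim_signature(header)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body))


# Constructed message for the hypothetical domain example.com.
BODY = "Hello Bob,\n\nYour invoice is attached.\n\n\n"
SIGNATURE = build_dkim_signature("example.com", "sel2024", BODY)

if __name__ == "__main__":
    print(verify_body_hash(SIGNATURE, BODY))                                        # True
    print(verify_body_hash(SIGNATURE, BODY.replace("attached", "overdue, pay now")))  # False
```

Canonicalization is why a mail server that rewrites line endings or strips trailing blank lines does not break the signature, while any change to the visible text does; a receiver that sees a bh= mismatch knows the body was modified in transit before it has even fetched the public key.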


HTTP Status Codes

HTTP status codes are standardized numerical codes that are used to communicate the status of an HTTP request. HTTP (Hypertext Transfer Protocol) is a protocol for transferring data over the internet, and HTTP status codes are used to indicate the status of a request made using HTTP.

Some of the most commonly used HTTP status codes include:

200 OK: The request was successful and the requested information has been transmitted.

301 Moved Permanently: The requested resource has been moved to a new URL.

400 Bad Request: The request was invalid or could not be understood by the server.

401 Unauthorized: The request requires authentication in order to be processed.

404 Not Found: The requested resource could not be found.

Status code Meaning
#1xx Informational
100 Continue
101 Switching protocols
102 Processing
103 Early Hints
#2xx Successful
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
207 Multi-Status
208 Already Reported
226 IM Used
#3xx Redirection
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other
304 Not Modified
305 Use Proxy
306 Switch Proxy
307 Temporary Redirect
308 Permanent Redirect
#4xx Client Error
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Payload Too Large
414 URI Too Long
415 Unsupported Media Type
416 Range Not Satisfiable
417 Expectation Failed
418 I'm a Teapot
421 Misdirected Request
422 Unprocessable Entity
423 Locked
424 Failed Dependency
425 Too Early
426 Upgrade Required
428 Precondition Required
429 Too Many Requests
431 Request Header Fields Too Large
451 Unavailable For Legal Reasons
#5xx Server Error
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
506 Variant Also Negotiates
507 Insufficient Storage
508 Loop Detected
510 Not Extended
511 Network Authentication Required
598 Network read timeout error
599 Network connect timeout error

IPv4 Subnet

Subnetting is a way to divide a single network into smaller networks, or subnets, in order to increase security and efficiency.

An IPv4 subnet is identified by a network address and a subnet mask. The network address defines the range of IP addresses that are included in the subnet, and the subnet mask defines which portion of the IP address represents the network and which portion represents the host.

For example, consider the following IP address and subnet mask:

IP address: 192.168.1.100
Subnet mask: 255.255.255.0

The subnet mask of 255.255.255.0 indicates that the first three octets (192.168.1) represent the network portion of the IP address, and the fourth octet (100) represents the host portion. In this case, the subnet would include all IP addresses from 192.168.1.0 to 192.168.1.255.

Prefix size Network mask # of IP Addresses # of Usable IP addresses
/1 128.0.0.0 2,147,483,648 2,147,483,646
/2 192.0.0.0 1,073,741,824 1,073,741,822
/3 224.0.0.0 536,870,912 536,870,910
/4 240.0.0.0 268,435,456 268,435,454
/5 248.0.0.0 134,217,728 134,217,726
/6 252.0.0.0 67,108,864 67,108,862
/7 254.0.0.0 33,554,432 33,554,430
Class A
/8 255.0.0.0 16,777,216 16,777,214
/9 255.128.0.0 8,388,608 8,388,606
/10 255.192.0.0 4,194,304 4,194,302
/11 255.224.0.0 2,097,152 2,097,150
/12 255.240.0.0 1,048,576 1,048,574
/13 255.248.0.0 524,288 524,286
/14 255.252.0.0 262,144 262,142
/15 255.254.0.0 131,072 131,070
Class B
/16 255.255.0.0 65,536 65,534
/17 255.255.128.0 32,768 32,766
/18 255.255.192.0 16,384 16,382
/19 255.255.224.0 8,192 8,190
/20 255.255.240.0 4,096 4,094
/21 255.255.248.0 2,048 2,046
/22 255.255.252.0 1,024 1,022
/23 255.255.254.0 512 510
Class C
/24 255.255.255.0 256 254
/25 255.255.255.128 128 126
/26 255.255.255.192 64 62
/27 255.255.255.224 32 30
/28 255.255.255.240 16 14
/29 255.255.255.248 8 6
/30 255.255.255.252 4 2
/31 255.255.255.254 2 0
/32 255.255.255.255 1 0

Private IP addresses

Private IP addresses are IP addresses that are used for communication within a private network, such as a home or corporate network. They are not routed on the Internet and are not reachable from the outside. Private IP addresses are used to identify devices within a private network and to route traffic between devices.

Private IP addresses are often used in conjunction with Network Address Translation (NAT), which allows devices within a private network to communicate with the Internet using a single, shared public IP address. This allows multiple devices to share a single Internet connection and helps to conserve the limited pool of publicly routable IP addresses.

Addresses Description
10.0.0.0 - 10.255.255.255 Private IPv4 Addresses
172.16.0.0 - 172.31.255.255 Private IPv4 Addresses
192.168.0.0 - 192.168.255.255 Private IPv4 Addresses
127.0.0.0 - 127.255.255.255 Local Host
169.254.0.0 - 169.254.255.255 APIPA
0.0.0.0/8 This network
10.0.0.0/8 Private IPv4 Address Block
100.64.0.0/10 Carrier-grade NAT
127.0.0.0/8 Loopback
127.0.53.53 Name collision occurrence
169.254.0.0/16 Link local
172.16.0.0/12 Private IPv4 Address Block
192.0.0.0/24 IETF protocol assignments
192.0.2.0/24 TEST-NET-1
192.168.0.0/16 Private IPv4 Address Block
198.18.0.0/15 Network benchmark testing
198.51.100.0/24 TEST-NET-2
203.0.113.0/24 TEST-NET-3
224.0.0.0/4 Multicast
240.0.0.0/4 Reserved
255.255.255.255/32 Limited broadcast
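As an added example (not code from the original page) covering both the subnet arithmetic worked through above with 192.168.1.100 / 255.255.255.0 and the special-purpose ranges in the table just given, the block below computes the network, broadcast and usable-host range by bitwise arithmetic, cross-checks the result against the standard library, and classifies addresses against the table. The list of ranges is copied from the table; everything else is constructed.

```python
"""Subnet arithmetic by hand (bitwise) cross-checked against the ipaddress module, plus
classification against the special-purpose IPv4 ranges listed above.
Added example, not from the original page."""
import ipaddress
from typing import Dict


def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def subnet_info(ip: str, mask: str) -> Dict[str, object]:
    """Network, broadcast and host range for an address/mask pair, as in the worked example."""
    ip_n, mask_n = to_int(ip), to_int(mask)
    prefix = bin(mask_n).count("1")
    if mask_n != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:   # mask must be contiguous ones
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    network = ip_n & mask_n                        # host bits cleared
    broadcast = network | (~mask_n & 0xFFFFFFFF)   # host bits set
    total = 1 << (32 - prefix)
    # /31 (RFC 3021 point-to-point) and /32 have no separate network/broadcast addresses,
    # which is why the table shows 0 usable addresses for them.
    usable = total - 2 if prefix <= 30 else 0
    return {"prefix": prefix, "network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "first_host": to_dotted(network + 1) if usable else None,
            "last_host": to_dotted(broadcast - 1) if usable else None,
            "total": total, "usable": usable}


# Special-purpose ranges from the table above, most specific first so /32 entries win.
SPECIAL_RANGES = [
    ("127.0.53.53/32", "Name collision occurrence"),
    ("255.255.255.255/32", "Limited broadcast"),
    ("0.0.0.0/8", "This network"),
    ("10.0.0.0/8", "Private IPv4 Address Block"),
    ("100.64.0.0/10", "Carrier-grade NAT"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "Link local"),
    ("172.16.0.0/12", "Private IPv4 Address Block"),
    ("192.0.0.0/24", "IETF protocol assignments"),
    ("192.0.2.0/24", "TEST-NET-1"),
    ("192.168.0.0/16", "Private IPv4 Address Block"),
    ("198.18.0.0/15", "Network benchmark testing"),
    ("198.51.100.0/24", "TEST-NET-2"),
    ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved"),
]


def classify(ip: str) -> str:
    """Label an address with the first matching special-purpose range, else treat it as public."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in SPECIAL_RANGES:
        if addr in ipaddress.ip_network(cidr):
            return label
    return "Public (globally routable)"


def cross_check(ip: str, mask: str) -> bool:
    """The hand-computed values must agree with the standard library's view of the same network."""
    info = subnet_info(ip, mask)
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return (str(net.network_address) == info["network"]
            and str(net.broadcast_address) == info["broadcast"]
            and net.prefixlen == info["prefix"] and net.num_addresses == info["total"])


if __name__ == "__main__":
    print(subnet_info("192.168.1.100", "255.255.255.0"))
    for sample in ("10.1.2.3", "100.100.0.1", "127.0.53.53", "8.8.8.8"):
        print(sample, "->", classify(sample))
```

The classification step is the one that matters for log triage: a "source" in the 100.64.0.0/10 or 198.18.0.0/15 range is not an internet host, and a 127.0.53.53 answer from DNS is a name-collision signal rather than a real service address.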

Private Information

Private information is any data or personal details that are intended to be kept confidential and are not meant to be shared with others without the owner's consent. Private information can include things like a person's name, address, phone number, date of birth, financial information, medical history, and other sensitive data. It is important to protect private information because it can be used for identity theft or other nefarious purposes if it falls into the wrong hands. It is generally recommended to be cautious about sharing private information online or with anyone you do not know or trust.

Types of private information:

PII stands for "Personally Identifiable Information." It is any information that can be used to identify a specific individual, such as their name, address, phone number, date of birth, social security number, or other personal details. PII is considered to be sensitive information because it can be used to locate, contact, or obtain information about an individual. As a result, it is important to protect PII and handle it with care to prevent it from being accessed or used without the owner's consent. There are also legal requirements in place in many countries that regulate the collection, use, and storage of PII, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.

PPI stands for "Personally Protected Information". It is a term that is sometimes used to refer to personal data that is considered to be sensitive or confidential, and that requires special protection in order to ensure the privacy and security of individuals. PPI may include information such as a person's name, address, phone number, date of birth, financial information, medical history, and other details that are considered to be private and should not be shared without the owner's consent. It is important to handle PPI with care and to take appropriate measures to protect it from unauthorized access or use. This may include measures such as encrypting data, using secure servers, and implementing other security measures to prevent data breaches or unauthorized access to PPI.

PHI stands for "Protected Health Information." It is any information that relates to a person's health, medical history, or treatment that is collected, used, or disclosed by a healthcare provider, health plan, or other covered entity in the course of providing healthcare services. PHI is considered to be sensitive information because it can reveal intimate details about a person's health and medical history, and it is protected by laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. HIPAA sets strict rules for how PHI can be collected, used, and disclosed, and it requires covered entities to implement appropriate safeguards to protect the privacy and security of PHI. HIPAA also gives individuals certain rights with regard to their PHI, such as the right to access, correct, and request restrictions on the use of their PHI.

PCI stands for "Payment Card Industry." PCI refers to a set of security standards that were developed by the major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) to ensure the secure handling of credit card transactions and protect sensitive financial information. The PCI Data Security Standard (PCI DSS) is a set of requirements that apply to all organizations that accept, process, store, or transmit credit card information. It sets out guidelines for the secure handling of credit card data, including requirements for physical security, network security, access controls, and data protection. The PCI DSS is intended to help reduce the risk of credit card fraud and protect the security of sensitive financial information. Compliance with the PCI DSS is mandatory for all merchants and service providers that accept credit cards as a form of payment.


OSI Model

The OSI (Open Systems Interconnection) model is a framework for understanding how communication occurs between different systems in a network. It is a seven-layer model that represents the different stages of communication, from the physical connection between devices to the application layer where the actual communication takes place.

The OSI model is a useful tool for understanding how communication occurs in a network, and it helps to define the roles and responsibilities of the different layers of a networked system.

Types of Cyber Attacks on Each Layer of the OSI Model (figure not reproduced)

Layer architecture (wikipedia)

Layer Protocol data unit (PDU) Function
Host
layers
7 Application Data High-level protocols such as for resource sharing or remote file access, e.g. HTTP.
6 Presentation Translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption
5 Session Managing communication sessions, i.e., continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes
4 Transport Segment, Datagram Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing
Media
layers
3 Network Packet Structuring and managing a multi-node network, including addressing, routing and traffic control
2 Data link Frame Transmission of data frames between two nodes connected by a physical layer
1 Physical Bit, Symbol Transmission and reception of raw bit streams over a physical medium

Active Directory Basics

What is Active Directory?

Microsoft Active Directory is both a database and a directory service, simplifying identity and access management for efficient network administration. Enterprises rely on Active Directory to define and regulate user permissions within their networks.

As a database, Active Directory stores essential user information, including emails, phone numbers, and passwords. As a directory service, it enables user authentication for accessing resources and authorizes network-wide access based on defined permissions.



Active Directory Services Overview:

AD is made up of a number of different directory services:

  • Active Directory Domain Services (AD DS): The core service managing users and resources.
  • Active Directory Lightweight Directory Services (AD LDS): Provides only a subset of the capabilities of AD DS. This makes it a leaner and more independent directory service that we can run as a stand-alone directory without integration with an existing AD.
  • Active Directory Certificate Services (AD CS): Deals with issuing and managing digital security certificates.
  • Active Directory Federation Services (AD FS): Facilitates sharing identity and access management information across organizations.
  • Active Directory Rights Management Services (AD RMS): Focuses on information rights management, controlling access permissions to documents, workbooks, presentations, etc.


Active Directory Domain Services (AD DS) Overview:

Active Directory Domain Services (AD DS) serves as the primary Active Directory service. It plays a pivotal role in authenticating users and controlling access to network resources. A server running AD DS is referred to as a domain controller.

Most Windows domain networks incorporate two or more domain controllers, including a primary domain controller and one or more backup domain controllers to ensure resiliency. During the login process, users authenticate to a domain controller and gain access to specific resources based on administratively defined policies.



AD Data Structures:

Active Directory stores information about network users (names, phone numbers, passwords, etc.) and resources (servers, storage volumes, printers, etc.) in a hierarchical structure consisting of domains, trees, and forests.

Domain:

  • A collection of objects (e.g. users, devices) that share the same Active Directory database. A domain is identified by a DNS name like company.com.
  • Think of a domain as a labeled section in a library where books related to a specific topic are neatly organized, helping users easily find and access relevant information.

Tree:

  • A collection of one or more domains with a contiguous namespace (they have a common DNS root name like marketing.company.com, engineering.company.com, and sales.company.com).
  • Imagine a family tree where everyone is connected. In a network, a tree is a structure of domains that are related, like branches of a big family.

Forest:

  • A collection of one or more trees that share a common schema, global catalog, and directory configuration—but aren’t part of a contiguous namespace. The forest typically serves as the security boundary for an enterprise network.
  • A forest is like a big park with many trees. Each tree (domain) might have its own family, but they all share the same overall environment, rules, and even a map (global catalog).

Objects within a domain can be grouped into organizational units (OUs) to simplify administration and policy management. Administrators can create arbitrary organizational units to mirror functional, geographical, or business structures, and then apply group policies to OUs to simplify administration. OUs also make it easier to delegate control over resources to various administrators.

image



Machine Account vs User Account
| Aspect | Machine Account | User Account |
| --- | --- | --- |
| Purpose | Created for each computer that joins the Active Directory domain; represents a computer or device rather than an individual user. | Represents an individual user within the Active Directory domain; used for authenticating individual users to the domain. |
| Naming Convention | Follows a specific convention: the computer's name with a dollar sign ($) suffix (e.g. ComputerName$). | Follows a standard convention based on the user's name or a username chosen during account creation. |
| Authentication | Authenticates the computer or device to the domain, allowing it to access domain resources and services. | Authenticates individual users to the domain, allowing them to access domain resources, log in to computers, and use network services. |
| SID (Security Identifier) | Each machine account has a unique SID that is used for authentication and authorization. | Each user account has a unique SID that is used for authentication and authorization. |
| Permissions | Granted permissions to access network resources based on the computer's role or membership in security groups. | Granted permissions based on the user's individual roles, group memberships, and assigned rights within the domain. |
| Group Memberships | Can be a member of security groups that define its level of access and permissions within the domain. | Can be a member of security groups that define the user's level of access and permissions within the domain. |
| Group Policy Objects (GPOs) | GPOs can be applied to machine accounts to enforce security settings, configurations, and restrictions on computers within the domain. | GPOs can be applied to user accounts to enforce security settings, configurations, and restrictions based on the user's role and organizational policies. |

Machine accounts: Represent computers or devices, authenticate the computer to the domain, and are associated with a specific computer.

User accounts: Represent individual users, authenticate users to the domain, and are associated with specific individuals. They control access, permissions, and settings for individual users.

Both machine accounts and user accounts play crucial roles in Active Directory, contributing to the secure and efficient functioning of the network.



Group Policies and GPO:
  • Group Policies: Configuration settings that define how computers and users operate in the AD environment.
  • Group Policy Objects (GPO): Containers for group policies, applied to sites, domains, or OUs. Used to manage security settings, software deployment, and more.
GPO Distribution via SYSVOL:
  • SYSVOL: A shared folder on DCs that stores system files, including Group Policy objects. Facilitates GPO distribution across the network.
  • GPOs are distributed to the network via a network share called SYSVOL, which is stored on the DC. All users in a domain typically have access to this share over the network so that they can sync their GPOs periodically. By default, the SYSVOL share maps to the C:\Windows\SYSVOL\sysvol\ directory on each DC in the network.


Authentication Methods:

In Windows domains, user credentials are stored in Domain Controllers. When someone logs in or accesses a service using their domain username and password, the service checks with the Domain Controller to confirm if the login details are correct. This process of double-checking happens centrally to ensure security and access control in a Windows domain setup. There are two common protocols which are utilized for network authentication:

  • Kerberos: A secure authentication protocol that uses tickets for verifying the identity of users and services within the domain. It provides strong security features and is the primary authentication method in Windows environments.
  • NTLM (NT LAN Manager): An older authentication protocol used for backward compatibility purposes. While less secure than Kerberos, NTLM is still employed in certain scenarios, especially in mixed or legacy environments.


Advantages of Active Directory:

1. Centralized Management:

  • User and Resource Management: Enables centralized management of user accounts, computers, printers, and other network resources, streamlining administration.

2. Authentication and Authorization:

  • Secure Authentication: Utilizes robust authentication protocols like Kerberos, enhancing the security of user logins and network access.
  • Authorization: Manages access control through security groups, ensuring users have appropriate permissions.

3. Single Sign-On (SSO):

  • Unified Credentials: Users can access multiple network resources using a single set of credentials, enhancing user experience and reducing password fatigue.

4. Group Policies:

  • Policy Enforcement: Group Policy Objects (GPOs) allow administrators to enforce security settings, configurations, and restrictions across the network, ensuring consistency.

5. Scalability:

  • Supports Large Environments: Scales effectively to accommodate the growth of users, devices, and resources in large and complex network infrastructures.

6. Redundancy and Fault Tolerance:

  • Multiple Domain Controllers: Supports the deployment of multiple Domain Controllers, ensuring redundancy and fault tolerance. If one Domain Controller fails, others can continue to provide services.

7. Integration with Other Microsoft Services:

  • Exchange, SharePoint, and More: Seamless integration with other Microsoft services such as Exchange for email, SharePoint for collaboration, and more.

8. Directory Replication:

  • Replication Services: Utilizes directory replication services to ensure consistent data across multiple Domain Controllers, supporting distributed environments.

9. Security Features:

  • Secure LDAP: Supports LDAP over SSL (LDAPS) for secure directory access.
  • Auditing and Logging: Provides auditing capabilities to track changes, log events, and enhance security.

10. Dynamic Access Control:

  • Fine-Grained Access Control: Allows for the implementation of dynamic access control policies, enabling granular control over resource access based on attributes.

11. Support for Multi-Forest Environments:

  • Forest Trusts: Enables secure collaboration between different Active Directory forests through trust relationships.

12. Resource Location Services:

  • Global Catalog: The Global Catalog provides a searchable index of objects across the entire forest, facilitating efficient resource location.


Common Attacks Against Active Directory
| Attack | Description |
| --- | --- |
| Pass-the-Hash Attacks | A Pass-the-Hash (PtH) attack exploits the authentication process in Active Directory environments. The attacker obtains the hashed password of an authenticated user without needing to crack the actual password; the captured hash then serves as a pseudo-ticket that lets the attacker authenticate within the network and access resources using the compromised user's credentials. PtH attacks grant unauthorized access to systems and data, especially if the compromised user holds elevated privileges, and their stealth, combined with the ability to move laterally across the network, makes them hard to detect. Mitigation involves multi-factor authentication, regular system updates, and vigilant monitoring for anomalous activity. |
| Kerberoasting | Kerberoasting involves an attacker requesting a Ticket-Granting Service (TGS) ticket for a service account from the Key Distribution Center (KDC) using the service's Service Principal Name (SPN). The TGS ticket is encrypted with a key derived from the service account's password, so the attacker can try to crack that password offline by brute force. If successful, the attacker obtains the service account's credentials and gains unauthorized access to the associated service. The critical weakness is a weak or easily guessable service-account password, which is why robust password policies and heightened security measures are needed to thwart Kerberoasting. |
| Golden Ticket Attacks | A Golden Ticket attack is a sophisticated and stealthy threat within an Active Directory (AD) environment. Adversaries forge Kerberos tickets, which are normally used for authentication within the Windows domain, crafting them with arbitrary expiration times and group memberships and thereby granting themselves long-term, persistent access with elevated privileges. Unlike Kerberoasting, which targets service accounts, a Golden Ticket lets the attacker generate their own tickets and bypass the need for valid authentication. With a Golden Ticket in hand, an attacker can move laterally across the network, access sensitive resources, and act with the same level of authority as the impersonated account. Detecting Golden Ticket attacks is challenging, which makes proactive measures important: monitoring for anomalous activity, regularly rotating the relevant cryptographic keys, and enforcing robust password policies. |
| Pass-the-Ticket Attacks | A Pass-the-Ticket attack reuses Kerberos tickets within an Active Directory (AD) environment to gain unauthorized access. Adversaries leverage compromised ticket-granting tickets (TGTs) or service tickets to reach resources without legitimate authentication, and by passing these tickets between systems they can move laterally across the network and access services undetected. These attacks are particularly concerning because they allow adversaries to impersonate users and services, undermining the integrity of AD's authentication mechanisms. Mitigation involves closely monitoring ticket usage, enforcing robust access controls, and implementing measures such as multi-factor authentication. |
| Brute Force Attacks on Domain Accounts | Brute force attacks on domain accounts are a persistent and straightforward method used within an Active Directory (AD) environment: adversaries systematically guess usernames and passwords by cycling through an exhaustive list of possible combinations. Using automated tools, attackers exploit weak or easily guessable credentials to gain unauthorized access to user accounts and subsequently compromise the AD domain. Such attacks are especially effective against users with simplistic passwords, which underscores the importance of strong password policies. Mitigation involves account lockout policies, multi-factor authentication as an extra layer of security, and regular security audits to identify and fix weaknesses in the AD environment. |
| Lateral Movement | Lateral movement is a strategic and stealthy technique used by attackers within an Active Directory (AD) environment. Once initial access is gained, typically through phishing or exploitation of a vulnerability, attackers move horizontally across the network to compromise multiple systems and escalate privileges systematically. By moving laterally, attackers explore and exploit interconnected systems, seeking sensitive data and expanding their control within the AD domain while remaining undetected. Defending against lateral movement involves network segmentation, robust access controls, continuous monitoring for anomalous activity, and intrusion detection systems to swiftly identify and respond to potential breaches. |
| Distributed Denial of Service (DDoS) Attacks | DDoS attacks targeting an Active Directory (AD) environment overwhelm AD services with a flood of traffic, rendering them temporarily or completely unavailable. The aim is to disrupt the normal functioning of AD services, causing degradation or downtime: attackers may exploit weaknesses in AD infrastructure or flood the network with a massive volume of requests so that AD servers cannot respond to legitimate authentication requests. The result can be significant operational disruption, preventing users from accessing critical resources and potentially creating security gaps during service outages. Mitigation involves robust network defenses such as firewalls and intrusion prevention systems to filter malicious traffic, as well as content delivery networks (CDNs) for scalable, distributed service delivery that absorbs large-scale attacks. |
| Zero-Day Exploits | Zero-day exploits in an Active Directory (AD) environment exploit previously unknown vulnerabilities in AD components. They are called "zero-days" because attackers use them before developers have had the opportunity to create and distribute patches, leaving organizations without a fix for the undisclosed flaw. In AD, a zero-day could target weaknesses in the directory service or associated components, potentially leading to unauthorized access, data breaches, or system compromise. The challenge lies in their unpredictability and the absence of pre-existing defenses, so organizations must stay vigilant through continuous monitoring, threat intelligence, and proactive security measures; rapid incident response and collaboration with security communities are essential for minimizing their impact. |

NTLM

NTLM (NT LAN Manager) is a Microsoft authentication protocol that is used to provide secure network communication and to authenticate users in a Windows network environment. It is a challenge-response protocol that allows a client to prove its identity to a server, and it is typically used to authenticate users on a Windows domain.

NTLM uses hashed passwords and encrypted challenge-response exchanges to authenticate users, and it can also provide authentication for other protocols such as HTTP, FTP, and SMTP. NTLM is generally considered to be less secure than more modern authentication protocols, such as Kerberos, and it is generally recommended to use these newer protocols whenever possible.

The following examples show how the NTLM flow works.

image


Kerberos

Kerberos is a network authentication protocol that is designed to provide secure communication over a non-secure network, such as the internet. It is named after the three-headed dog of Greek mythology that guarded the gates of the underworld.

In a Kerberos system, a client authenticates itself to a trusted third-party server known as the Key Distribution Center (KDC). The KDC issues a ticket-granting ticket (TGT) to the client, which the client can then use to request access to other resources on the network. These requests are made using service tickets, which are issued by the KDC and contain a cryptographic key that can be used to securely access the desired resource.

Kerberos is widely used in Windows and Linux operating systems, as well as in other networked systems such as Apache and OpenVPN. It is generally considered to be more secure than other authentication protocols, such as NTLM, because it uses strong encryption and does not transmit plaintext passwords over the network.

image

Kerberos Error Codes

Windows event log entries often contain Kerberos failure codes:

| Result code | Kerberos RFC description | Notes on common failure codes |
| --- | --- | --- |
| 0x0 | No error | |
| 0x1 | Client's entry in database has expired | |
| 0x2 | Server's entry in database has expired | |
| 0x3 | Requested protocol version # not supported | |
| 0x4 | Client's key encrypted in old master key | |
| 0x5 | Server's key encrypted in old master key | |
| 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 0x8 | Multiple principal entries in database | |
| 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 0xA | Ticket not eligible for postdating | |
| 0xB | Requested start time is later than end time | |
| 0xC | KDC policy rejects request | Workstation restriction |
| 0xD | KDC cannot accommodate requested option | |
| 0xE | KDC has no support for encryption type | |
| 0xF | KDC has no support for checksum type | |
| 0x10 | KDC has no support for padata type | |
| 0x11 | KDC has no support for transited type | |
| 0x12 | Client's credentials have been revoked | Account disabled, expired, locked out, logon hours |
| 0x13 | Credentials for server have been revoked | |
| 0x14 | TGT has been revoked | |
| 0x15 | Client not yet valid - try again later | |
| 0x16 | Server not yet valid - try again later | |
| 0x17 | Password has expired | The user's password has expired |
| 0x18 | Pre-authentication information was invalid | Usually means bad password |
| 0x19 | Additional pre-authentication required* | |
| 0x1F | Integrity check on decrypted field failed | |
| 0x20 | Ticket expired | Frequently logged by computer accounts |
| 0x21 | Ticket not yet valid | |
| 0x22 | Request is a replay | |
| 0x23 | The ticket isn't for us | |
| 0x24 | Ticket and authenticator don't match | |
| 0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's |
| 0x26 | Incorrect net address | IP address change? |
| 0x27 | Protocol version mismatch | |
| 0x28 | Invalid msg type | |
| 0x29 | Message stream modified | |
| 0x2A | Message out of order | |
| 0x2C | Specified version of key is not available | |
| 0x2D | Service key not available | |
| 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 0x2F | Incorrect message direction | |
| 0x30 | Alternative authentication method required* | |
| 0x31 | Incorrect sequence number in message | |
| 0x32 | Inappropriate type of checksum in message | |
| 0x3C | Generic error (description in e-text) | |
| 0x3D | Field is too long for this implementation | |
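
The result codes above are what a defender actually sees in domain controller Security events, and the attack table earlier on this page (brute force on domain accounts, Kerberoasting) describes the patterns they reveal. The following Python is an added example, not code from the original page: it maps result codes to the table's descriptions and runs two simple detections over a constructed, simplified event stream. The event lines, field names (a flattened subset of Windows event IDs 4768, 4769 and 4771), thresholds and time window are all assumptions chosen for the example.

```python
"""Added example: map Kerberos result codes to the table above and flag two
patterns from the attack table, password guessing (many 0x18 pre-auth failures
from one source) and Kerberoasting-style harvesting (one account requesting
RC4 service tickets for many SPNs). All event lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the Kerberos result codes from the table above.
KRB_RESULT_CODES = {
    "0x0": "No error",
    "0x6": "Client not found in Kerberos database",
    "0x12": "Client's credentials have been revoked",
    "0x17": "Password has expired",
    "0x18": "Pre-authentication information was invalid",
    "0x25": "Clock skew too great",
}

# Ticket encryption types as logged in 4768/4769 events (standard Kerberos etype numbers).
ENC_TYPES = {"0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96", "0x17": "RC4-HMAC"}

# Constructed sample events, one per line: timestamp followed by key=value fields
# (a simplified, flattened view of 4771 pre-auth failures, a 4768 TGT request and
# 4769 service ticket requests). Not real log output.
SAMPLE_EVENTS = """\
2024-03-01T08:00:01 EventID=4771 TargetUserName=bob IpAddress=10.0.0.5 Status=0x18
2024-03-01T08:00:03 EventID=4771 TargetUserName=bob IpAddress=10.0.0.5 Status=0x18
2024-03-01T08:00:05 EventID=4771 TargetUserName=bob IpAddress=10.0.0.5 Status=0x18
2024-03-01T08:00:07 EventID=4771 TargetUserName=bob IpAddress=10.0.0.5 Status=0x18
2024-03-01T08:00:09 EventID=4771 TargetUserName=bob IpAddress=10.0.0.5 Status=0x18
2024-03-01T08:00:11 EventID=4771 TargetUserName=bob IpAddress=10.0.0.5 Status=0x18
2024-03-01T08:10:00 EventID=4771 TargetUserName=alice IpAddress=10.0.0.9 Status=0x18
2024-03-01T08:11:00 EventID=4768 TargetUserName=alcie IpAddress=10.0.0.9 Status=0x6
2024-03-01T09:00:00 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=HTTP/web01 IpAddress=10.0.0.9 TicketEncryptionType=0x12 Status=0x0
2024-03-01T09:05:00 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=MSSQLSvc/db01 IpAddress=10.0.0.77 TicketEncryptionType=0x17 Status=0x0
2024-03-01T09:05:01 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=HTTP/web01 IpAddress=10.0.0.77 TicketEncryptionType=0x17 Status=0x0
2024-03-01T09:05:02 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=CIFS/files01 IpAddress=10.0.0.77 TicketEncryptionType=0x17 Status=0x0
2024-03-01T09:05:03 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=WS01$ IpAddress=10.0.0.77 TicketEncryptionType=0x17 Status=0x0
"""


def describe(code: str) -> str:
    """Return the table's description for a result code, or a marker for unknown ones."""
    return KRB_RESULT_CODES.get(code.lower(), f"Unknown result code {code}")


def parse_events(text: str) -> list:
    """Parse the flattened lines into dicts; the first token is an ISO timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        event = {"time": datetime.fromisoformat(timestamp)}
        for item in fields:
            key, _, value = item.partition("=")
            event[key] = value
        events.append(event)
    return events


def summarize_failures(events: list) -> dict:
    """Count non-zero result codes with their descriptions (e.g. for a daily report)."""
    counts = defaultdict(int)
    for event in events:
        code = event.get("Status", "0x0")
        if code.lower() != "0x0":
            counts[f"{code} {describe(code)}"] += 1
    return dict(counts)


def detect_password_guessing(events: list, threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> dict:
    """Source addresses with >= threshold 0x18 (bad password) failures inside any window."""
    by_source = defaultdict(list)
    for event in events:
        if event.get("EventID") == "4771" and event.get("Status", "").lower() == "0x18":
            by_source[event["IpAddress"]].append(event["time"])
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[source] = best
    return flagged


def detect_service_ticket_harvesting(events: list, threshold: int = 3) -> dict:
    """Accounts that obtained RC4 (0x17) service tickets for >= threshold distinct SPNs.
    Computer accounts (names ending in $) and krbtgt are ignored as noise."""
    spns_by_user = defaultdict(set)
    for event in events:
        if event.get("EventID") != "4769" or event.get("Status", "").lower() != "0x0":
            continue
        if event.get("TicketEncryptionType", "").lower() != "0x17":
            continue
        service = event["ServiceName"]
        if service.endswith("$") or service.lower().startswith("krbtgt"):
            continue
        spns_by_user[event["TargetUserName"]].add(service)
    return {user: sorted(spns) for user, spns in spns_by_user.items() if len(spns) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(summarize_failures(evs))
    print(detect_password_guessing(evs))
    print(detect_service_ticket_harvesting(evs))
```

The RC4 filter matters because modern domains issue AES tickets by default, so a burst of RC4 service tickets for several distinct SPNs from one user is unusual enough to alert on; the single 0x18 from alice is a normal typo and stays below the threshold. Real events carry more fields and different formatting, so the parser would need adjusting before use on exported logs.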

TCP vs UDP

Computer Networking Basics

The Internet is a network of connected devices. Each device, whether it is your smartphone or a server, communicates through the internet protocol suite. The internet protocol suite is a collection of different protocols, or methods, for devices to communicate with each other. Both TCP and UDP are major protocols within the internet protocol suite:

image

TCP: connection-oriented; 20-byte header; slower than UDP; used for services that need high reliability. TCP is heavyweight: it requires three packets to set up a socket connection (the three-way handshake: SYN (synchronize), SYN-ACK, ACK), handles reliability and congestion control, and uses acknowledgement segments.

UDP: connectionless; 8-byte header; faster than TCP; used for real-time services. UDP is lightweight: there is no message ordering, no connection tracking, no flow control (and no three-way handshake), and no acknowledgements.

| Parameter | TCP | UDP |
| --- | --- | --- |
| Full form | Transmission Control Protocol | User Datagram Protocol (also called Universal Datagram Protocol) |
| Connection | Connection-oriented protocol. | Connectionless protocol. |
| Half-closed connection | Allows half-closed connections. | Not applicable. |
| Function | Carries a message across the internet from one computer to another over an established connection. | Also transports messages, but without a connection: one program can send a load of packets to another and that is the end of the relationship. |
| Usage | Suited for applications that require high reliability and where transmission time is relatively less critical. | Suited for applications that need fast, efficient transmission, such as games. UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients. |
| Used by other protocols | HTTP, HTTPS, FTP, SMTP, Telnet, SSH | DNS, DHCP, TFTP, SNMP, RIP, VoIP, IPTV |
| Multiplexing & demultiplexing | Using TCP port numbers | Using UDP port numbers |
| Ordering of data packets | Rearranges data packets into the order specified. | No inherent order; all packets are independent of each other. If ordering is required, the application layer has to manage it. |
| Speed of transfer | Slower than UDP. | Faster, because error recovery is not attempted; it is a "best effort" protocol. |
| Reliability | Absolute guarantee that the data transferred remains intact and arrives in the same order in which it was sent. | No guarantee that the messages or packets sent will arrive at all. |
| Header size | 20 bytes | 8 bytes |
| Common header fields | Source port, destination port, checksum | Source port, destination port, checksum |
| Streaming of data | Data is read as a byte stream; no distinguishing indications are transmitted to signal message (segment) boundaries. | Packets are sent individually and are checked for integrity only if they arrive. Packets have definite boundaries which are honoured upon receipt, so a read operation at the receiver socket yields an entire message as it was originally sent. |
| Weight | Heavyweight: requires three packets to set up a socket connection before any user data can be sent; handles reliability and congestion control. | Lightweight: no ordering of messages, no tracking of connections, etc. A small transport layer designed on top of IP. |
| Data flow control | Does flow control, together with reliability and congestion control. | No option for flow control. |
| Error checking | Does error checking and error recovery; erroneous packets are retransmitted from the source to the destination. | Does error checking but simply discards erroneous packets; error recovery is not attempted. |
| Header fields | Sequence number, ACK number, data offset, reserved, control bits, window, urgent pointer, options, padding, checksum, source port, destination port | Length, source port, destination port, checksum |
| Acknowledgement | Acknowledgement segments | No acknowledgement |
| Handshake | SYN, SYN-ACK, ACK | No handshake (connectionless protocol) |

A three-way handshake

A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server.
A three-way handshake is also known as a TCP handshake or SYN-SYN-ACK, which requires both the client and server to exchange SYN (synchronization) and ACK (acknowledgment) packets before actual data communication begins.

image

Step 1: The client node sends a SYN packet to the server to initiate the connection
Step 2: The server receives the SYN packet from the client node and replies with a SYN/ACK packet
Step 3: The client node receives the SYN/ACK from the server and responds with an ACK packet; the connection is now established
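
To make the three steps concrete, here is an added example (not code from the original page) that models the handshake in Python with connection states and the sequence/acknowledgement arithmetic each side checks. The initial sequence numbers 1000 and 5000 are constructed values (a real stack picks them randomly), and no real sockets are involved.

```python
"""Added example: a model of the TCP three-way handshake with connection states
and sequence/acknowledgement numbers, so SYN -> SYN-ACK -> ACK can be traced and
validated step by step. ISNs are constructed; no real sockets are used."""
from dataclasses import dataclass


@dataclass
class Segment:
    """The handful of TCP header fields that matter for the handshake."""
    src: str
    dst: str
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False

    def flags(self) -> str:
        names = [name for name, on in (("SYN", self.syn), ("ACK", self.ack_flag)) if on]
        return "+".join(names) or "-"

    def describe(self) -> str:
        return f"{self.src} -> {self.dst} [{self.flags()}] seq={self.seq} ack={self.ack}"


@dataclass
class Endpoint:
    name: str
    isn: int                  # initial sequence number (random in a real stack)
    state: str = "CLOSED"
    peer_next: int = 0        # next sequence number expected from the peer


def client_send_syn(client: Endpoint, server_name: str) -> Segment:
    """Step 1: the client opens the connection with a SYN carrying its ISN."""
    client.state = "SYN_SENT"
    return Segment(client.name, server_name, seq=client.isn, syn=True)


def server_receive_syn(server: Endpoint, syn: Segment) -> Segment:
    """Step 2: the server records the client's ISN and answers with SYN+ACK."""
    if not syn.syn or syn.ack_flag:
        raise ValueError("expected a bare SYN")
    server.state = "SYN_RECEIVED"         # a half-open connection until the ACK arrives
    server.peer_next = syn.seq + 1        # a SYN consumes one sequence number
    return Segment(server.name, syn.src, seq=server.isn, ack=server.peer_next,
                   syn=True, ack_flag=True)


def client_receive_syn_ack(client: Endpoint, syn_ack: Segment) -> Segment:
    """Step 3: the client verifies the server acknowledged its ISN, then sends the ACK."""
    if not (syn_ack.syn and syn_ack.ack_flag):
        raise ValueError("expected SYN+ACK")
    if syn_ack.ack != client.isn + 1:
        raise ValueError("SYN+ACK does not acknowledge our ISN")
    client.state = "ESTABLISHED"
    client.peer_next = syn_ack.seq + 1
    return Segment(client.name, syn_ack.src, seq=client.isn + 1, ack=client.peer_next,
                   ack_flag=True)


def server_receive_ack(server: Endpoint, ack: Segment) -> str:
    """The server leaves SYN_RECEIVED only when the ACK matches its own ISN + 1."""
    if ack.syn or not ack.ack_flag:
        raise ValueError("expected a bare ACK")
    if ack.ack != server.isn + 1:
        raise ValueError("ACK does not acknowledge our ISN")
    server.state = "ESTABLISHED"
    return server.state


def three_way_handshake(client_isn: int = 1000, server_isn: int = 5000):
    """Run all three steps and return both endpoints plus the segments exchanged."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    syn = client_send_syn(client, server.name)
    syn_ack = server_receive_syn(server, syn)
    ack = client_receive_syn_ack(client, syn_ack)
    server_receive_ack(server, ack)
    return client, server, [syn, syn_ack, ack]


if __name__ == "__main__":
    c, s, segments = three_way_handshake()
    for seg in segments:
        print(seg.describe())
    print(f"client={c.state} server={s.state}")
```

Note that after step 2 the server sits in SYN_RECEIVED holding state for a connection that may never complete; that half-open state is the resource exhausted by SYN floods, which is why servers cap the number of pending connections and use SYN cookies.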


For UDP, no three-way handshake is necessary before transmitting data to the intended recipient. So, all or some of the data might arrive — and it may (or may not) arrive in the order as intended. As such, it’s often described as a “best effort.”

When does DNS use TCP?

DNS uses UDP port 53 for name queries, both regular (forward) and reverse lookups, and TCP port 53 for zone transfers (which keep zone data consistent across DNS servers). UDP is used to exchange small amounts of data, whereas TCP must be used when the data exchanged is larger than 512 bytes.


Cyber Attack Techniques

Cyber attacks encompass a diverse array of malicious strategies employed by cybercriminals to exploit vulnerabilities in computer systems, networks, and individuals. These techniques range from the deployment of malicious software (malware) and denial-of-service attacks to social engineering tactics such as phishing, vishing, and smishing. The objective is to compromise the confidentiality, integrity, or availability of digital assets, often leading to unauthorized access, data breaches, financial losses, or disruption of services.

Technique Definition Examples
Malware Attacks Malicious software designed to harm or exploit computer systems. Viruses, Trojans, ransomware, spyware
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks Overwhelming a system or network to disrupt normal functioning. Flooding a website with traffic to make it unavailable
Man-in-the-Middle (MitM) Attacks Intercepting and possibly altering communication between two parties without their knowledge. Eavesdropping on Wi-Fi networks, session hijacking
SQL Injection Exploiting vulnerabilities in database queries to gain unauthorized access or manipulate data. Injecting malicious SQL code into input fields
Cross-Site Scripting (XSS) Injecting malicious scripts into web pages viewed by others. Exploiting vulnerabilities in web applications to execute scripts in users' browsers
Social Engineering Manipulating individuals to disclose confidential information. Phishing, vishing, impersonation
Zero-Day Exploits Exploiting software vulnerabilities that are unknown to the vendor. Using undisclosed weaknesses before a patch is available
Password Attacks Attempting to obtain passwords through various methods. Brute force attacks, dictionary attacks
DNS Spoofing Providing false DNS responses to redirect traffic to malicious sites. Redirecting users from legitimate websites to phishing sites
Cryptojacking Illegally using someone else's computer to mine cryptocurrency. Injecting mining scripts into websites or software
Eavesdropping Intercepting and monitoring communication between parties. Wiretapping, packet sniffing
IoT Exploitation Targeting vulnerabilities in IoT devices to gain unauthorized access. Hacking into smart home devices, industrial IoT systems
Phishing (including Smishing) Cyber attacks using fraudulent emails, messages, or SMS to trick individuals into revealing sensitive information. Fake emails, text messages claiming to be from banks or legitimate sources
Vishing Voice phishing attack using phone calls or voice messages to deceive individuals into providing sensitive information. Caller claiming to be from a bank, asking for personal information
Credential Stuffing Using previously stolen usernames and passwords to gain unauthorized access. Reusing login credentials across accounts
Watering Hole Attacks Compromising websites likely to be visited by target individuals to deliver malware. Exploiting trust in specific websites
Rogue Software Updates Distributing fake software updates to introduce malware or compromise security. Installing malicious updates
Typosquatting Registering domain names similar to popular websites to capture mistyped traffic. Creating deceptive URLs
AI-Generated Deepfakes Using AI to create realistic but fake audio or video content for impersonation or disinformation. Creating deceptive multimedia content
Supply Chain Attacks Compromising the security of a product or service through vulnerabilities in its supply chain. Affecting users downstream

Types of Malware

Malware is short for "malicious software," and it refers to any software that is designed to harm or exploit a computer system. Malware can take many forms, including viruses, worms, trojan horses, ransomware, spyware, and adware.

Malware can be spread through a variety of means, including email attachments, infected websites, malicious software downloads, and infected removable media such as USB drives. Once it is installed on a computer, malware can perform a variety of malicious actions, such as deleting files, stealing sensitive information, corrupting data, and using the infected computer to attack other systems.

Type Description Real-World Example
Ransomware Disables victim's access to data until ransom is paid RYUK
Fileless Malware Malicious software that operates in memory rather than on a computer's hard drive, making it more challenging to detect Astaroth
Spyware Collects user activity data without their knowledge DarkHotel
Adware Serves unwanted advertisements Fireball
Trojans Disguises itself as desirable code Emotet
Worms Spreads through a network by replicating itself Stuxnet
Virus Unlike worms, which are self-contained, viruses need to infect another program in order to operate. ILOVEYOU
Rootkits Gives hackers remote control of a victim's device Zacinlo
Keyloggers Monitors users' keystrokes Olympic Vision
Bots Launches a broad flood of attacks Echobot
Mobile Malware Infects mobile devices Triada
Exploits An exploit is a piece of software or data that opportunistically uses a defect in an operating system or an app to provide access to unauthorized actors. zero-day (0day)
Scareware Scareware tricks users into believing their computer is infected with a virus. Typically, a user will see scareware as a pop-up warning them that their system is infected. spysheriff
Malvertising Injects malicious code within digital ads. Difficult to detect by both internet users and publishers, these infected ads are usually served to consumers through legitimate advertising networks. Angler
Polymorphic Virus Type of malware that is programmed to repeatedly mutate its appearance or signature files through new decryption routines. Storm Worm

Utilities

Clear Network Cache

This will clear your DNS cache on Windows, release your IP address, and renew it.

ipconfig /flushdns
ipconfig /release
ipconfig /renew

Active Directory PowerShell Commands

Retrieve information about an Active Directory user

Get-ADUser -Identity $username -Properties *
Get-ADUser -Identity $username -Server $domain_controller -Properties *

Retrieve information about an Active Directory computer

Get-ADComputer -Identity $hostname -Properties *

Check the secure channel of a domain-joined computer

Test-ComputerSecureChannel only tests the local machine and has no -ComputerName parameter, so run it on the remote host through Invoke-Command (requires WinRM). It returns $true when the computer is domain-joined and its secure channel to the domain controller is healthy; on a computer that is not joined to a domain it reports an error instead of $false.

$secureChannelOk = Invoke-Command -ComputerName $hostname -ScriptBlock { Test-ComputerSecureChannel }
Write-Host "The computer $hostname is domain-joined with a healthy secure channel: $secureChannelOk"

Regex Cheat Sheet

Regex (short for "Regular Expression") is a special syntax or notation used to match patterns of characters in text. Regular expressions are often used in text processing and data manipulation tasks, such as search and replace operations, data validation, and data scraping.

A regular expression is a sequence of characters that defines a search pattern. It can be used to search for and match specific patterns in text, or to extract specific pieces of information from a larger body of text.

A quick reference guide for regular expressions (regex)

^
    Matches the beginning of a line
    Example: ^\w+ on "This is a string" matches "This"

$
    Matches the end of a line
    Example: \w+$ on "This is a string" matches "string"

+
    Matches the preceding character one or more times
    Example: i+ on "This is a string" matches each "i"

.
    Wildcard, represents any single character
    Example: ... on "This is a string" matches any three consecutive characters

*
    Matches the preceding character zero or more times; .* therefore matches everything
    Example: .* on "This is a string" matches the whole string

|
    Matches either alternative (OR)
    Example: This|string on "This is a string" matches "This" and "string"

?
    Optional quantifier (zero or one occurrence). ? is greedy (non-lazy), ?? is lazy
    Example: https? matches "http" in http://owlify.xyz and "https" in https://owlify.xyz
    Example: https?? matches "http" in both http://owlify.xyz and https://owlify.xyz

\s
    Matches any space, tab or newline character
    Example: \s on "This is a string" matches each of the three spaces

\S+
    Matches anything other than whitespace
    Example: \S+ on "This is a string" matches each word

\d
    Matches any digit 0-9
    Example: \d on "This is 1 string" matches "1"

\D+
    Matches anything other than digits
    Example: \D+ on "This is 1 string" matches "This is " and " string"

\w+
    Matches any alphanumeric character or underscore [a-zA-Z0-9_]
    Example: \w+ on "This is a string" matches each word

\W+
    Matches anything that is not alphanumeric or underscore
    Example: \W+ on "This is #1 string!" matches the runs of spaces, "#" and "!"

\b
    Marks the beginning or end of a word
    Example: \bis\b on "This is a string" matches the word "is" but not the "is" inside "This"

(...)
    Capture group (matches and captures everything enclosed)
    Example: (https?|ftp):\/\/([^\/\r\n]+)(\/[^\r\n]*)? on https://owlify.xyz/test gives Group 1 "https", Group 2 "owlify.xyz", Group 3 "/test"

(?:...)
    Non-capture group (matches everything enclosed without capturing it)
    Example: (?:https?|ftp):\/\/([^\/\r\n]+)(\/[^\r\n]*)? on https://owlify.xyz/test gives Group 1 "owlify.xyz", Group 2 "/test"

[x]
    Character class/set (matches any one character from the set or range)
    Example: [0-9]+ on "This is 123 string" matches "123"
    Example: [a-zA-Z]+ on "This is 123 string" matches each word
    Example: [^a-zA-Z]+ on "This is 123 string" matches " " and " 123 "

{x}
    Matches exactly x occurrences, where x is a number
    Example: \b\d{6}\b matches "123456" and "654321" but not "T123456" (no word boundary between T and 1) or "1234"
    Example: [a-f0-9]{32} matches d1a3acabd159ce5ec13af46a1cb30816

{x,y}
    Matches between x and y occurrences
    Example: [a-f0-9]{5,10} matches "12345", and the first ten characters "12345abcde" of "12345abcdefg"

(?=)
    Positive lookahead
    Example: .*(?=string) on "This is a string" matches "This is a "

(?<=)
    Positive lookbehind
    Example: (?<=This).* on "This is a string" matches " is a string"

(?<=x).*(?=y)
    Matches all characters between two strings
    Example: (?<=This).*(?=string) on "This is a string" matches " is a "

(?!)
    Negative lookahead
    Example: a(?!b) on "aa ab ac ad ae af ag" matches every "a" that is not followed by "b"

(?<!)
    Negative lookbehind
    Example: (?<!a)b on "debt cab bar back bad" matches every "b" that is not preceded by "a"
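The following Python block is an added example, not part of the original cheat sheet: it runs the cheat sheet's own patterns (the capture-group URL expression, the greedy/lazy ? quantifier, the lookbehind/lookahead pair and \b\d{6}\b) over constructed proxy-style log lines so the difference between a capture group that participates and one that does not, and between https? and https??, can be seen on real input. The log lines and the \s added to the host and path classes are my own additions.

```python
import re

# Constructed sample input (not from the original page): three proxy-style log lines.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z user=alice url=https://owlify.xyz/test status=200
2024-01-01T10:00:05Z user=bob url=http://owlify.xyz status=302
2024-01-01T10:00:09Z user=carol url=ftp://files.example.test/pub/readme.txt status=226
"""

# The cheat sheet's capture-group pattern, with \s added to the host and path
# classes so a URL embedded in a log line stops at the next field instead of
# swallowing the rest of the line.
URL_RE = re.compile(r"(https?|ftp):\/\/([^\/\r\n\s]+)(\/[^\r\n\s]*)?")


def extract_urls(text):
    """Return (scheme, host, path) for every URL in text. path is None when the
    optional third group did not participate in the match."""
    return [(m.group(1), m.group(2), m.group(3)) for m in URL_RE.finditer(text)]


def greedy_vs_lazy(url):
    """Compare 'https?' (greedy) with 'https??' (lazy): the lazy form prefers
    zero occurrences of the optional 's', so it returns 'http' even for https."""
    return (re.match(r"https?", url).group(), re.match(r"https??", url).group())


def between(text, left, right):
    """Text strictly between two literal markers, using the lookbehind/lookahead
    idiom (?<=left).*(?=right). Returns None when the markers are absent."""
    m = re.search(rf"(?<={re.escape(left)}).*(?={re.escape(right)})", text)
    return m.group() if m else None


def six_digit_tokens(text):
    r"""Whole six-digit tokens only: \b\d{6}\b rejects 'T123456' (no word
    boundary between 'T' and '1') and '1234' (too short)."""
    return re.findall(r"\b\d{6}\b", text)


if __name__ == "__main__":
    for scheme, host, path in extract_urls(SAMPLE_LOG):
        print(f"{scheme:5} {host:22} {path}")
    print(greedy_vs_lazy("https://owlify.xyz"), greedy_vs_lazy("http://owlify.xyz"))
    print(repr(between("This is a string", "This", "string")))
    print(six_digit_tokens("T123456\n123456\n654321\n1234"))
```

Note that the lookbehind must be fixed-width, which is why the markers are passed through re.escape as literals rather than as arbitrary sub-patterns.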

Useful Linux Commands

Useful Linux command-line utilities

Useful Windows Commands

Useful Windows command-line utilities

FINDSTR

findstr is a built-in tool of the Windows operating system that you may run from the command line to find text in files or in command-line outputs.

Parameter | Description
/B | Matches the pattern only at the beginning of a line
/E | Matches the pattern only at the end of a line
/L | Uses search strings literally
/R | Uses search strings as regular expressions
/S | Searches for matching files in the current directory and all subdirectories
/I | Makes the search case-insensitive
/X | Prints lines that match exactly
/V | Prints only lines that do not contain a match
/N | Prints the line number before each matching line
/M | Prints only the filename if a file contains a match
/O | Prints the character offset before each matching line
/P | Skips files with non-printable characters
/F:file | Reads a file list from the specified file
/C:string | Uses the specified string as a literal search string
/G:file | Gets search strings from the specified file
/D:dir | Searches a semicolon-delimited list of directories
strings | Text to be searched for
[drive:][path]filename | Specifies a file or files to search

For example:

netstat | findstr "8.8.4.4" -- Filters the netstat output down to the lines containing 8.8.4.4

findstr /c:"windows 10" file.txt -- Searches file.txt for the literal string "windows 10"

findstr "windows" c:\documents\*.* -- Searches every file in c:\documents for the string "windows"

findstr /s /i Windows *.* -- Searches every file in the current directory and all subdirectories for the word Windows, ignoring case

findstr /g:criteria.txt /f:filelist.txt > results.out -- Uses the search strings in criteria.txt to search the files listed in filelist.txt, writing the matches to results.out

findstr /g:"test.txt" "test2.txt" -- Prints the lines of test2.txt that contain any of the strings listed in test.txt, a quick way to find what two files have in common

Vim text editor


Threat Hunt

Default Windows Processes

Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.
When searching for malicious processes, look for any of these anomalous characteristics:
    • Started with the wrong parent process
    • Image executable is located in the wrong path
    • Misspelled processes
    • Processes that are running under the wrong account (incorrect SID)
    • Processes with unusual start times (e.g., a process that starts minutes or hours after boot when it should start within seconds of boot)
    • Unusual command-line arguments
    • Packed executables
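The Python block below is an added example, not part of the original page: it applies four of the checks listed above (wrong parent, wrong image path, misspelled name, wrong account) to a process snapshot. The baseline of expected parents, directories and accounts is an assumption I have drawn from the reference table that follows, and the process list is constructed; a real hunt would feed in output from Get-Process, tasklist or an EDR export and tune the baseline per environment.

```python
import ntpath

# Assumed baseline (not from the original page): expected parent, image directory
# and accounts for a few core processes, following the reference table below.
# Tune it for your own environment before relying on it.
SYS32 = r"c:\windows\system32"
SYSTEM = r"nt authority\system"
BASELINE = {
    "smss.exe":     {"parents": {"system"},       "dir": SYS32, "users": {SYSTEM}},
    "csrss.exe":    {"parents": {"smss.exe"},     "dir": SYS32, "users": {SYSTEM}},
    "wininit.exe":  {"parents": {"smss.exe"},     "dir": SYS32, "users": {SYSTEM}},
    "winlogon.exe": {"parents": {"smss.exe"},     "dir": SYS32, "users": {SYSTEM}},
    "services.exe": {"parents": {"wininit.exe"},  "dir": SYS32, "users": {SYSTEM}},
    "lsass.exe":    {"parents": {"wininit.exe"},  "dir": SYS32, "users": {SYSTEM}},
    "svchost.exe":  {"parents": {"services.exe"}, "dir": SYS32,
                     "users": {SYSTEM, r"nt authority\local service", r"nt authority\network service"}},
}

# Constructed process snapshot (not real data): pid, parent pid, name, image path, account.
PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "image": "",                                  "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 380,  "ppid": 4,    "name": "smss.exe",     "image": r"C:\Windows\System32\smss.exe",     "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 520,  "ppid": 380,  "name": "csrss.exe",    "image": r"C:\Windows\System32\csrss.exe",    "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 600,  "ppid": 380,  "name": "wininit.exe",  "image": r"C:\Windows\System32\wininit.exe",  "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 700,  "ppid": 600,  "name": "services.exe", "image": r"C:\Windows\System32\services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 720,  "ppid": 600,  "name": "lsass.exe",    "image": r"C:\Windows\System32\lsass.exe",    "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 900,  "ppid": 700,  "name": "svchost.exe",  "image": r"C:\Windows\System32\svchost.exe",  "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"pid": 3200, "ppid": 2800, "name": "explorer.exe", "image": r"C:\Windows\explorer.exe",          "user": r"DESKTOP\alice"},
    {"pid": 4100, "ppid": 3200, "name": "svchost.exe",  "image": r"C:\Users\Public\svchost.exe",      "user": r"DESKTOP\alice"},
    {"pid": 4200, "ppid": 700,  "name": "scvhost.exe",  "image": r"C:\Windows\System32\scvhost.exe",  "user": r"NT AUTHORITY\SYSTEM"},
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(processes, baseline=BASELINE, max_distance=2):
    """Return {pid: [(category, detail), ...]} for processes that deviate from the baseline."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        name = p["name"].lower()
        issues = []
        expected = baseline.get(name)
        if expected is None:
            # Unknown name: flag it when it is within a couple of edits of a core process name.
            for known in baseline:
                d = edit_distance(name, known)
                if 0 < d <= max_distance:
                    issues.append(("misspelled_name", f"{p['name']} resembles {known} (edit distance {d})"))
        else:
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"].lower() if parent else "<none>"
            if parent_name not in expected["parents"]:
                issues.append(("wrong_parent", f"parent is {parent_name}, expected one of {sorted(expected['parents'])}"))
            if ntpath.dirname(p["image"]).lower() != expected["dir"]:
                issues.append(("wrong_path", f"image {p['image']} is outside {expected['dir']}"))
            if p["user"].lower() not in expected["users"]:
                issues.append(("wrong_account", f"running as {p['user']}"))
        if issues:
            findings[p["pid"]] = issues
    return findings


if __name__ == "__main__":
    for pid, issues in triage(PROCESSES).items():
        for category, detail in issues:
            print(f"pid {pid}: {category}: {detail}")
```

The misspelling check is only applied to names that are not already in the baseline, because some legitimate names are themselves within two edits of each other (smss.exe and csrss.exe, for instance).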

Process view on a Windows 10 machine



Process | Process name | Description
Alg.exe | Application Layer Gateway Service | Used for Internet Connection Sharing (ICS) and the firewall. If you end this process in Task Manager, you lose all Internet connectivity until the next system restart or login.
Audiodg.exe | Windows Audio Device Graph Isolation | The audio component of Windows Vista/7/8/10. It prevents other applications from modifying or changing any content or plug-in enhancements.
Csrss.exe | Client Server Runtime Process | An important part of the Windows operating system, responsible for console windows and the shutdown process, which are critical functions in Windows. Csrss is also responsible for creating and/or deleting threads and implementing some portions of the 16-bit virtual MS-DOS environment.
Ctfmon.exe | Alternative User Input Text Input Processor for Office | Controls Alternative User Input and the Office Language bar. It monitors active windows and provides text input service support for speech recognition, handwriting recognition, keyboard translation, and other alternate user input forms. In fact, this file is how you control the computer via speech or a pen tablet, or use the on-screen keyboard inputs for Asian languages.
Dllhost.exe | DCOM DLL host process | A host for DLL files and binary executables. The COM+ hosting process controls processes in Internet Information Services (IIS) and is used by many programs. Multiple instances of dllhost.exe can run at once. Dllhost.exe is typically safe as long as the computer is up to date on security patches and a reliable antivirus is installed.
Dwm.exe | Microsoft Desktop Window Manager | A compositing window manager that renders the visual effects in Windows: transparent windows, live taskbar thumbnails, and high-resolution monitor support. In other words, dwm is responsible for graphical effects such as live window previews and the glass-like frame around windows (Aero Glass or Windows Aero), without draining the CPU.
Explorer.exe | Windows Explorer | The user shell, which we see as the familiar taskbar, desktop, file manager and other user interface features. Explorer.exe runs automatically at startup and remains an active process. This graphical shell component displays a user-friendly interface that lets you access, copy, delete, cut, and otherwise act on files located on the system and on connected networks.
LogonUI.exe | Windows Logon User Interface | A legitimate file used to facilitate user login to a PC. LogonUI.exe implements the graphical user interface shown when a user is asked to log in to the local machine.
Lsass.exe | Local Security Authority Subsystem Service | Lsass.exe has the file description "LSA shell". It verifies the validity of user logons to your PC or server and generates the process responsible for authenticating users for the Winlogon service. Lsass.exe is therefore a crucial component of Windows security policy, domain authentication, and Active Directory management on the computer.
Lsm.exe | Local Session Manager Service | LSM is the Local Session Manager Service in Microsoft Windows. The genuine lsm.exe process manages all connections related to a server and is considered part of core Windows functionality. It is present by default on Windows 7, Windows 8 and Windows 10.
msdt.exe | Microsoft Diagnostic Troubleshooting Wizard | The executable of the Diagnostics Troubleshooting Wizard that ships with the Microsoft Windows operating system. The Microsoft Support Diagnostic Tool (MSDT) collects information to send to Microsoft Support, which then analyzes it to determine the resolution of problems you may be experiencing on your computer.
Rundll32.exe | Run a DLL as an App | Part of Windows, used to run program code in DLL files as if it were within the actual program. Since there is no way to directly launch a DLL file, rundll32.exe is simply used to launch functionality stored in shared .dll files. This file is also commonly used by spyware to launch its own malicious code.
RuntimeBroker.exe | Runtime Broker | A Windows process that helps manage permissions on your PC for apps from the Microsoft Store.
Services.exe | Services and Controller app | The Service Control Manager, responsible for running, ending, and interacting with system services. Use it to start services, stop them, or change their startup type from automatic to manual. It also handles the automatic starting of services during boot and the stopping of services during shutdown. It should not be terminated: it is a system process that is needed for the PC to work properly.
Smss.exe | Session Manager Subsystem | The session manager subsystem, responsible for starting the user session. It is initiated by the main system thread and handles various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After launching these processes, it waits for either Winlogon or Csrss to end. If this happens normally, the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
Spoolsv.exe | Print+Fax Spooler | Runs the Print Spooler Service, which manages spooled print/fax jobs and caches them in system memory as images. Spooling lets you print in the background without tying up your computer: when you print something, the job is sent to the spooler, which hands it off to the printer. It normally uses few resources, but it sometimes consumes a large amount, because converting different file formats into an image suitable for printing often takes time and a lot of memory.
Svchost.exe | Service Host | An integral part of the Windows OS that cannot be stopped or restarted manually. Windows uses svchost.exe to launch the DLLs (dynamic-link libraries) that help Windows processes run efficiently; it manages system services (Automatic Updates, Windows Firewall, Plug and Play, Windows Themes and many more) that run from .dll files. At startup, svchost.exe checks the services portion of the registry and builds a list of the services it needs to load; under normal conditions, multiple instances run simultaneously. High CPU usage is mostly because the "Automatic Updates" service is downloading a new Windows update, but 99% or 100% CPU usage can also be caused by downloads from hidden malware on your computer.
System | System process | The "system" process is an executable file on your computer's hard drive containing machine code. It is responsible for system memory and compressed memory in the NT kernel, runs as a single thread on each processor, and hosts all kinds of drivers (network, disk, USB). On Windows 10 it has the additional task of compressing old memory pages so that more free memory is available. Non-system processes like [system process] originate from software you installed on your system; since most applications store data on your hard disk and in the registry, your computer has likely suffered fragmentation and accumulated invalid entries that can affect performance. When Windows starts, the commands contained in the "system" process are executed: the file is loaded into main memory (RAM) and runs there as a "System Idle Process" (also called a task).
taskhostw.exe | Task Host for Windows | A Windows operating system file whose main function is to start Windows services based on DLLs whenever the computer boots. It is a host for processes that execute a DLL rather than an .exe.
Userinit.exe | Userinit Logon Application | A program launched directly after a user logs into Windows. It restores your profile, fonts, colors, etc. for your username. It is a required and important Windows system file.
Winlogon.exe | Windows Logon Application | A critical part of the Windows operating system that runs in the background. Winlogon is part of the Windows Login subsystem and is necessary for user authorization and Windows activation checks. When you sign in, winlogon.exe loads your user profile into the registry, which allows programs to use the keys under HKEY_CURRENT_USER, which differ for each Windows user account. It is also responsible for locking your PC and starting screen savers after a period of inactivity.
wininit.exe | Windows Initialization | A Windows system process started during the system startup phase by another process, smss.exe. Wininit in turn runs processes such as services.exe (to start services), lsass.exe, lsm.exe and winlogon.exe: the other system processes that prepare the system for operation and login.
Winmgmt.exe | Windows Management Instrumentation (WMI) | A core component of client management in Windows that provides management information and control in an enterprise environment. The WMI service starts automatically when the first management application or script requests a connection to a WMI namespace. Winmgmt is the WMI service within the SVCHOST process running under the "LocalSystem" account. Administrators can use WMI to query and set information on desktop systems, applications, networks and other enterprise components.
Wmiprvse.exe | Windows Management Instrumentation Provider Host | The WMI Provider Host, part of the Windows Management Instrumentation (WMI) component that provides management information and control in an enterprise environment. In other words, it allows other applications on your computer to request information about your system. It runs alongside the WMI core process, WinMgmt.exe, and multiple instances can run at the same time under different accounts: LocalSystem, NetworkService or LocalService. The WMI core WinMgmt.exe is loaded into the shared Local Service host named Svchost.exe.

Ransomware Encrypted File Extensions List

File extension | Description
micro | TeslaCrypt 3.0 ransomware encrypted data
zepto | Locky ransomware affected data
cerber | Cerber ransomware affected data
locky | Locky ransomware affected data
cerber3 | Cerber 3 ransomware affected data
cryp1 | CryptXXX ransomware affected data
mole | CryptoMix (variant) ransomware affected data
onion | Dharma ransomware affected data
axx | AxCrypt encrypted data
osiris | Locky (variant) ransomware affected data
crypz | CryptXXX ransomware affected data
crypt | Scatter ransomware affected data
locked | Various ransomware affected data
odin | Locky ransomware affected file
ccc | TeslaCrypt or Cryptowall encrypted data
cerber2 | Cerber 2 ransomware affected file
sage | Sage ransomware affected data
globe | Globe ransomware affected file
exx | Alpha Crypt encrypted file
good | Scatter ransomware affected file
wallet | Globe 3 (variant) ransomware affected file
1txt | Enigma ransomware affected file
decrypt2017 | Globe 3 ransomware affected file
encrypt | Alpha ransomware affected file
ezz | Alpha Crypt virus encrypted data
zzzzz | Locky ransomware affected file
MERRY | Merry X-Mas ransomware affected file
enciphered | Malware (ransomware) encoded file
r5a | 7ev3n ransomware affected file
aesir | Locky ransomware affected file
ecc | Cryptolocker or TeslaCrypt virus encrypted file
enigma | Coverton ransomware affected file
cryptowall | Encrypted file by Cryptowall ransomware
encrypted | Various ransomware affected file
loli | LOLI RanSomeWare ransomware affected file
breaking_bad | Files1147[@]gmail[.]com ransomware affected data
coded | Anubis ransomware affected file
ha3 | El-Polocker affected file
damage | Damage ransomware affected file
wcry | WannaCry ransomware affected file
lol! | GPCode ransomware affected file
cryptolocker | CryptoLocker encrypted file
dharma | CrySiS ransomware affected file
MRCR1 | Merry X-Mas ransomware affected file
sexy | PayDay ransomware affected files
crjoker | CryptoJoker ransomware affected file
fantom | Fantom ransomware affected file
keybtc[@]inbox_com | KeyBTC ransomware affected file
rrk | Radamant v2 ransomware affected file
legion | Legion ransomware affected file
kratos | KratosCrypt ransomware affected file
LeChiffre | LeChiffre ransomware affected file
kraken | Rakhni ransomware affected file
zcrypt | ZCRYPT ransomware affected file
maya | HiddenTear (variant) ransomware affected file
enc | TorrentLocker ransomware affected file
file0locked | Evil ransomware affected file
crinf | DecryptorMax or CryptInfinite ransomware affected file
serp | Serpent (variant) ransomware affected file
potato | Potato ransomware affected file
ytbl | Troldesh (variant) ransomware affected file
surprise | Surprise ransomware affected file
angelamerkel | Angela Merkel ransomware affected file
windows10 | Shade ransomware affected file
lesli | CryptoMix ransomware affected file
serpent | Serpent ransomware affected file
PEGS1 | Merry X-Mas ransomware affected file
dale | Chip ransomware affected file
pdcr | PadCrypt Ransomware script
zzz | TeslaCrypt ransomware encrypted file
xyz | TeslaCrypt ransomware encrypted file
1cbu1 | Princess Locker ransomware affected file
venusf | Venus Locker ransomware affected file
coverton | Coverton ransomware affected file
thor | Locky ransomware affected file
rnsmwr | Gremit ransomware affected file
evillock | Evil-JS (variant) ransomware affected file
R16m01d05 | Ransomware affected data
wflx | WildFire ransomware affected file
nuclear55 | Nuke ransomware affected file
darkness | Rakhni ransomware affected file
encr | FileLocker ransomware affected file
rekt | HiddenTear (variant) ransomware affected file
kernel_time | KeRanger OS X ransomware
zyklon | ZYKLON ransomware affected file
Dexter | Troldesh (variant) ransomware affected file
locklock | LockLock ransomware affected file
cry | CryLocker ransomware affected file
VforVendetta | Samsam (variant) ransomware affected file
btc | Jigsaw Ransomware affected file
raid10 | Globe [variant] ransomware affected file
dCrypt | DummyLocker ransomware affected file
zorro | Zorro ransomware affected file
AngleWare | HiddenTear/MafiaWare (variant) ransomware affected file
EnCiPhErEd | Xorist Ransomware affected file
purge | Globe ransomware affected file
realfs0ciety[@]sigaint[.]org[.]fs0ciety | Fsociety ransomware affected file
shit | Locky ransomware affected file
atlas | Atlas ransomware affected file
exotic | Exotic ransomware affected file
crypted | Nemucod ransomware affected file
padcrypt | PadCrypt ransomware affected file
xxx | TeslaCrypt 3.0 ransomware encrypted file
hush | Jigsaw ransomware affected file
bin | Alpha/Alfa ransomware affected file
vbransom | VBRansom 7 ransomware affected file
RMCM1 | Merry X-Mas ransomware affected file
cryeye | DoubleLocker ransomware affected data
unavailable | Al-Namrood ransomware affected file
braincrypt | Braincrypt ransomware affected file
fucked | Manifestus ransomware affected file
crypte | Jigsaw (variant) ransomware affected file
_AiraCropEncrypted | AiraCrop Ransomware affected file
stn | Satan ransomware affected file
paym | Jigsaw Ransomware affected file
spora | Spora ransomware affected file
dll | FSociety ransomware affected file
RARE1 | Merry X-Mas ransomware affected file
alcatraz | Alcatraz Locker ransomware affected file
pzdc | Scatter ransomware affected file
aaa | TeslaCrypt ransomware encrypted file
encrypted | Donald Trump ransomware affected file
ttt | TeslaCrypt 3.0 ransomware encrypted file
odcodc | ODCODC ransomware affected file
vvv | TeslaCrypt 3.0 ransomware encrypted file
ruby | Ruby ransomware affected file
pays | Jigsaw Ransomware affected file
comrade | Comrade ransomware affected file
enc | Cryptorium ransomware affected file
abc | TeslaCrypt ransomware encrypted file
xxx | help_dcfile ransomware affected file
antihacker2017 | Xorist (variant) Ransomware affected file
herbst | Herbst ransomware affected file
szf | SZFLocker ransomware affected file
rekt | RektLocker ransomware affected file
bript | BadEncriptor ransomware affected file
crptrgr | CryptoRoger ransomware affected file
kkk | Jigsaw Ransomware affected file
rdm | Radamant ransomware affected file
BarRax | BarRax (HiddenTear variant) ransomware affected file
vindows | Vindows Locker ransomware affected file
helpmeencedfiles | Samas/SamSam ransomware affected file
hnumkhotep | Globe 3 ransomware affected file
CCCRRRPPP | Unlock92 ransomware affected file
kyra | Globe ransomware affected file
fun | Jigsaw Ransomware affected file
rip | KillLocker ransomware affected file
73i87A | Xorist Ransomware affected file
bitstak | Bitstak ransomware affected file
kernel_complete | KeRanger OS X ransomware file
payrms | Jigsaw Ransomware affected file
a5zfn | Alma Locker ransomware affected file
perl | Bart ransomware affected file
noproblemwedecfiles | Samas/SamSam ransomware affected file
lcked | Jigsaw (variant) ransomware affected file
p5tkjw | Xorist Ransomware affected file
paymst | Jigsaw Ransomware affected file
magic | Magic ransomware affected file
payms | Jigsaw Ransomware affected file
d4nk | PyL33T ransomware affected file
SecureCrypted | Apocalypse ransomware affected file
paymts | Jigsaw Ransomware affected file
kostya | Kostya ransomware affected file
lovewindows | Globe (variant) ransomware affected file
madebyadam | Roga ransomware affected file
powerfulldecrypt | Samas/SamSam ransomware affected file
gefickt | Jigsaw (variant) ransomware affected file
kernel_pid | KeRanger OS X ransomware file
ifuckedyou | SerbRansom ransomware affected file
grt | Karmen HiddenTear (variant) ransomware affected file
conficker | Conficker ransomware affected file
edgel | EdgeLocker ransomware affected file
PoAr2w | Xorist Ransomware affected file
oops | Marlboro ransomware affected file
adk | Angry Duck ransomware affected file
encrypted | KeRanger OS X ransomware affected file
Whereisyourfiles | Samas/SamSam ransomware affected file
czvxce | Coverton ransomware affected file
theworldisyours | Samas/SamSam ransomware affected file
info | PizzaCrypts Ransomware affected file
razy | Razy ransomware affected file
rmd | Zeta ransomware affected file
fun | Jigsaw (variant) ransomware affected file
kimcilware | KimcilWare ransomware affected file
paymrss | Jigsaw Ransomware affected file
dxxd | DXXD ransomware affected file
pec | PEC 2017 ransomware affected file
rokku | Rokku ransomware affected file
lock93 | Lock93 ransomware affected file
vxlock | vxLock ransomware affected file
pubg | PUBG ransomware affected data
crab | GandCrab ransomware affected data
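As an added example (not part of the original page), the Python block below turns a subset of the table above into a triage check over a file listing. Two details matter in practice and are built in: the match is case-insensitive, because several families use mixed case (MERRY, EnCiPhErEd), and a hit is only rated high-confidence when the ransomware suffix was appended to a file that still carries its original extension (report.docx.locky), since generic suffixes in the table such as .dll, .bin or .enc collide with perfectly ordinary files. The extension subset and the file paths are constructed; on a real case load the complete table and feed in a directory walk.

```python
import ntpath

# Constructed subset of the extension table above, keyed by lower-case suffix.
# Not the full list: load the complete table for real use. Defanged entries
# such as keybtc[@]inbox_com would need the literal suffix restored.
RANSOMWARE_EXTENSIONS = {
    "locky": "Locky", "zepto": "Locky", "osiris": "Locky", "thor": "Locky",
    "cerber": "Cerber", "crab": "GandCrab", "wcry": "WannaCry", "merry": "Merry X-Mas",
    "dexter": "Troldesh (variant)", "dll": "FSociety", "bin": "Alpha/Alfa", "encrypted": "Various",
}

# Constructed file listing (not from a real system).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.locky",
    r"C:\Users\alice\Documents\budget.xlsx.zepto",
    r"C:\Users\alice\Pictures\holiday.jpg.MERRY",
    r"C:\Users\alice\Desktop\invoice.pdf.crab",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Downloads\setup.bin",
]


def classify(path, table=RANSOMWARE_EXTENSIONS):
    """Return (family, confidence) or None for a single path.

    Confidence is 'high' when the known suffix sits on top of an original
    extension (report.docx.locky) and 'low' when the file has no inner
    extension, which is what ordinary .dll or .bin files look like.
    """
    stem, ext = ntpath.splitext(path)          # ntpath handles backslash paths on any OS
    family = table.get(ext.lstrip(".").lower())
    if family is None:
        return None
    inner_ext = ntpath.splitext(stem)[1]
    return family, "high" if inner_ext else "low"


def flag_ransomware_files(paths, table=RANSOMWARE_EXTENSIONS):
    """Return [(path, family, confidence)] for every path whose suffix is in the table."""
    hits = []
    for path in paths:
        result = classify(path, table)
        if result:
            hits.append((path, *result))
    return hits


def summarize(hits):
    """Count high-confidence hits per family so the dominant strain stands out."""
    counts = {}
    for _, family, confidence in hits:
        if confidence == "high":
            counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    found = flag_ransomware_files(SAMPLE_PATHS)
    for path, family, confidence in found:
        print(f"{confidence:4} {family:20} {path}")
    print(summarize(found))
```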

svchost

Svchost.exe (Service Host) is a generic host process name for services that run on Windows operating systems. It is responsible for running many of the background services that are necessary for the operating system and other programs to function properly.

There can be multiple instances of the Service Host process running at the same time, each one hosting one or more services.

Why are there so many Service Host processes running?

When you start a Windows computer, multiple instances of Svchost.exe are usually launched, each one hosting one or more services. This allows the operating system to manage the services more efficiently by running them in a separate process, rather than as individual programs.

It is normal for there to be multiple Service Host processes running on a Windows computer. These processes are responsible for running many of the background services that are necessary for the operating system and other programs to function properly. Some examples of services that might be hosted by a Service Host process include the Windows Update service, the Network Location Awareness service, and the Remote Procedure Call (RPC) service.

Since it is normal to see many svchost.exe processes in the background, some malicious programs make use of the confusion and masquerade as a legitimate svchost.exe process. svchost.exe is located in C:\Windows\System32 folder. Any file named “svchost.exe” located in another folder can be considered malware. Determining the image path of a process, and its invoking command line, can help identify software masquerading in this way, and help locate the actual program file which is running under the assumed process name of “svchost.exe” (Windows allows multiple processes to all display the same name). Some malware injects a .dll file into the authentic svchost process, for example, Win32/Conficker worm.


If we look at one of the running “svchost.exe” instances and check its command line, we see the parameters it was started with. In this example, the instance is hosting four services.

The "-k" flag

In this example, the “svchost.exe” process was started with the "-k UnistackSvcGroup" parameter. svchost.exe resolves this group name through the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

It looks up the value named "UnistackSvcGroup" under that key and reads it. This multi-string value lists the names of the services that will be loaded and run within the context of that svchost.exe instance.


The "-s" flag

The “svchost.exe” process can also be used with the “-s” flag.


When the “-s” flag is used with the "-k" flag, it will tell the “svchost.exe” process to only load a specific service from the specified group. In this example, only the "WpnUserService" will be loaded from the "UnistackSvcGroup".
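The Python block below is an added example, not part of the original page: it parses svchost.exe command lines for the -k and -s parameters described above and checks them against a snapshot of the Svchost registry key, so an instance whose group is not defined, whose -s service is not a member of the named group, or which was started with no -k group at all can be singled out for review. The group-to-service mapping is a constructed stand-in for the registry key (only UnistackSvcGroup/WpnUserService comes from the example above); on a live host read the key with winreg or reg.exe instead.

```python
# Constructed snapshot (not read from a real machine) of the value names and
# service lists under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
# UnistackSvcGroup/WpnUserService follows the example above; the other entries
# are illustrative. On a live host, read the key with winreg or reg.exe.
SVCHOST_GROUPS = {
    "UnistackSvcGroup": ["WpnUserService", "CDPUserSvc"],
    "netsvcs": ["Schedule", "Themes", "wuauserv"],
    "LocalServiceNetworkRestricted": ["EventLog", "TimeBrokerSvc"],
}

# Constructed command lines of svchost.exe instances to check.
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup",
    r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService",
    r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
    r"C:\Windows\system32\svchost.exe -k NotARealGroup",
    r"C:\Windows\system32\svchost.exe -k netsvcs -s WpnUserService",
    r"C:\Windows\system32\svchost.exe",
]


def parse_svchost_cmdline(cmdline):
    """Split an svchost.exe command line into its -k group, optional -s service and any other flags."""
    parts = cmdline.split()
    parsed = {"image": parts[0] if parts else "", "group": None, "service": None, "other_flags": []}
    i = 1
    while i < len(parts):
        flag = parts[i].lower()
        if flag == "-k" and i + 1 < len(parts):
            parsed["group"] = parts[i + 1]
            i += 2
        elif flag == "-s" and i + 1 < len(parts):
            parsed["service"] = parts[i + 1]
            i += 2
        else:
            parsed["other_flags"].append(parts[i])
            i += 1
    return parsed


def expected_services(cmdline, groups=SVCHOST_GROUPS):
    """Return (findings, services): the services this instance should be hosting
    according to the registry snapshot, plus anything that does not add up.
    Group and service names are compared case-insensitively, as the registry does."""
    p = parse_svchost_cmdline(cmdline)
    findings = []
    group_names = {g.lower(): g for g in groups}
    if p["group"] is None:
        findings.append("no -k group: legitimate instances are started by services.exe with a group name")
        return findings, []
    group = group_names.get(p["group"].lower())
    if group is None:
        findings.append(f"group {p['group']} is not defined under the Svchost registry key")
        return findings, []
    members = groups[group]
    if p["service"] is None:
        return findings, list(members)          # -k alone: the whole group is loaded
    if p["service"].lower() not in {m.lower() for m in members}:
        findings.append(f"service {p['service']} is not a member of group {group}")
        return findings, []
    return findings, [p["service"]]             # -k plus -s: only that one service


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        findings, services = expected_services(cmdline)
        print(cmdline)
        print("   hosts:", services or "-", "| findings:", findings or "none")
```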


SIGMA Rule

Sigma is a tool that allows you to create rules to identify patterns in log events. It is named after the Greek letter Sigma (Σ), which is often used to represent the sum of a series of numbers or the standard deviation of a set of data in statistics. Sigma is designed to be used with a variety of different log sources, including system logs, network logs, and security logs.

Sigma rules are written in a specialized language that allows you to specify the patterns that you want to identify in log events. Once you have created your Sigma rules, you can use them to scan log files for specific patterns or to generate alerts when certain patterns are detected.

Sigma is often used in conjunction with other security tools, such as Snort, which is a network intrusion detection and prevention system. Snort can be used to analyze network traffic for signs of malicious activity and to trigger alerts when suspicious activity is detected. By combining Sigma and Snort, you can create a more comprehensive security system that can help protect against a wide range of cyber threats.
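The rule and the deliberately small evaluator below are an added example, not part of the original page or of the Sigma project: they show how a Sigma detection block (search identifiers, |endswith and |startswith modifiers, a list as OR, a map as AND, and a condition such as "selection and not filter") is applied to process-creation events. The rule is written as the Python equivalent of the YAML so the block needs no YAML library; the events are constructed, and the baseline that a legitimate svchost.exe lives under System32 or SysWOW64 and is started by services.exe is my assumption, not something Sigma defines. In practice rules are converted with sigma-cli or pySigma into SIEM queries rather than evaluated like this.

```python
# Added example: a Sigma-style rule expressed as Python data (the YAML equivalent
# would use the same keys) and a minimal evaluator. Not from the Sigma project.
RULE = {
    "title": "Svchost From Unexpected Path Or Parent",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\svchost.exe"},
        # A map is an AND of its fields; a list value is an OR of alternatives.
        # Assumed baseline: legitimate svchost.exe lives under System32/SysWOW64
        # and is started by services.exe.
        "filter_legit": {
            "Image|startswith": ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"],
            "ParentImage|endswith": "\\services.exe",
        },
        "condition": "selection and not filter_legit",
    },
    "level": "high",
}

# Constructed process-creation events with Sysmon-style field names (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"Image": "C:\\Users\\Public\\svchost.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\loader.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _value_matches(actual, expected, modifier):
    """Sigma string matching is case-insensitive; the common modifiers are supported."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e


def _search_matches(search, event):
    """A search identifier is a map: every field must match, any listed value may match."""
    for key, expected in search.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event[field], v, modifier) for v in values):
            return False
    return True


def _eval_condition(condition, results):
    """Tiny recursive-descent evaluator: 'not' binds tighter than 'and', which binds tighter than 'or'."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = [0]

    def parse_or():
        value = parse_and()
        while pos[0] < len(tokens) and tokens[pos[0]] == "or":
            pos[0] += 1
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while pos[0] < len(tokens) and tokens[pos[0]] == "and":
            pos[0] += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = tokens[pos[0]]
        pos[0] += 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            pos[0] += 1  # consume ')'
            return value
        return results[tok]

    return parse_or()


def rule_matches(rule, event):
    """Evaluate every search identifier against the event, then the condition over the results."""
    detection = rule["detection"]
    results = {name: _search_matches(search, event)
               for name, search in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def run_rule(rule, events):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


if __name__ == "__main__":
    print(RULE["title"], "fires on events", run_rule(RULE, EVENTS))
```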


YARA Rule

Yara is a tool that allows you to create, analyze, and identify malware and other malicious software. A Yara rule is a set of criteria used to identify and classify malware. Yara rules are written in a specialized language that allows you to specify the characteristics of the malware you are looking for, such as specific strings of text, patterns of code, or other identifying features.

Yara rules are used by cybersecurity professionals to identify and classify malware, and to help protect against cyber threats. Yara rules can be used to scan files, network traffic, and other sources for signs of malware, and can be used in conjunction with other security tools and techniques to help defend against cyber attacks.

Yara rules are typically used to identify specific types of malware, such as viruses, worms, trojans, and other malicious software. They can be used to identify both known and unknown malware, and can be updated and modified as new threats emerge.
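The Python block below is an added example, not part of the original page and not a real YARA rule file: it mirrors the shape of a YARA rule (text strings, a hex string with ?? wildcards, the nocase modifier, and a condition built from "all of", "any of" and "N of ($prefix*)" clauses) and evaluates it against constructed byte samples, so the way strings and condition combine can be followed without yara-python. The rule, its strings and the samples are constructed; only clauses joined by "and" are supported, and real scanning should use yara or yara-python.

```python
import re

# Constructed rule in the shape of a YARA rule, written as Python data so the
# block runs without yara-python. $h1 is a hex string with ?? wildcards; $s2
# carries the nocase modifier. Strings are illustrative, not real indicators.
RULE = {
    "name": "example_svchost_group_strings",
    "strings": {
        "$h1": {"hex": "4D 5A ?? ?? 03 00"},                 # 'MZ', two wildcard bytes, then 03 00
        "$s1": {"text": "svchost.exe"},
        "$s2": {"text": "UnistackSvcGroup", "nocase": True},
        "$s3": {"text": "-k netsvcs"},
    },
    "condition": "all of ($h*) and 2 of ($s*)",
}

# Constructed byte samples (not real files).
SAMPLES = {
    "dropper.bin": b"MZ\x90\x00\x03\x00" + b"\x00" * 16
                   + b"copy to svchost.exe then start with -k netsvcs ... UNISTACKSVCGROUP",
    "readme.txt": b"This text mentions svchost.exe once and nothing else of note.",
    "other.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 40,
}


def _compile(spec):
    """Turn one string definition into a compiled bytes regex."""
    if "hex" in spec:
        pattern = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                           for tok in spec["hex"].split())
        return re.compile(pattern, re.DOTALL)       # '.' must also match a 0x0A byte
    flags = re.IGNORECASE if spec.get("nocase") else 0
    return re.compile(re.escape(spec["text"].encode()), flags)


def scan(rule, data):
    """Return {identifier: [offsets]} for every string of the rule found in data."""
    return {name: [m.start() for m in _compile(spec).finditer(data)]
            for name, spec in rule["strings"].items()}


def _clause_holds(clause, hits):
    """Evaluate one 'all of them' / 'any of them' / 'N of ($prefix*)' clause."""
    count_word, _, target = clause.partition(" of ")
    if target == "them":
        selected = list(hits)
    else:
        prefix = target.strip("()").rstrip("*")
        selected = [n for n in hits if n.startswith(prefix)]
    matched = sum(1 for n in selected if hits[n])
    needed = {"all": len(selected), "any": 1}.get(count_word)
    if needed is None:
        needed = int(count_word)
    return matched >= needed


def evaluate(rule, data):
    """True when every 'and'-joined clause of the condition holds for data."""
    hits = scan(rule, data)
    return all(_clause_holds(c.strip(), hits) for c in rule["condition"].split(" and "))


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} match={evaluate(RULE, data)} hits={scan(RULE, data)}")
```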


Windows Privilege

What is Windows privilege?

In the context of Windows operating systems, a privilege refers to a specific right or permission granted to a user account, allowing it to perform certain actions or access particular resources on the system. Privileges are essential for controlling and managing user interactions with the operating system, and they are often associated with security-related tasks.

Windows privileges are defined in the security policy settings and can include actions such as the ability to shut down the system, modify system time, debug programs, or manage user rights. These privileges help ensure proper system functionality, maintain security, and control access to sensitive operations.

Common examples of Windows privileges include the SeShutdownPrivilege for shutting down the system and the SeDebugPrivilege for debugging programs. Users or groups with specific privileges have elevated rights beyond the standard user, and the assignment of privileges is typically managed through Group Policy settings.

For more details, please visit Microsoft documentation on User Rights Assignment.

Constant name | Group Policy Setting | Concerns
SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Potential misuse for unauthorized access to stored credentials.
SeNetworkLogonRight | Access this computer from the network | Manage network logon rights, controlling access from the network.
SeTcbPrivilege | Act as part of the operating system | Extensive control may lead to potential misuse and unauthorized actions.
SeMachineAccountPrivilege | Add workstations to the domain | Potential for unauthorized additions to the domain.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | May be abused for DoS attacks by consuming excessive resources.
SeInteractiveLogonRight | Allow logon locally | Control interactive logon rights, managing local access.
SeRemoteInteractiveLogonRight | Allow logon through Remote Desktop Services | Control remote interactive logon rights, managing Remote Desktop access.
SeBackupPrivilege | Back up files and directories | Improper use may lead to unauthorized access during backups.
SeChangeNotifyPrivilege | Bypass traverse checking | May lead to unauthorized access to files and directories.
SeSystemtimePrivilege | Change the system time | May lead to unauthorized changes in system time settings.
SeTimeZonePrivilege | Change the time zone | May lead to unauthorized changes in the time zone settings.
SeCreatePagefilePrivilege | Create a pagefile | May impact system performance and be misused for DoS attacks.
SeCreateTokenPrivilege | Create a token object | Potential misuse for creating unauthorized tokens.
SeCreateGlobalPrivilege | Create global objects | Potential misuse for creating malicious objects.
SeCreatePermanentPrivilege | Create permanent shared objects | Potential misuse for creating persistent threats.
SeCreateSymbolicLinkPrivilege | Create symbolic links | Potential for abuse in creating symbolic links to malicious locations.
SeDebugPrivilege | Debug programs | Misuse can lead to reverse engineering and code analysis.
SeDenyNetworkLogonRight | Deny access to this computer from the network | Deny network logon rights, restricting access from the network.
SeDenyBatchLogonRight | Deny logon as a batch job | Deny batch logon rights, preventing unauthorized batch job execution.
SeDenyServiceLogonRight | Deny logon as a service | Deny service logon rights, preventing unauthorized service access.
SeDenyInteractiveLogonRight | Deny logon locally | Deny interactive logon rights, restricting local access.
SeDenyRemoteInteractiveLogonRight | Deny logon through Remote Desktop Services | Deny remote interactive logon rights, preventing unauthorized remote access.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Potential misuse for unauthorized delegation.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | May lead to unauthorized shutdowns and service interruptions.
SeAuditPrivilege | Generate security audits | Potential for log tampering and hiding malicious activities.
SeImpersonatePrivilege | Impersonate a client after authentication | May lead to unauthorized access as another user.
SeIncreaseWorkingSetPrivilege | Increase a process working set | May lead to resource exhaustion and performance issues if misused.
SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Potential for misuse in resource-intensive attacks.
SeLoadDriverPrivilege | Load and unload device drivers | May lead to loading malicious drivers and compromising the system.
SeLockMemoryPrivilege | Lock pages in memory | Potential for misuse in memory-related attacks.
SeBatchLogonRight | Log on as a batch job | Potential misuse may lead to unauthorized batch job execution.
SeServiceLogonRight | Log on as a service | Potential misuse may lead to unauthorized service access.
SeSecurityPrivilege | Manage auditing and security log | Misuse can lead to log tampering and hiding malicious activities.
SeRelabelPrivilege | Modify an object label | May lead to unauthorized modification of object labels.
SeSystemEnvironmentPrivilege | Modify firmware environment values | May lead to unauthorized modifications of firmware values.
SeDelegateSessionUserImpersonatePrivilege | Obtain an impersonation token for another user in the same session | Potential misuse for creating a deceptive service to mislead a client into connecting to the service, and then impersonate that computer to elevate the attacker's access to that of the compromised device.
SeManageVolumePrivilege | Perform volume maintenance tasks | May be misused for unauthorized volume modifications.
SeProfileSingleProcessPrivilege | Profile single process | Potential misuse for profiling sensitive processes.
SeSystemProfilePrivilege | Profile system performance | Potential misuse for profiling sensitive system performance data.
SeUndockPrivilege | Remove computer from docking station | May lead to unauthorized undocking actions.
SeAssignPrimaryTokenPrivilege | Replace a process-level token | Misuse can lead to unauthorized access to sensitive data during debugging.
SeRestorePrivilege | Restore files and directories | Improper use may lead to unauthorized access during restoration.
SeShutdownPrivilege | Shut down the system | May lead to unauthorized shutdowns and service interruptions.
SeSyncAgentPrivilege | Synchronize directory service data | May be misused for unauthorized synchronization activities.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | May lead to unauthorized ownership changes and modifications.
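As an added example (not part of the original page), the following script parses the text that `whoami /priv` prints and flags any privilege from the table above that gives control over other processes, tokens, drivers, files or the audit trail. Which rows count as high-risk is this example's own reading of the table, and both sample outputs are constructed here.

```python
"""Audit which of the high-risk privileges from the table above a token holds.
Added example, not from the original page: it parses `whoami /priv` output and
is run here against two samples constructed for the demonstration."""
from typing import Dict, List, Tuple

# Rows of the table whose concern amounts to control over other processes,
# tokens, the kernel, arbitrary files, or the audit trail. The selection and
# the one-line summaries are this example's own reading of the table.
HIGH_RISK: Dict[str, str] = {
    "SeTcbPrivilege": "act as part of the operating system",
    "SeDebugPrivilege": "attach to and read the memory of any process",
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeCreateTokenPrivilege": "create token objects",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeBackupPrivilege": "read files regardless of their ACL",
    "SeRestorePrivilege": "write files regardless of their ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeAuditPrivilege": "write records into the security log",
    "SeSecurityPrivilege": "manage auditing and clear the security log",
    "SeRelabelPrivilege": "modify object integrity labels",
}


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output.
    Data rows look like 'SeName  Description words  State'; header lines
    ('PRIVILEGES INFORMATION', 'Privilege Name ...', '====') are skipped."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and parts[0].startswith("Se")
                and parts[-1] in ("Enabled", "Disabled")):
            privs[parts[0]] = parts[-1]
    return privs


def audit(privs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, state, why) for every held high-risk privilege, enabled ones first.
    A 'Disabled' privilege is still held: the process can enable it at any time,
    so it counts when checking a service account against least privilege."""
    found = [(n, s, HIGH_RISK[n]) for n, s in privs.items() if n in HIGH_RISK]
    found.sort(key=lambda f: (f[1] != "Enabled", f[0]))
    return found


# Constructed sample: what `whoami /priv` typically prints for a standard user.
STANDARD_USER_SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
"""

# Constructed sample resembling a service account token (built for this demo).
SERVICE_SAMPLE = """
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process-level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

if __name__ == "__main__":
    for label, sample in (("standard user", STANDARD_USER_SAMPLE),
                          ("service account", SERVICE_SAMPLE)):
        print(f"== {label} ==")
        for name, state, why in audit(parse_whoami_priv(sample)):
            print(f"  {name:<32} {state:<9} {why}")
```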

Windows Built-in Service Accounts

Network Service Account:

  • Has a relatively low level of privileges.
  • Accesses network resources as a machine account.
  • Mainly used for running Windows services and processes that require network access.
  • E.g. Database Server, File Sharing Service, Print Spooler Service, Web Proxy Service.

Local Service Account:

  • Mainly used for running Windows services with reduced privileges and do not require extensive network access.
  • E.g. Windows Update Service, Task Scheduler Service (tasks that don't require extensive system privileges), Print Spooler Service (when network access is not required).

Local System Account:

  • Has extensive privileges, often used for running critical system services.
  • Operates with the highest level of access rights on the local system.
  • E.g. Core Windows Services (Windows Event Log service, Plug and Play, Task Scheduler), Anti-Virus or Security Software, Device Drivers.

These accounts are managed by the operating system, and their passwords are handled internally, reducing the risk associated with password management for services. They are designed to follow the principle of least privilege, ensuring that services run with the minimum necessary permissions to perform their tasks securely.


Windows User Accounts

Built-in Administrator Account:

  • The default administrative account created during Windows installation.
  • Has full control over the system and can make system-wide changes.
  • Users may set a password during installation, and it can be disabled or have its password changed later.

Standard User Account:

  • A user account with standard privileges.
  • Requires a user-set password for authentication.
  • Best practice for regular users who do not need elevated system access.

Default Rights and Privileges
image

Windows Registry

The Windows Registry is a database that stores configuration settings and options for the Microsoft Windows operating system and for applications that run on Windows. It contains information about hardware and software configuration, user preferences, and other data that is used by the operating system and by applications.

The Windows Registry is an important source of information for forensic investigations because it can provide valuable evidence about the activities that have taken place on a computer. For example, the Registry can reveal information about:

• Installed software and hardware: The Registry can contain information about the software and hardware that has been installed on a computer, including the version numbers and installation dates. This can be useful for determining what programs and devices were in use on a computer at a particular time.

• User activity: The Registry can contain information about the user accounts that have been created on a computer and the actions that have been taken by those users. This can include information about file and folder access, network connections, and other activities.

• System configuration: The Registry can contain information about the configuration of the operating system and other software, including the settings and options that have been selected. This can be useful for understanding how a computer was set up and how it was being used.

image

Windows Registry Structure

The Registry is organized as a tree of keys, subkeys, and values. Its top-level keys are called hives.

image

HKEY_CLASSES_ROOT (HKCR): This hive contains information about file associations and COM object classes. It is used to associate files with the applications that can open them and to register COM objects so that they can be used by other applications.

HKEY_CURRENT_USER (HKCU): This hive contains information about the current user's preferences and settings. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to the current user.

HKEY_LOCAL_MACHINE (HKLM): This hive contains information about the hardware, software, and security settings of the computer. It also contains information about the user profiles and groups on the computer.

HKEY_USERS (HKU): This hive contains information about all the user profiles on the computer. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to each user.

HKEY_CURRENT_CONFIG (HKCC): This hive contains information about the hardware configuration of the computer. It is used to store information about the devices that are installed on the computer, as well as the configuration settings for those devices.


Wireshark

Wireshark is a free and open-source packet analyzer. It is a tool that allows you to capture and analyze network traffic in order to troubleshoot network problems, examine security issues, and learn more about how networks work.

Wireshark captures packets and displays them in real time. It supports a wide range of protocols and can decode and display the contents of packets in a variety of formats. It also includes extensive capture and display filters that let you focus on specific packets or types of traffic.

image

Enumeration

System Enumeration

Check system information

Displays a list of details about the operating system, computer hardware and software components.

    systeminfo
    systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Check installed updates

Displays all installed Windows and software updates applied to that computer.

    wmic qfe
    wmic qfe get Caption, Description, HotFixID, InstalledOn

List all drives in the machine

    wmic logicaldisk get Caption
    fsutil fsinfo drives
    wmic logicaldisk get caption,description,providername
    [Powershell] Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root

List all env variables

Displays the current environment variable settings.

    set
    [Powershell] Get-ChildItem Env: | ft Key,Value

List Architecture

    ver
    wmic os get osarchitecture
    echo %PROCESSOR_ARCHITECTURE%

List installed apps

    wmic product get name, version, vendor

List scheduled tasks

    schtasks /query /fo LIST /v

List running services

    net start

List running processes

    tasklist /SVC

List installed device drivers

    driverquery

Query the registry for specific keys, values and/or data

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

    reg query [Root]

Root:
    • HKLM = HKEY_LOCAL_MACHINE (default)
    • HKCU = HKEY_CURRENT_USER
    • HKU = HKEY_USERS
    • HKCR = HKEY_CLASSES_ROOT

Scanning registry hives for values containing the string "password": internal recon, hunting for passwords in the Windows registry. The registry often stores clear-text or encoded passwords used by various applications.

    reg query HKLM /f password /t REG_SZ /s
    reg query HKCU /f password /t REG_SZ /s

List GPO settings (Group Policy Discovery)

    gpresult /Z


User Enumeration

List current username

Displays a user name associated with the effective user ID.

    whoami
    hostname
    set computername
    echo %USERNAME%
    [Powershell] $env:username

Check current user privileges/groups

    whoami /priv
    whoami /groups

List all users

    net users
    whoami /all
    [Powershell] Get-LocalUser | ft Name,Enabled,LastLogon
    [Powershell] Get-ChildItem C:\Users -Force | select Name

Check account policies and password policies

    net accounts

View user information

Displays user account information.

    net users %username%

List all groups

Displays the name of the server and the names of local groups on the computer.

    net localgroup
    net localgroup Administrators
    net group "Domain Controllers" /domain
    net group "Domain Admins" /domain
    net group "Enterprise Admins" /domain
    net user /domain <UserName>
    [Powershell] Get-LocalGroup | ft Name
    [Powershell] Get-LocalGroupMember Administrators | ft Name, PrincipalSource

View user domain

    set userdomain

List information about the configuration of the Server or Workstation

    net config server
    net config workstation

Network Enumeration

List all network interfaces, IP, and DNS

Displays the full TCP/IP configuration for all adapters.

    ipconfig /all
    wmic nicconfig get description,IPAddress,MACaddress
    [Powershell] Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
    [Powershell] Get-DnsClientServerAddress -AddressFamily IPv4 | ft

List Routing Table

Displays the entire contents of the IP routing table.

    route print
    netstat -nr
    [Powershell] Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

List ARP table

Displays all ARP mapping entries.

    arp -a
    [Powershell] Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

List Network status

Displays active TCP connections and the ports on which the computer is listening, with the owning process ID for each.

    netstat -ano

List network shares

Displays information about all of the resources that are shared on the local computer.

    net share

List all shared resources

Displays detailed information about the currently mapped drives and devices.

    net use

List Wi-Fi credentials

List saved Wi-Fi profiles (SSIDs):

    netsh wlan show profile

Show the stored key of a saved profile in clear text:

    netsh wlan show profile name="<SSID>" key=clear

Windows Firewall Enumeration

Displays Windows Firewall rules

    netsh advfirewall firewall show rule name=all

Displays current profile status

    netsh advfirewall show currentprofile

Displays programs that are allowed by the host

    netsh firewall show allowedprogram

Displays status of firewall configurations

    netsh firewall show config

Displays the location of the firewall logs

    netsh firewall show logging

List the firewall's block rules and their local ports

    [Powershell] $f = New-Object -ComObject HNetCfg.FwPolicy2; $f.Rules | where {$_.Action -eq "0"} | select Name,ApplicationName,LocalPorts


Defense Evasion

Windows Firewall Defense Evasion

Disable Windows firewall

Windows firewall can be enabled/disabled from command line using netsh command.

    netsh firewall set opmode mode=DISABLE
    netsh advfirewall set allprofiles state off
    netsh advfirewall set currentprofile state off

Delete firewall rules

    netsh advfirewall firewall delete rule name=""
    netsh advfirewall firewall delete rule name="Block Ports"

Web Proxy Defense Evasion

Disable proxy for browsers

Overrides any proxy settings that are provided.

    start chrome --no-proxy-server
    start msedge --no-proxy-server




Obfuscation

Base64

Base64 encoding is traditionally used to convert binary data to printable text characters. Attackers often use it in the early stages of an attack to hide plaintext elements that cannot yet be concealed with encryption.

Common Base64 Encodings

image


btoa() and atob() Method

The atob (ASCII to binary) and btoa (binary to ASCII) methods transform content to and from the base64 encoding.
The atob() function decodes a string of data which has been encoded using Base64 encoding.
The btoa() function creates a Base64-encoded ASCII string from a binary string.

    atob('aHR0cHM6Ly9vd2xpZnkueHl6')
    btoa('owlify.xyz')

HTML Entities

Adversaries take advantage of HTML entity encoding to obfuscate payloads for client-side attacks, hiding them from any server-side defences that are in place.

Example

image


Powershell encoded command

Adversaries commonly hide commands by Base64-encoding them; PowerShell's -EncodedCommand parameter expects the Base64 of the script as UTF-16LE text.

    powershell.exe -EncodedCommand %redacted base64%
    cmd /c powershell.exe -nop -w hidden -encodedcommand %redacted base64%

Example UTF-16 encoding

image

Example Gunzip

image
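As an added example, not code from the original page, here is a triage helper that reverses the layers shown in the encoded-command, UTF-16 and gunzip examples above: the Base64/UTF-16LE layer that -EncodedCommand expects, and an inner Base64-wrapped gzip stage passed through FromBase64String. The sample command line is constructed inside the script.

```python
"""Triage helper for PowerShell -EncodedCommand lines like the ones above.
Added example, not from the original page: it decodes the Base64/UTF-16LE
layer and, if the script carries a Base64-wrapped gzip stage, unpacks that
too. The sample command line below is constructed here for the demo."""
import base64
import binascii
import gzip
import re
from typing import Dict, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = sorted(("encodedcommand"[:n] for n in range(1, 15)), key=len, reverse=True)
_ENC_FLAG = re.compile(r"-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)", re.I)
# A Base64 literal handed to [Convert]::FromBase64String(...)
_B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_encoded_command(arg: str) -> str:
    """The argument is Base64 of the script encoded as UTF-16LE, not UTF-8."""
    padded = arg + "=" * (-len(arg) % 4)          # tolerate stripped padding
    return base64.b64decode(padded).decode("utf-16-le")


def unwrap_gzip_stage(script: str) -> Optional[str]:
    """Return the decompressed text of the first gzip blob (magic 1f 8b) found
    inside a FromBase64String literal, or None if the script has none."""
    for m in _B64_LITERAL.finditer(script):
        raw = base64.b64decode(m.group(1))
        if raw[:2] == b"\x1f\x8b":
            return gzip.decompress(raw).decode("utf-8", errors="replace")
    return None


def triage(cmdline: str) -> Dict[str, Optional[str]]:
    """Locate the encoded argument in a full command line and decode each layer.
    Keys: 'encoded' (raw argument), 'script', 'stage2'; None when absent."""
    result: Dict[str, Optional[str]] = {"encoded": None, "script": None, "stage2": None}
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return result
    result["encoded"] = m.group(1)
    try:
        result["script"] = decode_encoded_command(m.group(1))
    except (binascii.Error, UnicodeDecodeError):
        return result            # not valid Base64/UTF-16LE: leave script as None
    result["stage2"] = unwrap_gzip_stage(result["script"])
    return result


# --- constructed sample: a two-layer encoded command built here for the demo ---
STAGE2 = "Write-Output 'stage two'"
_stage2_b64 = base64.b64encode(gzip.compress(STAGE2.encode("utf-8"))).decode("ascii")
OUTER_SCRIPT = f"$bytes = [Convert]::FromBase64String('{_stage2_b64}')"
SAMPLE_LINE = ("cmd /c powershell.exe -nop -w hidden -enc "
               + base64.b64encode(OUTER_SCRIPT.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINE).items():
        print(f"{key:>8}: {value}")
```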


Commandline Obfuscation

Command obfuscation may render rule-based detection useless and can make both static and dynamic detection more difficult.


Environment variables:

Static detection could be bypassed.

image
    set a=/c & set b=calc
    cmd %a% %b%

Double quotes:

Static and dynamic detection could be bypassed.

image
    c""m"d"


Carets:

Static detection could be bypassed.

image
    n^e^t u^s^er


Comma/semicolon:

Static and dynamic detection could be bypassed.

image
    cmd,/c;hostname
							 
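The four tricks above (environment variables, double quotes, carets, comma/semicolon) all rely on cmd.exe resolving the command differently from what a literal string match sees. As an added example, not from the original page, this normalizer undoes them before matching, so a rule written against the plain command still fires; the sample command lines and the small rule list are constructed here.

```python
"""Normalize cmd.exe command lines that use the obfuscation tricks above so a
detection rule can match the intended command. Added example, not from the
original page; the rule list and sample lines are constructed for the demo."""
import re
from typing import Dict, List, Optional


def parse_set_chain(line: str, env: Dict[str, str]) -> Dict[str, str]:
    """Record variables defined by a chained 'set a=/c & set b=calc' line."""
    env = dict(env)
    for part in line.split("&"):
        m = re.match(r"\s*set\s+([^=\s]+)=(.*?)\s*$", part, re.I)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def expand_env(s: str, env: Dict[str, str]) -> str:
    """Expand %name% the way cmd does (case-insensitive, before anything else);
    names that are not defined are left exactly as written."""
    return re.sub(r"%([^%\s]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), s)


def normalize(cmdline: str, env: Optional[Dict[str, str]] = None) -> str:
    """Resolve the command line as cmd.exe would see it, then lower-case it:
    quote characters vanish but their content stays (c""m"d" -> cmd), a caret
    outside quotes escapes the next character (n^e^t -> net), and comma and
    semicolon outside quotes are argument separators (cmd,/c;x -> cmd /c x)."""
    s = expand_env(cmdline, env or {})
    out: List[str] = []
    in_quote = False
    i = 0
    while i < len(s):
        c = s[i]
        if c == '"':
            in_quote = not in_quote
        elif not in_quote and c == "^" and i + 1 < len(s):
            i += 1
            out.append(s[i])
        elif not in_quote and c in ",;":
            out.append(" ")
        else:
            out.append(c)
        i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()


# Constructed rule list: substrings a detection would look for in the
# normalized command line (a real rule set would be far larger).
SUSPICIOUS = ("net user", "calc")


def flagged(cmdline: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Rules from SUSPICIOUS that match once the line is normalized."""
    n = normalize(cmdline, env)
    return [p for p in SUSPICIOUS if p in n]


if __name__ == "__main__":
    env = parse_set_chain("set a=/c & set b=calc", {})
    for line in ("cmd %a% %b%", 'c""m"d"', "n^e^t u^s^er", "cmd,/c;hostname"):
        print(f"{line!r:25} -> {normalize(line, env)!r:20} {flagged(line, env)}")
```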

Incident Response

Frameworks - NIST vs SANS

image

The difference between the NIST and SANS frameworks lies in how they approach the phases of containment, eradication, and recovery in incident response:


NIST Perspective:

NIST considers containment, eradication, and recovery as interconnected components within a single step. Unlike SANS, NIST doesn't insist on containment before eradication. This approach could be advantageous for organizations with a lower tolerance for threats, where the immediate removal of threats is prioritized over understanding and containing them beforehand.


SANS Perspective:

SANS treats containment, eradication, and recovery as distinct and independent steps. According to SANS, containment should come before eradication. This methodology allows for a more structured approach to isolating the threat and preventing its spread before focusing on eliminating it.


In summary, NIST's approach integrates containment, eradication, and recovery as interconnected actions, potentially suited for organizations prioritizing threat removal. SANS, on the other hand, treats these steps separately, advocating for containment before eradication to ensure controlled response to threats. The choice between these perspectives depends on an organization's risk tolerance and preferred incident response strategy.



Incident Response Guide

1. Preparation:

Employee Training: Ensuring staff are trained in their incident response roles and responsibilities in the event of a data breach. Well-prepared employees are less likely to make critical errors during an incident.

Tabletop Exercises: Developing incident response tabletop exercises and conducting mock data breaches periodically to assess the effectiveness of the response plan. These exercises help identify gaps and refine the plan.

Thorough Documentation: Creating a comprehensive incident response plan that thoroughly outlines the roles and responsibilities of all involved parties. This documentation serves as a guide during real incidents.

Testing and Training: Regularly testing the incident response plan through simulations to ensure that the team understands their roles and the necessary notifications to be made.


2. Identification:

Incident Confirmation: Determine if a breach or incident has taken place, understanding that they can stem from diverse origins.

Timing and Discovery: Establish the timing of the event and how it was detected. Identify who found it and through which means.

Extent of Impact: Investigate whether other areas or systems have been affected and gauge the overall scope of the compromise.

Operational Impact: Assess whether the incident is impacting regular operations.

Source Identification: Strive to determine the source or point of entry through which the event occurred.


3. Containment:

Preserving Evidence: Refrain from deleting data to maintain valuable evidence for understanding the breach origin and prevention planning.

Preventing Spread: Isolate the breach to prevent further damage. Disconnect affected devices from the Internet if possible.

Short-term and Long-term Strategies: Have both short-term and long-term containment strategies ready. A redundant system backup can aid in data restoration.

Backup Strategies: Maintain redundant backups to facilitate data recovery and ensure compromised data isn't permanently lost.

Enhanced Security Measures: Update and patch systems, review remote access protocols with mandatory multi-factor authentication, and strengthen all access credentials and passwords.


4. Eradication:

Root Cause Elimination: Identify and eliminate the source of the breach, including securely removing all malware and traces of malicious activity.

System Refortification: Harden the affected systems by implementing security measures, and apply necessary patches and updates to minimize vulnerabilities.

Thoroughness: Whether conducted internally or by a third party, the eradication process must be meticulous. Leaving remnants of malware or vulnerabilities can lead to data loss and increased liability.


5. Recovery:

System Restoration: Return affected systems and devices to production in a timely manner, prioritizing a secure and efficient restoration process.

Security Measures: Ensure systems are patched, hardened, and thoroughly tested before they are brought back into the operational environment.

Backup Restoration: Consider restoring systems from trusted backups to a known, clean state, reducing the risk of persistent malware.

Monitoring and Safeguards: Define a monitoring period for affected systems, observing for any signs of anomalous activity or breaches. Implement tools like file integrity monitoring and intrusion detection/protection systems to prevent future occurrences.


6. Lessons Learned:

After-Action Meeting: Convene an after-action meeting involving all Incident Response Team members to discuss insights gained from the data breach incident.

Analysis and Documentation: Thoroughly analyze and document the incident details, identifying successes and areas needing improvement. These insights stem from both actual incidents and tabletop exercises.

Plan Refinement: Identify strengths and weaknesses in the incident response plan and the organization's security posture. Utilize these findings to refine the response plan and address vulnerabilities.

Enhanced Training and Security: Determine necessary changes to security measures and employee training based on lessons learned. Focus on rectifying weaknesses exploited by the breach.

Prevention Strategies: Develop strategies to prevent a recurrence of a similar breach by implementing corrective actions and enhancing preventive measures.


Ransomware Incident Response Guide

1. Preparation:

• Develop an incident response plan that includes specific procedures for ransomware incidents.

• Implement security measures like regular patching, network segmentation, and user training.

• Establish a backup strategy to ensure critical data and systems are regularly backed up and stored offline.


2. Identification:

• Monitor network traffic, system logs, and endpoint behavior.

• Quickly assess incoming alerts and prioritize them based on severity.

• Detect signs of potential ransomware activity, such as unusual encryption patterns or file changes.

• Analyze the attack vector and vulnerabilities exploited by the ransomware.

• Determine the ransomware variant to understand its behavior and capabilities.


3. Containment:

• Isolate affected systems from the network to prevent further ransomware spread.

• Identify the extent of the infection and determine which systems have been compromised.

• Reset passwords for compromised accounts to prevent unauthorized access and hinder the attacker's movement.


4. Eradication:

• Eliminate the source of the ransomware.

• Patch and update systems to prevent future infections through known vulnerabilities.


5. Recovery:

• Restore data and systems from clean backups, ensuring backups are free from malware.

• Implement additional security measures to reinforce the resilience of recovered systems.


6. Lessons Learned:

• Conduct a post-incident review to identify strengths and weaknesses in the response process.

• Update the incident response plan based on lessons learned from the incident.