Sr SOC Analyst Interview Questions

Tyler Wall
7 min read · Feb 1, 2024

What is the folder \ProgramData used for?

This folder contains application data shared by all users. It is hidden by default and normally sits at the root of C:\. Most programs use it as a cache for data the application needs to make available to every user, or to store basic settings that should apply to all users. Note that a standard (non-admin) user can create files and folders under it, so like AppData it is a common drop location for malware and worth watching.

What is the folder [username]\AppData used for?

This folder contains application data for a specific user. Every Windows user has their own AppData folder, generally at C:\Users\username\AppData\. The folder is hidden by default and has three sub-folders: Local, LocalLow and Roaming. Each application chooses which of the three it writes to, and not always the right one.

C:\Users\username\AppData\Local

Used for applications to save data for a specific user and specific computer. Does not sync with other computers if you were to export your user profile.

C:\Users\username\AppData\LocalLow

Used by applications that run at a low integrity level (for example a browser running in protected or sandboxed mode, or a plugin inside it) and therefore do not have the access rights to write to Local. Like Local, its contents stay on this computer and do not sync with other computers if you export your user profile.

C:\Users\username\AppData\Roaming

Used for applications to save data for a specific user that can be used on multiple computers.
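A first live check across those three folders, added here as an example rather than something from the original article: list executables and scripts written under the current user's AppData tree in the last week and show whether each one carries a valid Authenticode signature. The seven-day window and the extension list are my assumptions; tune them to the case.

```powershell
# Added example, not from the article. Surfaces recently written executables
# and scripts under the current user's AppData tree (Local, LocalLow, Roaming)
# and checks their Authenticode signature. A standard user can write here
# without elevation, so phishing payloads commonly land in these folders.
# The look-back window and extension list are assumptions; adjust to taste.

$DaysBack   = 7
$Extensions = '*.exe', '*.dll', '*.scr', '*.ps1', '*.vbs', '*.js', '*.hta'
$Roots      = @(
    $env:LOCALAPPDATA,
    $env:APPDATA,
    (Join-Path $env:USERPROFILE 'AppData\LocalLow')
)
$Cutoff = (Get-Date).AddDays(-$DaysBack)

$Hits = Get-ChildItem -Path $Roots -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Written   = $_.LastWriteTime
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Signature = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer    = $sig.SignerCertificate.Subject
            Path      = $_.FullName
        }
    }

# Unsigned or tampered binaries in a user-writable location go to the top of the triage list.
$Hits | Sort-Object @{ Expression = { $_.Signature -ne 'Valid' } }, Written -Descending |
    Format-Table -AutoSize
```

A valid signature does not make a file safe (signed-but-malicious and living-off-the-land binaries exist), but an unsigned executable that appeared in Roaming or Local yesterday is where a SOC analyst starts. Run it in the context of the user whose profile you are examining, or substitute explicit C:\Users\<name>\AppData paths.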

How can someone hide information in a file?

Steganography is hiding secret information inside a file (or other carrier) that is not itself secret. A common malware use is encoding a payload inside an image: the picture still opens and displays normally, and a loader already running on the victim machine extracts the payload and executes it (the image itself is never "run"). Interviewers usually also want two related techniques. Office documents such as Word files can carry macros (scripts) that run once the victim opens the document and clicks past the warning; there are legitimate reasons to use macros, but like everything else they are abused. And executables can be trojanized: an exploit or payload such as shellcode is added to a legitimate program and the result repackaged, so the software still runs as intended with the extra payload alongside it. The practical check for that last case is that the file's hash no longer matches the vendor's, and its Authenticode signature, if it had one, no longer validates.

Why are there so many svchost.exe processes?

svchost.exe (Service Host) is a generic host process for Windows services that are implemented as DLLs rather than standalone executables. At boot, services.exe reads the service configuration from the registry and starts one svchost.exe instance per service group, passing the group name as -k <group> (the groups are defined under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost). Before Windows 10 version 1703, many services shared one instance to save memory. From 1703 onward, on systems with more than 3.5 GB of RAM, most services get their own instance because the system can afford the memory. That isolation makes services more reliable (one crashing service no longer takes the others down) and improves security, since a compromised service cannot read the memory of services that would otherwise share its process. For an analyst the expected lineage is the tell: every svchost.exe should be a child of services.exe, run from C:\Windows\System32, and carry a -k argument. An svchost.exe with a different parent, a different path, or a look-alike name (scvhost.exe, svch0st.exe) is a classic masquerading sign.

What is lsass.exe?

The Local Security Authority Subsystem Service (lsass.exe) enforces the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, creates access tokens, and writes to the Windows Security log. Exactly one instance should be running, started by wininit.exe, and it should not spawn child processes. Because it holds logon credentials in memory it is the favourite target of credential-dumping tools (Mimikatz, or a minidump taken with procdump or Task Manager), so a process opening a handle to lsass.exe with read access (Sysmon Event ID 10, ProcessAccess) or an lsass.exe with children is a high-priority alert. LSA Protection (RunAsPPL) and Credential Guard limit what such a dump yields.
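The lineage checks described for svchost.exe and lsass.exe above, as an added example that is not part of the original article. It reads the live process list through WMI and reports any svchost.exe whose parent, image path or command line is not what services.exe would have produced, and any lsass.exe with the wrong parent or with children. The check assumes a 64-bit host where all service hosts run from System32; 32-bit services hosted from SysWOW64 would show up as findings and need to be whitelisted.

```powershell
# Added example, not from the article. Checks the process lineage that svchost.exe
# and lsass.exe should have on a healthy host:
#   svchost.exe  parent services.exe, image in System32, started with "-k <group>"
#   lsass.exe    exactly one instance, parent wininit.exe, no child processes
# Run from an elevated prompt: without it ExecutablePath/CommandLine of
# protected processes come back empty and would show up as false positives.

$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

function Get-ParentName([int]$ParentPid) {
    if ($byId.ContainsKey($ParentPid)) { $byId[$ParentPid].Name } else { '<exited>' }
}

$expectedSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

$findings = foreach ($p in $procs) {
    switch ($p.Name) {
        'svchost.exe' {
            $parent = Get-ParentName $p.ParentProcessId
            $why = @()
            if ($parent -ne 'services.exe')             { $why += "parent is $parent" }
            if ($p.ExecutablePath -ne $expectedSvchost) { $why += "image is $($p.ExecutablePath)" }
            if ($p.CommandLine -notmatch '\s-k\s')      { $why += 'no -k service group' }
            if ($why) { [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Reason = ($why -join '; ') } }
        }
        'lsass.exe' {
            $parent   = Get-ParentName $p.ParentProcessId
            $children = @($procs | Where-Object { $_.ParentProcessId -eq $p.ProcessId })
            $why = @()
            if ($parent -ne 'wininit.exe') { $why += "parent is $parent" }
            if ($children.Count -gt 0)     { $why += "spawned $($children.Name -join ', ')" }
            if ($why) { [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Reason = ($why -join '; ') } }
        }
    }
}

$lsassCount = @($procs | Where-Object { $_.Name -eq 'lsass.exe' }).Count
if ($lsassCount -ne 1) { Write-Warning "Expected exactly one lsass.exe, found $lsassCount" }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No svchost/lsass lineage anomalies found.' }
```

Two caveats a practitioner should keep in mind: ParentProcessId is the PID the parent had at creation time, so a parent that has since exited (reported here as <exited>) may have had its PID reused by an unrelated process; and malware that injects into a real svchost.exe passes this check entirely, which is why the lineage check complements rather than replaces memory and network-based detections.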

What is a registry hive?

The Windows Registry, or Registry, is a hierarchical database of information, settings, and options for the software and hardware installed on the Windows operating system. The five top-level keys are commonly called Registry Hives (strictly, a hive is one file-backed section of the registry; HKEY_LOCAL_MACHINE and HKEY_USERS hold the real hives, and the other three are links or merged views into them, as noted below). These root keys cannot be created, deleted or renamed. The subkey structure beneath a root key is called a tree.

There are five Registry Hives (root keys):

HKEY_CLASSES_ROOT — This Registry Hive contains the data the system uses to know which program opens which file type (file-extension associations) and the COM class registrations (CLSIDs) that scripts and applications use to instantiate objects. It is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and the current user's Software\Classes.

HKEY_CURRENT_USER — This Registry Hive contains the data about the currently logged-in user. It is a link to that user's branch under HKEY_USERS, which Windows loads from the user's profile at logon.

HKEY_USERS — This Registry Hive contains information about ALL users whose profiles are currently loaded on the system, one key per user, named by the user's SID.

HKEY_CURRENT_CONFIG — This Registry Hive contains the configuration information about the hardware profile currently in use. It is a link into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

HKEY_LOCAL_MACHINE — This Registry Hive contains hardware and software related information about the system that is common to all users on it. Its SAM, SECURITY, SOFTWARE and SYSTEM subkeys each correspond to one hive file on disk.

Malware commonly maintains persistence by adding values to auto-start keys. Entries under HKEY_LOCAL_MACHINE run for every user but require administrator rights to write; entries under HKEY_CURRENT_USER run only for that user but can be written by any standard user, which is why they are at least as common.

Especially the run keys like:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

These are only the best-known auto-start locations. Services, scheduled tasks, Winlogon, shell extensions and many other keys also launch code, which is why Sysinternals Autoruns is the usual full sweep.
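A sweep of those run keys on a live host, added here as an example and not code from the original article. It walks Run and RunOnce (including the Wow6432Node copies used by 32-bit software) under HKLM and under every loaded user hive in HKEY_USERS, which covers HKCU for all logged-on users at once. The keyword list behind the Suspicious column is my own heuristic for commands that point at user-writable paths or script hosts.

```powershell
# Added example, not from the article. Enumerates the classic Run/RunOnce
# persistence keys for the machine and for every loaded user profile, and
# shows the command each entry launches. The Suspicious flag is a heuristic:
# review anything pointing at user-writable paths (AppData, Temp, Public)
# or invoking script hosts and proxy-execution binaries.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# HKLM plus one root per loaded user hive (HKCU is just a view of HKU\<SID>).
$userRoots = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" }
$roots = @('HKLM:') + @($userRoots)

$entries = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties the provider adds to every item.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $cmd = [string]$props.$name
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Suspicious = ($cmd -match '\\AppData\\|\\Temp\\|\\Public\\|powershell|wscript|cscript|mshta|rundll32|regsvr32')
            }
        }
    }
}

$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

HKEY_USERS only contains the hives of users who are currently logged on (plus the service accounts). To sweep a user who is not logged on, load their profile with reg load HKU\tmp C:\Users\<name>\NTUSER.DAT, run the same enumeration against HKU:\tmp, then reg unload HKU\tmp.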

Terminology (using the path HKEY_CURRENT_USER\Control Panel\Desktop, value MenuShowDelay, as the example)

Hive — HKEY_CURRENT_USER
Key — Control Panel
Subkey — Desktop
Value Name — MenuShowDelay
Value Type — REG_SZ
Value Data — 400

Where are the registry hives located on a system?

The registry is a collection of databases, each stored as a hive file on disk together with its transaction logs (.LOG1 and .LOG2). The system-wide hives (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) are files in C:\Windows\System32\config. Each Windows user account additionally has its own NTUSER.DAT file containing the user-specific keys, located in the profile directory at C:\Users\<username>\NTUSER.DAT, plus UsrClass.dat under AppData\Local\Microsoft\Windows for the user's per-user class registrations. When Windows boots it loads the system hive files into memory (and a user's hive at logon), and it writes changes back to the files as they happen, not only at shutdown; a clean shutdown or restart just leaves the files and their logs consistent. The files are locked while loaded, which matters when you want to collect them for offline analysis.
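Collecting those files from a live host, as an added example that is not from the original article. Because the loaded hives are locked, a plain copy of C:\Windows\System32\config\SYSTEM fails; reg.exe save asks the kernel to write a consistent copy instead. Logged-on users' NTUSER.DAT files are handled the same way through HKU\<SID>, while profiles that are not loaded can simply be copied. The destination folder is an assumption, and the script must run elevated.

```powershell
# Added example, not from the article. Exports the registry hive files for offline
# analysis. Live hive files are locked, so a plain copy fails; "reg.exe save"
# asks the kernel to write a consistent copy. Run from an elevated prompt.
# The destination folder is an assumption.

$Dest = 'C:\triage\registry'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# System-wide hives (on disk in C:\Windows\System32\config). DEFAULT is mounted under HKU, not HKLM.
$systemHives = @{
    'SYSTEM'   = 'HKLM\SYSTEM'
    'SOFTWARE' = 'HKLM\SOFTWARE'
    'SAM'      = 'HKLM\SAM'        # SAM and SECURITY are only decryptable together with SYSTEM
    'SECURITY' = 'HKLM\SECURITY'
    'DEFAULT'  = 'HKU\.DEFAULT'
}
foreach ($file in $systemHives.Keys) {
    & reg.exe save $systemHives[$file] (Join-Path $Dest $file) /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg save failed for $($systemHives[$file])" }
}

# One NTUSER.DAT per profile. A logged-on user's hive is loaded under HKU\<SID> and
# must be saved through the registry; an unloaded one is an ordinary file on disk.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($entry in Get-ChildItem -Path $profileList) {
    $sid = $entry.PSChildName
    $dir = (Get-ItemProperty -Path $entry.PSPath).ProfileImagePath
    $out = Join-Path $Dest "NTUSER_$sid.DAT"
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        & reg.exe save "HKU\$sid" $out /y | Out-Null
    } else {
        Copy-Item -Path (Join-Path $dir 'NTUSER.DAT') -Destination $out -ErrorAction SilentlyContinue
    }
}

# Hash everything collected so the copies can be tied back to this host later.
$hashes = Get-ChildItem -Path $Dest -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv -Path (Join-Path $Dest 'hashes.csv') -NoTypeInformation
```

The saved files are ordinary hive files that offline tools such as RegRipper or Registry Explorer can open. Note that reg.exe save writes the current in-memory state, so any uncommitted transaction-log data is already folded in, while a raw disk image of the config folder would also give you the .LOG1/.LOG2 files for timeline work.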

Note
Today, and starting in Windows 10 version 1803, Windows does NOT automatically back up the registry by default. The tool and ability remain available to system administrators: the scheduled backup can be re-enabled by setting the DWORD value EnablePeriodicBackup to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager. Microsoft now recommends creating frequent, regularly scheduled restore points and reverting to one if the registry gets corrupted, and calls the periodic backup "legacy backup behavior." Before this change the registry was backed up regularly to C:\Windows\System32\config\RegBack. On a current system that folder usually still exists but its files are empty (0 bytes), which catches out analysts expecting older hive copies there.

What set of tools can you use to check more information about a system and perform live analysis?

Native to Windows and the most commonly used on-the-fly tool is Task Manager, which gives you information about system processes, system performance, application metrics, startup items, user metrics, process details, and services. You can open it quickly with Ctrl+Shift+Esc (straight to Task Manager), with Ctrl+Alt+Del and then choosing Task Manager, by right-clicking the taskbar, by typing "taskmgr" in the Run dialog or at a command prompt, from Start > Windows System > Task Manager, and other ways. For the same information in scriptable form, tasklist /svc maps each svchost.exe to the services it hosts, and Get-CimInstance Win32_Process exposes parent PIDs and full command lines.

Note
The Task Manager executable is located in C:\Windows\System32\Taskmgr.exe

Also natively in Windows, there is a collection of additional tools for Administrators that can be accessed from the Control Panel (System and Security section). In Windows 10 this section is titled Administrative Tools. In Windows 11 this section is titled Windows Tools.

Note
Control Panel (control.exe) is just an executable file that helps users to navigate and complete common tasks.

The Administrative tools are all located in C:\Windows\System32 (or its subfolders). C:\Windows\System32 contains the important operating-system files that Windows needs in order to function properly, and all modern versions of Windows have it. The majority of System32's contents fall into two groups:

  • EXE files — Portable Executable (PE) files with the extension ".exe" are the main entry point of a Windows program. The executables Windows needs to run properly live in C:\Windows\System32.
  • DLL files — Also Portable Executable (PE) files, containing library code that other executables load to perform common actions. One DLL is reused by many programs, which is also why DLL hijacking and sideloading are common attacker techniques.

An executable file is simply a file containing code that runs when the file is opened. This can be a Windows program, a Mac program, a script, a macro, a binary and so on. "Executable" is a broad term, and executables carry many different file extensions across many operating systems. A Portable Executable (PE) is the Windows file format that wraps executable code so the loader can run it on any Windows system; the "portable" refers to portability across Windows platforms, not across CPU architectures, since each PE records the machine type it was built for in its header. PE files come with many different extensions such as EXE, DLL, SYS (device driver), MUI and others. In the same way, Linux uses the Executable and Linkable Format (ELF) and Apple (macOS and iOS) uses the Mach object file format (Mach-O). Because the extension is just a name, an analyst checks the header bytes rather than trusting the extension.
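Identifying which of those formats a file actually is, as an added example that is not from the original article. The function reads the magic bytes at offset 0 (ELF and Mach-O), and for PE follows the e_lfanew pointer at offset 0x3C from the "MZ" DOS header to the "PE\0\0" signature and the Machine field of the COFF header that follows it. The offsets and values are from the public PE, ELF and Mach-O specifications; the demo inputs at the bottom are constructed byte arrays, not real programs.

```powershell
# Added example, not from the article. Classifies an executable by its header
# bytes instead of its extension. Offsets and magic values come from the public
# PE, ELF and Mach-O format specifications; the demo inputs at the bottom are
# constructed byte arrays, not real programs.

function Get-ExecutableFormat {
    param([byte[]]$Bytes)

    if ($Bytes.Length -lt 4) { return 'Unknown (too short)' }
    $magic = '{0:X2}{1:X2}{2:X2}{3:X2}' -f $Bytes[0], $Bytes[1], $Bytes[2], $Bytes[3]

    switch ($magic) {
        '7F454C46' {                                   # 0x7F 'E' 'L' 'F'
            $class = if ($Bytes.Length -gt 4 -and $Bytes[4] -eq 2) { '64-bit' } else { '32-bit' }
            return "ELF ($class)"
        }
        'CEFAEDFE' { return 'Mach-O (32-bit)' }        # 0xFEEDFACE stored little-endian
        'CFFAEDFE' { return 'Mach-O (64-bit)' }        # 0xFEEDFACF stored little-endian
        'CAFEBABE' { return 'Mach-O fat binary (or Java class file: same magic, check further)' }
    }

    # PE: "MZ" DOS header; e_lfanew at 0x3C gives the offset of "PE\0\0", which is
    # immediately followed by the COFF header whose first field is Machine.
    if ($Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A) {
        if ($Bytes.Length -lt 0x40) { return 'MZ without PE header' }
        $peOff = [BitConverter]::ToInt32($Bytes, 0x3C)
        if ($peOff -le 0 -or $peOff + 6 -gt $Bytes.Length) { return 'MZ without PE header' }
        $sig = '{0:X2}{1:X2}{2:X2}{3:X2}' -f $Bytes[$peOff], $Bytes[$peOff + 1], $Bytes[$peOff + 2], $Bytes[$peOff + 3]
        if ($sig -ne '50450000') { return 'MZ without PE header' }   # "PE\0\0"
        $machine = [BitConverter]::ToUInt16($Bytes, $peOff + 4)
        $arch = switch ($machine) {
            0x014C  { 'x86' }
            0x8664  { 'x64' }
            0xAA64  { 'ARM64' }
            default { '0x{0:X4}' -f $machine }
        }
        return "PE ($arch)"
    }
    return 'Unknown'
}

# Constructed demo inputs (not real binaries).
$pe = New-Object byte[] 0x48
$pe[0] = 0x4D; $pe[1] = 0x5A                                              # "MZ"
[Array]::Copy([BitConverter]::GetBytes([int]0x40), 0, $pe, 0x3C, 4)       # e_lfanew -> 0x40
$pe[0x40] = 0x50; $pe[0x41] = 0x45                                        # "PE\0\0"
[Array]::Copy([BitConverter]::GetBytes([uint16]0x8664), 0, $pe, 0x44, 2)  # Machine = AMD64
$elf  = [byte[]](0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00)
$jpeg = [byte[]](0xFF, 0xD8, 0xFF, 0xE0)

Get-ExecutableFormat $pe
Get-ExecutableFormat $elf
Get-ExecutableFormat $jpeg
# For a real file: Get-ExecutableFormat ([IO.File]::ReadAllBytes('C:\Windows\System32\notepad.exe'))
```

The three demo calls classify the constructed buffers as a 64-bit PE, a 64-bit ELF and an unknown format (the last four bytes are the JPEG SOI marker). A mismatch between what this returns and the file's extension, such as a PE arriving as invoice.jpg, is worth an alert on its own.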

Lastly, Windows Sysinternals is a collection of advanced system utilities not shipped with Windows that can be used to manage, troubleshoot and diagnose Windows systems and applications; Process Explorer, Autoruns, Process Monitor, TCPView and Sysmon are the ones a SOC analyst reaches for first. The set is now owned and supported by Microsoft. To use a tool, enter its Sysinternals Live path in Windows Explorer or a command prompt: https://live.sysinternals.com/<toolname> to download the file, or \\live.sysinternals.com\tools\<toolname> to run it directly over WebDAV (which requires the WebClient service and outbound HTTP from the host, so on an isolated or compromised machine you normally copy the tools over instead). The list of tools can be found here: https://live.sysinternals.com/

Tyler Wall is the founder of Cyber NOW Education by night and works full time in the cybersecurity industry as his day job. He creates cybersecurity training material in his free time, often after feeling the need to shout what he’s just learned and also because a little bit of passive income never hurt anyone.

He holds a Master of Science from Purdue University, and the CISSP, CCSK, CFSR, CEH, Security+, Network+ and A+ certifications.

You can connect with him on LinkedIn.

Download the free eBook to the popular course SOC Analyst NOW! for free at www.cybernoweducation.com
