# Windows System Exploration Project

This project is designed to build familiarity with the internal structure of a Windows system. You’ll explore key components used by attackers, defenders, and analysts alike. Your goal is to identify, observe, and document the purpose and behavior of critical directories, services, and tools.

---

## 1. Project Purpose

Understand the layout of a typical Windows system to build intuition for:
- Where attackers hide
- Where defenders monitor
- What system artifacts matter in incident response

---

## 2. Key Areas to Explore

### 2.1. System32 Folder  
- Path: `C:\Windows\System32`  
- Purpose: Core system binaries, drivers, and control utilities  
- Questions: What types of files live here? Can you identify known tools like `cmd.exe`, `powershell.exe`, `taskmgr.exe`?

#### **Expanded Definitions for System32 Contents**

**Core Component Types:**

- **Binaries**  
  Executable program files compiled from source code. In `System32`, binaries are critical Windows executables like `cmd.exe`, `explorer.exe`, or `taskmgr.exe`. These are the actual programs that run system functions.

- **Drivers**  
  Specialized software that allows the operating system to interact with hardware devices (e.g., printers, USB devices, network cards). These files usually have a `.sys` extension and are also stored in `System32\drivers`.

- **Control Utilities**  
  Tools provided by Windows to manage, troubleshoot, or configure system settings. Examples include `diskpart.exe`, `regedit.exe`, and `taskschd.msc`. Many are GUI-based or CLI-based administrative utilities.

---

#### **Common Executable Tools in System32**

- **cmd.exe – Command Prompt**  
  A legacy command-line interface (CLI) that executes text-based system commands. Often used for scripting, troubleshooting, and administrative tasks.

- **powershell.exe – Windows PowerShell**  
  A more advanced CLI and scripting language designed for automation and system administration. It supports complex scripting, remote control, and object-oriented output.

- **taskmgr.exe – Task Manager**  
  A graphical interface used to monitor and manage running processes, system performance, startup items, and more.

---

#### **What is `.exe`?**

- `.exe` stands for **"executable file"**  
  These are compiled programs that can be run by the operating system. In Windows, `.exe` files are the most common form of applications, both user-facing and system-level.

---

#### **Review Questions:**

1. **What types of files live in the System32 directory?**
2. **Can you locate and inspect the properties of known tools like `cmd.exe`, `powershell.exe`, and `taskmgr.exe`?**
3. **Can you distinguish between system binaries, drivers, and control utilities based on their purpose and extensions?**


### 2.2. Task Scheduler  
- Tool: `taskschd.msc` or open via Start Menu  
- Purpose: Automate tasks, commonly abused for persistence  
- Activity: Create a dummy task. Observe how it's recorded.

### 2.3. Registry Editor  
- Tool: `regedit.exe`  
- Purpose: Hierarchical database of system settings  
- Key Paths to Explore:
  - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
  - `HKEY_CURRENT_USER\...`
- Observation: Identify startup entries. Note what runs at boot.

### 2.4. Services Panel  
- Tool: `services.msc`  
- Purpose: List background services running on the system  
- Questions: Which services are set to auto-start? Are there any unusual ones?

### 2.5. Event Viewer  
- Tool: `eventvwr.msc`  
- Purpose: Review system logs (Application, Security, System)  
- Action: Browse logs. Identify 1 security-related event.

### 2.6. Temp and AppData Folders  
- Paths:
  - `C:\Users\<YourUser>\AppData\Local\Temp`  
  - `C:\Users\<YourUser>\AppData\Roaming`  
- Purpose: Used for temporary files, frequently abused by malware  
- Activity: Observe any recent file activity or odd files.

---

## 3. Optional Exploration

### 3.1. Windows Defender History  
- Tool: Windows Security > Virus & threat protection > Protection history  
- Observation: Any past detections?

### 3.2. Command-Line Utilities  
- Try: `netstat -ano`, `tasklist`, `whoami`, `schtasks`  
- Purpose: Get system info without a GUI  
- Observation: Practice reading the output.

---

## 4. Final Notes

This exploration will support:
- Malware detection
- Persistence investigation
- Host-based anomaly triage  

---



## Windows System32 Investigation: cmd.exe Baseline Assessment

### Purpose of This Step

The `System32` directory in Windows (`C:\Windows\System32`) contains the core operating system files, including critical executables, configuration utilities, and system libraries. Because of its importance, attackers often target or mimic files in this folder to hide malicious activity. Establishing a baseline understanding of legitimate files (like `cmd.exe`) helps analysts detect tampering, unauthorized replacements, or persistence mechanisms.

In this step, we examined the file **`cmd.exe`**, which launches the Command Prompt — a foundational tool for executing system-level commands. Knowing how to recognize the authentic version of this file is crucial for identifying signs of compromise or suspicious behavior.

---

### Key Details and Why They Matter

| **Attribute**          | **Value Observed**                     | **Why It Matters**                                                                 |
|------------------------|----------------------------------------|------------------------------------------------------------------------------------|
| **File description**   | Windows Command Processor              | Confirms it's the native command-line tool used for system commands.              |
| **Type**               | Application                            | Indicates it's an executable binary — expected for core tools like `cmd.exe`.     |
| **File version**       | 10.0.22621.5124                        | Should match your Windows build; mismatches could suggest unauthorized changes.   |
| **Product name**       | Microsoft Windows Operating System     | Ensures it originated from Microsoft. Spoofed versions may change this value.     |
| **Product version**    | 10.0.22621.5124                        | Cross-check against file version for consistency.                                 |
| **Date modified**      | 4/8/25 @ 7:21 PM                        | Any recent change to core system files should be validated — may signal tampering.|
| **Language**           | English                                | Should match expected system configuration.                                        |
| **Original filename**  | cmd.exe                                | Verifies the file hasn't been renamed — renamed malware often imitates this file. |

---

By capturing this data now while the system is in a known-good state, we establish a **trusted baseline**. This can later be compared during threat hunting or forensic review.

---

### Follow-Up Observation: Timestamp on `cmd.exe`

While inspecting the properties of `cmd.exe` within the System32 folder, the file was observed to have a `Date Modified` value of **April 8, 2025 at 7:21 PM**. This timestamp is noteworthy because the system was only recently acquired, and no intentional modifications were made by the user at that time.

Although this is **highly likely to be a benign and routine result** of a system update or scheduled maintenance process, the timing stands out and merits further investigation.

This observation will be noted for a **follow-up mini-project**, where we will:
- Validate the file's **integrity** (e.g., digital signature, hash check).
- Correlate the timestamp with any known **Windows Updates** or automated processes.
- Confirm that no unauthorized modification has occurred.

This approach reflects standard analytical caution in security investigations — flagging potentially interesting details even when the probability of malicious behavior is low.

---



### PowerShell.exe – System32 Investigation

**Purpose of Step:**  
PowerShell is a command-line shell and scripting language used extensively for system administration and automation in Windows environments. Because of its deep access to system functions, it is also frequently abused by attackers for post-exploitation activity such as downloading payloads, executing scripts, and evading defenses (a technique often called "Living off the Land"). Observing its properties helps establish a known baseline for legitimate use.

**Collected File Properties:**  
- **File Description:** Windows PowerShell  
- **Type:** Application  
- **File Version:** 10.0.22621.3085  
- **Product Name:** Microsoft Windows Operating System  
- **Product Version:** 10.0.22621.3085  
- **Copyright:** Microsoft Corporation  
- **Size:** 440 KB  
- **Date Modified:** April 10, 2024, 6:28 p.m.  
- **Language:** English  
- **Original Filename:** powershell.exe

**Why It Matters:**  
This file is a frequent target for attackers looking to blend malicious activity into normal system operations. Establishing the file's properties and timestamp can help identify potential tampering or unauthorized replacement. While this timestamp appears typical, it may be revisited during future investigations for correlation with events or updates.


## System32 - Task Scheduler Snap-In (`taskschd.msc`)

### Purpose:
`taskschd.msc` is the Microsoft Management Console (MMC) snap-in for the Task Scheduler. It allows users and administrators to create and manage scheduled tasks—an essential mechanism used for automation, maintenance, and potentially persistence in attacks.

### Primary System File Located:
- **Path:** `C:\Windows\System32\taskschd.msc`
- **Last Modified:** May 6, 2022, 10:19 PM

### Notes:
- Multiple localized versions were found (e.g., `fr-FR`, `es-ES`, `en-US`)—these serve language interface purposes.
- The primary system version (above) is the one relevant for most analysis.
- No unusual modification timestamps noted. File appears consistent with Windows system file norms.



### Registry Persistence Review: `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`

**Purpose of Key:**  
This Registry key causes listed executables to **launch automatically at system startup**. It’s a common location for both legitimate startup programs and malware persistence mechanisms.

**Observed Entries:**

- **(Default)**  
  - **Type:** `REG_SZ`  
  - **Data:** *(value not set)*  
  - **Explanation:** Placeholder with no active value. Can be ignored unless changed.

- **RTKAUDUSERVICE**  
  - **Type:** `REG_SZ`  
  - **Data:** `C:\Windows\System32\DriverStore\...`  
  - **Interpretation:** Realtek audio service. This is a **legitimate driver** commonly installed by the system or OEM.

- **SecurityHealth**  
  - **Type:** `REG_EXPAND_SZ`  
  - **Data:** `%WINDIR%\System32\SecurityHealthSystray.exe`  
  - **Interpretation:** Launches the **Windows Security notification icon**. This is **normal system behavior**.


### **Step 4: Scheduled Task Review – BitLocker**

**Objective:**  
Review a legitimate Windows system task to understand how scheduled tasks are structured and how attackers may imitate them for persistence.

**What is BitLocker?**  
BitLocker is a built-in Windows encryption feature that protects data by encrypting entire drives. It helps prevent unauthorized access to data on lost or stolen devices by requiring authentication (e.g., password, TPM, or USB key) before unlocking the drive during startup.

**What is a TPM (Trusted Platform Module)?**  
A TPM is a dedicated hardware chip that securely stores cryptographic keys, passwords, and other sensitive data. It is commonly used by BitLocker to verify system integrity and unlock encrypted drives without requiring a password at every boot. Because it's hardware-based, it provides stronger protection against tampering compared to software-only security.

TPM Role in BitLocker Protection
The Trusted Platform Module (TPM) is a secure hardware chip built into most modern computers. It protects encryption keys used by BitLocker without storing them on the hard drive itself. Even if the device is stolen, the TPM:

Prevents offline access: Attackers can’t decrypt the drive by removing it or copying it to another system.

Requires authentication: TPM can be configured with a PIN or USB key to require user input at startup.

Detects tampering: If boot files or firmware are altered, TPM blocks access to the encryption keys, preventing the system from unlocking.

This hardware-rooted trust model strengthens data protection even when the physical device is lost or stolen.

--

**Task Path:**  
`Task Scheduler > Task Scheduler Library > Microsoft > Windows > BitLocker`

---

**Key Observations:**

- **Triggers:**
  - Custom trigger is **enabled**.
  - Indicates a specific condition must be met for the task to run (e.g., logon, idle time, or system event).
  - Custom triggers are not inherently malicious but may warrant closer review in unknown or suspicious tasks.

- **Actions:**
  - Uses a **custom handler**, not a typical executable or script.
  - This is expected for Microsoft system components, but attackers may mimic this to disguise malware.
  - Always verify the **path and file integrity** when dealing with non-standard handlers.

- **Conditions:**
  - Configured to **start only if a network connection is available**.
  - May imply that the task interacts with a remote service — a tactic mirrored by malware awaiting a command-and-control (C2) connection.

- **Settings:**
  - **Allow task to be run on demand**: This setting is normal, but can be abused to trigger malicious payloads manually or via script.
  - **Stop the task if it runs longer than 3 days**: Suggests long-running tasks are expected.
  - **Force stop if it doesn't respond**: Adds resiliency, but also removes logs if abused.

- **History:**
  - **Disabled**: A legitimate system configuration in some cases, but disabling task history is also a common attacker technique to hide execution.

---

**Why This Matters:**

- This task represents a **clean baseline example** of how Windows schedules system-level operations.
- Attackers often attempt to **replicate system task structures**, using familiar names (e.g., “Windows Update” or “BitLocker”) to avoid detection.
- Identifying what is **normal** helps you later spot subtle deviations — such as:
  - Unsigned binaries
  - Unexpected authors
  - Modified system paths (e.g., a `.ps1` or `.exe` stored in unusual folders like `%TEMP%` or `%APPDATA%`)
- Scheduled tasks are a **high-value forensic artifact** when investigating persistence.

---




## 3.0 Windows Defender & Security Services Review

In this section, we investigated three key Windows services related to system protection and antivirus monitoring: **Advanced Threat Protection**, **Firewall**, and **Security Center**. These services are often evaluated in system audits or incident response to assess the current state of protection, identify potential tampering, or confirm if defense mechanisms are functioning as expected.

We noted service status, startup behavior, and executable paths, which can help detect signs of deactivation, unauthorized changes, or misconfigurations.

---

### 3.1 Windows Defender Advanced Threat Protection Service

- **Service Name:** `Sense`
- **Display Name:** *Windows Defender Advanced Threat Protection Service*
- **Description:** Helps protect against advanced threats by monitoring and reporting security events that happen on the computer.
- **Path to Executable:**  
  `C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
- **Startup Type:** Manual  
- **Service Status:** **Stopped**  
- **Note:** This may be normal for non-enterprise systems, but it's flagged for review in a mini-project.

---

### 3.2 Windows Defender Firewall

- **Service Name:** `mpssvc`
- **Display Name:** *Windows Defender Firewall*
- **Description:** Helps protect the computer by blocking unauthorized access over the internet or local network.
- **Path to Executable:**  
  `C:\Windows\System32\svchost.exe -k LocalServiceNoNetworkFirewall -p`
- **Startup Type:** Automatic  
- **Service Status:** **Running**

---

### 3.3 Windows Security Center (Security Health Service)

- **Service Name:** `SecurityHealthService`
- **Display Name:** *Windows Security Service*
- **Description:** Handles unified device protection and health information.
- **Path to Executable:**  
  `C:\Windows\System32\SecurityHealthService.exe`
- **Startup Type:** Manual  
- **Service Status:** **Running**

---


### 4.0 Scheduled Task Investigation – Windows Defender Cache Maintenance

**Objective:**  
Review a security-relevant scheduled task to understand how Windows uses Task Scheduler to automate background system and security processes.

**Task Selected:**  
**Windows Defender Cache Maintenance**

---

**Key Findings:**

- **Location:**  
  `Task Scheduler Library > Microsoft > Windows > Windows Defender`

- **Task Name:**  
  *Windows Defender Cache Maintenance*

- **Author:**  
  `DESKTOP-UPKRV33\Steve` *(system automatically records user context)*

- **Run Conditions:**  
  - **Triggers:** *(None shown – likely scheduled via internal system policy or external trigger)*
  - **Actions:**  
    Starts a program:  
    `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25030.2-0\MpCmdRun.exe`  
    *(This is a core Windows Defender command-line utility.)*

  - **Conditions:**  
    - Only runs if the system is **on AC power**.
  
  - **Security Options:**  
    - Runs with **highest privileges** (elevated permission level).
    - Configured for **Windows 10** (backward-compatible with Windows 11 environments).

---

**Interpretation:**  
This task is part of Windows Defender's regular background maintenance, designed to manage its internal cache. While the **lack of a visible trigger** might initially seem unusual, this behavior is common for internal system tasks that use dynamic scheduling or event-based triggers. The execution path and configuration indicate this is **normal system behavior**.

---

**Note:**  
Other similar tasks under `Windows Defender`—such as **Cleanup**, **Scheduled Scan**, and **Verification**—follow the same pattern. For efficiency, we analyzed only one task in depth, but the investigation method can be applied to the others if needed.

---

**Conclusion:**  
Windows Defender Cache Maintenance is a legitimate, security-relevant scheduled task with expected configuration. Its analysis demonstrates how defenders can trace scheduled activity and verify system integrity.


### **Section: Windows Event Log Service Review**

The **Windows Event Log** service is a foundational component of the Windows operating system that handles all event logging operations. It is critical for both system troubleshooting and security monitoring, as it captures logs from various system processes, applications, and security events. Stopping this service may significantly compromise visibility and forensic capabilities.

#### **Key Details**
- **Service Name:** `eventlog`
- **Display Name:** Windows Event Log
- **Description:**  
  This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. **Stopping the service may compromise the security and reliability of the system.**
- **Path to Executable:**  
  `C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p`
- **Startup Type:** Automatic
- **Log On As:** Local Service

#### **Recovery Settings**
- **First Failure:** Restart the service  
- **Second Failure:** Restart the service  
- **Subsequent Failures:** Take no action  
- **Reset Fail Count After:** 1 day  
- **Restart Service After:** 1 minute  
- **Enable Actions for Stops with Errors:** Checked

#### **Dependencies**
- **This service depends on:** *(None listed)*  
- **Services that depend on it:**  
  - Microsoft Update Health Service  
  - Windows Event Collector


## Windows Event Viewer: System Log Sample

As part of this system exploration project, the goal was to **learn how to access and interpret basic entries in Windows Event Viewer**, rather than perform a full log analysis. Understanding how to locate logs is essential for later cybersecurity investigations and aligns directly with CySA+ topics like host-based detection, log correlation, and anomaly detection.

### Access Path:
- Open **Event Viewer** (`eventvwr.msc`)
- Navigate to: **Windows Logs > System**
- Review individual log entries for source, event ID, and description.

---

### Sample Log Entry: Bluetooth USB Adapter Warning

**Log Name:** System  
**Source:** BTHUSB  
**Event ID:** 34  
**Level:** Warning  
**Date:** 4/10/2025 5:33:25 AM  
**Computer:** DESKTOP-UPKRV33  
**Description:**  
The local Bluetooth adapter does not support a required Low Energy (LE) controller state, which disables LE peripheral functionality.

> **Note:** This warning is common and not a security threat. It's a hardware limitation noted by the system driver.

---

This step concludes the introductory log exploration phase. The goal was to gain comfort accessing the **Event Viewer**, understand what types of logs are stored where, and recognize that Windows logs are a primary source of host-based indicators.


## Windows System Exploration Project — Final Conclusion

This project successfully met its goal of providing a practical, hands-on introduction to the most critical areas of the Windows operating system that are frequently targeted by attackers — and are essential for defenders to understand. Rather than focusing on deep analysis or specific findings, the purpose was to **become familiar with system navigation**, understand the **purpose of each component**, and recognize how these areas are leveraged in real-world attacks.

### Key System Areas Explored and Their Relevance:

- **System32 Folder**
  - **Purpose:** Contains core operating system files, executables, and utilities.
  - **Attacker Use:** Common target for malware hiding in plain sight (e.g., masquerading as `cmd.exe` or `svchost.exe`).
  - **Analyst Role:** Inspect file locations, timestamps, and legitimacy of system binaries.

- **PowerShell and Command Prompt (cmd.exe)**
  - **Purpose:** Built-in command-line interfaces used for administration and automation.
  - **Attacker Use:** Frequently used in living-off-the-land attacks, such as executing scripts or downloading payloads.
  - **Analyst Role:** Monitor use of scripting engines and unusual launch patterns.

- **Windows Registry (Run Key)**
  - **Purpose:** Central configuration database for Windows.
  - **Attacker Use:** Used to establish persistence by modifying Run keys or creating malicious startup tasks.
  - **Analyst Role:** Investigate registry paths for unauthorized persistence mechanisms.

- **Task Scheduler**
  - **Purpose:** Automates task execution based on triggers and conditions.
  - **Attacker Use:** Used to maintain persistence, execute malware on boot, or schedule lateral movement steps.
  - **Analyst Role:** Review scheduled tasks for legitimacy and unusual trigger patterns.

- **Windows Services**
  - **Purpose:** Long-running background processes supporting core system functions.
  - **Attacker Use:** Can be disabled to evade detection or hijacked for malicious execution.
  - **Analyst Role:** Check status, startup type, and file paths of sensitive services like:
    - Windows Defender
    - Security Health Service
    - Event Log Service

- **Event Viewer**
  - **Purpose:** Displays detailed logs from the OS and applications.
  - **Attacker Use:** Sometimes cleared to cover tracks.
  - **Analyst Role:** Crucial for reviewing host-based indicators, service errors, system warnings, and application behavior.

---

### Summary:

This exploration provided foundational familiarity with core **Windows security-relevant systems**, how attackers interact with them, and where defenders should look for signs of compromise. It laid the groundwork for future host-based investigations and will reinforce understanding when encountering these elements in CySA+ studies, threat detection labs, and real-world SOC workflows.



### System Coverage Summary

This summary outlines the critical Windows system areas explored during the project, explaining their cybersecurity relevance and highlighting key areas for potential future investigation.

---

#### **Core Areas Explored**

- **System32 Folder**  
  - **Status:** Explored  
  - **Why it matters:** Core system binaries live here, including tools like `cmd.exe` and `powershell.exe`, which are frequently abused by attackers for execution, lateral movement, or obfuscation.

- **Command-Line Interfaces (`cmd.exe`, `powershell.exe`)**  
  - **Status:** Explored  
  - **Why it matters:** Script-based attacks and fileless malware frequently use these tools to execute commands silently or escalate privileges.

  ### Clarification: Relationship Between `System32` and Command-Line Interfaces

During this project, we explored both the **System32 folder** and the **command-line tools** `cmd.exe` and `powershell.exe`. While these were discussed in two different sections, they are directly related:

- **`cmd.exe` and `powershell.exe` are stored in the System32 folder.**
  - The System32 directory contains essential Windows binaries, including the executables for both Command Prompt and PowerShell.
  **Essential Windows binaries** are low-level executable files (.exe, .dll, etc.) that provide core functionality for the operating system — such as system management, configuration, input/output operations, and user interface support. These are typically written in binary machine code and interpreted directly by the Windows OS kernel.
  - When we inspected their file properties earlier, we were viewing them as static files that reside in this core system directory.

- **In the "Command-Line Interfaces" section, we focused on their usage rather than their location.**
  - This part emphasized how attackers utilize these tools for:
    - Executing malicious scripts (fileless attacks)
    - Bypassing traditional antivirus
    - Escalating privileges or moving laterally across the network
  - This shows that while these tools are legitimate Windows components, their misuse is a well-known tactic in post-exploitation stages.

**In summary**, our analysis of `cmd.exe` and `powershell.exe` in both sections was complementary:
- First, identifying them as core binaries in System32.
- Then, understanding how they function as powerful interfaces that can be leveraged — or abused — within a live system.

This layered approach reinforces not only the structure of Windows but also the tactics attackers use to operate within it.




- **Registry Editor – `Run` Keys**  
  - **Status:** Explored  
  - **Why it matters:** A classic persistence mechanism; malware and legitimate software can configure automatic startup behavior via this location.
 
Run keys in the Windows Registry are a classic mechanism used to **configure programs to automatically start when a user logs in**. This is useful for legitimate software (like antivirus tools or update checkers), but it's also **frequently abused by attackers** to maintain persistence on a compromised system.

These keys are located at:
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`

**Why attackers use it:**  
- **Stealthy Persistence:** Allows malware to auto-launch at startup without user interaction.
- **Low-friction Access:** No special privileges are needed to add entries to the current user’s Run key.
- **Blends with Legitimate Behavior:** Since many legitimate apps also use this mechanism, malicious entries may go unnoticed.

**Security Relevance:**  
- Defenders routinely inspect Run keys during incident response and threat hunting.
- SIEM tools and EDR platforms often flag new or unexpected entries in these keys.
- Some malware variants even overwrite or remove existing Run key entries to disable security tools.
> Understanding this Registry location is crucial for spotting unauthorized startup behaviors and validating system integrity.


- **Task Scheduler**  
  - **Status:** Explored  
  - **Why it matters:** Scheduled tasks are often created to maintain persistence or launch payloads at specific times or on system events.
  
Task Scheduler is a built-in Windows utility that allows the operating system and applications to **schedule tasks**—such as launching programs, running scripts, or performing maintenance—based on triggers like time, login, idle state, or system startup.

**Used legitimately for:**  
- System maintenance (e.g., Windows Updates, disk cleanup)
- Software updates
- Automated security scans

**Why attackers use it:**  
- **Persistence:** Malicious tasks can be scheduled to run at boot or user login to re-establish presence after reboots.
- **Stealth:** Tasks can be configured to run silently in the background using legitimate Windows utilities like `powershell.exe` or `cmd.exe`.
- **Flexibility:** Attackers can use custom triggers (e.g., idle time, time-based scheduling) to avoid detection during normal usage hours.

**Common Techniques:**  
- Creating a task that launches malware under the guise of a legitimate filename.
- Modifying an existing task to point to a malicious binary.
- Hiding tasks under obscure or system-sounding names to avoid user suspicion.

**Security Relevance:**  
- **Threat hunters and incident responders** inspect the Task Scheduler for unusual task names, unfamiliar paths, or suspicious triggers.
- SIEMs and EDR platforms often alert on new scheduled tasks or modified ones—especially when they execute known living-off-the-land binaries (LOLBins) like `powershell.exe`.
- Windows logs task events under **Event ID 4698** (task created) and **Event ID 4702** (task updated), which are monitored by defenders.

> Understanding Task Scheduler is crucial for spotting persistence mechanisms, investigating silent task executions, and verifying that scheduled tasks align with legitimate administrative functions.


- **Windows Services (`services.msc`)**  
  - **Status:** Explored  
  - **Why it matters:** Attackers may disable defensive services (like antivirus), install malicious services, or exploit weak permissions.
  
Windows Services are long-running background processes that are crucial for the operating system's core functionality. These include networking, security, user login, system updates, and more. Services typically run with **elevated privileges**, making them powerful targets for attackers.

**Used legitimately for:**  
- Antivirus and firewall protection (e.g., Windows Defender services)  
- System event logging (e.g., Windows Event Log service)  
- Networking and remote access (e.g., Remote Desktop Services, DHCP Client)  
- Scheduled maintenance, updates, and telemetry reporting  

**Why attackers use or target services:**  
- **Persistence:** A malicious service can be created to auto-start on boot, keeping the attacker’s payload running indefinitely.  
- **Defense Evasion:** Attackers may **disable or modify legitimate services**, especially those related to antivirus, firewall, or telemetry, to avoid detection.  
- **Privilege Escalation:** Poorly secured services (e.g., misconfigured permissions or weak paths) can be hijacked or replaced to execute code with SYSTEM-level privileges.  
- **Masquerading:** Malicious services may use legitimate-looking names to blend in with real system processes.

**Common Techniques:**  
- Creating a new service using `sc.exe` or PowerShell that points to a malicious executable.  
- Modifying the **binary path** of an existing service to point to attacker-controlled code.  
- Exploiting **unquoted service paths** where spaces allow injection of rogue executables.  
- Disabling security services like **Windows Defender (SENSE, MPSSVC)** or **Event Log (eventlog)**.

**Security Relevance:**  
- Defenders review service configurations using tools like **Services.msc**, **PowerShell**, or **Autoruns**.  
- Investigators look for services that were **recently added**, **set to start automatically**, or have **binaries in suspicious locations**.  
- Windows logs service creation and changes under **Event ID 7045** (new service) and **Event ID 7036** (service state changes).

> Understanding Windows Services is critical for identifying malicious persistence, detecting disabled security controls, and validating system integrity in any post-compromise analysis.


- **Windows Event Viewer (System Logs)**  
  - **Status:** Explored  
  - **Why it matters:** Event logs are essential for forensics. They show evidence of login activity, service behavior, system errors, and potential attacker footprints.
 
**Windows Event Logs serve as the authoritative audit trail for system activity. They are the **primary source of forensic evidence** when investigating security incidents. Everything from service changes, driver issues, login attempts, to scheduled task execution is recorded here. Security professionals rely on these logs to understand what happened, when, and by whom.

### Expanded Definitions of Logged Activities in Windows Event Viewer

- **Service changes**:  
  Events that track when a Windows service is installed, started, stopped, or modified. These entries can help detect when an attacker disables defenses (e.g., antivirus) or installs a malicious service to maintain persistence.

- **Driver issues**:  
  Logs related to the loading or failure of system drivers—low-level software that communicates between the operating system and hardware. Driver errors can indicate system instability or potentially malicious kernel-level activity.

- **Login attempts**:  
  Recorded events that track successful and failed user logins. Failed logins (e.g., Event ID 4625) are especially important for identifying brute-force attempts, unauthorized access, or lateral movement.

- **Scheduled task execution**:  
  Events showing when a task in the Task Scheduler was triggered, whether by time, login, or system event. These entries are critical for detecting persistence mechanisms or timed malware payloads.


**Used legitimately for:**  
- Auditing **login activity**, both successful and failed  
- Tracking **service lifecycle events** (starts, stops, crashes)  
- Capturing **hardware and driver issues**  
- Recording **scheduled task executions**, application errors, and updates  
- Alerting for **system integrity violations** or unusual behavior

**Why attackers care about logs:**  
- **Log tampering or clearing** (Event ID 1102) may be used to hide evidence  
- **System log silence** or missing expected entries may itself be suspicious  
- Sophisticated attackers may manipulate or **inject false entries** to confuse defenders  
- Post-exploitation tools like **Mimikatz**, privilege escalation scripts, or malware often generate detectable log artifacts

**Important Log Sources:**  
- **System Log:** Kernel-level events, driver failures, power state transitions  
- **Security Log:** Authentication attempts, account lockouts, privilege use  
- **Application Log:** Crashes, errors from installed apps  
- **Windows Defender / Microsoft-Windows-Security-Auditing:** AV and threat-related events

**Common Security-Relevant Events:**  
- **4624:** Successful login  
- **4625:** Failed login attempt  
- **7045:** New service installed  
- **1102:** Event log cleared  
- **4697:** New scheduled task created  
- **4688:** New process creation (if auditing is enabled)

**Security Relevance:**  
- Logs are used during both **real-time detection** (e.g., SIEM correlation) and **post-incident investigation**  
- Analysts frequently pivot between events to trace activity timelines, identify attacker IPs, and correlate with other system changes  
- Many detection rules in tools like **Splunk**, **Elastic**, or **Microsoft Defender** are triggered by patterns in these logs

> Mastering the structure and content of Windows Event Logs is essential for incident detection, investigation, and response. Logs are one of the few immutable records defenders can rely on—unless attackers erase or manipulate them.


---

#### **Optional Areas for Future Exploration (Not Covered in This Project)**

- **AppData & User Profile Directories**  
  - Malware frequently drops payloads here due to user-level write permissions.

  ### AppData and User Profile Directories  
**Why It Matters:**  
The `AppData` folder and broader user profile directories (e.g., `C:\Users\<Username>\`) are high-value areas for attackers because they provide a writable space that is often overlooked by security tools and users alike. These locations are routinely used by legitimate applications to store configurations, cached files, session tokens, and runtime data — but this same flexibility makes them ideal for attacker operations.

- **Persistence without elevated privileges**:  
  Attackers can drop payloads, scripts, or even entire backdoors in user-specific folders without requiring administrative rights. These files can be set to run at startup using user-level registry run keys or scheduled tasks.

- **Evasion from system-wide defenses**:  
  Because antivirus and Endpoint Detection and Response (EDR) tools often focus more aggressively on system directories, malware hiding in `AppData` may evade detection, especially if it mimics the structure or naming of legitimate software.

- **User-specific targeting**:  
  Attackers may use these directories to store tools that activate only for certain users, enabling stealthy, role-specific surveillance or data collection — for example, targeting only accounts with access to sensitive files or VPN credentials.

- **Key locations**:  
  - `AppData\Roaming`: Commonly abused for persistence, especially because its contents sync with domain profiles in enterprise environments.  
  - `AppData\Local`: Often used for dropped binaries or temporary storage.  
  - `AppData\LocalLow`: A more restricted version used by some applications (like web browsers or Flash-based apps).

- **Investigation insight**:  
  Security analysts should routinely inspect these directories during incident response to locate hidden executables, suspicious folders, or scripts mimicking legitimate applications.


- **Security Audit Policy (`secpol.msc`)**  
  - Governs what is logged by the system. Understanding this is critical when configuring a forensic-ready system or evaluating log coverage.

  ### Security Audit Policy  
**Status:** Not explored  
**Why it matters:**  
Security audit policies govern what types of events are recorded in the Windows event logs, particularly within the Security log. These settings determine whether the system logs successful and failed logon attempts, object access (e.g., file or folder interactions), privilege use, system changes, and more.

Proper configuration of audit policies is foundational for forensic readiness. If logging is not enabled for specific event types, critical evidence may be lost during an investigation. For example, without auditing object access or privilege use, an attacker could read sensitive files or escalate privileges without leaving a trace.

Security teams rely on these policies to ensure visibility into suspicious or unauthorized activity, and to maintain compliance with regulatory frameworks (e.g., HIPAA, PCI-DSS). Misconfigured or overly permissive audit settings can hinder incident detection and delay response.

**Key Concepts:**
- **Audit Success**: Records successful actions (e.g., a user successfully logged in).
- **Audit Failure**: Records failed attempts (e.g., failed logins or privilege use).
- **Granular Control**: Admins can define which activities are audited under categories like logon events, object access, policy changes, and process tracking.

**Use Case:**  
Security Audit Policy settings should be reviewed and tailored to organizational needs. Overly broad settings may generate noise, while under-auditing risks losing evidence of attacker behavior.


- **Windows Defender Logs / Security Center Interface**  
  - Viewing how Defender logs alerts or actions can aid in threat detection or false positive evaluation.

  ### Windows Defender Logs (Security Center Interface)  
**Status:** Not explored  
**Why it matters:**  
**Windows Defender** is Microsoft’s built-in antivirus and antimalware solution included in modern versions of Windows. It provides real-time protection against threats such as viruses, spyware, ransomware, and other forms of malware. It integrates with the Windows Security Center to centralize visibility of threat detections, protection status, and alerts across various security features (e.g., firewall, device health, and SmartScreen).

Reviewing **Windows Defender logs** through the Security Center or associated event logs (e.g., `Microsoft-Windows-Windows Defender/Operational`) is crucial for understanding system-level threat responses. These logs reveal:
- What threats were detected
- When and where the threats occurred
- Whether remediation actions were successful
- If any real-time protection features were disabled or bypassed

This visibility is essential for:
- **Threat Detection:** Identifying real-world malware encounters, including file paths and affected users.
- **Incident Response:** Verifying whether a threat was mitigated or requires escalation.
- **False Positive Investigation:** Determining whether benign files or scripts were misclassified and blocked.
- **Auditing & Compliance:** Showing protection activity and system health over time.

**Use Case:**  
In security operations or incident response, analysts rely on Defender logs to validate endpoint activity and assess whether malware was neutralized or persisted. These logs also support the tuning of exclusions and real-time protection features to balance security and usability.


- **Temp Folders (`%TEMP%`)**  
  - Another common drop zone for temporary payloads or scripts used in staged attacks.

  ### Temp Folders  
**Status:** Not explored  
**Why it matters:**  
Temporary folders (such as `C:\Windows\Temp` and `%USERPROFILE%\AppData\Local\Temp`) are system-designated storage areas used to hold short-lived files generated by applications, installers, or system processes. These files may include setup data, extracted archives, cached installers, crash dumps, or application logs.

Because these folders are **writable by user-level processes** and typically excluded from strict access controls, they are frequently exploited by attackers during staged or fileless attacks. Common attacker uses include:
- **Dropping malicious payloads** that are executed later (e.g., malware stagers, initial scripts).
- **Extracting archive contents** (e.g., from phishing-delivered ZIP files or embedded executables).
- **Living off the land** by executing malicious scripts from temporary locations to evade detection.
- **Bypassing application controls** that ignore or allow execution from these directories.

Security teams monitor temp folder activity to catch:
- Suspicious script execution (`.vbs`, `.js`, `.ps1`, `.bat`) from temp paths.
- Unexpected binaries dropped by unusual parent processes.
- Indicators of tools like LOLBins (Living Off the Land Binaries) being launched from temporary storage.

**Use Case:**  
In threat hunting or incident response, correlating temp folder usage with known attack timelines helps determine staging behavior, privilege escalation attempts, or lateral movement. Behavioral detection rules often flag execution from temp folders as high-risk, particularly for script-based attacks.


---
