Operating Systems & Endpoints
Windows/Linux basics, processes, persistence, and endpoint triage.
OS-01
Where do you typically find Windows security logs?
Answer: In Event Viewer under Windows Logs → Security (and also System/Application). Centralized logs may be forwarded to a SIEM.
Tip: Know examples: logon events, account changes, service installs, scheduled tasks.
OS-02
Where are common Linux logs stored?
Answer: Usually under /var/log (e.g., auth.log/secure, syslog/messages, journalctl for systemd).
Tip: Be comfortable with grep, tail, less, and journalctl queries.
OS-03
How would you quickly assess a suspicious process on Windows?
Answer: Check process name/path, parent process, command line, hash, signed status, and network connections; correlate with recent file writes and user context.
Tip: Sysinternals Process Explorer is a common approach (even if your org uses EDR).
OS-04
How would you quickly assess a suspicious process on Linux?
Answer: Use ps/top, check command line and parent (ps -ef), validate binary path, inspect network sockets (ss/netstat), and review auth/system logs around the time of execution.
Tip: Look for unusual locations (e.g., /tmp, /dev/shm) and odd persistence mechanisms.
OS-05
What is “persistence” and give 3 examples on endpoints.
Answer: Persistence is how malware survives reboots and maintains access. Examples: scheduled tasks, startup/run keys, services (Windows); cron jobs, systemd services, rc scripts (Linux).
Tip: In interviews, name specific locations/keys (e.g., Run/RunOnce).
OS-06
What is the Windows Registry and why is it useful in investigations?
Answer: A database for configuration and system settings. It’s often used for persistence and stores artifacts about execution, installed software, and user activity.
Tip: Mention common persistence keys and that EDR often records registry modifications.
OS-07
How do you check for suspicious user accounts?
Answer: Review local/domain account creation, group membership changes, recent logons, and privileged roles; validate against HR/IT change records.
Tip: Look for “new admin” accounts, unusual naming patterns, and logons at odd hours.
OS-08
Explain the idea of least privilege.
Answer: Users and services should have only the minimum permissions needed. It reduces blast radius when accounts are compromised.
Tip: Tie it to SOC: privilege abuse is common; watch for admin group changes and token elevation.
OS-09
User-mode vs kernel-mode malware—what’s the difference?
Answer: User-mode runs with standard process privileges; kernel-mode runs in the OS core, can hide deeper, and is harder to detect/remove.
Tip: You don’t need deep RE knowledge—just show you understand impact and detection difficulty.
OS-10
What endpoint signals help determine if an alert is real?
Answer: Process lineage, command line, file hash reputation, network destinations, persistence attempts, lateral movement artifacts, and user context.
Tip: Answer like a triage playbook: validate → scope → contain if needed.