Windows Internals: Security Professional's Deep Dive
Advanced attacks on Windows routinely slip past signature-based tooling because they abuse legitimate operating-system mechanisms: process memory, the registry, LSASS and Kerberos. Understanding those internals is what lets a defender recognise the abuse. This tutorial covers the critical system components, the security mechanisms built around them, and the forensic investigation techniques a security professional needs for both detection and hardening.
[Chart: Windows Attack Surface Distribution (2023); chart data not reproduced in this text]
1. Windows Security Architecture
Critical Components:
- Security Reference Monitor (SRM): kernel component that performs every access check by comparing the caller's access token against the object's security descriptor, and that generates audit records
- Local Security Authority (LSA): the lsass.exe service that authenticates users, builds their tokens and hosts the authentication packages (MSV1_0 for NTLM, Kerberos)
- Windows Filtering Platform (WFP): kernel framework for filtering the network stack, used by Windows Firewall and by EDR network sensors
Security Mechanisms:
- Mandatory Integrity Control (MIC): assigns every process and securable object an integrity level (Low, Medium, High, System) and blocks lower-integrity writes to higher-integrity objects; the basis of IE Protected Mode and application sandboxes
- User Account Control (UAC): gives administrators a filtered, medium-integrity token for everyday work and requires explicit consent before the full administrator token is used
- Control Flow Guard (CFG): compiler-inserted checks that validate indirect call targets at run time, so a memory-corruption bug is harder to turn into control-flow hijack
Enterprise Insight:
Credential Guard uses virtualization-based security to move NTLM hashes and Kerberos TGTs out of lsass.exe and into an isolated LSA process (LsaIso.exe) that the normal operating system, and therefore a Mimikatz running as SYSTEM, cannot read.
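Two of the mechanisms above, MIC and UAC, can be observed directly on the current logon token. The script below is an added example, not code from the original page: it parses the CSV output of the in-box whoami.exe (columns "Group Name", "Type", "SID", "Attributes") to report the token's integrity level, which appears as a "Label" group with a well-known S-1-16-* SID, and whether the token is a UAC-filtered administrator token, which shows BUILTIN\Administrators (S-1-5-32-544) marked "Group used for deny only".

```powershell
# Added example (not from the original page): inspect the current token's
# integrity level (MIC) and UAC filtering state via whoami /groups.
# Assumes the in-box whoami.exe and its CSV column names
# "Group Name","Type","SID","Attributes".
function Get-TokenSecurityContext {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # MIC: the integrity label is reported as a group of type "Label" whose
    # SID is S-1-16-<level>, e.g. S-1-16-8192 (Medium), S-1-16-12288 (High).
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    # UAC: an administrator running with the filtered token still carries
    # BUILTIN\Administrators, but with the "Group used for deny only" attribute.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $isAdminMember = $null -ne $admins
    $isFiltered = $isAdminMember -and ($admins.Attributes -match 'deny only')

    [pscustomobject]@{
        User           = (whoami)
        IntegrityLevel = $label.'Group Name'
        IntegritySid   = $label.SID
        AdminMember    = $isAdminMember
        UacFiltered    = $isFiltered
        Elevated       = $isAdminMember -and -not $isFiltered
    }
}

Get-TokenSecurityContext | Format-List
```

Run it once from a normal PowerShell window and once from an elevated one: the same user goes from "Medium Mandatory Level" with UacFiltered = True to "High Mandatory Level" with Elevated = True, which is the split-token behaviour UAC implements.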
2. Process & Memory Security
Key Structures:
- EPROCESS: the kernel's per-process object; holds the pointer to the primary access token, the handle table, the VAD root and the list links that process-enumeration tools walk
- PEB (Process Environment Block): user-mode structure the process can read itself; holds the loaded-module list (Ldr), image base and command line, so it is both what malware tampers with and what forensic tools read to spot unlinked modules or hollowed images
- VAD tree (Virtual Address Descriptors): kernel tree of the process's virtual address ranges with their protection and backing type (image, mapped, private); injected code shows up as private executable ranges not backed by any file
Investigation Commands:
# List processes with their user name (security context)
tasklist /V /FO CSV
# Dump full process memory for offline analysis (Sysinternals ProcDump)
procdump -ma [PID]
# List unsigned DLLs loaded in a process, a first pass for injected modules (Sysinternals ListDLLs)
listdlls -u [PID]
Attack Example:
Process hollowing: the attacker starts a legitimate executable suspended, unmaps its image from memory, writes a malicious image in its place and resumes the main thread. The process name, path and parent all look normal; the forensic tell is the mismatch between the image on disk and the executable code actually mapped in memory.
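Both injection and hollowing leave the same trace in the VAD tree described above: committed, executable memory that is MEM_PRIVATE rather than MEM_IMAGE, i.e. not backed by a PE file on disk. The script below is an added example, not code from the original page. It uses VirtualQueryEx through Add-Type P/Invoke to walk a process's address space and list such regions; the constants are the documented Win32 values, and the access mask assumes PROCESS_QUERY_INFORMATION is enough, which is what VirtualQueryEx requires.

```powershell
# Added example (not from the original page): enumerate a process's committed,
# private, executable memory regions via VirtualQueryEx. Legitimate code is
# MEM_IMAGE (backed by a PE on disk); injected shellcode and reflectively
# loaded DLLs usually sit in MEM_PRIVATE pages that are executable, often
# PAGE_EXECUTE_READWRITE. Run elevated to inspect other users' processes;
# PPL-protected processes (lsass with RunAsPPL) still refuse to open.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress;
    public IntPtr AllocationBase;
    public uint   AllocationProtect;
    public IntPtr RegionSize;
    public uint   State;
    public uint   Protect;
    public uint   Type;
}

public static class Mem {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr address,
        out MEMORY_BASIC_INFORMATION mbi, IntPtr length);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Get-PrivateExecutableRegions {
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION = 0x0400
    $MEM_COMMIT   = 0x1000
    $MEM_PRIVATE  = 0x20000
    $EXECUTE_MASK = 0xF0    # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY
    $WRITE_EXEC   = 0xC0    # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

    $h = [Mem]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = New-Object MEMORY_BASIC_INFORMATION
        $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
        $addr = [Int64]0
        # Walk the address space one region at a time; the query fails (returns 0)
        # once we pass the top of user-mode space, which ends the loop.
        while ([Mem]::VirtualQueryEx($h, [IntPtr]$addr, [ref]$mbi, $size) -ne [IntPtr]::Zero) {
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and
                ($mbi.Protect -band $EXECUTE_MASK) -ne 0) {
                [pscustomobject]@{
                    ProcessId   = $ProcessId
                    BaseAddress = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                    SizeKB      = [int]($mbi.RegionSize.ToInt64() / 1KB)
                    Protect     = '0x{0:X}' -f $mbi.Protect
                    Rwx         = ($mbi.Protect -band $WRITE_EXEC) -ne 0
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr) { break }     # defensive: never spin on a zero-size region
            $addr = $next
        }
    } finally {
        [void][Mem]::CloseHandle($h)
    }
}

# Sweep every process we are allowed to open; ones we cannot open are reported, not fatal.
Get-Process | ForEach-Object {
    try { Get-PrivateExecutableRegions -ProcessId $_.Id }
    catch { Write-Warning $_.Exception.Message }
} | Format-Table -AutoSize
```

Expect legitimate hits: any JIT runtime (.NET including PowerShell itself, browsers, Java) allocates private executable pages. The signal is a private RWX region in a process that has no business compiling code (explorer.exe, svchost.exe, notepad.exe), or one whose size and base line up with a full PE image, which is the hollowing case. Dump the region with ProcDump and inspect it before drawing conclusions.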
3. Registry & Configuration Security
Security-Critical Hives:
- HKLM\SAM: local account database including NT password hashes; readable only as SYSTEM
- HKLM\SECURITY: LSA secrets (service account passwords, machine account secret), cached domain logon verifiers and local security policy
- HKLM\SOFTWARE: installed programs and the majority of registry-based persistence points (Run keys, shell extensions, Winlogon, IFEO)
Forensic Commands:
# Save a hive as a binary file for offline analysis (requires administrator; reg export would only produce a .reg text dump)
reg save HKLM\SYSTEM system.hiv
# Check persistence locations
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Find services whose configuration is writable by ordinary users (Sysinternals AccessChk)
accesschk.exe -accepteula -uwcqv "Authenticated Users" *
Malware Technique:
Registry Run keys for persistence (e.g., HKCU\...\Run)
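The reg query above shows one key; a practitioner wants the same question answered for every autostart location at once, with the executable behind each command line checked. The script below is an added example, not code from the original page. It reads the Run/RunOnce keys under HKLM and HKCU plus every service ImagePath, extracts the program from the command line, and flags entries that are not validly Authenticode-signed or that launch from a user-writable directory. The key list and the "user-writable" path patterns are this example's own choices and are deliberately not exhaustive (Autoruns covers far more locations).

```powershell
# Added example (not from the original page): sweep Run/RunOnce keys and service
# ImagePaths, resolve the executable from each command line, and flag entries
# that are unsigned or start from a user-writable directory.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories an unprivileged user can write to (this example's list, not exhaustive).
# Matches at the start of a path or right after an opening quote in a command line.
$UserWritable = '(?i)(^|")(%temp%|%appdata%|%localappdata%|c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)'

function Resolve-CommandExecutable {
    # Extract the program from command lines such as
    #   "C:\Program Files\App\app.exe" --flag   C:\Tools\x.exe /s   rundll32.exe foo.dll,Run
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        # Unquoted paths may contain spaces ("C:\Program Files\x.exe"): take up to the first ".exe"
        $m = [regex]::Match($cmd, '^(?i)(.+?\.exe)(\s|$)')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        # Bare names (rundll32.exe) resolve through PATH, as CreateProcess would
        $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $exe = $app.Source }
    }
    $exe
}

function Get-AutostartFinding {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe    = Resolve-CommandExecutable $CommandLine
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    # Signature status: Valid, NotSigned, HashMismatch, NotTrusted, ... or our own FileMissing
    $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString() } else { 'FileMissing' }
    $userWritable = ($exe -match $UserWritable) -or ($CommandLine -match $UserWritable)
    [pscustomobject]@{
        Source       = $Source
        Name         = $Name
        Executable   = $exe
        Signature    = $sig
        UserWritable = $userWritable
        Suspicious   = ($sig -ne 'Valid') -or $userWritable
    }
}

$findings = @(
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath/PSParentPath/... provider metadata, not values
            Get-AutostartFinding -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
        }
    }
    # Service ImagePath has the same command-line shape as a Run value
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName) { Get-AutostartFinding -Source 'Service' -Name $svc.Name -CommandLine $svc.PathName }
    }
)

$findings | Where-Object { $_.Suspicious } |
    Format-Table Source, Name, Executable, Signature, UserWritable -AutoSize
```

Unsigned is a hint, not a verdict: plenty of legitimate line-of-business software ships unsigned, and a signed binary can still be a LOLBin such as rundll32.exe or mshta.exe whose arguments carry the payload. Review the Executable and the full command line together, and treat FileMissing entries as worth a look too, since a dangling Run value pointing into a user-writable path is a hijack opportunity.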
4. Authentication & Credential Security
Security Components:
- LSASS: lsass.exe caches credential material in memory for single sign-on (NT hashes, Kerberos tickets and, when WDigest is enabled, plaintext passwords), which is why it is the target of every credential dumper
- Kerberos: domain authentication protocol; the KDC issues ticket-granting tickets and service tickets that are held in LSASS memory and can be stolen and replayed
- DPAPI: encrypts per-user and per-machine secrets (browser passwords, certificates, Wi-Fi keys) with master keys derived from the user's logon credential or the machine key
Hardening Measures:
- LSA Protection (RunAsPPL): runs lsass.exe as a Protected Process Light so unprotected processes cannot open it for memory read; it raises the bar for dumping but a signed driver or kernel-mode attacker can still bypass it
- Windows Hello for Business: TPM-backed asymmetric keys replace the password at sign-in, so there is no reusable secret to capture
- Protected Users group: members cannot authenticate with NTLM or with DES/RC4 Kerberos, cannot be delegated, and have no credentials cached on the device
Enterprise Defense:
With Microsoft Defender Credential Guard enabled, the isolated LSA (LsaIso.exe) performs the NTLM and Kerberos operations and lsass.exe holds only encrypted blobs, so dumping LSASS memory yields no reusable hashes or TGTs. It does not protect local accounts, credentials a user types into a keylogged session, or secrets managed by software that handles its own authentication.
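The hardening measures in this section each leave a verifiable footprint on the host. The script below is an added example, not code from the original page; it reports the credential protection posture of the local machine and of the current logon. The registry values (RunAsPPL, WDigest UseLogonCredential), the Win32_DeviceGuard WMI class and its status codes, the LsaIso.exe process name and the Protected Users RID 525 are documented Windows facts; the pass/fail interpretation is this example's own.

```powershell
# Added example (not from the original page): report the local credential
# protection posture (LSA Protection, WDigest, VBS/Credential Guard) and
# whether the current user is in Protected Users.
function Get-CredentialProtectionPosture {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # LSA Protection (RunAsPPL): 1 = enabled with UEFI lock, 2 = enabled without the
    # lock (Windows 11 22H2+). lsass.exe then runs as Protected Process Light and an
    # unprotected process cannot open it with PROCESS_VM_READ.
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # WDigest: UseLogonCredential = 1 makes LSASS keep plaintext passwords in memory.
    # Absent or 0 is the safe default since Windows 8.1 / Server 2012 R2 (KB2871997 on older).
    $useLogonCred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

    # Virtualization-based security. VirtualizationBasedSecurityStatus: 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Credential Guard's isolated LSA runs in LsaIso.exe; its presence confirms the service is live.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    # The domain Protected Users group always has RID 525 under the domain SID (S-1-5-21-...).
    $protectedUser = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-5-21-*-525' }

    [pscustomobject]@{
        LsaProtection        = ($runAsPpl -in @(1, 2))
        WDigestPlaintext     = ($useLogonCred -eq 1)
        VbsRunning           = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard      = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
        LsaIsoProcess        = ($null -ne $lsaIso)
        UserInProtectedUsers = ($null -ne $protectedUser)
    }
}

Get-CredentialProtectionPosture | Format-List
```

A hardened domain workstation reads LsaProtection True, WDigestPlaintext False, VbsRunning and CredentialGuard True; an administrator account with UserInProtectedUsers False is the common gap to raise with the directory team. Note that Credential Guard reported as running says nothing about local accounts, which it does not cover.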
Windows Security Quick Reference
| Component | Security Feature | Investigation Tool | Common Attack |
|---|---|---|---|
| Processes | ASLR, DEP, CFG | Process Explorer, ProcDump | Process Injection, Hollowing |
| Registry | ACLs, Auditing | Autoruns, Regshot | Run-key and Service Persistence |
| Authentication | Credential Guard, LSA Protection | Security event log (wevtutil, Get-WinEvent) | Pass-the-Hash, LSASS Dumping |
5. Forensic Investigation Tools
Sysinternals Suite
- Process Explorer
- Autoruns
- Procmon
Native Commands
- wevtutil (Event Logs)
- Log Parser 2.2 (Microsoft download, not in-box)
- powershell -c "Get-WinEvent"
Enterprise Solutions
- Microsoft Defender for Endpoint (formerly Windows Defender ATP)
- Microsoft Sentinel (formerly Azure Sentinel)
- Velociraptor (open-source endpoint collection and hunting)
Windows Security Hardening
Security Insight: Most enterprise compromises on Windows come back to the same small set of internals covered here: the registry for persistence, LSASS and Kerberos for credential theft and lateral movement, and process memory for code injection. Understanding these components, how they are protected and what traces their abuse leaves is crucial for both attack detection and system hardening.