Day 5: Windows OS fundamentals for SOC Analyst
Windows commands a SOC analyst uses in daily work
1. ipconfig
• Shows the network configuration: IP address, subnet mask, default gateway and DNS servers. ipconfig /all adds the MAC address, the DHCP server and whether DHCP is in use; ipconfig /displaydns prints the local DNS cache.
• Confirms the host has the expected address and DNS settings. A changed DNS server or gateway deserves investigation, because traffic redirection starts there, and the DNS cache shows names a process recently resolved.
2. netstat
• Displays active connections and listening ports. Use netstat -ano so every line includes the owning PID, and -b (elevated prompt required) to show the executable name.
• Identifies unexpected outbound connections or listeners. Match the PID against tasklist to name the process; a user-land binary holding an outbound connection on an unusual port is a classic command-and-control indicator.
3. tasklist
• Lists all running processes with their PIDs. tasklist /svc shows which services each svchost.exe hosts; tasklist /m lists the DLLs loaded in each process.
• Spots unknown or misnamed processes, for example a binary imitating a Windows name, or a process running from a user-writable path such as %TEMP%.
4. taskkill
• Terminates a process by image name (taskkill /IM name.exe) or by PID (taskkill /PID 1234 /F to force).
• Stops malicious or unresponsive processes. Kill by PID rather than image name when several processes share a name, and collect evidence first (the binary's path and hash, a memory capture) if the case may need it.
5. whoami
• Shows the current user; whoami /groups and whoami /priv show the group memberships and privileges of the current token.
• Checks which account a shell is running as and whether it holds sensitive privileges such as SeDebugPrivilege or SeImpersonatePrivilege, which is the first question when assessing whether an attacker escalated.
6. net user
• Lists local user accounts; net user <name> shows one account's details (last logon, when the password was last set, local group memberships, whether the account is active).
• Looks for accounts that should not exist, accounts created recently, or accounts that were disabled and are active again.
7. net localgroup administrators
• Shows the members of the local Administrators group (net localgroup on its own lists every local group).
• Checks whether an attacker added an account to Administrators. Compare against the expected membership, and check Remote Desktop Users and Remote Management Users the same way.
8. dir
• Lists files and folders. dir /a includes hidden and system files; dir /od sorts by modification time so the newest entries appear last.
• Looks for recently dropped or hidden files and unexpected changes, especially in folders attackers favour such as %TEMP%, %APPDATA% and C:\Users\Public.
9. type
• Prints the content of a text file to the console.
• Reads logs, scripts or configuration files quickly without opening an editor; pipe into more for long files.
10. find / findstr
• Searches for strings in files or in command output. find matches a literal string; findstr also supports regular expressions, case-insensitive matching (/i) and recursive search through subfolders (/s).
• Filters output for keywords, for example netstat -ano | findstr ESTABLISHED, or findstr /i "failed" app.log.
11. systeminfo
• Displays the OS version and build, original install date, last boot time, domain membership and the list of installed hotfixes (KB numbers).
• Establishes what the host is and when it last booted, and shows which patches are installed. It does not list missing patches, so compare the hotfix list against the patches expected for that build.
12. wmic
• Queries WMI from the command line, for example wmic product get name,version (installed software), wmic process get name,processid,commandline (running processes with their command lines) or wmic startup get caption,command (autostart entries).
• Used for inventory checks and forensic collection; the commandline column in particular shows how a process was launched. Note that wmic is deprecated and is no longer installed by default on the newest Windows releases, where Get-CimInstance in PowerShell returns the same data.
13. sc
• Queries and controls Windows services: sc query lists services and their state, sc qc <name> shows a service's binary path, start type and account.
• Checks for services attackers installed for persistence or execution. A service whose binary path points to a temporary or user folder deserves a close look.
14. route print
• Shows the routing table, i.e. how outgoing traffic is directed.
• Spots routes an attacker may have added for tunneling or pivoting, for example a new route to an internal subnet via an unexpected gateway.
15. net share
• Lists the folders this system shares, including the administrative shares (C$, ADMIN$, IPC$).
• Checks for unauthorized shares; an attacker may share a folder to stage data or move tools between hosts.
16. net use
• Shows the remote shares this system is currently connected to and any mapped drive letters.
• Shows whether the host is connected to a share it should not be, which can indicate lateral movement or data staging.
17. ping
• Tests whether another host is reachable on the network.
• Basic connectivity troubleshooting. Many hosts and firewalls drop ICMP, so no reply does not prove the host is down.
18. tracert
• Shows the path traffic takes to a target, hop by hop.
• Identifies how traffic is routed and at which hop it is being blocked.
19. arp -a
• Displays the ARP cache: the IP-to-MAC mappings the host has learned.
• Spots the same MAC address answering for several IP addresses, in particular the gateway's, which indicates ARP spoofing.
20. eventvwr (launches Event Viewer)
• Opens the Event Viewer GUI (eventvwr.msc).
• Reviews logs for failed logons, service errors or other suspicious activity.
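The pairing of netstat (command 2), tasklist (command 3) and taskkill (command 4) described above, as an added example that is not part of the original notes: it parses constructed sample output of netstat -ano and tasklist /svc, attributes every listener and every established connection to an external address to its process, and builds the taskkill line for each. The sample output, the PIDs and the address 203.0.113.77 (a documentation range standing in for an Internet host) are invented, and the INTERNAL_NETS list is an assumption to be replaced with the organisation's own address plan.

```python
"""Pairs `netstat -ano` with `tasklist /svc` to name the process behind every
listener and external connection, and builds the matching `taskkill` line.
All sample output below is constructed, not captured from a real host."""
import ipaddress
import re
from collections import namedtuple

# Constructed `netstat -ano` output: the column layout matches Windows, the
# addresses and PIDs are invented. 203.0.113.77 (documentation range) stands
# in for an Internet host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49812         203.0.113.77:4444      ESTABLISHED     4412
  TCP    10.0.0.5:49820         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1208
"""

# Constructed `tasklist /svc` output.
TASKLIST_OUTPUT = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    912 RpcEptMapper,RpcSs
svchost.exe                   1208 W32Time
updater.exe                   4412 N/A
"""

# Assumption: these ranges are "internal". Documentation ranges are left out
# on purpose so the sample connection counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/32", "::1/128", "::/128", "fe80::/10")]

Conn = namedtuple("Conn", "proto local remote state pid")


def parse_tasklist(text):
    """Map PID -> (image name, comma-separated services). Image names may
    contain spaces, so the regex anchors on the numeric PID column."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$", line)
        if m:
            procs[int(m["pid"])] = (m["image"], m["svcs"].strip())
    return procs


def parse_netstat(text):
    """Parse the `netstat -ano` table. UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def split_endpoint(endpoint):
    """'10.0.0.5:49812' -> ('10.0.0.5', 49812); '[::]:135' -> ('::', 135);
    '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname
        return False
    return any(ip in net for net in INTERNAL_NETS)


def triage(netstat_text, tasklist_text):
    """Return findings for every ESTABLISHED connection to an external address
    and every listening socket, each attributed to its owning process."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        image, svcs = procs.get(c.pid, ("<pid not in tasklist>", ""))
        rhost, rport = split_endpoint(c.remote)
        if c.state == "ESTABLISHED" and not is_internal(rhost):
            reason = f"outbound to external address {rhost}:{rport}"
        elif c.state == "LISTENING" or c.proto == "UDP":
            reason = f"{c.proto} listener on port {split_endpoint(c.local)[1]}"
        else:
            continue                      # internal-to-internal session
        findings.append({"pid": c.pid, "image": image, "services": svcs,
                         "local": c.local, "remote": c.remote, "reason": reason,
                         "kill_cmd": f"taskkill /PID {c.pid} /F"})
    return findings


def outbound_external(findings):
    """The findings an analyst looks at first."""
    return [f for f in findings if f["reason"].startswith("outbound")]


if __name__ == "__main__":
    for f in triage(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"PID {f['pid']:>5}  {f['image']:<20} {f['reason']}")
```

On a live host, run the two commands and save their output (netstat -ano > net.txt, tasklist /svc > tasks.txt) before feeding them in, so the evidence is preserved even after the process is killed. The listener findings are expected for system services such as RPC on 135 and SMB on 445; the outbound entry for updater.exe on port 4444 is the one that needs explaining.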
Types of Windows Logs
1. Application Log
• What it is:
Records events written by software installed on the system. The applications themselves decide what to log; Windows only stores the entries.
• Types of events you’ll see:
o Application errors (crashes, failures)
o Warnings (potential problems, like low memory)
o Information (normal events, like a service starting)
• Why it’s important for SOC:
While not directly security-related, this log can show signs of:
o A compromised or misbehaving app
o Failed app updates or patching
o Malware pretending to be a legitimate app
Example:
If a security application (like an antivirus or EDR) is constantly crashing, you’ll
see clues here.
2. Security Log
• What it is:
Logs all security-related events — this is one of the most critical logs for
SOC analysts.
• Types of events you’ll see:
o Login successes and failures
o File and object access (if auditing is enabled)
o Privilege use (a process exercising a sensitive privilege, e.g. taking ownership of a file)
o Account changes (password resets, user creations)
• Why it’s important for SOC:
This is where you detect attacks like:
o Brute-force login attempts
o Privilege escalation
o Unauthorized access to files or systems
o Insider threats
o Policy violations
Example:
Event ID 4625 records a failed logon. Many 4625 events for one account from one source in a short time are the signature of a brute-force attack; many accounts with one failure each from one source indicate password spraying.
3. System Log
• What it is:
Logs Windows system-level events — mainly generated by the operating
system, drivers, and core services.
• Types of events you’ll see:
o Service failures (e.g., Windows Update failing)
o Driver issues
o Hardware errors
o System shutdowns/restarts
• Why it’s important for SOC:
While not always security-specific, system issues can:
o Be a sign of an attack (e.g., attacker disabling logs or AV services)
o Cause system outages or weaknesses attackers exploit
o Reveal tampering or suspicious reboots
Example:
A sudden stop or crash of critical services like Windows Defender may suggest
tampering.
4. Setup Log
• What it is:
Contains events related to the installation or setup of the Windows
system, as well as updates and upgrades.
• Types of events you’ll see:
o OS installations
o Windows updates and upgrades
o Driver and component setup
• Why it’s important for SOC:
Tracks when critical system changes happened, helping answer:
o Was a system rebuilt recently?
o Was a specific patch installed?
o Was the system tampered with during setup?
Example:
A failed update means the system is still exposed to the vulnerability that patch fixes, so a failed or missing update narrows down what an attacker could have used.
5. Forwarded Events
• What it is:
A central collection log where events from other systems are forwarded.
• Types of events you’ll see:
o Any logs forwarded by a configured system (usually Security or
System logs from other machines)
• Why it’s important for SOC:
In large environments, you can’t check every machine manually, so
forwarding critical events to a central log collector allows:
o Central monitoring
o Faster incident detection across multiple systems
o Easier correlation of events for threat hunting
Example:
If you’re monitoring 50 servers, you can forward their Security logs to one place
and detect coordinated attacks.
EVENT VIEWER
1. How to Open Event Viewer
There are multiple ways to open Event Viewer on Windows:
• Press Win + R, type eventvwr.msc, and hit Enter.
• Go to Start → type “Event Viewer” in the search box → open it.
• Open Control Panel → Administrative Tools (called Windows Tools on Windows 11) → Event Viewer.
Once open, you’ll see the left panel with key log sections:
• Windows Logs → Application, Security, System, Setup
• Forwarded Events (if set up)
2. How to Filter & Search Logs
When you’re inside a log (e.g., Security log):
• Filter Current Log:
o Right-click on the log (e.g., Security) → Filter Current Log.
o You can filter by event level (Critical, Error, Warning, Information), a list of Event IDs to include or exclude, a time range, or Keywords (for the Security log, Audit Success and Audit Failure).
o Example: To only see failed logins, filter for Event ID 4625.
• Find (Search):
o On the right-side Actions panel, click Find.
o Type a keyword (like a username or IP address) and it will highlight
matching entries.
• Custom Views:
o You can create a Custom View to save filtered settings you use
often (like only showing failed logins from the last 24 hours).
3. What is an Event ID?
• An Event ID is a unique number that identifies a specific type of event in
Windows logs.
• Think of it as a code that tells you what happened.
Here are a few important examples for SOC analysts:
Event ID      Meaning                                     Why it's important
4624          Successful logon                            Shows who logged in successfully; watch for unusual accounts, times or logon types.
4625          Failed logon                                Alerts you to failed logon attempts; useful for detecting brute-force attacks.
4634          Logoff                                      See when sessions end.
4720          User account created                        Spot unauthorized or suspicious account creations.
4726          User account deleted                        Detect unexpected deletions.
4670          Permissions on an object were changed       Watch for unauthorized permission changes.
4768 / 4769   Kerberos ticket events (Active Directory)   Monitor domain authentication activity (4768: ticket-granting ticket requested, 4769: service ticket requested).
You can filter by Event ID in Event Viewer to narrow down and investigate
faster.
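The brute-force detection described in the Security log section and in the Event ID table above, as an added example that is not part of the original notes: a sliding-window detector that runs over Security-log records, alerting on many 4625 failures from one source (brute force), on many distinct accounts failing from one source (password spraying), and on a 4624 success from a source that just tripped an alert. The records are constructed; the field names TargetUserName, IpAddress and LogonType are the EventData fields Event Viewer shows for these events, and the thresholds (10 failures or 5 accounts in 5 minutes) are assumptions to tune per environment.

```python
"""Brute-force and password-spray detection over Security-log records, using
the Event IDs from the table (4625 = failed logon, 4624 = successful logon).
The records below are constructed, not exported from a real host."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, user, ip, logon_type=3):
    """Build one record in the shape the detector expects (constructed data)."""
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": event_id,
            "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}


SAMPLE_EVENTS = [
    ev("2024-05-01T09:00:00", 4624, "alice", "10.0.0.21"),
    # 12 failed logons for one account from one source inside one minute
    *[ev(f"2024-05-01T09:01:{s:02d}", 4625, "administrator", "10.0.0.77")
      for s in range(0, 60, 5)],
    # followed by a success from the same source: likely a guessed password
    ev("2024-05-01T09:02:10", 4624, "administrator", "10.0.0.77"),
    # one source, six different accounts, one failure each: password spraying
    *[ev(f"2024-05-01T10:00:{s:02d}", 4625, user, "10.0.0.88")
      for s, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])],
    # a single mistyped password: must not alert
    ev("2024-05-01T11:00:00", 4625, "alice", "10.0.0.21"),
]


def detect_logon_abuse(events, window=timedelta(minutes=5),
                       threshold=10, spray_users=5):
    """Sliding-window detector keyed on source IP (thresholds are assumptions).
    brute_force:            >= threshold 4625s from one IP within `window`
    password_spray:         >= spray_users distinct accounts failing from one IP
    success_after_failures: a 4624 from an IP within `window` of its alert
    Each IP alerts once per burst: no re-alert until the window has passed."""
    failures = defaultdict(list)   # ip -> [(time, user), ...] inside the window
    alerted = {}                   # ip -> time of its last alert
    alerts = []
    for e in sorted(events, key=lambda rec: rec["TimeCreated"]):
        ip, t = e["IpAddress"], e["TimeCreated"]
        if e["EventID"] == 4625:
            # keep only failures still inside the window, then add this one
            bucket = [(bt, bu) for bt, bu in failures[ip] if t - bt <= window]
            bucket.append((t, e["TargetUserName"]))
            failures[ip] = bucket
            users = sorted({u for _, u in bucket})
            kind = None
            if len(bucket) >= threshold:
                kind = "brute_force"
            elif len(users) >= spray_users:
                kind = "password_spray"
            recently_alerted = ip in alerted and t - alerted[ip] <= window
            if kind and not recently_alerted:
                alerted[ip] = t
                alerts.append({"type": kind, "ip": ip, "time": t,
                               "count": len(bucket), "users": users})
        elif e["EventID"] == 4624:
            # a success right after a burst is the event that matters most
            if ip in alerted and t - alerted[ip] <= window:
                alerts.append({"type": "success_after_failures", "ip": ip,
                               "time": t, "user": e["TargetUserName"],
                               "logon_type": e["LogonType"]})
    return alerts


if __name__ == "__main__":
    for a in detect_logon_abuse(SAMPLE_EVENTS):
        print(a["time"].isoformat(), a["type"], a["ip"],
              a.get("user") or ",".join(a.get("users", [])))
```

To run this on real data, export the events first, for example with wevtutil qe Security /q:"*[System[EventID=4625 or EventID=4624]]" /f:xml, and map each event's EventData fields into the record shape used here. Keying on IpAddress rather than TargetUserName is what makes the spray case visible: per account there is only ever one failure, so an account-based threshold would never fire.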
~Siddhesh Jaiswal