Windows Internals interview questions
The registry, processes, Active Directory, tokens and Windows-centric attack and defence.
A threat runs only in memory with no file on disk. How do you analyze it?
Fileless malware lives in process memory (injection, reflective loading, LOLBins), so acquire and analyze a memory image to find the injected code, suspicious modules, and process relationships. A disk AV scan and a clean disk tell you nothing about an in-memory implant. The recycle bin is irrelevant. Memory forensics is the right tool when there's no file to triage, and you should capture before the host is rebooted.
EDR flags a process reading LSASS memory. Why does it matter and what do you do?
LSASS stores cached credentials and secrets, so an unexpected process reading its memory is a hallmark of credential theft (e.g., mimikatz-style dumping). Triage the offending process and parent, isolate the host to stop lateral movement, and rotate the credentials that could have been captured — including privileged and service accounts. It has nothing to do with graphics rendering or disk space, and ignoring it as normal can lead to domain-wide compromise. The benign-sounding distractors are exactly how analysts miss an active intrusion.
A user opened an Office document and enabled macros; EDR then shows a child process spawned by Word. What's your first action?
Word spawning a child process right after macros were enabled is a classic malicious-document initial-access pattern. Isolate the host to limit spread, capture volatile evidence, and investigate the spawned process, its network activity, and any persistence. Asking the user to close the file or repairing Office doesn't address an executing payload that may already have run. Doing nothing because the file came by email is backwards — email is exactly how this attack is delivered. Contain first, then investigate.
On Windows, an alert shows a new scheduled task launching PowerShell from %TEMP%. What is this likely to be and your move?
Legitimate software rarely runs PowerShell out of %TEMP% via a freshly created scheduled task — it's a common persistence and execution technique. Examine the task definition, the invoked script, the creating process and the timeline, contain the host, and sweep the environment for the same pattern. Updates don't look like this, blanket-trusting scheduled tasks ignores a known TTP, and deleting System32 breaks the OS while doing nothing about the threat. The first three options all reflect dangerously weak judgment.
What is the difference between EDR and traditional signature-based antivirus?
Traditional antivirus matches files against signatures of known malware and blocks or quarantines them — great for known threats, weak against novel or fileless attacks. EDR continuously records endpoint behavior (processes, network, registry, memory), uses behavioral analytics to detect suspicious activity, and lets responders investigate, hunt, and remotely contain or roll back. AV is prevention by signature; EDR adds visibility, detection, and response.
Name the common ways malware persists on a Windows host across reboots, and how you would hunt for them.
Persistence is how malware survives reboots and logoffs. The staples on Windows are registry Run/RunOnce keys (HKLM and HKCU), scheduled tasks, and Windows services, plus startup folders, WMI event subscriptions, and DLL hijacks. You hunt them with autoruns/Sysinternals, Sysmon, and event logs — looking for unsigned binaries, odd paths like %AppData%, and entries created right after initial compromise.
Explain the order of volatility and why it drives the sequence of evidence collection in DFIR.
Order of volatility ranks evidence by how fast it vanishes, so you collect the most fragile first. Roughly: CPU registers/cache, then RAM and running state (processes, network connections, ARP), then temporary/swap files, then disk, then remote logging and monitoring data, and finally archival media and backups. You also work on forensic copies, hash them, and keep a chain of custody so evidence stays admissible.
Where are user password hashes stored on Windows and on Linux, and why do attackers target those files?
On Windows, local account hashes (NTLM) live in the SAM hive under C:\Windows\System32\config\SAM, protected while the OS runs; live credentials sit in LSASS memory, and domain hashes are in NTDS.dit on a domain controller. On Linux, hashes are in /etc/shadow (readable only by root), while /etc/passwd holds account metadata. Attackers steal these to crack passwords offline or pass-the-hash.
Explain process injection, give a couple of techniques, and say how a blue team detects it.
Process injection runs attacker code inside the memory space of a legitimate process so the activity blends in and inherits that process's trust. Classic techniques include DLL injection (CreateRemoteThread + LoadLibrary), process hollowing (start a benign process suspended, unmap it, write malicious code), and APC injection. Defenders detect it via EDR API hooks, anomalous parent/child or memory regions (RWX, unbacked executable memory), and Sysmon CreateRemoteThread events.
Which Windows event IDs and logs would you pull first during an intrusion investigation?
The Security log is primary: 4624 successful logon (with logon type), 4625 failed logon, 4634/4647 logoff, 4672 special privileges assigned, 4720 account created, 4688 process creation (with command line if enabled), and 4768/4769 Kerberos. Add 7045 service install (System log), 4698 scheduled task created, and PowerShell script-block logging (4104). Logon type and command-line auditing are what make these logs useful.
Explain how Kerberos authentication works with TGTs and service tickets.
Kerberos relies on a trusted Key Distribution Center (KDC). The client authenticates once to the Authentication Server and gets a Ticket-Granting Ticket (TGT) encrypted with the KDC's key. To reach a service, it presents the TGT to the Ticket-Granting Service and receives a service ticket encrypted with that service's key. The service decrypts and trusts it. Passwords never traverse the network, and tickets are time-limited.
When do you reach for Ghidra or IDA versus a debugger like x64dbg, and how do they complement each other?
A disassembler like Ghidra or IDA gives you the full static map: cross-references, decompiled pseudocode, and every code path whether or not it runs. A debugger like x64dbg lets you execute the sample under control — set breakpoints, inspect registers and memory, watch decryption happen, and follow the path the code actually takes with real inputs. You read structure and intent statically, then attach the debugger to resolve what static analysis cannot: runtime-decrypted strings, dynamically resolved APIs, packed payloads, and which branch a condition takes. The two together close each other's gaps.
What are packers and obfuscation, and how do you detect them in a binary?
Packing compresses or encrypts the real payload and prepends a stub that unpacks it into memory at runtime; obfuscation transforms the code or data to resist reading and signatures. You detect packing from high section entropy near 8.0, a tiny or stub-only import table, unusual or writable-executable section names like UPX0, an entry point that sits outside .text, a large virtual size versus small raw size, and detectors like Detect It Easy or PEiD. None of these is conclusive alone, so analysts weigh several signals together and confirm by observing the unpack at runtime.
Walk me through the Windows PE file format and what parts you inspect when triaging a sample.
A PE file starts with the DOS header and its e_lfanew pointer to the PE/NT headers, which hold the File Header and Optional Header (entry point, image base, subsystem). It is divided into sections — .text for code, .data, .rdata, .rsrc for resources — each with a virtual address and raw size. During triage you read the import table for suspicious APIs, the section table for odd names and high entropy that hint at packing, the timestamp and rich header, embedded resources, and any digital signature. Mismatches between these tell you a lot before you ever run the file.
Explain common process injection techniques and the API and behavioral signatures that reveal them.
Process injection runs malicious code inside another process to hide and to inherit trust. Classic remote injection allocates memory in a target with VirtualAllocEx, writes a payload via WriteProcessMemory, and runs it with CreateRemoteThread. Variants include DLL injection via LoadLibrary, process hollowing that unmaps a suspended legitimate process and replaces its image, APC injection that queues code to a thread, and reflective or manual-mapped loading that avoids LoadLibrary entirely. You spot them by the telltale API sequences, RWX memory in a normally-clean process, threads with no backing file on disk, and parent-child anomalies.
Describe how you unpack a packed sample to reach the original code.
Unpacking recovers the original code the packer hid. For known packers you use the matching unpacker or an emulator. For custom packers you unpack manually: run the sample in a debugger, let the stub decompress the payload into memory, find the moment it jumps to the original entry point (often by breaking on memory that becomes executable, or on the tail jump), then dump the process image from memory and rebuild the import address table with a tool like Scylla or PE-sieve. The result is a runnable or analyzable PE containing the real payload.
What do you check when you find SMB and SNMP open on a host?
For SMB, enumerate shares, check for anonymous/null-session access, list users, and identify the version for known CVEs. For SNMP, try default community strings like 'public' and walk the MIB to extract usernames, running processes, installed software, and network details.
How do you approach privilege escalation on a Windows target?
Enumerate current privileges (whoami /priv), misconfigured services (weak permissions, unquoted service paths), AlwaysInstallElevated, scheduled tasks, stored credentials, and missing patches. WinPEAS or PowerUp automates the sweep; token-privilege abuses like SeImpersonate are common high-value wins.
Walk me through Kerberoasting — how it works, why it's possible, and how defenders stop it.
Any authenticated domain user can request a Kerberos service ticket (TGS) for any account with an SPN. That ticket is encrypted with the service account's NTLM password hash, so you extract it and crack the password offline — no privileged access needed to start, and it's near-silent.
You've compromised a host on a segmented network. Explain how you pivot to reach systems you can't touch directly.
Pivoting turns a compromised host into a relay so you can reach internal segments your machine can't route to. You use port forwarding, a SOCKS proxy over your C2 channel (e.g. Chisel, SSH dynamic forwarding), or agent-based routing, then run tools through that tunnel to attack the next subnet.
You've landed a low-privileged shell on a Windows host. How do you escalate privileges?
Enumerate the account's privileges and the host's misconfigurations: token privileges like SeImpersonate, unquoted service paths, weak service permissions, AlwaysInstallElevated, and stored credentials. Then abuse the most reliable one — token impersonation (Potato attacks) is a common route to SYSTEM.
Both involve failed logins. How would you distinguish a brute-force attack from a password spray in your logs?
Brute force targets a single account with many password guesses, so you see many failures concentrated on one username. Password spray flips it: one or a few common passwords tried across many accounts, low and slow, so each account sees only a couple of failures. The detection signal is the ratio of accounts to failures and the timing, not raw failure counts.
Can you explain how EDR, XDR, and SIEM differ and where each one fits?
EDR is endpoint-focused: it records and responds to process, file, and network activity on hosts. XDR extends that correlation across multiple domains — endpoint, network, identity, email, cloud — as one vendor-integrated stack. SIEM is the broad log-aggregation layer that ingests data from anything, including non-security sources, for detection, search, and compliance.
An attacker has a foothold on one host. What signs of lateral movement would you hunt for?
Lateral movement is an attacker using a foothold to reach other systems. Signs include unexpected network logons (type 3) and RDP (type 10), access to admin shares like C$ and ADMIN$, remote-execution tools such as PsExec, WMI, and WinRM, pass-the-hash patterns, and a normally local account suddenly authenticating to many hosts.
Walk me through what Windows event IDs 4624, 4625, and 4688 mean and how you would use them in an investigation.
4624 is a successful logon, 4625 is a failed logon, and 4688 is a process creation. In an investigation you use 4625 to spot credential attacks, 4624 (with its logon type and source) to confirm a successful access and how it happened, and 4688 to see what was actually executed, ideally with command-line auditing enabled.
Get 100 cybersecurity interview questions + answers
Drop your email and we'll send you the free PDF pack and the flashcard deck.
No spam. Unsubscribe anytime.