For the SOC analyst

Key Windows directories

Key Windows directories every SOC analyst should know for threat detection, malware analysis, and incident response. Learn how system paths such as System32, AppData, and the Temp folders figure in threat detection, malware analysis, and forensic investigations.

Credential & Access Logs:

  • C:\Windows\System32\config\SAM – Stores local password hashes (target for credential dumping attacks).
  • C:\Windows\repair\SAM – Backup of user credentials (potential target for attackers).
  • C:\Windows\System32\config\SECURITY – Holds security policies & access control settings.

System & Event Logs:

  • C:\Windows\System32\winevt – Stores Windows Event Logs (crucial for SIEM correlation).
  • C:\Windows\System32\config\SYSTEM – Tracks system-wide changes and configurations.
  • C:\Windows\System32\config\SOFTWARE – Registry hive with details on installed software and changes.

Malware & Threat Hunting Indicators:

  • C:\Windows\Prefetch – Tracks recently executed programs (useful for forensic timelines).
  • C:\Windows\AppCompat\Programs\Amcache.hve – Logs details of executed applications, great for detecting lateral movement.
  • C:\Users\*\NTUSER.dat – Holds user-specific registry settings, often abused for persistence.

Persistence & Startup Investigations:

  • C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – User-specific persistence mechanisms.
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup – Global startup folder for all users (often misused by malware).
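Added example (not part of the original post): a small Python triage helper that inventories both Startup folders listed above under a given volume root, hashes every entry, records its modification time, and flags anything that is not a shortcut or folder-metadata file. The root path, the user name "alice" and the sample files it creates for the offline demo are constructed assumptions, not real artifacts.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The two Startup folders from the list, relative to the volume root.
# Root is assumed to be "C:\" on a live host or the mount point of an imaged volume.
STARTUP_GLOBS = [
    "Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
    "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/*",
]
# Shortcuts and folder metadata are the normal residents; anything else is flagged.
EXPECTED_EXT = {".lnk", ".ini", ".url"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_startup(root) -> list:
    """Inventory every file in both Startup folders under root: path, scope,
    SHA-256, UTC mtime (for timeline work) and a flag for non-shortcut payloads."""
    root = Path(root)
    findings = []
    for pattern in STARTUP_GLOBS:
        scope = "global" if pattern.startswith("ProgramData") else "user"
        for p in sorted(root.glob(pattern)):
            if not p.is_file():
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "scope": scope,
                "sha256": sha256_file(p),
                "modified_utc": mtime.isoformat(),
                "suspicious": p.suffix.lower() not in EXPECTED_EXT,
            })
    return findings


def demo_on_sample_tree() -> list:
    """Build a constructed sample volume in a temp dir and triage it (offline demo)."""
    root = Path(tempfile.mkdtemp())
    user_sf = root / "Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    global_sf = root / "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup"
    for d in (user_sf, global_sf):
        d.mkdir(parents=True)
    (user_sf / "desktop.ini").write_text("[.ShellClassInfo]\n")       # benign folder metadata
    (user_sf / "update.vbs").write_text("' constructed sample script\n")  # script dropped in Startup
    (global_sf / "helper.exe").write_bytes(b"")                          # constructed empty payload
    return triage_startup(root)
```

Run `triage_startup(r"C:\")` on a live host, or point it at the mount point of an acquired image, and feed the returned records into your timeline or SIEM.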