Blackbox Intelligence Group

Cybersecurity II · Module 3

Cybersecurity II, Unit 3: Linux and Windows Administration for Cybersecurity

From command-line literacy to administrator-grade fluency. Bash, PowerShell, services, scheduled tasks, logs, and the privilege boundary.

Length
300 min
Level
intermediate
Track
Cyber II
Cadence
Semester 2

Career paths


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Locked

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Locked

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Locked

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 3: Linux and Windows Administration for Cybersecurity

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 5 × 60 minutes |
| Recommended placement | Weeks 3–4 of Cyber II |
| Prerequisite | Cyber I Unit 3 |
| Materials | Kali, Ubuntu Server, Windows 10/11 + PowerShell 7 |

Safety: All commands run on lab VMs. Snapshot before destructive labs.

Learning objectives

By the end of this unit, students can:

  1. Use core Bash for file/directory operations, redirection, piping, and text processing.
  2. Write a 30-line Bash script that automates a baseline inventory.
  3. Use PowerShell for Windows admin: services, processes, event logs, ACLs.
  4. Read and filter Windows Event Viewer and Linux journalctl for security-relevant events.
  5. Manage cron jobs and Windows Scheduled Tasks; recognize each as a persistence vector.
  6. Articulate the privilege boundary on each OS and three common privilege escalation patterns at a conceptual level.

Vocabulary

  • Shell / pipeline - interactive program / chained commands using |.
  • stdin / stdout / stderr - input, output, error streams.
  • Cron / Anacron / systemd timer - Linux scheduling.
  • Scheduled Task / SCHTASKS - Windows scheduling.
  • Service / daemon - long-running background process.
  • ACL - Access Control List (Windows file/registry permissions).
  • SUID / sudoers - Linux privilege escalation surfaces.
  • UAC / token - Windows privilege model.

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Bash core + text processing | One-liner pipeline that summarizes a log |
| 2 | Bash scripting + cron | 30-line inventory script + cron job |
| 3 | PowerShell core | Get-* / Where-Object / Select-Object basics |
| 4 | Windows logs + scheduled tasks | Filter Event Viewer for 4625 (failed logon) |
| 5 | Privilege boundaries + escalation patterns | Written summary of three patterns each |

Day 1 - Bash text processing (live demo)

```bash
# Count failed SSH logins by source IP, sorted high-to-low.
# The IP is the token after "from"; its field number shifts when the line
# reads "for invalid user NAME from IP", so locate it by the keyword
# rather than by a fixed column.
sudo grep "Failed password" /var/log/auth.log \
  | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' \
  | sort | uniq -c | sort -rn | head

# Find files modified in the last 24 hours
find / -mtime -1 -type f 2>/dev/null | head -50

# Find all SUID binaries (privilege escalation surface)
find / -perm -4000 -type f 2>/dev/null

# Top 10 largest files (du -a would rank directories too; -xdev stays on one filesystem)
find / -xdev -type f -printf '%s\t%p\n' 2>/dev/null | sort -rn | head -10
```
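The one-liner above is the Day 1 deliverable; the version below, added here as an example and not part of the lesson pack, turns it into two reusable functions and shows why the field position cannot be hard-coded. sshd writes two shapes of "Failed password" line (with and without "invalid user"), and the source IP and target account sit in different columns in each, so the functions find them by the keyword that precedes them. The log lines, host name and function names are constructed for the example; against a real host the input is `sudo cat /var/log/auth.log`.

```shell
#!/usr/bin/env bash
# Added example: robust counting of failed SSH logins by IP and by target
# account. Input is sshd log text on stdin. Not code from the lesson pack.
export LC_ALL=C

# Constructed sample of /var/log/auth.log lines (RFC 5737 test addresses).
SAMPLE_AUTH_LOG='Jan 10 03:14:07 lab01 sshd[1187]: Failed password for invalid user admin from 203.0.113.5 port 51322 ssh2
Jan 10 03:14:09 lab01 sshd[1187]: Failed password for root from 203.0.113.5 port 51330 ssh2
Jan 10 03:15:01 lab01 sshd[1190]: Accepted password for student from 192.0.2.10 port 40210 ssh2
Jan 10 03:16:22 lab01 sshd[1193]: Failed password for student from 198.51.100.7 port 40300 ssh2
Jan 10 03:16:25 lab01 sshd[1193]: Failed password for invalid user oracle from 203.0.113.5 port 51402 ssh2
Jan 10 03:17:40 lab01 sshd[1195]: Failed password for root from 198.51.100.7 port 40388 ssh2'

# Count and rank: one "N value" line per distinct value, highest count
# first, ties broken by value so the order is deterministic.
rank() {
  sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Failed password attempts per source IP: the token after "from".
failed_ssh_by_ip() {
  grep 'Failed password' \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' \
    | rank
}

# Failed password attempts per targeted account: the token after "for",
# or after "for invalid user" when the account does not exist locally.
failed_ssh_by_user() {
  grep 'Failed password' \
    | awk '{
        for (i = 1; i < NF; i++)
          if ($i == "for") {
            if ($(i+1) == "invalid" && $(i+2) == "user") print $(i+3)
            else print $(i+1)
            break
          }
      }' \
    | rank
}

# Demo on the constructed sample; swap in the live log when on a lab VM.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_user
```

The "Accepted password" line is deliberately in the sample: the grep drops it, so the counts only reflect failures. Note that key-based authentication failures are logged with different wording and are not counted by this filter.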

Day 2 - Bash scripting

Students write baseline.sh:

```bash
#!/usr/bin/env bash
# baseline.sh: one-file inventory of the host, written as Markdown so
# reports from different days can be read and diffed side by side.
set -euo pipefail
out="baseline-$(hostname)-$(date +%F).md"
{
  echo "# Baseline for $(hostname) at $(date -Iseconds)"
  echo "## Users with login shells"
  grep -E "/(bash|zsh|sh)$" /etc/passwd || true   # grep exits 1 on no match; don't abort under set -e
  echo "## Listening ports"
  ss -tlnp 2>/dev/null
  echo "## Running services"
  systemctl list-units --type=service --state=running --no-pager
  echo "## Last 20 logins"
  last -n 20
} > "$out"
echo "Wrote $out"
```

Then schedule it with cron (`crontab -e`): `0 6 * * * /home/student/baseline.sh` (the script must be executable: `chmod +x baseline.sh`). Discuss: this is also exactly what an attacker would write to maintain persistence. Same tool, different intent.
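A single inventory is only a snapshot; the detection value of a nightly baseline comes from diffing today's report against yesterday's. The script below is an added example, not part of the lesson pack: it reads the `## ` section layout that baseline.sh produces and reports lines that appeared or disappeared in a chosen section. The two reports it compares are constructed inline (host name, users and listener are made up), and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: diff two baseline.sh reports section by section.
# Not code from the lesson pack.
export LC_ALL=C

# Print the body of one "## Heading" section of a report, blank lines dropped.
section() {                                   # section FILE "Heading text"
  awk -v h="## $2" '
    $0 == h  { on = 1; next }                 # the wanted heading starts capture
    /^## /   { on = 0 }                       # any other heading ends it
    on && NF { print }
  ' "$1"
}

# Lines that appeared (+) or vanished (-) in one section between two reports.
# grep -vxF keeps whole-line literal matches, so no sorting assumptions are
# needed beyond making the output stable.
baseline_diff() {                             # baseline_diff OLD NEW "Heading text"
  old=$(mktemp) new=$(mktemp)
  section "$1" "$3" | sort -u > "$old"
  section "$2" "$3" | sort -u > "$new"
  grep -vxF -f "$old" "$new" | sed 's/^/+ /'  # present in NEW only
  grep -vxF -f "$new" "$old" | sed 's/^/- /'  # present in OLD only
  rm -f "$old" "$new"
}

# Constructed day-1 and day-2 reports in baseline.sh's layout; demo_diff
# writes them to temp files and returns the diff of the two key sections.
demo_diff() {
  d1=$(mktemp) d2=$(mktemp)
  cat > "$d1" <<'EOF'
# Baseline for lab01 at 2024-01-01T06:00:00+00:00
## Users with login shells
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000::/home/student:/bin/bash
guest:x:1002:1002::/home/guest:/bin/sh
## Listening ports
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
EOF
  cat > "$d2" <<'EOF'
# Baseline for lab01 at 2024-01-02T06:00:00+00:00
## Users with login shells
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000::/home/student:/bin/bash
backup:x:1001:1001::/home/backup:/bin/sh
## Listening ports
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=913,fd=3))
EOF
  baseline_diff "$d1" "$d2" "Users with login shells"
  baseline_diff "$d1" "$d2" "Listening ports"
  rm -f "$d1" "$d2"
}

# On a lab VM: baseline_diff baseline-lab01-2024-01-01.md baseline-lab01-2024-01-02.md "Listening ports"
demo_diff
```

A new login-capable account and a new listener are exactly the changes a student should be able to explain the morning after; anything in the "+" lines that nobody remembers creating is the starting point for Day 5's discussion.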

Day 3 - PowerShell core

```powershell
# Services
Get-Service | Where-Object Status -eq 'Running' |
  Select-Object Name, DisplayName, StartType |
  Sort-Object Name

# Processes by CPU usage
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

# Local accounts and last logon
Get-LocalUser | Format-Table Name, Enabled, LastLogon, PasswordLastSet

# Files modified in the last 24 hours under C:\Users
Get-ChildItem C:\Users -Recurse -File -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
  Select-Object FullName, LastWriteTime |
  Sort-Object LastWriteTime -Descending |
  Select-Object -First 50
```

Day 4 - Windows event logs

Failed logons (Event ID 4625):

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 |
  Select-Object TimeCreated,
    @{N='User';E={$_.Properties[5].Value}},
    @{N='SourceIP';E={$_.Properties[19].Value}}
```

Successful logons (4624) answer "who's actually here?". Account lockouts (4740) are also in the Security log. Service install (7045, written to the System log by the Service Control Manager) is the classic persistence signal.

Schedule a task that runs the failed-logon report nightly:

```powershell
Register-ScheduledTask -TaskName "Daily-Logon-Report" `
  -Action (New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-File C:\Scripts\daily-logon-report.ps1") `
  -Trigger (New-ScheduledTaskTrigger -Daily -At 6am) `
  -RunLevel Highest
```

Day 5 - Privilege boundaries

Linux:

  • sudo group / /etc/sudoers lines.
  • SUID binaries (a poorly chosen one = root).
  • World-writable directories on the path.
  • Misconfigured cron with relative paths.
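The four Linux patterns above each have a cheap "what tells you it's there" check. The script below is an added example, not from the lesson pack: one audit function per pattern, each reading text on stdin or a PATH string so it can be rehearsed on the constructed samples here and then pointed at the real /etc/sudoers, the output of `find / -perm -4000`, the real `$PATH` and real crontabs. Function names, the sample sudoers, crontab and SUID lists are the example's own; the sudoers check only handles a single file, not /etc/sudoers.d.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for the Day 5 Linux privilege patterns.
# Not code from the lesson pack.
export LC_ALL=C

# 1. sudoers: active NOPASSWD grants (commented-out lines are skipped).
sudoers_nopasswd() {                 # stdin: sudoers text
  grep -v '^[[:space:]]*#' | grep 'NOPASSWD'
}

# 2. SUID binaries present now that a known-good baseline did not list.
#    Usage: find / -perm -4000 -type f 2>/dev/null | suid_not_in_baseline baseline.txt
suid_not_in_baseline() {             # stdin: paths found now; $1: baseline file, one path per line
  sort -u | grep -vxF -f "$1"
}

# 3. PATH entries that anyone can write to. Sticky or not, any user can
#    add a new file there, and a file named like a command shadows the
#    real one for every caller whose PATH lists this directory first.
world_writable_path_dirs() {         # $1: a PATH-style colon-separated list
  ( IFS=:; set -f                    # split on ':' only; no glob expansion
    for d in $1; do
      [ -d "$d" ] || continue        # skip missing entries
      if [ -n "$(find "$d" -maxdepth 0 -perm -o=w)" ]; then
        printf '%s\n' "$d"
      fi
    done )
}

# 4. crontab lines whose command is a relative path; cron's own PATH is
#    minimal, so the command resolves wherever PATH points at run time.
cron_relative_commands() {           # stdin: a user crontab
  awk '
    /^[[:space:]]*(#|$)/         { next }       # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/   { next }       # VAR=value settings
    { cmd = ($1 ~ /^@/) ? $2 : $6 }             # @reboot style vs 5-field schedule
    cmd != "" && cmd !~ /^\//    { print }
  '
}

# Constructed samples.
SAMPLE_SUDOERS='# User privilege specification
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# student ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync'

SAMPLE_SUID_NOW='/usr/bin/passwd
/usr/bin/sudo
/opt/tools/helper'

SAMPLE_CRONTAB='PATH=/usr/local/bin:/usr/bin:/bin
# nightly baseline, absolute path: fine
0 6 * * * /home/student/baseline.sh
*/5 * * * * backup.sh
@reboot cleanup.sh
30 2 * * 0 /usr/local/bin/rotate-logs'

printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_nopasswd
printf '%s\n' "$SAMPLE_CRONTAB" | cron_relative_commands
world_writable_path_dirs "$PATH"     # normally prints nothing on a healthy host
```

Each function prints only findings, so an empty result is the "clean" case. The matching fix for each finding is the third part of the student paragraph: remove or narrow the NOPASSWD grant, strip the SUID bit or justify it in the baseline, fix the directory mode, and make every cron command an absolute path.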

Windows:

  • Local admin token vs. user token.
  • Services running as SYSTEM with weak ACLs on the binary or directory.
  • Unquoted service paths.
  • AlwaysInstallElevated misconfig.

Students write 1 paragraph per pattern: what it is, what tells you it's there, what fixes it.

Common misconceptions

  • "PowerShell is only for sysadmins." - Modern Windows attackers live in PowerShell. Defenders who don't know it are flying blind.
  • "Cron is for backups." - Cron is also the most common Linux persistence mechanism. Audit it.

Assessment

  • Day 1 one-liner deliverable.
  • Day 2 working baseline.sh + cron entry.
  • Day 4 4625 query output (annotated).
  • Day 5 written privilege-pattern summary.

Career connection

Tier-2 SOC analysts and incident responders live in this content. Salary $75K–$110K.

Homework

Read the Microsoft "Detecting Persistence" docs. Bring two specific event IDs you didn't know about.

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.