Introduction to Windows Security

This course teaches IT professionals the most fundamental concepts on how to build secure Windows workstations and networks, perform rapid forensics investigations, and exploit the most common vulnerabilities affecting Windows systems.

The course materials for this training have been extensively reviewed, tested and documented. On several noted occasions attendees who thought of themselves as being savvy Windows users discovered during the course that their personal workstations were affected by critical vulnerabilities, and that backdoors had been installed on their systems which they had failed to detect!

Whilst this course is an introduction to Windows security, it’s proven to be an eye-opener for many IT professionals, and it has fast-tracked the progression of many of our students who wished to become better security researchers and engineers.

Theoretical knowledge makes up 50% of the class, and the other 50% consists of practical exercises.

Course Outcome:
By attending this class, you will learn:
  • Common ways adversaries have been attacking Windows systems since Windows 2000
  • The different types of malware that exist, and how to start writing your own
  • Where attacks leave traces on Windows computers
  • How to start analyzing a machine for signs of compromise
  • Top vulnerabilities in Windows enterprise networks
  • Which tools are best for investigating the Windows OS
  • How to use the latest security protections Microsoft has made available to defenders

Look no further if you are looking for a course to quickly learn the most important Windows security concepts. By the end of the course, you’ll be able to read threat reports, understand how attackers compromised organisations, and see how you can help your own organisation protect itself.

Intended Audience:
Students studying IT, professional IT engineers, system administrators, and developers.

Instructor(s):
This course is taught by experienced Mossé Security instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services across a multitude of industries, involving complex and multi-faceted engagements. Each instructor combines corporate experience with the skills needed to present to and teach groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching easily conveys their passion for computer security to every one of our students.

Outline

Module 1: Windows Architecture Overview
  • User-land
  • Kernel-land
  • Hypervisor
  • System Management Mode
  • Firmware layer
  • Overview of key Windows components you need to know

Module 2: Portable Executables
  • Types of executables on Windows
  • Portable Executable format
  • Differences between .exe, .dll, services, and drivers
  • Analysing Windows malware by exploring its PE structure and strings
  • Process integrity levels
  • Code signing

Module 3: Scripting Interfaces
  • PowerShell malware
  • “Not Powershell” malware
  • Jscript and VBScript malware
  • WMI malware
  • HTML Applications
  • LNK malware
  • Combining scripts and portable executables
  • Analysing Windows exploitation techniques that bypass all anti-virus products

Module 4: The Registry
  • Architecture of the Windows registry
  • Main registry hives
  • Investigating the registry for:
    • Recent actions performed by the user(s)
    • Auto-complete passwords
    • Software installed and left-over credentials
    • Geolocation information
    • File-less malware
    • Autoruns

Module 5: Privileges
  • Query Windows objects for permission levels
  • Identifying and exploiting permissions weaknesses
  • Identifying weaknesses in sandboxes

Module 6: Networking
  • Windows Management Instrumentation (WMI)
  • Windows Remote Management (WinRM)
  • PsExec
  • The Scheduler
  • NTLM authentication
  • Kerberos authentication
  • Server Message Block (SMB)
  • Stealing NTLM hashes with a link
  • Remote Procedure Call (RPC)
  • Remote Desktop Protocol (RDP)

Module 7: The File System
  • File Allocation Table (FAT)
  • New Technology File System (NTFS)
  • Alternate Data Streams (ADS)
  • How malware is hidden in an ADS

Module 8: Security Auditing
  • Windows event logs
  • Prefetch
  • ShimCache
  • System Monitor (Sysmon)
  • Process Monitor (Procmon)

Module 9: Microsoft Enterprise Network Architecture
  • Active Directory (AD) architecture
  • Domain controllers
  • Querying to find users, groups and machines
  • Group policy
  • SYSVOL folder
  • Windows Server Update Services (WSUS)

Module 10: Security Protections
  • Secure Boot
  • Protected processes
  • Secure Kernel Mode
  • Virtual Trust Levels
  • PatchGuard
  • Enterprise Data Protection
  • Data leakage prevention
  • Application whitelisting
  • Antivirus software
  • Host-based security monitoring

Enrol

Fees
  • Early bird: $1,800.00 AUD including GST.
  • Standard: $2,000.00 AUD including GST.

Enrolment
No open registration programmes scheduled. Contact us to run this learning programme onsite.
Terms and Conditions
  • Payment methods are either booking online via Eventbrite or contacting us for an invoice.
  • Payment is required at the time of booking.
  • Cancellations received 14 days or less prior to the course commencement date are not eligible for a refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed 1 reschedule per class. Transfers received between 15 and 28 days prior to course commencement will be charged a $300 (incl GST) administrative fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, no refund or reschedule will be given. Payment is forfeited.
  • Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.

Requirements

Software Requirement
Bring a laptop running a Windows or UNIX-based operating system with the OpenVPN or Tunnelblick client installed, so that you can connect to our training lab in the cloud.