Windows Security Auditing (W37) - Pentestmag

You will learn how to protect your Microsoft Windows servers, workstations and AD environment in order to achieve confidentiality and integrity and to ensure the availability of your data.

This course is self-paced and pre-recorded

18 CPE Credits

You will learn:

  • How to reduce the Windows attack surface by enhancing security around Windows binaries
  • How to effectively monitor and log Windows security events
  • Tools to effectively audit and continuously secure your Windows estate
  • How to prevent common Windows exploitation methods: bypassing access restrictions, privilege escalation, lateral movement and password disclosure
  • How to create a custom Windows secure baseline

You will need:

A Windows installation (preferably a Windows 7 or Windows 10 workstation and Windows Server 2012 R2). Windows 10 users can follow the material comfortably; only a few demonstrations differ, for example some Mimikatz credential-theft attacks, because cleartext WDigest caching is disabled by default since Windows 8.1/Server 2012 R2 (and KB2871997 on older versions). Windows 10 does not mitigate Mimikatz as a whole: the stronger protections (LSA Protection, Credential Guard) are opt-in and must be enabled deliberately.

What you should know before you join:

  • Windows usage and basic knowledge of Windows administration tools

  • Basic PowerShell familiarity

  • Windows local policies and user rights assignment

MODULE 1:  Windows system binaries hardening

In this module we learn about binaries and their role on the Windows platform: how malicious actors use them to bypass security controls, how signed binaries assist attackers, and how blue teams can protect their estates better by understanding these attack vectors.

Module 1 brief:

Some of the interesting binaries that need to be monitored:

  • ClickOnce applications
  • dfsvc.exe (dfshim.dll)
  • InstallUtil.exe
  • MSBuild.exe
  • regsvr32.exe
  • rundll32.exe
  • bitsadmin.exe

Know how to disable/control binaries and reduce attack surface.

Attack scenarios using binaries to escalate privileges or bypass access restrictions:

  • AppLocker bypass using msiexec
  • AppLocker bypass using msxsl
  • UAC bypass using fodhelper
  • AppLocker bypass using CreateRestrictedToken
  • AppLocker bypass using Control Panel items
  • AppLocker bypass using BgInfo
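As an added example (not course material or vendor code), the PowerShell below checks what the effective AppLocker policy on the local host decides for the binaries listed above and, on request, merges a set of Deny path rules for them into the local policy. The binary paths in $Lolbins, the rule names and the choice of a path-based Deny rule scoped to Everyone are assumptions for illustration; the bypasses themselves are not reproduced here.

```powershell
# Added example (not course or vendor code): audit and restrict the signed
# binaries named in Module 1 with AppLocker. Assumptions: Windows 8/Server 2012
# or later, elevated session, AppLocker PowerShell module present, and the
# Application Identity service (AppIDSvc) running, or no rule is enforced.
# The paths in $Lolbins are the usual locations; adjust for other .NET builds.
$Lolbins = @(
    "$env:windir\System32\regsvr32.exe",
    "$env:windir\System32\rundll32.exe",
    "$env:windir\System32\bitsadmin.exe",
    "$env:windir\System32\msiexec.exe",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"   # ClickOnce host
)

function Test-LolbinPolicy {
    # Ask AppLocker what the effective policy (local + GPO) decides for each
    # binary when run by $User. Anything other than 'Denied' is a gap.
    param([string[]]$Path = $Lolbins, [string]$User = 'Everyone')
    $policy = Get-AppLockerPolicy -Effective
    Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function New-LolbinDenyPolicyXml {
    # Build an AppLocker policy with one Deny path rule per binary for Everyone
    # (S-1-1-0). Path rules are easy to write and to read; prefer publisher rules
    # if you expect the binary to be copied somewhere else before execution.
    param([string[]]$Path = $Lolbins)
    $lines = @('<AppLockerPolicy Version="1">',
               '  <RuleCollection Type="Exe" EnforcementMode="Enabled">')
    foreach ($p in $Path) {
        # AppLocker writes system paths with its own variables.
        $alPath = $p -replace [regex]::Escape("$env:windir\System32"), '%SYSTEM32%'
        $alPath = $alPath -replace [regex]::Escape($env:windir), '%WINDIR%'
        $name = [IO.Path]::GetFileName($p)
        $lines += ('    <FilePathRule Id="{0}" Name="Deny {1}" Description="LOLBin deny" ' +
                   'UserOrGroupSid="S-1-1-0" Action="Deny">') -f [guid]::NewGuid(), $name
        $lines += '      <Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $alPath
        $lines += '    </FilePathRule>'
    }
    $lines += '  </RuleCollection>', '</AppLockerPolicy>'
    $lines -join "`r`n"
}

function Install-LolbinDenyPolicy {
    # Merge the Deny rules into the local AppLocker policy; -Merge keeps existing
    # rules, and -Ldap would target a GPO instead. Re-run Test-LolbinPolicy after.
    param([string[]]$Path = $Lolbins)
    $file = Join-Path $env:TEMP 'lolbin-deny.xml'
    New-LolbinDenyPolicyXml -Path $Path | Set-Content -Path $file -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $file -Merge
}

# Usage: audit first; apply only once the exceptions (build servers, developer
# workstations that need MSBuild.exe) are known and scoped to their own SIDs.
Test-LolbinPolicy | Format-Table -AutoSize
# Install-LolbinDenyPolicy; Test-LolbinPolicy | Format-Table -AutoSize
```

A Deny rule in the Exe collection only covers direct execution of these files: the MSI, Script and DLL collections need their own rules, and a blanket deny on MSBuild.exe or InstallUtil.exe breaks developer builds, so scope the rule's SID to the groups that never need those tools rather than to Everyone.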

Module 1 exercises:

  • Use VBSMaster to get a Meterpreter shell using BgInfo
  • Name five ways to ensure that Windows binaries otherwise deemed trusted are not abused by attackers

MODULE 2:  Windows security auditing and logging

You will learn how to enable specific audit logs and how to determine which logs are important. We will also look at how event IDs correlate with common Windows attacks and how, through auditing, these attacks can be seen and stopped. Moreover, we will look at the tactics attackers now use to evade logging and how to beat them at their own game using Windows native tools.

Module 2 brief:

  • Which audit logs to enable and why
  • Defining and modifying audit policy settings for an event category
  • Auditing security events: logging PowerShell attacks and activity
  • Collecting and making sense of the logs using Splunk
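The brief above is a procedure: choose the audit subcategories, switch them on, make sure PowerShell activity is recorded, then query the result. As an added example (not course material or vendor code), the PowerShell below does exactly that on a single host and runs a simple hunt over the resulting events. The subcategory list, the 24-hour window and the regex patterns are illustrative choices; in an estate the registry and auditpol settings would be delivered through Group Policy rather than set locally.

```powershell
# Added example (not course or vendor code): switch on the audit sources Module 2
# depends on, then pull back the events they generate. Assumptions: elevated
# session, settings applied locally (a GPO is the usual enterprise route), and
# the subcategory list, time window and regex patterns are illustrative choices.

function Enable-CoreAudit {
    # 1. Advanced audit policy subcategories, set with the native auditpol tool:
    #    4688 (Process Creation), 4624/4625 (Logon), 4672 (Special Logon),
    #    4728/4732/4756 (group changes), 4720/4726 (account changes), 4719 (policy change).
    $subcats = 'Process Creation', 'Logon', 'Special Logon',
               'Security Group Management', 'User Account Management',
               'Audit Policy Change'
    foreach ($s in $subcats) {
        auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
    # 2. Include the full command line in 4688 (off by default, essential for
    #    spotting the binaries from Module 1 being used).
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    # 3. PowerShell script block logging (event 4104 in
    #    Microsoft-Windows-PowerShell/Operational) and module logging for every module.
    $psl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$psl\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$psl\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$psl\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$psl\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$psl\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    # 4. Confirm one subcategory took effect.
    auditpol.exe /get /subcategory:"Process Creation"
}

function Find-SuspiciousActivity {
    # Read 4688 and 4104 from the last $Hours, flag command lines and script blocks
    # matching download-and-run-in-memory patterns, and always surface 1102
    # (audit log cleared), the crudest log-evasion move.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $rx = @('-enc(odedcommand)?\b', '\bIEX\b', 'Invoke-Expression', 'DownloadString',
            'FromBase64String', 'bitsadmin\s+/transfer', 'regsvr32.*/i:https?:',
            'rundll32.*javascript:', 'mshta', 'sekurlsa') -join '|'
    $events = @()
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 1102; StartTime = $since } -ErrorAction SilentlyContinue
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        if ($e.Id -eq 1102) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = 1102
                               User = $x.Event.UserData.LogFileCleared.SubjectUserName
                               Matched = 'Security log cleared'; Text = '' }
            continue
        }
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $text = if ($e.Id -eq 4688) { $data['CommandLine'] } else { $data['ScriptBlockText'] }
        $user = if ($e.Id -eq 4688) { $data['SubjectUserName'] } else { $e.UserId }
        if ($text -and $text -match $rx) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; User = $user
                               Matched = $Matches[0]
                               Text = $text.Substring(0, [Math]::Min(200, $text.Length)) }
        }
    }
}

# Usage: run Enable-CoreAudit once, then run the hunt on a schedule, or forward
# the same two logs to Splunk and express the regex as a search there.
# Enable-CoreAudit
Find-SuspiciousActivity -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Script block logging records the de-obfuscated block that actually ran, so the regex matches even when the command line only carried a Base64 blob; the 1102 check matters because an attacker who clears the Security log leaves that single event behind.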

Why Audit? Why log?

Logs are critical in:

  • Establishing baselines for various metrics (throughput, uptime)
  • Identifying operational trends (when is the system most and least stressed?)
  • Audit and forensic analysis

Module 2 exercises: 

Identify critical logs and identify specific events as mentioned in the module.

MODULE 3: Hardening Windows Active Directory

You shall learn how attackers use the settings on AD to exploit and move laterally within the organization and how to prevent this.

Module 3 brief:

We shall look at some key AD user properties and AD computer properties, which include:

  • LastLogonDate
  • PasswordNotRequired
  • PasswordNeverExpires
  • adminCount
  • sIDHistory
  • servicePrincipalName
  • TrustedForDelegation
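As an added example (not course material or vendor code), the PowerShell below reads those properties with the RSAT ActiveDirectory module and turns them into a findings list that can be re-run after remediation. The 90-day staleness threshold, the exclusion of krbtgt from the SPN check and the exclusion of domain controllers from the delegation check are assumptions made for this example.

```powershell
# Added example (not course or vendor code): report the AD user and computer
# properties from the Module 3 brief as findings. Assumptions: the RSAT
# ActiveDirectory module is installed, the session has domain read access, and
# the 90-day staleness threshold is an arbitrary choice.
Import-Module ActiveDirectory

function Get-ADRiskyAccounts {
    param([int]$StaleDays = 90)
    $props = 'LastLogonDate', 'PasswordNotRequired', 'PasswordNeverExpires',
             'adminCount', 'SIDHistory', 'ServicePrincipalName',
             'TrustedForDelegation', 'Enabled'
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $findings = @(foreach ($u in Get-ADUser -Filter * -Properties $props) {
        $why = @()
        if ($u.PasswordNotRequired)  { $why += 'PasswordNotRequired (UAC flag allows an empty password)' }
        if ($u.PasswordNeverExpires) { $why += 'PasswordNeverExpires' }
        if ($u.adminCount -eq 1)     { $why += 'adminCount=1 (is or was in a protected group; AdminSDHolder)' }
        if ($u.SIDHistory.Count -gt 0) { $why += 'SIDHistory populated (check for injected SIDs)' }
        if ($u.ServicePrincipalName.Count -gt 0 -and $u.SamAccountName -ne 'krbtgt') {
            $why += 'SPN on a user account (Kerberoastable)'
        }
        if ($u.TrustedForDelegation) { $why += 'TrustedForDelegation (unconstrained delegation)' }
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
            $why += "stale: no logon since $($u.LastLogonDate.ToShortDateString())"
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Type = 'User'; Name = $u.SamAccountName; Enabled = $u.Enabled; Findings = ($why -join '; ') }
        }
    })
    # Computers with unconstrained delegation that are not domain controllers
    # (PrimaryGroupID 516) are the classic place to harvest TGTs from.
    $findings += @(foreach ($c in Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, PrimaryGroupID) {
        if ($c.PrimaryGroupID -ne 516) {
            [pscustomobject]@{ Type = 'Computer'; Name = $c.Name; Enabled = $c.Enabled; Findings = 'TrustedForDelegation on a non-DC' }
        }
    })
    $findings
}

# Usage: review the output, remediate (clear the flag, rotate the password, move
# to constrained or resource-based delegation) and re-run to prove the fix.
Get-ADRiskyAccounts -StaleDays 90 | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

Accounts that never logged on have no LastLogonDate and are deliberately not flagged as stale here; treat them as a separate finding (unused accounts) if your baseline requires it.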

A look at common AD attacks, their mitigation and detection:

  • Privilege escalation
  • Mimikatz attacks
  • Common PowerShell discovery (service discovery without port scans) and attacks

Module 3 exercises:

Try to exploit the AD you have set up to show some of the common attacks explained.

MODULE 4:  Tools to perform windows audit

You shall learn some open source and free tools to assist in performing Windows security auditing efficiently and enhancing continuous assessment.

Module 4 brief:

  • Windows security audit with PowerShell

  • Windows security audit with a custom script

  • Windows security audit with a commercial tool (Nessus)

  • Developing a secure Windows baseline

So you have identified the events, event IDs and controls you need to monitor and are forwarding the events to your central logger. In an enterprise with hundreds or thousands of Windows nodes, security auditing should not slow down the commissioning of systems, so the audit or information security team needs tools that do this in a standardized and efficient manner.

In this course the focus is on non-commercial tools in three categories: a custom .bat Windows tool, a custom PowerShell tool, and the community edition of a commercial tool, which does the job efficiently and effectively and without restrictions.

We shall also look at how to create a custom baseline for Windows platforms using native Windows tools (as shown below) and how to customize standards; this naturally depends on an organization's desired level of security, pain points and rationale.
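As an added example (not course material or vendor code) of a custom PowerShell audit tool built on a native utility, the script below exports the local security policy with secedit, parses the INF it writes and reports every setting that deviates from a baseline. The $Baseline values are an illustrative assumption, not a published standard, and must be replaced with the values your own organization has decided on.

```powershell
# Added example (not course or vendor code): export the local security policy
# with the native secedit tool, parse the INF and compare it with an organisation
# baseline. Assumptions: elevated session; the $Baseline values are illustrative
# and must be replaced by the values your own standard requires.

function Export-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'current-secpol.inf'))
    # Only the areas the baseline covers; secedit writes UTF-16 with a BOM.
    secedit.exe /export /cfg $Path /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
    $Path
}

function ConvertFrom-SecurityInf {
    # Turn secedit's INF ([Section] headers, "Key = Value" lines) into a hashtable
    # of hashtables. Values stay as strings; privilege holders stay comma-separated.
    param([Parameter(Mandatory)][string]$Path)
    $inf = @{}; $section = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $inf[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $inf[$section][$Matches[1]] = $Matches[2] }
    }
    $inf
}

# Illustrative baseline (an assumption, not a published standard). Numbers are
# compared numerically; privilege rights as the set of allowed holders.
$Baseline = @{
    'System Access' = @{
        MinimumPasswordLength = @{ Op = 'min';   Value = 14 }
        PasswordComplexity    = @{ Op = 'eq';    Value = 1 }
        LockoutBadCount       = @{ Op = 'range'; Min = 1; Max = 10 }   # 0 = never lock out
        MaximumPasswordAge    = @{ Op = 'max';   Value = 90 }          # -1 = never expires
        EnableGuestAccount    = @{ Op = 'eq';    Value = 0 }
    }
    'Privilege Rights' = @{
        SeDebugPrivilege = @{ Op = 'subset'; Value = '*S-1-5-32-544' }   # Administrators only
        SeTcbPrivilege   = @{ Op = 'subset'; Value = @() }               # nobody
    }
}

function Compare-ToBaseline {
    param([Parameter(Mandatory)][hashtable]$Current, [hashtable]$Expected = $Baseline)
    foreach ($section in $Expected.Keys) {
        foreach ($key in $Expected[$section].Keys) {
            $rule = $Expected[$section][$key]
            $actual = if ($Current.ContainsKey($section)) { $Current[$section][$key] } else { $null }
            $n = 0; [void][int]::TryParse("$actual", [ref]$n)
            $ok = switch ($rule.Op) {
                'eq'     { $n -eq $rule.Value }
                'min'    { $n -ge $rule.Value }
                'max'    { $n -ge 0 -and $n -le $rule.Value }   # -1 (never) is a failure
                'range'  { $n -ge $rule.Min -and $n -le $rule.Max }
                'subset' {
                    # An absent key means nobody holds the right, which is compliant.
                    $holders = if ($actual) { $actual -split ',' | ForEach-Object { $_.Trim() } } else { @() }
                    @($holders | Where-Object { $_ -notin @($rule.Value) }).Count -eq 0
                }
            }
            $exp = if ($rule.Op -eq 'range') { "range $($rule.Min)..$($rule.Max)" } else { "$($rule.Op) $(@($rule.Value) -join ',')" }
            [pscustomobject]@{ Section = $section; Setting = $key; Actual = $actual; Expected = $exp; Compliant = [bool]$ok }
        }
    }
}

# Usage: list only the deviations. secedit /configure with an INF in the same
# format is the native way to push the corrected values back to the host.
$inf = ConvertFrom-SecurityInf -Path (Export-LocalSecurityPolicy)
Compare-ToBaseline -Current $inf | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Keeping the baseline as data rather than code is what makes this reusable across the estate: the same script runs on every node, and the organization's standard changes in one hashtable.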

Module 4 exercises: 

Use any of the tools taught to harden a Windows installation and scan with any tool mentioned to identify gaps.

Your Instructor: Alfie Njeru

Alfie is a seasoned information security professional with vast experience in penetration testing, vulnerability assessments and infrastructure hardening. He has been recognized by various organisations (Dell, Envato, ABN AMRO Bank, Bosch, etc.) for helping them identify and remediate security issues. He regularly contributes to the open source community and has created a simple tool to audit Linux OS installations (nix auditor). He is a certified ISO 27001 Lead Auditor, CPTE, GRCP, CISA, CISSO, etc. He also writes for the-infosec, Cybrary and Peerlyst.

Questions? Reach out to us at [email protected]


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023