Bypassing Windows11 OS Hardening & end-point protection apps

BY KARTIK LALAN & ARAVIND C. AJAYAN

Abstract

Desktop applications are increasingly deployed as kiosk / unattended systems in public across segments such as aviation, healthcare, public infrastructure, logistics, finance, education, hospitality and many more, which widens their information and network security exposure. With work also becoming more flexible and moving to the home due to Covid-19, enterprises carry greater responsibility for running their systems safely using multiple endpoint protection tools such as DLP/EDR/KIOSK/PAM. This training course targets areas where systems are secured by hardening with Windows or third-party tools, shows how that hardening can be evaded to gain unrestricted system access, and then covers elevating privilege within the Windows system once access is obtained. Learning these techniques helps in pentesting and in designing tools securely for use in commercial products or enterprise systems.

Training Outline

Day 1

  • Setting up OS hardening with custom scripts, which demonstrate what changes are made so that participants can visualize their scope.
  • Learning core concepts like registry/filesystem permissions, user roles & privileges, process inheritance, cross ownership, etc., and getting familiar with the commands used during the entire session.
  • Win11 KIOSK bypass techniques to access restricted Windows components like Credential Manager, certificate store, registry, filesystem, etc.
  • Group Policy and registry restriction bypass
  • Various techniques to access Command Prompt / PowerShell when blocked by the system administrator in Win11
  • Win11 UWF (Unified Write Filter) bypass technique
  • Accessing restricted Control Panel components in Win11
  • Kiosk app bypass via unquoted service paths & exploiting a missing least-privilege principle
  • Creating a shell/Explorer replacement by yourself and designing a KIOSK to understand the nature of Winlogon while hardening.
  • bcdedit and insecure boot to evade DLP/EPM software/KIOSK
  • A few techniques by which DLP can be bypassed as a non-admin standard user or as an admin user
  • Gaining command execution via compiling binaries, using other-platform binaries, the extension precedence rule, shortcuts, Task Scheduler, ActiveXObject, etc.
  • Creating reverse shell executables and managing remote connections for persistence.

Day 2

  • AppLocker restriction rules and various bypass techniques
  • Writing rules to allow-list apps by directory, path and signature, and bypassing all three rule types.
  • Using ReactOS to evade signature-based app restriction
  • Understanding UAC & identifying various bypass techniques
  • Understanding Controlled Folder Access and its misconfigurations
  • Gaining admin access by exploiting various EPM apps
  • Working with deploying multiple 3rd-party KIOSK/hardening endpoint protection apps, and exploiting multiple vulnerabilities that went through coordinated vulnerability disclosure (CVD). For 2-tier apps, memory analysis techniques such as retrieving the connection string and thereby using it for privilege escalation.
  • After bypassing OS hardening, various privilege escalation techniques like extension precedence, misconfigured service parameters, DLL preloading, unquoted service paths, cmdkey, scheduled tasks, registry hive dump, AlwaysInstallElevated, startup entries, etc.
  • CTF to practice & summarize all items learnt.

Who should take this training: Pentesters, security architects or developers who want security by design in their products, Windows administrators, and security professionals from IT security.

Who would not be a good fit for this training: People focusing on any OS other than Windows; people looking for network assessments, core anti-virus evasion, fuzzing, kernel exploitation or forensics.

Audience level: Intermediate

Student Requirements:
  • Basic knowledge of how the Windows OS works
  • Basic knowledge of how to use VirtualBox
  • Although a few scripts are used during the session, it is completely fine if you do not have scripting/programming expertise.
  • Windows 11 Enterprise 64-bit Evaluation VirtualBox VM (if you do not have a license, use https://www.microsoft.com/en-in/evalcenter/evaluate-windows-11-enterprise )
  • A list of other tools will be shared with participants

Trainers' Personal Information:

Speaker Name: Kartik Lalan

Speaker Profile: Product Security Engineer @ Security Centre of Excellence, Philips Innovation Campus. He holds an M.Tech. in CS with a specialization in Information & Network Security. He conducts frequent talks and workshops on InfoSec topics at several venues including C0C0N, BSides Delhi & Bangalore Chapter, OWASP, Null A'bad & Bangalore Chapter, and DroidCon-IN. Kartik loves to write technical blogs in his leisure time.

Speaker Name: Aravind C Ajayan

Speaker Profile: Sr. Security Engineer with Philips and part of the Security Centre of Excellence team. Aravind's primary areas of expertise are web/thick client application penetration testing, hardened system security, network security, and Windows Active Directory security. He has helped to fix severe issues in IMS (Internet Management Software) solutions through responsible disclosures. Aravind pursued his master's in Cyber Security Systems and Networks at Amrita Vishwa Vidyapeetham, Coimbatore. He is an Offensive Security Certified Professional (OSCP) and has published several research papers on security in IEEE and Springer.

©2024 BSides GOA All rights reserved