Saturday from 0900 to 1300
EventBrite Link: https://www.eventbrite.com/e/rohan-d...s-379313515937

The Windows Defence Evasion and Fortification Primitives workshop will walk candidates through adapting initial access, code execution, credential access and lateral movement TTPs against commonly encountered defences (such as Anti-Virus, Endpoint Detection Tooling and Windows Credential Guard). Candidates will be challenged to think critically and expand their classroom knowledge of vulnerabilities against limitations in defensive technologies on Windows 10, 11, Server 2016 and Server 2019 systems.

  • Connectivity and Setup Tests
  • Initial Endpoint Compromise and Code Execution
    • Discussing common defensive challenges
      • AV
      • Application control
      • Process relationship
      • Process flow using Attack Surface Reduction Rules
      • AMSI
  • Initial Access
    • DLL Hijacking/Proxying
      • Identifying common issues
    • Creating DLLs
    • Living out-of-land
      • SOCKS Proxy
        • Unmanaged code
    • Managed code
  • In-process/In-memory unmanaged code execution
    • Leveraging C2 capabilities
    • Injection
  • Credential Access
    • Interrogating Browsers
      • Information gathering
      • Extracting secrets
    • LSA
    • Running Mimikatz/Kekeo
    • What's a protected process?
    • In-memory patching using
    • Discussing other methods
    • Credential Guard
    • Remote Desktop Credential Guard
    • Effects of EDR
    • Kerberos
    • Session 0
    • Code Injection
    • TGS Exports
    • Lateral Movement
  • SMB
    • Artefacts
    • Customisation
      • Service
      • Named pipe
  • Alternatives (WinRM/RDP)
    • Artefacts
    • SOCKS Proxy

Skill Level: Intermediate
Materials Needed: Laptop capable of outbound SSH/RDP to our labs.


Rohan (@Decode141) is a Senior Consultant at Mandiant with a primary interest in attack simulation. Rohan is most interested Windows and Active Directory assessments but is also involved delivering offensive security training and capability development. Rohan's presented at conferences such BlackHat, BSides London and BSides LV in the past.

Paul L. (@am0nsec) is a Senior Consultant at Mandiant. Paul works in R&D to improve Simulated Attack (SA) capabilities. With a strong interest in Microsoft Windows system and low-level programming, and x86 Instruction Set Architecture (ISA). Paul specialises in the development of malware and tools for SA operations. Some of his work is publicly available on GitHub and discussed on his Twitter profile.


Max Class Size: 200