Workshop

Windows Attack & Defense

March 11th & 12th, 2025

2-day training by Clément Labro and Julien Oberson
This training will be given in ENGLISH

Normal price: CHF 2000.-
Student price: CHF 1500.- (limited availability)

Description

This training will familiarize system administrators and security professionals with modern Windows attacks and security best practices, covering Windows security components, network interception, Active Directory mapping, privilege escalation, lateral movement, credential theft and common persistence techniques. After a broad overview of attacks, the course introduces the associated countermeasures, such as credential protection and much more. After the workshop, participants will understand how to protect their infrastructure against modern attacks. Hands-on: this class is practice-oriented; lectures present real-world attacks that participants put into practice in various labs.

About the trainers

The course gives an idea of how pentesters and hackers think, and the best way to defend against them. To do so, this training is given by a duo of pentesting engineers. Together, the two trainers have more than 15 years of experience in offensive and defensive security.

Clément is an IT security professional with 8 years of experience. He started as a network engineer and then switched to a security engineer career. After working 5 years in the field, he eventually joined SCRT in 2020, thus totaling 6 years of experience in IT security. Aside from the regular audit activities, he also has a strong interest in vulnerability research and exploit development, especially in Windows environments. In this regard, he also publishes his findings and tools on his personal blog and on GitHub. Most notably, he is the maintainer of a Windows privilege escalation enumeration tool called PrivescCheck that helps penetration testers and system administrators identify vulnerabilities and weaknesses on Windows machines.

Julien is an IT security professional with 8 years of experience. He started his career in 2013 as a scientific collaborator at the Fribourg Engineering College, where he worked on various projects related to critical infrastructure security. He joined the SCRT Pentesting team in 2015 and is now Deputy Head of the Audit Division. Over the years, he has performed missions on a wide range of technologies including Windows, Linux, mobile/web applications, and social engineering. He specialized in Windows environments and has organized many Red Team audits. Besides his pentesting activity, he is also a trainer for multiple courses given by SCRT and a forensic analyst.

Course outline

Network access to initial account

  • Windows network protocols poisoning (LLMNR, NetBIOS, DHCPv6)
  • Initial network discovery (nmap port scan)

Active Directory mapping

  • Active Directory enumeration (BloodHound, PingCastle)
  • Kerberos authentication
  • Common domain password extraction techniques (GPP passwords, Kerberoast, ASREPRoast)

Lateral movement

  • Kerberos delegation (unconstrained, constrained, resource-based)
  • NTLM authentication and cross-protocol relay attacks
  • Ways to coerce machine account NTLM authentication and abuse it (Printer Bug, PetitPotam, ntlmrelayx)

Windows credentials dumping

  • Windows credentials storage (SAM, LSA secrets, LSASS, etc.)

Getting access to a key asset

  • From RDP access to administrator
  • Abusing impersonation privileges in Windows services

Domain compromise and persistence

  • Domain credentials storage
  • Kerberos Silver/Golden tickets

Bonus

  • Physical device security (BitLocker and known attacks)
  • LSA protection (how it works and how it can be bypassed)
  • Credential Guard (how it works and how it can be bypassed)

Course requirements

A laptop with an SSH, RDP and VNC client.
