Windows Mitigations – understanding, tactics and tools

Windows is one of the most secure operating systems now after long history of being attacked by hackers. With many defense mechanisms it has, many mitigations the operating system has played a key role in enhanching it’s overall security. With this training, we want to discuss how state-of-the-art mitigations are implemeneted and can be used to improve overall security levels of your machines and network. We want to start from traditional anti-exploit mitigations like ASLR, DEP and CFG and want to talk about basic isolation techniques like PPL to WDAG, more advanced mode of isolation.

  • When: May/6/2019 (Mon) ~ May/10/2019 (Fri)
  • Where: Bundang-gu, Seongnam-si, Korea
  • Reservation:

Time table

The following is the overall schedule over 5 day training course.

May/6/2019 (Mon) - Exploit-focused Mitigations

Start End Name Description
10:00 10:30 Introduction Introduction, overview of the courses and hands-on preparations
10:30 10:40 Memory Corruption Methods Stack Overflow
10:40 11:30 Control Flow Hijack Return Address Overwrite/SEH Overwrite/SafeSEH/RFG/Shadow Stack
11:30 13:00 Lunch Group Lunch
13:00 13:20 Memory Corruption Methods Heap Overflow/UAF/ASLR
13:20 13:50 Memory Contents Weakness RW Primitives/Object Corruption/Heap Mitigations
14:00 17:00 Hands-on Adobe Flash Exploit Code Analysis - RW Primitives

May/7/2019 (Tue) - Post-exploit Mitigations

Start End Name Description
10:00 10:50 Control Flow Hijack Vftable Corruption/CFG
11:00 11:50 Hands-on Adobe Flash Exploit Code Analysis - CFG Bypass
12:00 13:00 Lunch Group Lunch
13:00 13:50 Payload Execution Default +X Memory/DEP/+X Shellcode Via Virtual*/ACG/ROP/CET
14:00 14:50 Hands-on Word Exploit Analysis - ROP and syscall
15:00 15:50 Memory Threats Shellcode/Process Injection/Reflective DLL Injection/Process Hollowing
16:00 16:50 Hands-on Adobe Flash Exploit Code Analysis - Multi-stage Shellcode

May/8/2019 (Wed) - Kernel

Start End Name Description
10:00 10:50 Memory Contents Weakness kASLR/Information Leak/RW Primitives/Tactical Mitigations/Vftable Corruption/kCFG
11:00 11:50 Code Execution Kernel to Userland Code Execution/SMEP/PTE Corruption/PTE Randomization/SMAP
12:00 13:00 Lunch Group Lunch
13:00 13:50 Hands-on Advanced Kernel Threat Analysis - RW Primitivies
14:00 14:50 Hands-on Advanced Kernel Threat Analysis - RW Primitivies
15:00 15:50 Hands-on Advanced Kernel Threat Analysis - Token Swapping
16:00 16:50 Hands-on Advanced Kernel Threat Analysis - Token Swapping

May/9/2019 (Thr) - Rootkis/Application Whitelisting

Start End Name Description
10:00 10:50 Whitelisting Rootkits and SecureBoot
11:00 11:50 Whitelisting Application Whitelisting
12:00 13:00 Lunch Group Lunch
13:00 13:50 Hands-on Windows Rootkit Analysis
14:00 14:50 Hands-on Windows Rootkit Analysis
15:00 15:50 Hands-on Windows Rootkit Analysis
16:00 16:50 Hands-on Windows Rootkit Analysis

May/10/2019 (Fri) - VBS (Virtualization Based Security)/Container/Self-protection/SMB

Start End Name Description
10:00 10:50 Container VBS (Virtualization Based Security)/WDAG/Windows Sandbox/PPL
11:00 11:50 SMB WannaCry vs SMBv3
12:00 13:00 Lunch Group Lunch
13:00 13:50 Hands-on Debugging & Analyzing WannaCry
14:00 14:50 Hands-on Debugging & Analyzing WannaCry
15:00 15:50 Hands-on Debugging & Analyzing WannaCry
16:00 16:50 Hands-on Debugging & Analyzing WannaCry