Windows Exploitation


Microsoft Windows is one of the most popular operating systems ever used. This operating system can be found on any device, such as computers, phones, banking machines, and many more.

In this training, you will learn about the Windows operating system and gain experience in both offensive and defensive methods, since knowing how to break into a system is not the same as understanding how to defend it against the attack. Participants will learn the latest hacking methodologies and the use of different attack methods against the various Windows operating systems and Windows applications, and, on the other side, how to defend against them.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field. The participant also needs:

  • A personal computer suitable for running virtual machines, with an Internet connection
  • Working through the scenarios in the Cyberium Arena

Target audience

  • Penetration testers for Windows environments
  • Security professionals and vendors
  • System and network administrators
  • IT professionals

Course objectives

  • Getting to know the Windows environment
  • Discovering vulnerabilities in various Windows operating systems
  • Taking advantage of vulnerabilities
  • Explore multiple attacks and how to defend against them
  • Hardening and securing the Windows OS


  • ThinkCyber Level-2 Courses



In this module, participants will learn about Windows operating systems in general, system management, folder structure, and the concept of exploitation.

Technical content

  • Windows Fundamental Components
    o Common Windows Versions
    o Domain vs. Workgroup Environment
    o System Built-in Services
    o Network Configurations
    ▪ Internet Connection State (Public or Private)
    o Security Components
    ▪ The Windows Firewall
    ▪ Windows Defender
    ▪ Antimalware Scan Interface (AMSI)
    ▪ Local Security Policy
    o CMD and Batch Scripting
    o Windows Server Concepts


Windows systems are a frequent target and suffer many security breaches, partly because of the average user's lack of security knowledge. The flaws found from time to time in the operating system and in the various software installed on it make Windows a lucrative target, and attackers take advantage of this to manipulate users and carry out their malicious actions. In this module, we will exploit Windows through various methods.

Technical content

  • Gathering Information
    o Enumerating Windows Services
    ▪ SMB
    ▪ LDAP
    ▪ Kerberos
    ▪ IIS
    ▪ NetBIOS
    ▪ RPC
    o Domain Enumeration
  • Attacking the Host
    o Basic Metasploit Modules
    o Performing Known Exploits
    ▪ BlueKeep
    ▪ EternalBlue
    o Cross Forest Attacks Using Domain Trust
    o Macro and Hardware-Based Attacks
    o Post-Exploitation Phase
    ▪ Domain Privilege Escalation using DNSAdmin
    ▪ Kerberos Ticket Harvesting and Kerberoasting
    ▪ Dumping Passwords from the Memory
    ▪ Lateral Movement Throughout the Domain
    ▪ Domain Persistence using DCShadow


PowerShell is a built-in shell, available on every supported version of Microsoft Windows, which provides great flexibility and functionality for managing the Windows system. In this module, we will learn various techniques for using PowerShell as a Red-Team tool in the Windows environment, and how to understand and leverage this capability of the PowerShell platform to gain and maintain access in that environment.

Technical content

  • Introduction to PowerShell Scripting
    o What is PowerShell
    o Using ISE, help system, cmdlets, and syntax of PowerShell
    o Scripting Basics
    o Advanced Scripting
    ▪ Working with Pipeline, Files, Functions, Objects, Jobs, and Modules
    ▪ Improving Performance
    ▪ Execution Policies and Scripts
    ▪ Command Injection
  • PowerShell as an Offensive Tool
    o Recon and Scanning
    ▪ Gathering Information about the Network
    ▪ Vulnerability Scanning and Analysis
    ▪ Strategies
    ▪ Avoiding Detection
    ▪ Tools Written/Integrated with PowerShell
    o Exploitation
    ▪ Brute Forcing
    ▪ Client-Side Attacks
    ▪ Using Existing Exploitation Techniques
    ▪ Porting Exploits to PowerShell – When and How
    ▪ Human Interface Device
    ▪ Getting Foothold on the System
    o Use Management Tools to Attack Systems
    o Writing Shells in PowerShell
    o Pivoting to Other Machines using PowerShell
    ▪ Gaining Control of WinRM and WS-Man Sessions


Microsoft Windows has long been a primary target for attacks; it therefore includes security measures that help prevent and avoid them where possible, such as Windows updates, encryption services, and secure connections. In this module, you will learn how to detect and defend against attacks and breaches, and how to avoid them from the start using Windows features and applications.

Technical content

  • Windows Server Hardening
    o Proper Active-Directory Structure
    o Crafting GPO
    ▪ Blocking App Installation
    ▪ Restricting Access to Command-Lines
    ▪ Registry and Run Access Control
    ▪ Hard-Drive and USB Blocks
    o Patches and WSUS
    o Shared-Folders as Drives
  • Host Hardening
    o DEP – Identifying and Handling Suspicious Files
    o Restricting the User's Environment
    ▪ Block User Desktop
    ▪ Store User-Profile Online
    ▪ Lock Local Users
    o Hardening Network Settings
    o BitLocker and Tamper-Resistance
    o Custom Access-Control
    ▪ Sysinternals Suite
    ▪ Understanding Event Viewer
    ▪ Sysmon as a Service


The following labs are part of the actual RT424 course:
  • Lab 1 Advanced Enumeration
  • Lab 2 Attacking the Host
  • Lab 3 Privilege Escalation
  • Lab 4 Red-Team PowerShell
  • Lab 5 Mass Attack
  • Lab 6 Domain Exploitation
  • Lab 7 Post Exploitation
  • Lab 8 Exploiting with Updates

Real Case Studies

Case Study #1 (WE001)
A Russian anti-virus company is warning users about a malicious program that helps attackers carry out mass spam mailings and lets the attacker use a victim's PC as a bot in their DDoS army. Our company requires your assistance to gain control of the C&C server that controls the DDoS attack.
Case Study #2 (WE002)
Computers used by the Minnesota police department suffered a data exposure. The IT team that dealt with the case said that a keylogger was installed on their systems, apparently via a Windows update. An attacker used the vulnerability to harvest sensitive police information. As part of the red team, help the police find the server holding their data and retrieve the stolen data.

Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • On-site classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded, and attendees can replay them for 30 days. All course material is made available electronically to the participant.

Course Group: FOUNDATION


Hands-on / Theory Mix

This course incorporates a high level of hands-on lab exercises, as well as real-life case studies.



This course prepares the participant for the following certification:

  • OSEE (Offensive Security)

Required Equipment

Network connection

As this course makes extensive use of a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As this is a very practical course, and in order for participants to make the most of it, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)

A good headset with a microphone is also required.
