
Windows Security

Windows security is layered and complex
Understanding built-in defenses is critical for both blue team configuration and red team bypass identification

User Account Control (UAC)

UAC splits administrator tokens -- standard user rights by default, elevated only when explicitly needed

whoami /groups                   # Check integrity level

By default a standard user runs at Medium IL; an admin gets a split token (Medium by default, High when elevated). File and registry virtualization redirects writes to protected areas (but this is bypassable)
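Added example (not from the original notes): a quick audit of the UAC policy values and the integrity level of the current token. It assumes Windows PowerShell 5.1 or later and the standard policy value names under the Policies\System key; the "hardened" thresholds in the checks are the author's assumptions, not something the notes state.

```powershell
# Added example: audit UAC policy values and report the current token's integrity level.
# Assumes the well-known values under ...\Policies\System exist (they do on a stock install).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $policyKey

# Hardened expectation (assumed thresholds): UAC on, admins prompted on the secure desktop,
# standard users auto-denied or prompted for credentials on the secure desktop.
$checks = @(
    [pscustomobject]@{ Name = 'EnableLUA';                  Value = $p.EnableLUA;                  Ok = ($p.EnableLUA -eq 1) }
    [pscustomobject]@{ Name = 'ConsentPromptBehaviorAdmin'; Value = $p.ConsentPromptBehaviorAdmin; Ok = ($p.ConsentPromptBehaviorAdmin -in 1,2) }
    [pscustomobject]@{ Name = 'ConsentPromptBehaviorUser';  Value = $p.ConsentPromptBehaviorUser;  Ok = ($p.ConsentPromptBehaviorUser -in 0,1) }
    [pscustomobject]@{ Name = 'PromptOnSecureDesktop';      Value = $p.PromptOnSecureDesktop;      Ok = ($p.PromptOnSecureDesktop -eq 1) }
)
$checks | Format-Table -AutoSize

# Integrity level of the current process token, taken from the Mandatory Label row of whoami.
$label = (whoami /groups /fo csv | ConvertFrom-Csv |
          Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'
"Current integrity level: $label"
if ($label -like '*High*' -or $label -like '*System*') {
    Write-Warning 'This shell is elevated; everything it launches inherits High IL.'
}
```

ConsentPromptBehaviorAdmin value 5 (the default, "prompt for non-Windows binaries") is what most hosts show; the check above deliberately treats only 1 and 2 (always prompt on the secure desktop) as hardened.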

Windows Defender

Built-in AV that actually works now (gone are the days of being useless)

Get-MpPreference                  # Check Defender config
Get-MpThreatDetection             # View detections
Add-MpPreference -ExclusionPath C:\tools  # Exclude from scan

Defender uses cloud-delivered protection and AMSI integration to block script-based attacks
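Added example (not from the original notes): review Defender's exclusions and its core protection switches, flagging settings that weaken coverage. It assumes the Defender PowerShell module (Get-MpPreference) is present and the shell is elevated, since recent builds hide exclusions from non-admins; the "broad" path patterns are the author's assumptions.

```powershell
# Added example: audit Defender exclusions and protection switches.
$pref = Get-MpPreference

# Exclusions on drive roots or user-writable locations remove coverage exactly where
# dropped tooling tends to land, so call those out specifically (assumed patterns).
$broadPatterns = '^[A-Z]:\\?$', '\\Users\\', '\\Temp\\', '\\Downloads\\', '\\ProgramData\\'
foreach ($path in $pref.ExclusionPath) {
    $isBroad = $broadPatterns | Where-Object { $path -match $_ }
    $flag = if ($isBroad) { 'BROAD' } else { 'ok' }
    "[{0,-5}] path exclusion: {1}" -f $flag, $path
}
foreach ($ext  in $pref.ExclusionExtension) { "[ext  ] extension exclusion: $ext" }
foreach ($proc in $pref.ExclusionProcess)   { "[proc ] process exclusion: $proc" }

# Switches that should all read 'ok' on a hardened host. MAPSReporting 0 = cloud
# protection off; SubmitSamplesConsent 2 = never send samples.
$switches = [ordered]@{
    'Real-time monitoring enabled'    = (-not $pref.DisableRealtimeMonitoring)
    'Behaviour monitoring enabled'    = (-not $pref.DisableBehaviorMonitoring)
    'Script scanning (AMSI) enabled'  = (-not $pref.DisableScriptScanning)
    'Cloud protection (MAPS) enabled' = ($pref.MAPSReporting -ne 0)
    'Sample submission not disabled'  = ($pref.SubmitSamplesConsent -ne 2)
}
foreach ($k in $switches.Keys) {
    $state = if ($switches[$k]) { 'ok' } else { 'WEAK' }
    "{0,-34} {1}" -f $k, $state
}
```

Run it before and after any Add-MpPreference change such as the C:\tools exclusion above; a path exclusion is a permanent blind spot, so each one should have an owner and a reason.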

AppLocker / WDAC

Restricts which executables can run

Allow by path, publisher hash, or file attribute
Block execution from Temp directories

Common bypasses: LOLBins (living-off-the-land binaries), InstallUtil, msbuild, regsvr32
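Added example (not from the original notes): summarise AppLocker decisions from the "EXE and DLL" channel and show whether the LOLBins named above are actually being stopped. It assumes AppLocker is configured (enforce or audit mode) so the channel contains events, and assumes the RuleAndFileData field names FilePath, FileHash and TargetUser as emitted by current builds.

```powershell
# Added example: summarise AppLocker block / audit events and check the LOLBins above.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
# 8004 = blocked; 8003 = audit mode, would have been blocked; 8002 = allowed (not queried here).
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; ID = 8003,8004 } -MaxEvents 500 -ErrorAction SilentlyContinue

$decisions = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData      # assumed element name
    $outcome = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Outcome = $outcome
        User    = $d.TargetUser                  # SID of the user that tried to run the file
        File    = $d.FilePath                    # path as AppLocker records it (%OSDRIVE%\...)
        Hash    = $d.FileHash
    }
}

# Most frequent files hitting the policy.
$decisions | Group-Object File | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# The LOLBins named above should be blocked for non-admins. Any 'AuditOnly' row means
# the policy exists but is not enforcing, which is the gap worth closing.
$lolbins = 'installutil.exe', 'msbuild.exe', 'regsvr32.exe'
$decisions | Where-Object { (Split-Path $_.File -Leaf) -in $lolbins } |
    Format-Table Time, Outcome, User, File -AutoSize
```

If the query returns nothing at all, either the channel is empty (no policy applied) or the shell is not elevated; both are worth knowing before trusting an AppLocker deployment.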

Windows Firewall

Host-based firewall with inbound/outbound rules

Get-NetFirewallRule               # List firewall rules
New-NetFirewallRule -DisplayName "Block-4444" -Direction Inbound -Action Block -LocalPort 4444 -Protocol TCP
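Added example (not from the original notes): enumerate enabled inbound Allow rules together with their port, address and program filters, so what is actually reachable can be reviewed in one table. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated shell.

```powershell
# Added example: build a single table of enabled inbound Allow rules and their filters.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

$table = foreach ($r in $rules) {
    # Each filter cmdlet accepts the rule on the pipeline and returns that rule's filter.
    $port = $r | Get-NetFirewallPortFilter
    $addr = $r | Get-NetFirewallAddressFilter
    $app  = $r | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name      = $r.DisplayName
        Profile   = $r.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
        Remote    = ($addr.RemoteAddress -join ',')
        Program   = $app.Program
    }
}

# Rules that accept any local port from any remote address are the ones to review first.
"== Wide-open inbound Allow rules =="
$table | Where-Object { $_.LocalPort -eq 'Any' -and $_.Remote -eq 'Any' } |
    Format-Table Name, Profile, Protocol, Program -AutoSize

"== All enabled inbound Allow rules =="
$table | Sort-Object Name | Format-Table -AutoSize
```

The Block-4444 rule above only helps if no broader Allow rule for the same port wins first; this listing is the quickest way to confirm that.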

BitLocker

Full disk encryption. The recovery key is stored in AD in enterprise environments (valuable target)
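Added example (not from the original notes): report BitLocker state per volume and whether a RecoveryPassword protector exists, since that is the protector whose value gets escrowed to AD. It assumes the BitLocker PowerShell module and an elevated shell.

```powershell
# Added example: per-volume BitLocker status and key protector types.
Get-BitLockerVolume | ForEach-Object {
    $protectors = $_.KeyProtector
    [pscustomobject]@{
        Volume      = $_.MountPoint
        Protection  = $_.ProtectionStatus      # On / Off
        Status      = $_.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
        Method      = $_.EncryptionMethod
        Protectors  = ($protectors.KeyProtectorType -join ',')
        # A RecoveryPassword protector is what Backup-BitLockerKeyProtector escrows to AD.
        HasRecovery = [bool]($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
} | Format-Table -AutoSize
```

A volume showing Protection Off or no RecoveryPassword protector is the usual finding in practice: encrypted but suspended, or encrypted with no escrowed key to recover it.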

Event Logging

Windows Event Log is surprisingly detailed when properly configured

Critical logs:

* Security (4624=logon, 4625=failed logon, 4672=admin logon)
* System (service crashes, driver issues)
* Application (app-level errors, IIS)
* PowerShell (4103=module logging, 4104=script block logging)

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 50
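Added example (not from the original notes): turn the 4625/4624 events listed above into a failed-logon signal. It groups failures from the last hour by source address, then checks whether any noisy source also produced a successful logon in the same window. It assumes an elevated shell (the Security log is admin-only) and that logon auditing is enabled; the threshold of 10 failures is an assumed value.

```powershell
# Added example: group failed logons (4625) by source and correlate with successes (4624).
function ConvertTo-EventData {
    # Flatten the <EventData><Data Name="..."> pairs of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$since  = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            LogonType = $d.LogonType          # 3 = network, 10 = RDP, 2 = interactive
            Status    = $d.Status             # 0xC000006D bad credentials, 0xC0000064 unknown user
        }
    }

# One source against many accounts reads as a spray; many failures against one account as brute force.
$threshold = 10   # assumed value
$noisy = $failed | Group-Object Source | Where-Object Count -ge $threshold |
    Select-Object Count, @{ n = 'Source'; e = { $_.Name } },
                  @{ n = 'DistinctAccounts'; e = { @($_.Group.Account | Sort-Object -Unique).Count } } |
    Sort-Object Count -Descending
$noisy | Format-Table -AutoSize

# Did any of those sources also log on successfully in the same window?
if ($noisy) {
    $sources = $noisy.Source
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d.IpAddress -in $sources) {
                [pscustomobject]@{ Time = $_.TimeCreated; Account = "$($d.TargetDomainName)\$($d.TargetUserName)"; Source = $d.IpAddress; LogonType = $d.LogonType }
            }
        } | Format-Table -AutoSize
}
```

Parsing the XML rather than the Message text keeps the field names stable across locales, which matters if the same query is later moved into a SIEM rule.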

Registry as Attack Surface

The Windows Registry is a massive persistence playground

Common persistence locations:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
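Added example (not from the original notes): enumerate the Run/RunOnce values listed above for the machine, for every loaded user hive (not just HKCU), and for the 32-bit WOW6432Node view, flagging commands that point into user-writable locations. It assumes an elevated shell for HKEY_USERS access; the "review" path patterns are the author's assumptions.

```powershell
# Added example: list autostart entries under the Run / RunOnce keys across all hives.
$subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view, HKLM only in practice

# HKLM plus every loaded user hive; the *_Classes hives carry no Run keys and are skipped.
$roots = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS |
           Where-Object { $_.PSChildName -notlike '*_Classes' } |
           ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

$reviewPatterns = '\\Users\\', '\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Public\\'   # assumed
$providerProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = "$root\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # skip the provider's own metadata
            $needsReview = $reviewPatterns | Where-Object { $p.Value -match $_ }
            $flag = if ($needsReview) { 'REVIEW' } else { '' }
            [pscustomobject]@{ Flag = $flag; Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}
$entries | Sort-Object Flag -Descending, Key | Format-Table -AutoSize -Wrap
```

Baseline the output on a known-good build and diff it over time; a new value, or an existing value whose command now points somewhere writable, is the signal.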

LSA Protection

Credential Guard virtualizes and isolates LSA (prevents Mimikatz). Requires hardware virtualization support and a UEFI lock. Not enabled by default in most environments because of compatibility issues
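Added example (not from the original notes): report whether LSA runs as a protected process (the RunAsPPL value) and whether Credential Guard is configured and actually running, using the Win32_DeviceGuard WMI class. It assumes Windows 10 / Server 2016 or later, where that class exists.

```powershell
# Added example: LSA Protection and Credential Guard status.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

# In Win32_DeviceGuard the SecurityServices* arrays use 1 = Credential Guard, 2 = HVCI.
# 'Configured' reflects policy; 'Running' reflects what is live after the last boot.
$cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
$cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)

[pscustomobject]@{
    'LSA RunAsPPL (1 = on with UEFI lock, 2 = on without)' = $lsa.RunAsPPL
    'VBS status (0 off, 1 configured, 2 running)'          = $dg.VirtualizationBasedSecurityStatus
    'Credential Guard configured'                          = $cgConfigured
    'Credential Guard running'                             = $cgRunning
} | Format-List

# Configured-but-not-running is the common state on hosts that lack the virtualization
# or UEFI prerequisites noted above: the policy is set, the protection is not there.
if ($cgConfigured -and -not $cgRunning) { Write-Warning 'Credential Guard is configured but not running; check VBS prerequisites.' }
if (-not $cgRunning)                    { Write-Warning 'Credential Guard is not running; LSASS secrets remain readable by an elevated process.' }
if ($lsa.RunAsPPL -notin 1,2)           { Write-Warning 'LSA Protection (RunAsPPL) is not enabled.' }
```

RunAsPPL and Credential Guard are independent controls: RunAsPPL stops ordinary elevated processes opening LSASS, while Credential Guard moves the secrets out of LSASS altogether, so a complete check reports both.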