Windows is the world’s most used desktop OS — and one of the most targeted.
This module teaches you to recognize Windows vulnerabilities, understand how attackers gain footholds, and apply defenses through hardening and monitoring tools like Event Logs and Sysmon.
Labs use isolated VMs so you can safely practice detection and response without risk.
💡 Learning Objectives
By the end of this module, you’ll be able to:
Identify Windows attack vectors and misconfigurations.
Recognize signs of privilege escalation and lateral movement.
Understand and use Windows Event Logs and Sysmon for basic forensics.
Apply security baselines and hardening steps.
Create and validate a Windows Hardening Checklist.
1. Typical Windows Attack Surfaces
Attackers leverage misconfigurations or social engineering to get in.
| Surface | Risk | Example |
|---|---|---|
| Email (Phishing) | Delivers malicious attachments or links. | Invoice.docm → macro payload |
| Weak Credentials | Brute force or credential reuse. | “Password123” |
| RDP Exposure | Remote Desktop open to internet. | Port 3389 unrestricted |
| Unpatched Software | Exploits known bugs. | EternalBlue (SMB) |
| User Privilege Escalation | Local admin abuse. | Runas / token impersonation |
| Lateral Movement | Moving inside network after entry. | Pass-the-Hash / SMB relay |
2. Common Vulnerabilities & Exploitation Concepts
Privilege Escalation: Exploiting weak service permissions or registry keys to gain admin rights.
Unquoted Service Paths: Spaces in service paths can allow malicious executables to load first.
DLL Hijacking: Malicious DLL placed where Windows searches before the legitimate one.
Misconfigured Shares: Open SMB folders leak sensitive files or scripts.
Weak UAC Policies: Allow unauthorized elevation of apps.
💡 Defensive Mindset: Every vulnerability is a misconfigured policy or unpatched binary waiting for fixing — not a tool to exploit.
3. Detection & Monitoring — Event Logs and Sysmon
Windows Event Logs record system and security activity. Key logs to review:
Security: Logons, privilege use, object access.
System: Driver or service issues.
Application: Crashes or warnings from apps.
Sysmon (System Monitor) extends logging with deep visibility:
Process creation (Event ID 1)
File creation (Event ID 11)
Network connections (Event ID 3)
Registry modifications (Event ID 13)
Exercise Idea: Compare normal vs suspicious process trees in Sysmon logs.
(Example: powershell.exe → cmd.exe → rundll32.exe = potential malicious chain.)🧩 Tools: Event Viewer, Sysmon + Configuration XML (from SwiftOnSecurity template), PowerShell Get-WinEvent.
4. Hardening & Baseline PracticesAccount & Access Control
Use least privilege accounts; disable built-in Administrator.
Enforce strong password policies and lockout rules.
Enable MFA for domain logins where available.
System Configuration
Turn on Windows Defender + real-time protection.
Apply security patches promptly (Windows Update).
Disable AutoRun/AutoPlay for removable media.
Enable BitLocker encryption for drives.
Disable SMBv1 and old protocols.
Logging & Audit
Enable Advanced Audit Policy Configuration.
Forward logs to central collector or SIEM.
Regularly review Event ID 4624 (logons), 4672 (privilege use), 4688 (process creation).
5. Practical (Safe) Lab — Windows Hardening Checklist
Environment: Windows 10/11 VM (offline or lab network).
Run Windows Update → install all pending patches.
Open
gpedit.msc→ set “Account Lockout Threshold” to 5.Enable BitLocker (virtual TPM OK for VMs).
Create a new standard user and remove admin rights from daily account.
Install and configure Sysmon.
Generate some activity (open browser, copy files) and observe new events in Event Viewer.
Document findings and export relevant Event IDs.
Deliverable: Completed Windows Hardening Checklist table and short report describing why each control matters.
6. Practical Exercise — Incident Detection Scenario
Scenario: You find multiple failed login attempts in Event Viewer (Security log).
Identify Event ID 4625 (Failed logon).
Filter for same username or source IP.
Check for follow-up Event ID 4624 (success) — possible brute force success.
Contain by disabling the account temporarily.
Update password policies and log the incident.
🧩 Outcome: A mini incident response within Windows itself.
7. Ethics & Legal Framework
Unauthorized access to Windows hosts (even testing without permission) is illegal.
Always:
Work in VMs or systems you own.
Use synthetic malware samples or simulation tools only.
Follow organizational rules for incident handling and reporting.
Respect privacy — logs often contain user data.
💡 Quick Tips Box
💡 Review Windows Security Event Logs weekly.
⚙️ Turn on Controlled Folder Access to block ransomware.
🔒 Use PowerShell command Get-LocalUser to audit accounts regularly.
📁 Keep a restore point before major policy changes.
8. Summary & Takeaways
You’ve learned to see Windows as a defensive battlefield: patch, monitor, respond, and improve.
✅ Key points:
Windows is a primary attack target — defense must be layered.
Regular patching and account controls stop most breaches.
Event Logs and Sysmon reveal hidden activity.
Hardening and continuous review make you resilient.
🧱 Course Complete: You’ve finished the Foundational Cybersecurity — Practical, Ethical & Defensive course!