Presentation Material
Abstract
Disrupting the Kill Chain is a defender’s approach to minimizing cyber-adversary access and success in a Windows environment. It builds upon my previous work on ‘Defending a Microsoft Environment at scale’, which spoke to the innovations made in Windows 10 and the capabilities of a native Microsoft stack to launch a capable defense against most vulnerability classes. This talk is a bluebook of the most effective and efficient controls in Windows 10 and an associated Microsoft environment to disrupt the kill chain, and it focuses on leveraging the capabilities of a Microsoft stack to do so. It starts out by describing the Lockheed Martin kill chain in conjunction with the MITRE ATT&CK framework and explains how we have used them to build a defense model. We then delve into specific capabilities of the Windows subsystem to detect and respond to the various stages of an attack lifecycle, including Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control (C2). As we continue, we describe a working defense model that covers some of the more effective and efficient controls in a Windows 10 ecosystem that address several categories of attacks. These higher-efficiency controls are detailed in a few sample deployment guides that are made available on GitHub and based upon the “single platform approach” I’ve previously described in my other talks. We then talk about the different ways in which logging and monitoring data can be collected and analyzed at scale, and about implementations that extrapolate the telemetry from these indicators across Microsoft Windows to an enterprise view that reduces noise and improves signal.
To do this, we explain how WEF (Windows Event Forwarding) works, walk through a sample Sysmon deployment guide, show how to collect rich event metadata from all Windows Event Log sources to build correlation, and finally cover the more recent technique of log collection and hunting using Windows Defender telemetry data. We don’t address traditional SIEM implementations but talk about specific use cases that address the MITRE ATT&CK framework. (Samples of such an approach are visible in my previous talks detailed here between pages 16-25.) During the second half of the talk, we delve into some of the automated remediation and incident response capabilities built into the Windows Defender ATP product and how it can be used for hands-free triage and remediation through the use of automation playbooks (Hexadite). We cover scenarios from basic malware hunting techniques such as frequency analysis, process trees and other indicators that may point to suspicious behaviors. In closing, we round up the topics covered, provide some disclaimers that this is not a silver bullet against all attacks, and simply reinforce the message that basic hygiene and a handful of properly implemented controls are indeed effective in disrupting the kill chain.
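As an added illustration of the frequency-analysis and process-tree hunting techniques the abstract mentions (this is example code written for this page, not material from the talk or from the GitHub deployment guides), the script below stacks Sysmon Event ID 1 (process creation) records by parent/child image pair across a fleet, surfaces the pairs seen on the fewest hosts, reconstructs a process ancestry chain, and flags shells spawned by Office applications. The event records are constructed sample data with only the handful of Sysmon fields needed here; the field names match Sysmon's, but the GUIDs, host names and paths are made up.

```python
"""Least-frequency-of-occurrence ("stacking") analysis and process-tree
reconstruction over Sysmon Event ID 1 (process creation) records.
All records below are constructed sample data, not real telemetry."""
import ntpath
from collections import Counter, defaultdict

# Image paths used in the constructed sample.
USERINIT = r"C:\Windows\System32\userinit.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def ev(computer, guid, parent_guid, image, parent_image):
    """Build one record with the subset of Sysmon Event ID 1 fields used here."""
    return {"Computer": computer, "ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image}


# Constructed sample: three workstations with ordinary activity, plus one
# chain on WS01 where a Word document spawned PowerShell and then cmd.exe.
SAMPLE_EVENTS = [
    ev("WS01", "g1", "g0", EXPLORER, USERINIT),
    ev("WS01", "g2", "g1", CHROME, EXPLORER),
    ev("WS01", "g3", "g1", WINWORD, EXPLORER),
    ev("WS01", "g4", "g3", POWERSHELL, WINWORD),
    ev("WS01", "g5", "g4", CMD, POWERSHELL),
    ev("WS02", "h1", "h0", EXPLORER, USERINIT),
    ev("WS02", "h2", "h1", CHROME, EXPLORER),
    ev("WS02", "h3", "h1", WINWORD, EXPLORER),
    ev("WS03", "k1", "k0", EXPLORER, USERINIT),
    ev("WS03", "k2", "k1", CHROME, EXPLORER),
]


def base(path):
    """Strip the directory so the same binary in different paths stacks together."""
    return ntpath.basename(path)


def stack_parent_child(events):
    """Count how often each (parent, child) image pair appears across the fleet
    and on how many distinct hosts. Common pairs are noise; rare ones are leads."""
    counts = Counter()
    hosts = defaultdict(set)
    for e in events:
        key = (base(e["ParentImage"]), base(e["Image"]))
        counts[key] += 1
        hosts[key].add(e["Computer"])
    return {k: {"count": counts[k], "hosts": len(hosts[k])} for k in counts}


def rare_pairs(events, max_hosts=1):
    """Return (pair, event count, host count) for pairs seen on at most
    max_hosts hosts, rarest first."""
    stacked = stack_parent_child(events)
    rare = [(k, v["count"], v["hosts"]) for k, v in stacked.items() if v["hosts"] <= max_hosts]
    return sorted(rare, key=lambda r: (r[2], r[1], r[0]))


def ancestry(events, guid):
    """Walk ProcessGuid -> ParentProcessGuid links and return the image chain
    from the given process up to the first ancestor that has no record."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain = []
    while guid in by_guid:
        chain.append(base(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def office_spawned_shells(events, office=("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"),
                          shells=("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")):
    """Return ProcessGuids of shell processes whose parent is an Office application."""
    return [e["ProcessGuid"] for e in events
            if base(e["ParentImage"]).upper() in office and base(e["Image"]).lower() in shells]


if __name__ == "__main__":
    for pair, count, hosts in rare_pairs(SAMPLE_EVENTS):
        print(f"{count} event(s) on {hosts} host(s): {pair[0]} -> {pair[1]}")
    for guid in office_spawned_shells(SAMPLE_EVENTS):
        print("office-spawned shell:", guid, "<-".join(ancestry(SAMPLE_EVENTS, guid)))
```

On real data the records would come from forwarded Sysmon events (via WEF or an agent) and the host-prevalence count is the useful dimension: a parent/child pair that appears thousands of times on one machine is still rare at fleet scale, while the ancestry chain gives the analyst the process-tree context needed to scope what else the same parent touched.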
AI Generated Summary
The talk evaluates Windows 10’s native security features as a means to reduce reliance on multiple third-party endpoint agents, which expand the attack surface. Using the MITRE ATT&CK framework and Lockheed Martin kill chain as analytical models, the speaker examines built-in defenses like Credential Guard, Remote Credential Guard, and Device Health Attestation.
Key findings include demonstrations of bypass techniques for Credential Guard, such as injecting malicious code into MSI installers to dump secrets from isolated memory. The talk also details an attack chain using phishing to obtain credentials, followed by abusing Outlook rules via the tool “Ruler” to establish persistence, highlighting risks even with two-factor authentication due to legacy protocols.
Practical implications stress a defense philosophy of early detection and controlled response over immediate blocking during reconnaissance. Strategies include deploying deception through honey tokens and dark nets to monitor attacker movement, disrupt activities, and increase operational costs. The speaker argues that native Windows 10 controls, when fully implemented as a cohesive system, can make intrusions cost-prohibitive by forcing attackers to expend more resources, but partial adoption creates security gaps. The core objective is to become a difficult target by tracking adversaries without alerting them, enabling effective scoping and response upon eventual detection.