My Book Project : Windows 10 for Enterprise Administrators

[Post Migrated from TechNet]

With more and more customers adopting Windows 10 as the preferred operating system for their endpoint devices, the need to upgrade the skills of our IT administrators with the know-how of new tools, upgrade strategies, deployment of new features and capabilities, and ongoing management of Windows 10 devices is definitely catching up.

Windows 10 brings a whole lot of new capabilities for IT administrators, from both a manageability and a security perspective. If you haven’t read some of my previous posts around security with Windows 10, the following articles will give you some insight.

  1. Threat Mitigation in Windows 10
  2. Windows Device Guard against Malware Intrusion

I have been working as tech reviewer of this book on Windows 10 for enterprise administrators for a few months now, and it has finally been published.
As tech reviewer, my responsibility was to ensure that the technical topics are explained accurately and consistently, with working sets of scripts and code. The sole objective of the book is to equip IT administrators with knowledge of the new capabilities, deployment tools, and tips and tricks to manage a Windows 10 environment better.

The authors did a great job in bringing together the right content and concepts to ensure our Windows 10 administrators are successful in their day-to-day job.

Here are some screenshots of the book preface:

The book is available for sale here:

Hope you all will like it.


My Article on CIO Review Magazine : Stay Updated, Stay Protected

(Post migrated from

In the increasingly dynamic world of cyber threats, where the threat landscape changes by the second, staying updated breaks the attackers’ ROI.

If you are a reader of CIO Review magazine, I hope you’ll like this article of mine, published in the October 2017 edition.


You can read the full CIO Review digital magazine here, along with some other great articles.



What is Windows Defender ATP?

I hear a lot of confusion between Windows Defender and Windows Defender ATP; people often don’t get the difference between the two, so let’s understand the difference.

Windows Defender is an anti-malware / anti-virus solution that is part of Windows 10 itself. It helps protect you from known malware and viruses that have already been discovered and for which a definition is available. So think of it as similar to the anti-virus capability provided by known vendors like McAfee, Symantec etc.

Besides protecting you from known malware, Windows Defender also has built-in machine learning and heuristics to detect malware in real time based on behaviour analysis. If you want to see a glimpse of what Defender AV can do in real time, watch the video below.


Windows Defender ATP, on the other hand, is an endpoint detection and response (EDR) solution from Microsoft. It identifies and detects suspicious and malicious activities on endpoint PCs and helps you take remedial actions for containment.

So in a persistent attack scenario, where attackers are doing initial reconnaissance and lateral movement to find critical, high-value assets to compromise, this activity is detected in the Defender ATP console, which helps organizations confine it before the attackers are able to compromise those high-value assets.

Here is a quick overview of Windows Defender ATP and some of the example activities of compromise it can help detect and remediate.

Defender ATP runs irrespective of which anti-malware product you are using.

Hope that clears out the confusion.

Do subscribe to my channel on YouTube for more informative demos on InfoSec.


Threat Mitigations in Windows 10

Traditionally, operating system releases from Microsoft happened once every few years, and in the time between releases a lot of new exploitation techniques were developed. Most of these techniques were used to carry out attacks on the Windows platform, which had no mitigations for them, and the future release with the fix was a few years away.

Some of the exploitation techniques that exist today did not even exist a decade ago.

Exploitation techniques a decade ago:

  • Stack overrun
  • Return Address Corruption
  • Shell Code

Exploitation techniques today:

  • ARW
  • Sandbox bypass
  • Heap spray
  • Memory corruption
  • CFG Bypass
  • ASLR Bypass
  • DEP Bypass
  • ROP Shellcode

Given that the threats have increased manifold, waiting a couple of years to mitigate a particular exploitation technique is far from ideal and leaves our consumers and commercial users and organizations vulnerable. With Windows 10 as a Service, where we keep releasing new features and capabilities every 6 months, the shelf life of these techniques has been reduced.

Today we’ll go through the security mitigations in Windows 10, which are enabled by default for all of our users irrespective of the Windows 10 edition you are using.



Threat mitigations in Windows 10 are a set of features that disrupt exploitation techniques and make vulnerability classes harder or impossible to use.

Let’s go through some of these important mitigations.

1. User Mode Font Driver (UMFD):

The user mode font driver mitigation was added in the initial version of Windows 10. It is aimed at isolating or containing vulnerabilities.
Font processing used to be done in kernel mode, and memory corruption bugs in it could be triggered remotely using untrusted fonts. The font processing code is legacy code, contributed by many different parties.
With UMFD, font processing is now moved into an AppContainer in user mode. This makes any vulnerability in font processing far less useful to an attacker.
So the elevation-of-privilege (EoP) attacks, typically sandbox escapes, that targeted these vulnerabilities are no longer possible.
All processes benefit from this mitigation.
While font processing has been moved to user mode to contain the vulnerabilities, it is also possible to disable processing of untrusted remote fonts for a process via the ProcessFontDisablePolicy process mitigation option.

2. Win32k Syscall Filtering:

We all know that the Win32k subsystem is the No. 1 targeted component for achieving sandbox escapes. It is a gigantic component because of its functionality: almost everything you see on screen is Win32k. It has a very large attack surface, about 1200 APIs compared to about 400 NT APIs.
With syscall filtering, Microsoft Edge maintains a list of the Win32k APIs that it needs and allows only those from the content process, thus reducing the surface area.
This mitigation removes a good set of Win32k APIs that could otherwise be targeted for memory corruption.

3. Less Privileged App Container (LPAC):

An AppContainer has access to resources protected with the ALL APPLICATION PACKAGES SID, and this SID has read permission on all folders by default. LPAC is a more restricted version of the AppContainer: it denies access to everything by default. An LPAC process can access only the securable objects that are explicitly granted to LPAC.

4. Structured Exception Handling Overwrite Protection (SEHOP): This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run time, it helps protect applications regardless of whether they have been compiled with the latest improvements.

5. Address Space Layout Randomization (ASLR): ASLR loads DLLs into random memory addresses at boot time. This mitigates against malware designed to attack specific memory locations where specific DLLs are expected to be loaded.

6. Heap protections: Windows 10 includes protections for the heap, such as heap metadata hardening for the internal data structures that the heap uses. It also uses heap allocation randomization, that is, randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. It also places heap guard pages before and after blocks of memory, which work as tripwires: if an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.

7. Kernel pool protections:

Windows 10 includes protections like Kernel DEP and Kernel ASLR for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.

8. Control Flow Guard:

Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system; instead, it is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. It can also be built into applications when they’re compiled, for example applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.

9. Protected Processes : With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and for the first time, you can put antimalware solutions into the protected process space, which helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.

10. Universal Windows apps protections: When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s highly unlikely that they will encounter malware, because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading will need to be reviewed internally to ensure that they meet organizational security requirements.

11. No Child Proc: Attackers can trick a sandboxed process into creating a child process in order to bypass mitigations. This feature prevents code execution via launching a child process.
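Several of the mitigations above (the ProcessFontDisablePolicy option from item 1, Win32k syscall filtering from item 2, SEHOP, CFG and No Child Proc) can be applied per application from PowerShell. The following is an added example, not code from the original post; it assumes the ProcessMitigations module that ships with Windows 10 1709 and later, an elevated session, and uses notepad.exe purely as a placeholder target.

```powershell
# Added example, not from the original post: uses the ProcessMitigations module that ships with
# Windows 10 1709 and later, from an elevated PowerShell session. 'notepad.exe' is a placeholder.
#Requires -RunAsAdministrator
Import-Module ProcessMitigations

$target = 'notepad.exe'   # placeholder: settings key off the executable file name, not its path

# 1. Baseline. With no per-app override every option reports NOTSET and the system-wide
#    defaults apply, so this is what the change below is compared against.
Write-Host "== $target : policy before =="
Get-ProcessMitigation -Name $target | Format-List

# 2. Opt the application into the mitigations discussed above. The settings are persisted
#    per executable and apply to every instance started from now on.
$enforce = @(
    'DisableNonSystemFonts',        # mitigation 1: the ProcessFontDisablePolicy option, untrusted fonts refused
    'SEHOP',                        # mitigation 4: validate the SEH chain at run time
    'CFG',                          # mitigation 8: enforce control flow guard where the binary was built with it
    'DisallowChildProcessCreation'  # mitigation 11: No Child Proc
)
Set-ProcessMitigation -Name $target -Enable $enforce

# Win32k syscall filtering (mitigation 2) would break any process that draws a window, so for
# a GUI application it is only audited: calls that would have been blocked are logged instead.
Set-ProcessMitigation -Name $target -Enable AuditSystemCall

# 3. Confirm the stored policy now shows the chosen options as ON.
Write-Host "== $target : policy after =="
Get-ProcessMitigation -Name $target | Format-List

# 4. Check a live instance rather than the registry: start the target and read the mitigations
#    the kernel actually applied to the running process.
$proc = Start-Process -FilePath $target -PassThru
Start-Sleep -Seconds 2
Get-ProcessMitigation -Name $target -RunningProcesses | Format-List
Stop-Process -Id $proc.Id -Force

# 5. Enforcement and audit hits are written to the Security-Mitigations event logs. Listing the
#    newest entries is how a block (or an audit-mode hit) is tied back to the process above.
foreach ($log in 'Microsoft-Windows-Security-Mitigations/UserMode',
                 'Microsoft-Windows-Security-Mitigations/KernelMode') {
    Get-WinEvent -LogName $log -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -Wrap
}

# To undo: drop every per-app override for the target so that the system defaults apply again.
# Set-ProcessMitigation -Name $target -Remove
```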

Here are the release cycles of the various threat mitigation capabilities across Windows 10 feature updates:


The main objectives of implementing these threat mitigation capabilities in Windows 10 are:

  • Reducing the attack surface of the Windows platform
  • Taking soft targets out of the picture
  • Eliminating existing exploitation techniques so that new techniques need to be found
  • Reducing the impact of vulnerabilities through isolation
  • Making overall exploitation harder and more expensive

These are all the more reasons to move to Windows 10 as quickly as possible to remain protected against modern cyber threats.

Hope you liked the article, look forward to more later.


Efficient Way to Disk Cleanup – Windows 10 Storage Sense

While disk storage is cheap nowadays, we can never have enough of it.

Often we find ourselves running out of disk storage on our PCs. The other day, when I decided to clean up my system drive, I thought of using the brand new Windows 10 feature, Storage Sense.

It is definitely a great feature: I no longer need to hunt manually for temp and cache files in various folders on my hard disk.

I made a video about it, just in case you haven’t given it a shot yet.



Let me know what you think.


Windows Defender Detects Malicious Macros in Real time.

We are seeing an increasing trend of Microsoft Office files being used as Trojans that download malicious payloads through legitimate features like VB macros.

If you are running Windows Defender as your default AV, check out this video on how Defender uses its client-side ML together with AMSI to detect a malicious VB macro and block it in real time.

This feature doesn’t require any definition.

Let me know what you think.



Artificial Intelligence and Machine Learning for NextGen Threat Protection

Traditionally, detecting and responding to cyber threats has relied on understanding precedent, matching patterns, writing definitions and configuring rule-based actions for mitigation.

Given the sophistication, polymorphism and expedited rate of change in the threat landscape seen nowadays, traditional methods that involve a human touch at each and every point are proving to be inadequate and inefficient.

Rule-based actions can only scale to handle commodity attacks; whenever there is a slight difference in the attack technique, the whole rule falls apart.

Machine learning and artificial intelligence can achieve a high rate of precision in detecting and responding to a threat by analyzing datasets with many dimensions, at a scale humans cannot match.

Just to give you an idea of how polymorphic patterns of threats are emerging:

Machine learning models can uncover blind spots by removing the human bias that comes with expertise, such as confirmation bias, to reveal greater insights.

Machine learning for building threat intelligence: the Intelligent Security Graph (ISG)

In reducing the time it takes to detect an attack and its techniques, enterprises are struggling with a contradictory dilemma: having too much security-related data to process, yet still not having enough information to separate the signal from the noise and understand an incident quickly.

The challenge here is not just sheer volume, but also separation. Many indicators of attack either seem innocent on their own, or are separated by industries, distances and timeframes. Without clear insight into the whole dataset, early detection becomes a game of chance. Even the largest enterprise companies are facing these limitations:

  • Real threat intelligence requires more data than most organizations can acquire on their own.
  • Finding patterns and becoming smarter in that huge data pool requires advanced techniques like machine learning along with massive computing power.
  • Ultimately, applying new intelligence so that security measures and technologies constantly improve requires human experts who can understand what the data is saying, and take action.

As a platform and services company, Microsoft has wider optics: threat and activity data comes from all points in the technology chain, across every vertical industry, all over the world. This enables us to diagnose attacks, reverse engineer advanced threat techniques, and apply that intelligence across the platform.

The following image shows how ML can see various signals across the technology chain and helps build threat intelligence, which in turn helps detect attacks much faster and mitigate them.

For nearly two decades, Microsoft has been turning threats into useful intelligence that helps fortify its platform and protect customers. From the Security Development Lifecycle, born from early worm attacks like Blaster, Code Red and Slammer, to the modern security services woven into our platforms and services, the company has continually built processes, technologies and expertise to detect, protect, and respond to evolving threats.

This threat intelligence has helped Microsoft work with law enforcement in various countries to take down some of the major global botnets like Citadel, Ramnit, Dorkbot and, very recently, Gamarue.

Today, with the immense computing advantages afforded by the cloud, machine learning and artificial intelligence are finding new ways to use Microsoft’s rich analytics engines. By applying a combination of automated and manual processes, machine learning and human experts, we are able to create an intelligent security graph that learns from itself and evolves in real time, reducing our collective time to detect and respond to new incidents.

The Game of Phishing – How to beat your Opponent

More than 1.4 billion clear-text user credentials accumulated and up for grabs on the dark web clearly indicates that the hunt for credentials of genuine users and organizations is the most important phase of the cyber kill chain.

The Verizon Data Breach Investigations Report 2017 says that 81% of the breaches that occurred involved compromised credentials, and in 75% of them the perpetrators were outsiders.

Phishing emails are proving to be the most effective way to grab users’ credentials and then use them to carry out attacks on those users and their organization.

If you are new to this term, this should help.


The Mind Game

Over the years, the art of phishing has evolved, and adversaries are now using more sophisticated ways to trick the human mind into making a wrong judgement.

If you are a fan of National Geographic’s popular show “Brain Games” like me, you have seen the amazing ways in which the human brain functions: how one part of the brain questions everything and looks at it with suspicion before making any decision, and how another part simply accepts the facts as presented, assumes they are true and takes action.

For example, when you are about to cross the road, a part of your brain looks at the scenario with suspicion and caution. It only decides to cross the road after determining that there is no threat to life from incoming vehicles. Let’s call this part of the brain Part 1.

In a different scenario, however, when you pick up a TV remote and are about to press the power button, does your brain see this act with the same level of caution and suspicion? No, right? This time the other part of the brain makes the decision, assuming that when you press the button the TV will turn on and nothing bad will happen. Let’s call this part of the brain Part 2.

Adversaries are now using various psychometric tactics to make Part 2 of your brain act, so that you take a quick decision and act swiftly on the email, while suppressing the other side of the brain that would make you question it.

Lets play a game.

Can you tell which of the following screenshots of the Office 365 logon page is a phishing page and which one is the authentic web page?


Fig 2

If you happen to land on one of these web pages and provide your credentials, you have just made an attacker’s life easy by handing over one of your organization’s critical assets: your username and password.

So what could really happen when someone else has your credentials?

1. They can log on to your mailbox and use your email account to send emails with malicious attachments to all your colleagues. Since all your colleagues trust you, they will not use Part 1 of their brain to think twice before opening those attachments.

2. They can use your mailbox to attack your friends and family in a similar way.

3. They can use your mailbox to spear-phish senior leaders of your organization, grab their credentials and elevate privileges.

4. They can connect over VPN to your corporate network as you and initiate exploration and then exploitation activities, or simply spread worm-based ransomware in the network.

5. And much more 🙂

How to be better than the game?

Detecting Signs of a Phishing Email

1. Sense of urgency – Look for a sense of urgency in the email. If the email asks you to take an action in a hurry, with words like “immediately” or “urgently”, be cautious.

2. Grammatical errors or spelling mistakes – More often than not, attackers from non-native English speaking regions tend to make spelling or grammatical mistakes in their emails or on the phishing site.

3. Spoofed email sender – Do not trust the sender name shown in your email header. While it might look like it is coming from a known sender, when you expand the sender name you may see a different (spoofed) email address.

4. Obfuscated URLs – What you see may not be what you get. Hover your mouse over the links to see the actual URL they take you to. If you see Base64 in the URL, move away.

5. Detailed email header – If you are ready to dive deep, look at the detailed email header to review the complete mail flow and sender info, including the IP address and sender domain.

6. Email formatting – Emails from reputed organizations go through multiple reviews with respect to formatting. If the email looks weirdly formatted, it may be anomalous.
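Signs 1, 3, 4 and 5 above can be checked mechanically against a raw message before anyone decides to click. The script below is an added example, not code from the original post; the message it parses is constructed for the demonstration, and every sender, recipient, host and IP address in it is a fictitious placeholder.

```powershell
# Added example, not from the original post. All names, hosts and addresses below are fictitious placeholders.
function Get-PhishingSigns {
    param([Parameter(Mandatory)][string]$RawMessage)
    # RFC 5322: the first empty line separates headers from body; folded header lines are joined first.
    $parts    = $RawMessage -split "`r?`n`r?`n", 2
    $headers  = $parts[0] -replace "`r?`n[ `t]+", ' '
    $body     = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    $findings = @()

    # Sign 1: urgency wording anywhere in the message.
    if (($headers + $body) -match '(?i)\b(immediately|urgent(ly)?|within 24 hours|will be (suspended|closed))\b') {
        $findings += 'Urgency wording found (sign 1)'
    }

    # Sign 3: the display name shows one identity, the angle-bracket address another. A display
    # name that is itself an address from a different domain is the classic spoof.
    if ($headers -match '(?im)^From:\s*"?([^"<]*?)"?\s*<([^>]+)>') {
        $display, $address = $matches[1].Trim(), $matches[2].Trim()
        $fromDomain = ($address -split '@')[-1]
        if ($display -match '@' -and $display -notmatch [regex]::Escape($fromDomain)) {
            $findings += "Display name '$display' does not match sender address '$address' (sign 3)"
        }
    }

    # Sign 4: link text naming a different host than the href, and base64-looking URL segments.
    foreach ($m in [regex]::Matches($body, '(?is)<a\s[^>]*href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>')) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $u = $null
        $hrefHost = if ([uri]::TryCreate($href, [UriKind]::Absolute, [ref]$u)) { $u.Host } else { $href }
        if ($text -match '^(?:https?://)?([\w-]+(?:\.[\w-]+)+)' -and $matches[1] -ne $hrefHost) {
            $findings += "Link text '$text' actually points at '$hrefHost' (sign 4)"
        }
        if ($href -match '[A-Za-z0-9+/]{24,}={0,2}') { $findings += "Base64-looking segment in '$href' (sign 4)" }
    }

    # Sign 5: the Received chain is newest-first, so the last entry is the originating hop;
    # Authentication-Results, when present, carries the SPF/DKIM/DMARC verdicts.
    $hops = @([regex]::Matches($headers, '(?im)^Received:\s*(.+)$') | ForEach-Object { $_.Groups[1].Value })
    if ($hops.Count -gt 0) {
        $ip = if ($hops[-1] -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $matches[1] } else { 'n/a' }
        $findings += "Originating hop: $($hops[-1]) [IP $ip] (sign 5)"
    }
    if ($headers -match '(?im)^Authentication-Results:.*\b(spf|dkim|dmarc)=(fail|softfail|none)') {
        $findings += "$($matches[1].ToUpper()) verdict is '$($matches[2])' (sign 5)"
    }
    return $findings
}

# Constructed sample message for the demonstration; sender, recipient, hosts and IPs are fictitious.
$sample = @'
Received: from mail.corp.example (mail.corp.example [198.51.100.10]) by mx.corp.example
Received: from [203.0.113.77] (unknown [203.0.113.77]) by mail.corp.example
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=evil.example
From: "it-helpdesk@corp.example" <noreply@evil.example>
To: user@corp.example
Subject: Action required: verify your password immediately

<html><body>Your mailbox will be closed within 24 hours.
<a href="https://evil.example/login?u=dXNlckBjb3JwLmV4YW1wbGUuY29tMTIzNDU2">login.microsoftonline.com</a>
</body></html>
'@

Get-PhishingSigns -RawMessage $sample | ForEach-Object { "- $_" }
```

Run against the constructed sample, it reports all four categories of finding; against your own messages, save the raw source (including headers) to a file and pass its contents as `-RawMessage`.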


Detecting Signs of a Phishing Website

If you do end up on a site by clicking one of those URLs in your email, the following tips can help you detect that it is a phishing site.

Yes, it would be really taxing to treat every email with suspicion, open every link in the email and verify the web page for signs of phishing.

If you are an Office 365 customer, Office 365 Advanced Threat Protection protects against phishing attacks by analyzing the URLs in emails and blocking access to malicious websites at the time of click.

If you’d like to see a short demo of how Office 365 ATP Safe Links protects against phishing attacks, check this video.

To learn more about the Safe Links capabilities of Office 365 ATP, check here.

PS: If you have not been able to figure out yet, Figure 2 is a phishing page 🙂



Originally Published On

Hello world!

Hello Everyone.

Welcome to the new destination of my blog.

This blog will be all about Cyber Security, Ethical hacking and of course some of the other computing hacks to make your digital lives more secure and efficient.

Stay tuned for some great technical articles, videos, how-tos and some leisurely talks.


The ZeroDay