SKILL: Week 7: Defeating Windows Security Boundaries
Metadata
- Skill Name: windows-boundaries
- Folder: offensive-windows-boundaries
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/7-windows-boundaries.md
Description
Windows security boundary taxonomy and attack surface enumeration: kernel/user boundary, sandbox boundaries (LPAC, AppContainer), COM/RPC boundaries, hypervisor boundary, trust level transitions. Use when planning privilege escalation paths, sandbox escapes, or understanding Windows security architecture.
Trigger Phrases
Use this skill when the conversation involves any of:
Windows boundaries, security boundary, kernel user boundary, sandbox escape, AppContainer, LPAC, COM boundary, RPC boundary, hypervisor, Hyper-V, privilege escalation, trust level
Instructions for Claude
When this skill is active:
- Load and apply the full methodology below as your operational checklist
- Follow steps in order unless the user specifies otherwise
- For each technique, consider applicability to the current target/context
- Track which checklist items have been completed
- Suggest next steps based on findings
Full Methodology
Week 7: Defeating Windows Security Boundaries
Overview
created by AnotherOne from @Pwn3rzs Telegram channel.
Week 6 taught you how mitigations work defensively. You'll learn to bypass the OS security policies and features that prevent your code from running, your processes from accessing protected resources, and your actions from being logged. This is distinct from Week 8, which teaches you how to bypass exploit mitigations (DEP, ASLR, CFG) once your code is already running.
Week 7 vs Week 8 - The Key Distinction:
- Week 7 answers: "Can my code execute at all?" - bypass AMSI, WDAC, ASR, AppContainers, integrity levels, PPL, ETW telemetry
- Week 8 answers: "Can my exploit succeed?" - bypass DEP, ASLR, stack cookies, CFG/XFG, heap safe-unlinking
This Week's Focus:
- Offensive reconnaissance and mitigation fingerprinting
- AMSI bypass and script-based attack techniques
- Protected Process Light (PPL) exploitation
- Sandbox, integrity level, and AppContainer bypass
- WDAC and Attack Surface Reduction (ASR) bypass
- ETW manipulation and telemetry blinding
- Kernel driver interaction fundamentals (preparation for Week 11)
Prerequisites:
- Completed Week 6: Understanding Modern Windows Mitigations
- Week 5: Basic exploitation techniques (stack overflow, ROP, heap)
- Familiarity with WinDbg, x64dbg, and IDA/Ghidra
- C/C++, Python, and assembly knowledge
Week 7 Deliverables
By the end of this week, you should have completed:
- Recon Tool: Built a mitigation fingerprinting tool
- AMSI Bypass: Implemented working AMSI bypass techniques
- PPL Research: Documented PPL bypass vectors
- Sandbox Escape: Bypassed AppContainer or integrity level restrictions
- WDAC/ASR Bypass: Demonstrated at least one WDAC and one ASR bypass
- ETW Blinding: Implemented ETW provider patching to suppress telemetry
- Driver IOCTL Lab: Loaded a test driver, sent an IOCTL, set a kernel breakpoint (Week 11 prep)
Day 1: Offensive Reconnaissance & Mitigation Fingerprinting
- Goal: Master target enumeration - fingerprint system and process mitigations to identify attack vectors.
- Activities:
- Reading:
- Windows Exploit Protection - Official mitigation documentation
- Process Mitigation Policies
- Override Process Mitigations via Policy
- Online Resources:
- Tool Setup:
- Process Hacker / System Informer
- WinDbg Preview with mitigation inspection scripts
- PE-bear / pestudio for binary analysis
- Exercise:
- Build comprehensive mitigation scanner
- Enumerate all protected processes on target
- Identify legacy/unprotected binaries for exploitation
- Reading:
Deliverables
- Build a comprehensive mitigation scanner
- Fingerprint process-level protections remotely
- Identify unprotected/legacy binaries on target
- Map kernel mitigation status
Target Mitigation Landscape
┌─────────────────────────────────────────────────────────────────┐
│ Offensive Reconnaissance: What to Enumerate │
├─────────────────────────────────────────────────────────────────┤
│ │
│ SYSTEM-LEVEL PROCESS-LEVEL │
│ ───────────── ───────────── │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ VBS/HVCI │ │ DEP/NX │ │
│ │ WDAC/CI │ │ ASLR │ │
│ │ Secure Boot │ │ CFG/XFG │ │
│ │ Credential │ │ CET/Shadow │ │
│ │ Guard │ │ ACG │ │
│ │ KDP │ │ CIG │ │
│ │ KASLR │ │ Child Process│ │
│ └──────────────┘ └──────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ Determines: Determines: │
│ - Kernel exploit - Shellcode execution │
│ feasibility - Code injection │
│ - Driver loading - ROP requirements │
│ - Credential theft - Process hollowing │
│ │
│ ATTACK SURFACE MAPPING │
│ ───────────────────── │
│ ├── Unprotected legacy binaries (no ASLR/DEP) │
│ ├── Signed but vulnerable drivers (BYOVD) │
│ ├── Processes running without ACG/CFG │
│ └── Kernel version -> known vulnerabilities │
│ │
└─────────────────────────────────────────────────────────────────┘
Mitigation Scanner
This scanner enumerates security boundaries on a Windows target. Why this matters: Before exploiting a target, you need to know which mitigations are active.
// unified_recon.c
// Combines system, process, binary, and policy analysis
// Compile: cl src\unified_recon.c /Fe:bin\unified_recon.exe advapi32.lib
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
// PE DLL Characteristics flags
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF 0x4000
void CheckSystemMitigations() {
printf("\n=== SYSTEM-LEVEL MITIGATIONS ===\n\n");
// Check VBS/HVCI via registry (more reliable than WMI)
printf("[*] Checking VBS/HVCI status...\n");