Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Purple Team Tactics: A Technical Look at Windows 10 Exploit Mitigations

  • Wednesday, April 15, 2020 at 10:30 AM EDT (2020-04-15 14:30:00 UTC)
  • Stephen Sims

You can now attend the webcast using your mobile device!



The defense and offense both need to understand exploit mitigations running on modern operating systems, but from different perspectives. The offense needs to understand ways to circumvent or defeat these mitigations, while the defense needs to know which ones are the most effective and any associated overhead that could negatively impact an application or system. Windows 10 includes a cutting edge exploit mitigation toolkit called Exploit Guard. This supersedes the deprecated Enhanced Mitigation Experience Toolkit (EMET) that is no longer supported. While some mitigations, such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) are enabled by default, many modern mitigations with Exploit Guard are disabled. It is often the case where administrators and users do not know enough about a mitigation to feel comfortable in turning it on as it could potentially break applications or increase processor overhead. Join me in this webcast where we will attempt to demystify these controls and look at some of the latest mitigations such as Control-flow Enforcement Technology (CET).

Speaker Bio

Stephen Sims

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant. He has spent many years performing security architecture, exploit development, reverse engineering, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking and co-author of SEC599: Defeating Advanced Adversaries Purple Team Tactics & Kill Chain Defenses. He holds the GIAC Security Expert (GSE) certification as well as the CISSP, CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.