Attacker Perspective: What the Adversary Sees

3-4 hours · Module 0 · Free
What you already know

Section 0.9 defined the maturity model — five levels from default configurations to continuously validated defenses, with NE at Level 1. This section closes the module by showing you what an attacker sees when they land on a Level 1 endpoint versus a Level 4 endpoint. The attacker's reconnaissance maps directly to the five-layer stack from Section 0.3, and their findings determine whether your environment is a soft target or a hostile one.

Scenario

A penetration tester compromises an NE endpoint through a phishing payload. Before deploying any tools, they run four commands that take 15 seconds total. The output tells them: Defender AV at default cloud protection, zero ASR rules configured, no Sysmon, no Credential Guard, no RunAsPPL. Their assessment: standard tradecraft will work without modification. They proceed with default Cobalt Strike, dump LSASS with comsvcs.dll, and use the shared local admin hash to move laterally to 12 additional endpoints — all within 20 minutes. On a Level 4 endpoint, the same four commands would have revealed a hostile environment that requires entirely different tooling and techniques at every phase.

The attacker's cost-benefit calculation

Attackers are rational operators. Every technique has a cost — complexity, time, noise generated, risk of detection — and a benefit — capability gained, objective advanced. The endpoint security configuration directly affects this calculation.

On an endpoint with default Defender settings, no ASR rules, no Credential Guard, and no Sysmon, the calculation is straightforward: use standard tools with minimal modification. Mimikatz default binary. Cobalt Strike with default malleable C2 profile. PowerShell Empire with standard payloads. The cost is low because the defense is low. MDE's built-in detections may catch known tool signatures, but default cloud protection and the absence of custom detections leave significant gaps for anything beyond commodity malware.

On an endpoint with ASR rules in block mode, Credential Guard enabled, Sysmon deployed, and custom detection rules in MDE, the calculation changes dramatically. Standard tools fail. Mimikatz cannot access LSASS because the ASR rule blocks the process handle and Credential Guard isolates the secrets. The attacker must use alternative credential access techniques — token theft from running processes, Kerberoasting against service accounts, or DCSync from a remote system with domain admin rights. Each alternative is more complex, requires higher privileges, takes longer, and generates more detectable artifacts. The AMSI bypass required for obfuscated PowerShell creates its own detection opportunity. The process injection required to evade EDR's userland hooks generates Sysmon Event ID 8 and Event ID 10. Every workaround creates a new detection surface.

This is the principle that underlies the adversary-aware approach in this course: every defensive control you deploy does not just prevent one technique — it forces the attacker to use an alternative technique that creates additional detection opportunities. The layered stack multiplies detection surface because each evasion attempt is itself detectable.

ATTACKER ENDPOINT RECONNAISSANCE — FIRST 60 SECONDS

CHECK 1: AV/EDR
    Get-MpComputerStatus; sc query WinDefend; tasklist (look for MsSense); cloud protection level
    Result: Defender + MDE sensor → decide evasion method. No EDR → proceed freely.

CHECK 2: ASR STATE
    Get-MpPreference; ASR rule IDs + states (0=off, 1=block, 2=audit, 6=warn)
    Result: all audit or off → use standard tradecraft. Block mode → change tools.

CHECK 3: LOGGING
    reg query logging config; Sysmon service running?; PS ScriptBlock logging?; event log sizes
    Result: default logging → anti-forensics optional. Sysmon → operate carefully.

CHECK 4: CREDENTIALS
    LSASS PPL status; Credential Guard active?; local admin → net use test; LAPS deployed?
    Result: no protection → dump LSASS, use hash. Protected → alternate path.

Figure ES0.10 — The attacker's first 60 seconds on a compromised endpoint. Four checks determine the attack path. Each "no protection" result simplifies the next step. Each "protected" result forces noisier, more detectable alternatives.

How each control changes the attacker's path

ASR LSASS rule in block mode. The attacker cannot dump LSASS memory using comsvcs.dll, Procdump, or other tools that open a handle to the LSASS process. Alternatives: Kerberoasting — request TGS tickets for service accounts and crack offline, which generates Kerberos event 4769 with encryption type 0x17. DCSync from a remote system — requires domain admin rights and generates Directory Service Access event 4662. Token theft from running processes — does not require LSASS access but provides only the tokens of currently running processes, not stored credentials. Each alternative is more complex, requires specific preconditions, and generates more detectable artifacts than a simple LSASS dump.

Credential Guard enabled. Even if the attacker bypasses the ASR rule and dumps LSASS, the NTLM hashes and Kerberos tickets are not present in LSASS memory — they are isolated in a virtualization-based security container that the OS kernel cannot read. The dump returns empty or partial results. Alternatives: attack the VBS container directly, which requires kernel-level exploitation against a hypervisor-isolated process. Use pass-the-ticket with existing tickets obtained through other means. Target credentials stored outside of LSASS — cached credentials in the registry, credential manager vault, browser password stores. Each alternative significantly raises the bar and provides fewer credentials than a successful LSASS dump would have.

Sysmon deployed. The attacker's operations generate detailed telemetry that persists in the Windows event log and forwards to Sentinel. Process creation with full command-line detail in Event ID 1. Network connections with source and destination in Event ID 3. Registry modifications in Event ID 12 and 13. File creation in Event ID 11. Process access — including injection attempts — in Event ID 10. The attacker can attempt to clear Sysmon logs, but the clearing attempt itself generates an event in the System log, and if events are forwarded to Sentinel, the cleared events already exist in the SIEM. Sysmon does not prevent attacks. It makes the attacker's operations visible at a level of detail that default Windows logging cannot match.

Custom detection rules in Advanced Hunting. Built-in MDE alerts catch known tool signatures and documented attack patterns. Custom detection rules catch the patterns specific to your environment that no vendor model covers. A custom rule that alerts when PowerShell is spawned by mshta.exe catches the CHAIN-ENDPOINT initial execution. A custom rule that alerts when comsvcs.dll is loaded by rundll32 with a MiniDump argument catches the LSASS credential dump. A custom rule that alerts when scheduled tasks are created by scripting engine parent processes catches the persistence mechanism. Each custom rule closes a gap that the attacker's standard tradecraft exploits. An environment with 20 custom detections covering the highest-priority ATT&CK techniques from the threat model presents a completely different detection surface than one with zero — the attacker's standard playbook triggers alerts at multiple phases of the chain.
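The three custom detections named above (and the Sysmon Event ID 1 telemetry they depend on) expressed as local matching logic, as an added example that is not the course's own code: it lets you validate the patterns against Sysmon process-creation records before writing them as Advanced Hunting rules. The rule names, the scripting-engine list and the sample records are constructed for illustration.

```powershell
# Added example, not the course's own code: the three custom detections named in
# this section expressed as matching logic over Sysmon Event ID 1 records, so the
# patterns can be validated locally before being written as Advanced Hunting rules.
# Rule names, the script-engine list and the sample records are constructed here.
$ScriptEngines = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

function Test-ProcessCreateRules {
    param([Parameter(Mandatory)] [pscustomobject] $Event)  # needs Image, ParentImage, CommandLine
    $image  = [System.IO.Path]::GetFileName($Event.Image).ToLower()
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLower()
    $cmd    = [string] $Event.CommandLine
    $hits   = @()
    # Rule 1: PowerShell spawned by mshta.exe (the chain's initial execution step)
    if ($parent -eq 'mshta.exe' -and $image -in @('powershell.exe', 'pwsh.exe')) { $hits += 'MshtaSpawnsPowerShell' }
    # Rule 2: rundll32 loading comsvcs.dll with a MiniDump argument (LSASS credential dump)
    if ($image -eq 'rundll32.exe' -and $cmd -match 'comsvcs\.dll' -and $cmd -match 'MiniDump') { $hits += 'ComsvcsMiniDump' }
    # Rule 3: scheduled task created from a scripting-engine parent (persistence)
    if ($image -eq 'schtasks.exe' -and $cmd -match '/create' -and $parent -in $ScriptEngines) { $hits += 'SchtasksFromScriptEngine' }
    return $hits
}

function Get-SysmonProcessCreate {
    # Projects live Sysmon Event ID 1 records onto the three fields the rules use.
    param([int] $MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml] $_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = ($data | Where-Object Name -eq 'Image').'#text'
            ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
}

# Constructed sample records (not real telemetry): one per rule plus a benign event.
$samples = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\mshta.exe'; CommandLine = 'powershell.exe <constructed>' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\rundll32.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <constructed>' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\schtasks.exe'; ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'schtasks.exe /create /tn Updater <constructed>' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe' }
)
foreach ($s in $samples) {
    $hits = Test-ProcessCreateRules $s
    '{0,-14} parent={1,-14} -> {2}' -f $s.Image.Split('\')[-1], $s.ParentImage.Split('\')[-1], $(if ($hits) { $hits -join ',' } else { 'no match' })
}
# Against the live log instead: Get-SysmonProcessCreate | Where-Object { Test-ProcessCreateRules $_ }
```

The first three samples each match exactly one rule and the notepad record matches none; the same three conditions translate directly to DeviceProcessEvents filters on FileName, InitiatingProcessFileName and ProcessCommandLine.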

The NE endpoint vs the target endpoint

The contrast between NE's current Level 1 endpoint and the Level 4 target makes the engineering value of this course concrete.

On NE's current endpoint, the attacker's recon returns: Defender AV at default cloud protection, zero ASR rules configured, no Sysmon service, no ScriptBlock logging, no Credential Guard, no RunAsPPL, shared local admin password (no LAPS). Every check returns the unprotected result. The attacker's assessment: standard tradecraft, no modifications needed, proceed at full speed. The cost of operating on this endpoint is near zero. The risk of detection is low — MDE's built-in alerts may fire on known signatures, but any tool modification or custom implant operates undetected.

CLI Output
AMRunningMode               : Normal
RealTimeProtectionEnabled   : True
BehaviorMonitorEnabled      : True
CloudBlockLevel             : 0    ← Default (not High/High+/ZeroTolerance)
AttackSurfaceReductionRules : (empty — zero rules configured)
Sysmon64 service            : not found
ScriptBlockLogging          : not found (default = disabled)
RunAsPPL                    : not found (default = disabled)
SecurityServicesRunning     : {}   ← Credential Guard not running

This is what the attacker sees. AV is running in Normal mode — real-time protection is on but cloud protection is at the default level, which means lower detection rates for unknown files. The ASR rules array is empty. Sysmon is not installed. ScriptBlock logging is not configured. Credential Guard is not running. Every line is a green light for the attacker's standard playbook. The distance between this output and the Level 4 target output — where every line returns a protected result — is the engineering work this course delivers.

On the target Level 4 endpoint, the same recon returns: Defender AV at High+ cloud protection with tamper protection, 14 ASR rules in block mode, Sysmon service active, ScriptBlock logging enabled, Credential Guard running, RunAsPPL configured, LAPS-managed unique local admin password. Every check returns the protected result. The attacker's assessment: standard tradecraft will fail at multiple phases. LSASS dump blocked by ASR and emptied by Credential Guard. PowerShell scripts visible through ScriptBlock logging and AMSI. Process chains recorded by Sysmon. Local admin hash valid on this device only. The attacker must use entirely different techniques at every phase — each of which is more complex, slower, and generates detectable artifacts that custom detection rules are designed to catch.

The engineering investment between these two states is the 90-day deployment plan from Section 0.7. The security improvement is not incremental — it is a qualitative transformation of the endpoint from a soft target that an attacker traverses in minutes to a hostile environment that forces the attacker to invest hours in evasion, with detection opportunities at every step. The attacker who could compromise NE's entire fleet in 20 minutes from a single phishing email now faces a stack where each phase requires a different bypass, each bypass generates telemetry, and each piece of telemetry feeds a detection rule that triggers an automated response. That is the architecture this course builds — not one control, but a system of controls where the attacker's workarounds for each control create the detection surface for the next.

PowerShell
# The attacker's 4 recon checks — run these on your own endpoint
# Check 1: AV/EDR status (CloudBlockLevel: 0=Default, 2=High, 4=High+, 6=ZeroTolerance)
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled,
    BehaviorMonitorEnabled, AntivirusEnabled, IsTamperProtected
Get-MpPreference | Select-Object CloudBlockLevel
# Check 2: ASR rule states (0=off, 1=block, 2=audit, 6=warn)
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions
# Check 3: Logging configuration (the Sysmon service is named Sysmon64 or Sysmon)
Get-Service Sysmon64, Sysmon -ErrorAction SilentlyContinue | Select-Object Name, Status
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
    -ErrorAction SilentlyContinue
# Check 4: Credential protection (RunAsPPL 1 or 2 = LSASS protected;
# SecurityServicesRunning containing 1 = Credential Guard running)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" `
    -ErrorAction SilentlyContinue
Get-CimInstance -ClassName Win32_DeviceGuard `
    -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object SecurityServicesRunning

Run these commands on your own endpoint and read the output as the attacker would. For each "not configured" or "default" result, identify the attack technique it enables. For each "configured" or "enabled" result, identify the alternative technique the attacker must use and the detection opportunity that alternative creates. At NE, every check returns the unprotected result — default AV, zero ASR, no Sysmon, no Credential Guard. The attacker proceeds with standard tradecraft. On a Level 4 endpoint, every check returns the protected result, and the attacker must solve four additional problems before they can achieve what standard tooling accomplishes in minutes on NE's endpoints.
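The four checks above folded into one posture function, as an added example that is not the course's own code: each check is scored Protected or OPEN, with the attacker's reading of an open result taken from the figure earlier in this section. The ASR rule id is the documented GUID of "Block credential stealing from the Windows local security authority subsystem"; the thresholds, wording and field choices are assumptions, and LAPS is not checked.

```powershell
# Added example, not the course's own code: the four recon checks from this section
# wrapped into one function that scores each check and states what an open result
# means for the attacker. The ASR rule id is the documented GUID of "Block credential
# stealing from LSASS"; thresholds, wording and field choices are assumptions, and
# LAPS is not checked. Run in an elevated PowerShell session on the endpoint.
function Get-EndpointPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $rows   = @()
    function New-Row($Check, [bool] $Protected, $Detail, $IfOpen) {
        [pscustomobject]@{
            Check = $Check; State = $(if ($Protected) { 'Protected' } else { 'OPEN' }); Detail = $Detail
            AttackerReads = $(if ($Protected) { 'standard tradecraft fails; change tools' } else { $IfOpen })
        }
    }

    # Check 1: AV/EDR. CloudBlockLevel: 0=Default, 2=High, 4=High+, 6=ZeroTolerance; MsSense = MDE sensor.
    $sense = Get-Process -Name MsSense -ErrorAction SilentlyContinue
    $avOk  = $status.RealTimeProtectionEnabled -and $status.IsTamperProtected -and
             ($pref.CloudBlockLevel -ge 4) -and ($null -ne $sense)
    $rows += New-Row 'AV/EDR' $avOk "RTP=$($status.RealTimeProtectionEnabled) Tamper=$($status.IsTamperProtected) Cloud=$($pref.CloudBlockLevel) MsSense=$($null -ne $sense)" `
                     'default tooling with minimal modification'

    # Check 2: ASR. Actions: 0=off, 1=block, 2=audit, 6=warn. The LSASS rule is looked up by id.
    $lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $lsassMode = -1   # -1 = rule not configured at all
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $lsassRule) { $lsassMode = [int] $acts[$i] } }
    $blocks = @($acts | Where-Object { [int] $_ -eq 1 }).Count
    $rows += New-Row 'ASR' ($lsassMode -eq 1) "rules=$($ids.Count) block=$blocks lsassRule=$lsassMode" `
                     'LSASS handle opens; dump with standard tools'

    # Check 3: Logging. Sysmon service running and ScriptBlock logging policy enabled.
    $sysmon = Get-Service -Name Sysmon64, Sysmon -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running'
    $sbl = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $rows += New-Row 'Logging' (($null -ne $sysmon) -and ($sbl -eq 1)) "Sysmon=$($null -ne $sysmon) ScriptBlock=$sbl" `
                     'minimal evidence; anti-forensics optional'

    # Check 4: Credentials. RunAsPPL 1 or 2 = LSASS protected; SecurityServicesRunning contains 1 = Credential Guard.
    $ppl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $cg  = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
    $rows += New-Row 'Credentials' (($ppl -in @(1, 2)) -and ($cg -contains 1)) "RunAsPPL=$ppl CredentialGuard=$($cg -contains 1)" `
                     'secrets readable from LSASS; local admin hash reused across the fleet'

    $open = @($rows | Where-Object State -eq 'OPEN').Count
    [pscustomobject]@{
        Checks = $rows; OpenChecks = $open
        Verdict = $(if ($open -eq 0) { 'hostile: every check protected' } else { "soft target: $open of 4 checks open" })
    }
}

$report = Get-EndpointPosture
$report.Checks | Format-Table Check, State, Detail, AttackerReads -AutoSize -Wrap
$report.Verdict
```

On the Level 1 endpoint described above every row reads OPEN and the verdict is "soft target: 4 of 4 checks open"; the Level 4 target returns four Protected rows.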

The first 5 minutes: proceed or pivot

When an attacker gains initial access — through a phishing attachment, a browser exploit, or stolen credentials — their first actions follow a predictable sequence that maps directly to the endpoint security controls from this course.

Minute 1: environment assessment. What AV is running? What version? Is real-time protection enabled? Is cloud protection at default or enhanced? The answer determines whether existing tooling needs modification. Default Defender is a softer target than High+ cloud protection with tamper protection enabled, because tamper protection means the attacker cannot disable Defender without Microsoft's cloud service detecting the attempt.

Minute 2: EDR and ASR check. Is the MDE sensor present (MsSense.exe in the process list)? Are ASR rules in block mode? The presence of an active EDR sensor means every process, network connection, and file operation is recorded. ASR rules in block mode mean specific attack techniques will fail on first attempt. The attacker's options narrow to: operate quickly and accept detection, use evasion techniques to blind the EDR, or pivot to a device without EDR — which is why 100% onboarding from Module ES2 is the first deployment priority.

Minute 3: privilege and credential assessment. Current privilege level — standard user or local admin. The attacker runs whoami /priv to see their token privileges. Standard user access limits the attacker to user-context operations without LSASS access, service installation, or driver loading — which eliminates most post-exploitation tradecraft. Local admin access opens the full attack path. LSASS protection status determines whether credential dumping is possible: RunAsPPL protects the LSASS process from unsigned code, the ASR LSASS rule blocks non-Microsoft processes from opening a handle, and Credential Guard isolates the secrets in a VBS container. The attacker checks all three because bypassing one protection does not bypass the others — they are independent controls that must each be defeated separately. LAPS deployment status determines whether a successfully obtained local admin hash grants access to one device or 865 devices. Each credential protection control independently removes an escalation or lateral movement path.

Minute 4: logging check. PowerShell ScriptBlock logging, Sysmon, advanced audit policies. The answers determine whether the attacker's subsequent actions will be recorded in forensic detail or leave minimal evidence. Sysmon's presence does not block the attacker but forces operational decisions: inject into existing processes rather than creating new ones to avoid Sysmon Event ID 1. Use named pipes for internal communication rather than network connections to avoid Event ID 3. Avoid registry modifications that generate Event ID 12 and 13. These operational constraints slow the attacker and limit their flexibility — every technique they avoid because of Sysmon is a technique they would have used on an unmonitored endpoint.

Minute 5: proceed or pivot. If the endpoint has full EDR, High+ AV, Sysmon, ScriptBlock logging, ASR enforcement, and standard user context, the attacker is in a hostile environment where every action is monitored, most standard techniques are blocked, and credential access requires solving multiple independent protection mechanisms. They either invest in sophisticated evasion — building custom tooling, using process injection chains, finding kernel-level bypasses — which is costly, slow, and generates detection artifacts at every step. Or they pivot to a less-protected endpoint, which is why 100% onboarding with consistent policy application across the fleet matters. An organization with 90% of endpoints at Level 4 and 10% at Level 1 has given the attacker a guaranteed soft target on every initial access attempt. The endpoint security architecture from this course makes every endpoint the hostile environment. When every endpoint is hostile, there is nowhere to pivot.

What we see in 90% of environments

The common belief is that attackers do not check endpoint security configuration — they "just run their tools." Commodity malware does not check. But human-operated attacks — ransomware operators, nation-state actors, red teams — absolutely assess the endpoint security posture before deploying primary tooling. Publicly documented post-exploitation frameworks include built-in commands for AV enumeration and evasion assessment. Leaked ransomware operator playbooks explicitly include endpoint security assessment steps. The attacker who checks your configuration and adapts is the attacker your configuration must be designed to frustrate.

Endpoint Security Principle

Every defensive control you deploy does not just prevent one technique — it forces the attacker to use an alternative that creates additional detection opportunities. The layered stack multiplies detection surface because each evasion attempt is itself detectable. ASR blocks the LSASS dump, forcing Kerberoasting, which generates Event ID 4769. Credential Guard empties the LSASS dump, forcing pass-the-ticket, which generates token anomalies. Sysmon records the injection attempt that bypasses EDR hooks. The attacker who bypasses one control walks into the detection range of another. That is the architecture this course builds.

Next

This completes Module 0. You now understand why defaults fail, how attack chains flow through the endpoint, what the five-layer stack provides, how to measure progress with engineering metrics, where NE stands today, and what the attacker sees when they land. Module 1 examines the OS internals that these controls operate on — the process model, LSASS architecture, registry attack surface, and security subsystem that make the defensive controls from this module possible.
