
Huntress Labs, known for its focus on managed service providers (MSPs) and small-to-medium business (SMB) security, made waves at IT Nation 2017 with its hands-on “Hacking Windows” training session. The workshop, led by former U.S. intelligence and offensive security experts, provided MSPs with practical insights into attacker methodologies, from initial access to data exfiltration. This article examines the technical aspects of the training, its relevance to modern threat detection, and how security professionals can apply these lessons.
Training Overview and Key Focus Areas
The “Hacking Windows” session at IT Nation 2017 covered four core attack vectors: initial access techniques, antivirus evasion, persistence mechanisms, and data exfiltration methods. Attendees practiced real-world scenarios, such as bypassing common Windows defenses and maintaining access in enterprise environments. According to Huntress Labs’ Medium post, the session was so well received that participants requested an extended 8-hour version [1].
Kyle Hanslovan (CEO), Chris Bisnett (Chief Architect), and John Ferrell (VP of ThreatOps) designed the training based on their combined experience in U.S. intelligence, red teaming, and vulnerability research [2]. The content reflected the Windows attack techniques prevalent at the time. Note that Zerologon (CVE-2020-1472), which is sometimes mentioned alongside this training [4], was not publicly disclosed until 2020 and therefore postdates the 2017 session; it should not be read as part of the curriculum.
Technical Relevance for Security Teams
The training emphasized practical Windows security weaknesses that remain relevant today. For example, it covered:
- Common misconfigurations in Windows Group Policy and Active Directory
- Techniques for evading Windows Defender and other endpoint protections
- Persistence methods using scheduled tasks, registry modifications, and service installations
These topics directly relate to contemporary attack patterns observed in ransomware incidents and APT campaigns. The BrakeSec podcast later discussed similar real-world cases, validating the training’s focus areas [5].
Defensive Applications and Recommendations
For security teams, understanding these attack methods informs better detection rules and hardening strategies. Key takeaways include:
| Attack Phase | Defensive Recommendation |
|---|---|
| Initial Access | Monitor for unusual process spawning from Office applications or scripts, e.g. an Office process launching cmd.exe, powershell.exe or a script host |
| Persistence | Audit scheduled tasks, services and Run keys for entries absent from a known-good baseline |
| Exfiltration | Implement egress filtering and monitor for large or unusual outbound transfers |
Huntress’ approach maps onto the MITRE ATT&CK framework: Valid Accounts (T1078) under Initial Access, Scheduled Task/Job (T1053) under Persistence, and Exfiltration Over Alternative Protocol (T1048) under Exfiltration.
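The Initial Access and Persistence rows of the table above, as a read-only host audit in PowerShell. This is an added example written for this page, not Huntress tooling and not material from the 2017 session. It assumes Windows PowerShell 5.1 or later run as administrator, Sysmon installed with process-creation logging (Event ID 1), and a hand-maintained $KnownGood allowlist; the allowlist contents and the function names are the example’s own placeholders, to be replaced with a baseline exported from a golden image.

```powershell
# Added example for this page (not Huntress code). Read-only host audit covering the
# Initial Access and Persistence rows of the table: Office apps spawning shells or
# script hosts, and tasks/services/Run keys that are absent from a known-good baseline.
# Assumes Windows PowerShell 5.1+ and Sysmon with Event ID 1 (ProcessCreate) logging.
#Requires -RunAsAdministrator

# ASSUMPTION: placeholder baseline. Replace with an export taken from a golden image.
$KnownGood = @('MicrosoftEdgeUpdateTaskMachineCore', 'OneDrive Standalone Update Task')

$OfficeParents      = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'

function Get-OfficeSpawnedProcesses {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name so the check survives Sysmon schema changes.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $parent = "$([IO.Path]::GetFileName($d['ParentImage']))".ToLower()
        $child  = "$([IO.Path]::GetFileName($d['Image']))".ToLower()
        if ($OfficeParents -contains $parent -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['User']; Parent = $parent
                               Child = $child; CommandLine = $d['CommandLine'] }
        }
    }
}

function Test-MicrosoftSigned([string]$PathName) {
    # Pull the executable out of a service command line ("C:\p\x.exe" -a  or  C:\p\x.exe -a),
    # expand %SystemRoot%-style variables and require a valid Microsoft Authenticode signature.
    # Noise filter only, not a trust decision: signed binaries can still be abused. An unquoted
    # path containing spaces will fail the lookup and be flagged, which is itself a finding.
    if (-not ($PathName -match '^"([^"]+)"' -or $PathName -match '^(\S+)')) { return $false }
    $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    return [bool]($sig -and $sig.Status -eq 'Valid' -and
                  $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Get-UnbaselinedPersistence {
    # Scheduled tasks: skip Microsoft's own tree for signal-to-noise while the baseline is
    # being built; attackers can create tasks under \Microsoft\ too, so widen this later.
    $tasks = Get-ScheduledTask | Where-Object {
        $_.TaskPath -notlike '\Microsoft\*' -and $KnownGood -notcontains $_.TaskName
    } | ForEach-Object {
        $t = $_
        [pscustomobject]@{
            Kind   = 'ScheduledTask'
            Name   = "$($t.TaskPath)$($t.TaskName)"
            Author = $t.Author
            Target = (($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ').Trim()
        }
    }
    # Services: anything not in the baseline whose binary is not Microsoft-signed.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $KnownGood -notcontains $_.Name -and -not (Test-MicrosoftSigned $_.PathName)
    } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Author = $_.StartName; Target = $_.PathName }
    }
    # Run/RunOnce keys for the machine, the current user and the WOW6432Node view.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            if ($KnownGood -contains $p.Name) { continue }
            [pscustomobject]@{ Kind = 'RunKey'; Name = "$key\$($p.Name)"; Author = ''; Target = $p.Value }
        }
    }
    @($tasks) + @($services) + @($run)
}

'== Office apps spawning shells or script hosts (last 24 h) =='
Get-OfficeSpawnedProcesses | Format-Table -AutoSize
'== Persistence entries missing from the baseline =='
Get-UnbaselinedPersistence | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Run it once on a freshly imaged machine and feed the output back into $KnownGood; after that, every entry it prints is either a change you made or one somebody else did. The Office-parent check is deliberately narrow (a shell or script host directly under an Office process); Office documents that drop a payload and launch it through a scheduled task or WMI will instead surface through the persistence half of the audit.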
Community Engagement and Ongoing Impact
Beyond the training, Huntress maintained active dialogue with the MSP community through Reddit AMAs and forum participation [2], [3]. This engagement helped translate the workshop’s technical content into actionable guidance for MSPs protecting SMB networks.
The company’s 2016 “Best Newcomer” award at IT Nation reflected its growing influence in the MSP security space [1]. Subsequent training sessions built on this foundation, addressing evolving threats like supply chain attacks and fileless malware.
Conclusion
Huntress Labs’ “Hacking Windows” training exemplified the value of hands-on, adversarial perspective training for security professionals. By demonstrating real attack techniques in a controlled environment, the session helped participants develop more effective detection and response capabilities. The methodologies covered remain pertinent to modern Windows security assessments and defensive strategies.
Security teams can apply these lessons by:
- Conducting regular red team exercises focused on Windows environments
- Reviewing detection coverage for common persistence mechanisms
- Participating in community knowledge-sharing forums
References
- “Huntress Labs to Host Hands-On ‘Hacking Windows’ Training for MSPs at IT Nation,” Huntress Labs on Medium, 2017. [Online]. Available: https://medium.com/huntresslabs/huntress-labs-to-host-hands-on-hacking-windows-training-for-msps-at-it-nation-afe8681c1192
- “AMA with the Founders of Huntress Labs,” r/msp AMA Thread, 2020. [Online]. Available: https://www.reddit.com/r/msp/comments/he1bm8/ama_with_the_founders_of_huntress_labs_thursday/
- “Weekly Promo Thread,” Reddit r/msp Promo Thread, 2019. [Online]. Available: https://www.reddit.com/r/msp/comments/d51xdz/weekly_promo_thread/
- “Cyber Attribution: The Mega Hacks of 2021,” Spitfire List, 2021. [Online]. Available: https://spitfirelist.com/news/cyber-attribution-the-mega-hacks-of-2021-and-the-existential-threat-of-blind-faith-in-bad-faith/comment-page-1/
- “Windows Server Hacking Techniques,” BrakeSec Education Podcast. [Online]. Available: https://toppodcast.com/podcast_feeds/brakesec-education-podcast/