# 🔐 ThreatLocker Cybersecurity Hero Bootcamp — Study Notes

Compiled from 3-3 Bootcamp Sessions (Parts 1 & 2) | Exam: March 5, 2026

---

## ⚡ QUICK CHEAT SHEET (Most Critical Exam Points)

| Topic | Key Fact |
|---|---|
| ThreatLocker definition | Zero-trust endpoint protection platform |
| Application Control | Deny by default |
| Storage Control | NO default deny — monitors everything |
| Network Control | NO default deny — must create it manually |
| Installation Mode | Only captures files written to disk, only useful during install |
| Learning Mode | Captures executions in memory; ignores temp/downloads/desktop/documents |
| Default policy refresh | 60 seconds |
| Rapid Check | Every 5 seconds for 5 minutes |
| Default learning period | 21 days before going to control |
| Default session timeout | 30 minutes (max 24 hours) |
| Authorization Host port | 8810 |
| Objects port | 8811 |
| IDP-initiated SSO | NOT supported — SP-initiated only |
| Detect trigger | Activates on execution, not download |
| Detect policies | 900+ based on MITRE ATT&CK |
| Flat policy structure | NOT retroactive — must opt in for existing tenants |

---

## 1. 🏢 Platform Overview

- ThreatLocker = Zero-trust endpoint protection platform
- Core question: "Do you actually have control?" — yes or no
- Exam questions are scenario-based and practical, not trivia

### Platform Modules

- Application Control
- Storage Control
- Network Control
- Elevation Control
- Ring Fencing
- Configuration Manager
- Patch Management
- Web Control
- ThreatLocker Detect (EDR)

---

## 2. 🖥️ Agent Installation

- OS support: Windows (7+), macOS, Linux
- Legacy: Windows 7 and Windows Server 2008+ supported
- Deployment methods: SCCM, RMM, scripts, manual install, portal email/Teams link
- Must be elevated to install
- ⚠️ Must DISABLE tamper protection before uninstalling
- MSI switches available for flexible deployments (control group, sub-org, container)
- Deleting a device from the portal does NOT uninstall the agent — it only drops the key/policy
  - Device will recreate itself in the same group when it reconnects
  - If it fails, it goes to an orphaned organization managed inside the portal

---

## 3. 🖥️ VDI Deployments

| Type | Approach |
|---|---|
| Persistent VDI | Treat like a regular machine |
| Non-persistent VDI | Install engine on the golden/built image |
| Non-persistent (longer lifecycle, 3-6 months) | Remove 3 things before cloning: Device ID, Auth Key (2 registry keys), TK Lab App |

- Non-persistent: only one entry on devices page; unique references in unified audit
- If migrating RMMs: identifiers must match to avoid duplicate sites

---

## 4. 🧭 Portal Navigation

| Section | Purpose |
|---|---|
| Response Center | Approvals, alerts from Detect/EDR |
| Unified Audit | Cross-module logging — most important tool |
| Health Center | Misconfigurations, patch status, posture |
| System Audit | Every admin change made in the portal |
| Defense Against Configurations (DAC) | Line-by-line compliance checks |

💡 DAC was originally called "dumbass considerations" — rebranded for marketing

---

## 5. 👤 Users, Access & SSO

- Login restrictions (country, IP) applied TOP DOWN — first rule wins
- IDP-initiated SSO: NOT SUPPORTED — SP-initiated only
- SMS MFA being deprecated on portal — use authenticator app, SSO, or IDP
- Default session timeout: 30 minutes (configurable up to 24 hours)
- Admin role default: scoped to the site they were invited to
  - To grant access to ALL sites: change role scope from specific site → "All"
- ThreatLocker support access: full control by default
  - Visible via Help button → bottom of flyout
  - You control how long they have access
- HIPAA compliance mode: locks site to US-only access — even ThreatLocker staff outside US cannot access

---

## 6. ⚙️ System Settings

- Branding: Full white-label — logo/icon updates take ~5 minutes to propagate
- Proxy/Air-gap: If any LAN endpoint can reach internet, proxy solution available
- TLS 1.2: Relay service available for old machines that can't support it
- Policy refresh: Every 60 seconds (default, can be changed)
- Rapid Check: Right-click tray icon → checks every 5 seconds for 5 minutes

---

## 7. 🗂️ Groups & Computers

- Update channels: Slow and Steady | Expedited | Pre-releases Only | Manual
- Recommended: split IT/Dev from general population
- Moving machine between groups: device-level policies stay with the machine
- Default new machine learning period: 21 days before going to control
- Computer-level policies (default since 2023): better hygiene, smaller footprint
  - Pre-2023: workstation-level learning caused thousands of unrelated policies
- Redirect URL (group settings): When user clicks Send on a request, redirect to a custom page (e.g., ServiceNow form)

### Template Organizations

⚠️ EXAM TIP: Search "template" in ThreatLocker Knowledge Base

- Allows MSPs to build policies once (QuickBooks, common tools) and auto-apply to all new client deployments
- All policies/configs copied down to new sites on creation
- Massively underutilized — huge time saver

---

## 8. 🔧 Maintenance Modes — CRITICAL SECTION

⚠️ TIMING IS EVERYTHING for installation and learning modes

### Mode Comparison

| Mode | What It Captures | Ignores |
|---|---|---|
| Default Learning | Executions (memory) | Temp, Downloads, Desktop, Documents |
| Scheduled Learning | Everything that executes | Nothing |
| Installation Mode | Files written to disk | Executions |
| Monitor Only | Logs everything | Learns nothing |

### 🔑 Installation Mode

- Captures files as they are written to disk
- ONLY useful while the installer wizard is actively running
- ❌ Turning it on AFTER the install = useless
- ❌ Approving only the installer .exe hash = endless approval loop (176+ DLLs still blocked)

### 🔑 Learning Mode

- Captures executables that run in memory
- Does everything installation does PLUS captures executions
- ❌ Turning on AFTER install = only captures ~10 of 176 files on first launch
- ✅ Must re-run the installer while in learning/installation mode

### Monitor Only

- Agent still installed and logging
- Use Unified Audit to see what WOULD have been blocked
- No learning, no policies built

### Network/Storage Control Monitor Only

- Same concept — simulates blocks without enforcing

---

## 9. 📊 ShareX Pitfall Example (Exam Scenario)

ShareX installs ~176-177 files.

| Mistake | Result |
|---|---|
| Approve only installer hash | Installer runs, then every DLL blocks |
| Skip installation mode | Miss all 176 files written to disk |
| Turn on learning AFTER install | Only ~10 of 176 files captured on first launch |
| ✅ Correct approach | Be in installation OR learning mode BEFORE running installer |

---

## 10. 📋 Baseline Scan & Active Learning

- Runs on initial agent install
- EXCLUDES: temp files, downloads, desktop, documents
- Unified Audit action type: "Baseline" — shows everything learned
- Review after a few days post-install
- Active Learning: Automatically captures new executions and auto-updates after baseline is complete

---

## 11. 📜 Policies — Built-in vs. Custom

| Type | Description |
|---|---|
| Built-in | Managed by ThreatLocker's team, auto-updated |
| Custom | Created by you for your specific environment |

- Often need both (e.g., Intune built-in + custom Intune Management Extension)
- ✅ Browsers (Chrome, Edge, etc.): Built-in ONLY — no custom needed
- ✅ Microsoft Office: Built-in ONLY — no custom needed
- ❌ Never create a custom rule for an installer file if a built-in exists

### Flat Policy Structure

⚠️ NOT retroactive — existing tenants must opt in manually

- Previously: could NOT override a higher-level policy
- Now: can override global/board-level deny with machine or group-level permit
- New site deployments: flat policy structure is default
- Web Control was built with flat policy structure from day one
- Search "flat policy structure" in ThreatLocker Knowledge Base

---

## 12. ✅ Application Control

- Deny by default
- Unified Audit action types:
  - Baseline — initial scan
  - Install — files written to disk
  - Execute/Learn — executions captured
  - Deny — simulated or real block
- Response Center → Approved → Include Child Orgs → search .team to audit repeated approvals

---

## 13. 🔒 Ring Fencing

- Accepts: URLs, IPv4, IPv6
- Tags: Update one location → updates everywhere it's used
  - ⚠️ Tags are NOT auto-created during learning — must create manually
- Links all modules together (bread and butter of the platform)

---

## 14. 💾 Storage Control

- NO default deny — monitors everything by default
- Monitors: reads, writes, moves, deletes — all in unified audit
- ⚠️ Must click DEPLOY for policy to take effect
- Windows NTFS permissions can't stop system-level compromise — ThreatLocker can
- Now available at global policy level (added late 2023)

### Key Use Cases

- Protect backup databases — only the backup tool should read/write to them
- Protect financial shares, mapped drives, local folders
- Prevent browsers from accessing saved password files

### Policy Options

- Action: Read/Write or Write only
- Selected paths, selected programs
- Can specify individual processes (e.g., only notepad.exe can access a folder)

---

## 15. 🌐 Network Control

- Endpoint-level firewall
- Focus on inbound connections first (greatest risk)
- NO default deny — must create it yourself after configuring
- Still simulates denies for network control

### 4 Ways to Specify Connections

1. IP address
2. Tags
3. Ring Fencing
4. Objects

### Default Ports — MEMORIZE THESE

| Port | Purpose |
|---|---|
| 8810 | Authorization Hosts (listening port) |
| 8811 | Objects (handshake/API) |

⚠️ These ports CANNOT be changed

### Objects vs. Authorization Hosts

| Feature | Objects | Authorization Hosts |
|---|---|---|
| Direction | Upstream only | Any direction |
| Between siblings? | ❌ No | ✅ Yes |
| Use case | Org → child | Sister companies, split tunnel VPN |

### Split Tunnel VPN / Land Hopping

- All employees share the same IP → agent can't distinguish
- Use Authorization Hosts to handle this correctly

### Handshake Process

1. Device checks if port is open
2. Sends packet with: port, action, hashed password
3. ThreatLocker validates all info
4. Opens port → connection established
5. Normal handshake completes (~2 seconds)

---

## 16. ⚙️ Configuration Manager

- Like Active Directory Group Policy + Intune, but script-based
- Agent checks every 5 minutes — if config drifted, auto-reverts
- Policy not configured = not enforced
- Works for both domain-joined AND workgroup machines

### Policy Categories

- Local built-in account management
- OS security (event log tracking)
- Application security
- Network protocol security (disable Windows features)
- Zero-day security policies
- ADR policies (PrintNightmare was one of the first added)

---

## 17. 🩹 Patch Management

⚠️ EXAM TIP: There WILL be a question on patch management

### Where to See Patch Status

1. Individual device (Computers page)
2. Health Center (org-wide)
3. Patch Management portal (full control)

### Key Behavior

- Patch delay + offline device: If device is offline during scheduled patch window → waits until next scheduled day → patches immediately when back online
- Recommended: test group first → then full org on separate schedule
- Can patch on-demand or via schedule

---

## 18. 🌍 Web Control

- Content filter / URL filtering
- Agent-based = follows users everywhere (home, coffee shop, remote)
- Default blocked: Known malware sites (out of the box)
- Dashboard: Shows visit COUNT — cannot show time spent on a page

### Browser Extension

- Off by default — push via Intune/RMM/SCCM
- Allows end users to request access to blocked sites
- Incognito mode: Extension off by default — enable via Intune/SCCM
- To enable: Organizations → ⚙️ icon → Options → "Create browser web control extension" → restart services

### DNS Server

- Available for non-managed devices ONLY
- ⚠️ Never point managed devices to it — can't determine what caused a block

### Policy Hierarchy

- Flat policy structure from day one
- Top-down: Marketing can have social media; everyone else blocked

---

## 19. 🕵️ ThreatLocker Detect (EDR — Endpoint)

- Activates on EXECUTION — not on download
- Detect policies apply regardless of endpoint state (learning, monitor, etc.)
- OS support: Windows 7+, Windows Server 2008+, Windows 11 all versions
- 900+ pre-built policies based on MITRE ATT&CK framework
- Least resource-intensive EDR — already has context from other modules

### Disable Detect State

- Use when doing legitimate admin work that looks malicious (advanced IP scanning, privilege escalation, etc.)

### Retroactive Analysis

- If 90-day log retention enabled → turning on Detect retroactively reviews all historical logs

### 🔥 Power Feature: Cross-Module Triggers

Detect can automatically trigger other module controls:

- Example: 200+ file writes in 5 minutes → stop all writes (ransomware response)
- Example: Unauthorized tool touches backup DB → immediately lock down machine

### Actions Available

| Action | Description |
|---|---|
| Alert | Notify team |
| Lock Down | Uses modules to stop executions/writes/network traffic |
| Isolate | Pulls device off network entirely |
| Request MDR Monitoring | Submits IOC to ThreatLocker MDR team |

⚠️ Lock Down ≠ Isolation

- Lock Down: uses modules to stop malicious activity while keeping business running
- Isolation: removes device from network entirely

### MDR (Managed Detection & Response)

- ThreatLocker team monitors 24/7
- "Request Monitoring" button → engineer reviews → MDR team takes over

---

## 20. ☁️ Cloud Detect & Cloud Control

### Cloud Detect

- Monitors Microsoft 365 tenant
- Requires: Microsoft tenant integration
  - P1 license = detection
  - P2 license = full Detection & Response
- Detects: impossible travel, unusual mail forwarding, compromised accounts

### Cloud Control

- Requires: P1 license
- Creates/maintains Named Location Policy in Azure AD
- Continuously updates with known-good IPs from your environment
- If user is phished and attacker logs in from different IP → blocked (IP not in Named Location Policy)
- Protection BEFORE detection — proactive, not reactive

---

## 21. 🛡️ Defense Against Configurations (DAC)

- Checks environment for misconfigurations line by line
- Each check shows exactly what it's looking for
- Can check child organizations (checkbox available)
- Goes through compliance frameworks automatically
- May check for specific Network Control policies, not just GPO settings

---

## 22. ⚠️ Common Pitfalls (Likely Exam Scenarios)

1. ❌ Turning on Installation Mode AFTER installer runs → misses all files written to disk
2. ❌ Approving only the installer hash → perpetual approval loop (all DLLs still blocked)
3. ❌ Using Learning Mode without re-running the installer → captures ~10 of 176 files
4. ❌ Not using Template Organizations → rebuilding same policies for every client
5. ❌ Deleting device from portal → does NOT uninstall agent (just drops key/policy)
6. ❌ Pointing managed devices to optional DNS server → can't determine what caused the block
7. ❌ Creating custom app definition when built-in exists → unnecessary duplication/conflicts
8. ❌ Not protecting backup locations with Storage Control → major security gap
9. ❌ Turning on Installation Mode too early (before install wizard opens) → misses install window

---

## 23. 🔢 Numbers to Memorize

| Value | What It Is |
|---|---|
| 8810 | Authorization Host port |
| 8811 | Objects port |
| 60 seconds | Default policy refresh |
| 5 seconds / 5 minutes | Rapid Check interval |
| 21 days | Default learning period for new machines |
| 30 minutes | Default session timeout |
| 24 hours | Maximum session timeout |
| 176-177 | Files ShareX writes to disk |
| 5 minutes | Config Manager check interval |
| 900+ | Pre-built Detect policies |
| 2023 | Year computer-level learning became default |

---

## 24. 🧠 Behavioral Use Cases (Detect Chain Examples)

### Departing Employee Monitoring

1. Detect monitors personal cloud storage usage (unsanctioned)
2. If matched AND mass data deletion observed → trigger alert + MDR monitoring

### Content Filtering Trigger

- User launches TikTok 50x in an hour → Web Control denies social media for that user for 1 day

### Ransomware Response

- 200+ file writes in 5 minutes → stop all writes automatically

### Backup Protection

- Anything other than approved backup tool touches backup DB → lock down machine immediately

---

Good luck on your exam tomorrow! You've got this! 🌸
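The threshold-style Detect chains described in the Cross-Module Triggers section and in the Behavioral Use Cases above (200+ file writes in 5 minutes, TikTok launched 50x in an hour) all reduce to the same detection pattern: count matching events per device inside a sliding time window and fire a response the first time the count reaches the threshold. The block below is an added illustration of that logic, not ThreatLocker code and not the product's policy format. The rule dictionaries, the event tuple layout, the device names (WS-01 to WS-03), and the response labels are all constructed for the example; the thresholds and windows are the ones the notes give.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, device, action, target).
# WS-01 shows a ransomware-like burst, WS-02 shows a normal spread of
# writes, WS-03 shows a user hammering a social-media site.
def generate_events():
    base = datetime(2026, 3, 4, 9, 0, 0)
    events = []
    # WS-01: 250 file writes inside 3 minutes (constructed burst)
    for i in range(250):
        events.append((base + timedelta(seconds=i * 0.72), "WS-01",
                       "file_write", "C:\\Users\\alice\\Documents\\doc%d.docx" % i))
    # WS-02: 150 file writes spread evenly over 60 minutes (constructed, benign)
    for i in range(150):
        events.append((base + timedelta(seconds=i * 24), "WS-02",
                       "file_write", "C:\\Users\\bob\\Work\\report%d.xlsx" % i))
    # WS-03: 50 visits to tiktok.com inside 30 minutes (constructed)
    for i in range(50):
        events.append((base + timedelta(seconds=i * 36), "WS-03",
                       "web_visit", "https://www.tiktok.com/"))
    events.sort(key=lambda e: e[0])
    return events

# Hypothetical rule definitions mirroring the thresholds in the notes.
# "match" restricts a rule to targets containing the substring.
THRESHOLD_RULES = [
    {"name": "ransomware_burst", "action": "file_write",
     "threshold": 200, "window": timedelta(minutes=5), "response": "lock_down"},
    {"name": "social_media_abuse", "action": "web_visit", "match": "tiktok.com",
     "threshold": 50, "window": timedelta(hours=1), "response": "deny_social_media_1d"},
]

def evaluate(events, rules):
    """Sliding-window threshold evaluation.

    Returns {rule_name: [(device, trigger_time, response), ...]}.
    Each rule fires at most once per device, at the event that first
    brings the in-window count up to the threshold.
    """
    windows = defaultdict(deque)   # (rule, device) -> timestamps in window
    fired = defaultdict(list)
    already_fired = set()
    for ts, device, action, target in events:
        for rule in rules:
            if action != rule["action"]:
                continue
            if rule.get("match") and rule["match"] not in target:
                continue
            key = (rule["name"], device)
            if key in already_fired:
                continue
            q = windows[key]
            q.append(ts)
            # Drop timestamps that have aged out of the trailing window.
            while q and ts - q[0] > rule["window"]:
                q.popleft()
            if len(q) >= rule["threshold"]:
                fired[rule["name"]].append((device, ts, rule["response"]))
                already_fired.add(key)
    return dict(fired)

if __name__ == "__main__":
    for name, hits in evaluate(generate_events(), THRESHOLD_RULES).items():
        for device, ts, response in hits:
            print(f"{name}: {device} at {ts.time()} -> {response}")
```

WS-02 never trips the ransomware rule because its 150 writes put only about 13 events in any 5-minute window, which is the property a defender wants: the burst rate, not the daily total, is what distinguishes encryption activity from normal work. The per-device deque is what keeps the check cheap on a busy endpoint.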