Instructor: Joff Thyer
Course Length: 16-Hours
Format: Live Online or On-Demand

DESCRIPTION
As penetration testers, we all have a need to establish command and control channels in our customer environments. This can be done under the guise of an “assumed compromise” context or in a more adversarial Red Team context. The age of endpoint detection and response (EDR) solutions and application whitelisting has created significant barriers to commodity/well known malware deployment for adversarial exercises.
This class focuses on the demonstration of an Open Command Channel framework called “OpenC2RAT”, and then developing, enhancing, and deploying the “OpenC2RAT” command channel software into a target environment. Students will learn about the internal details of a command channel architecture and methods to deploy in an application-whitelisted context. The class will introduce students to blocks of code written in C#, GoLang, and Python to achieve these goals. In addition, the class will introduce some ideas to deploy existing shellcode such as Cobalt Strike Beacon or Meterpreter within a programmed wrapper to enhance success in the age of modern endpoint defense. Many of the techniques introduced in this class can be used to evade modern defensive technologies.
KEY TAKEAWAYS
- Insight into command channel architecture
- The ability to leverage different programming languages to execute custom malware
- A diversity of solutions for establishing command channels
WHO SHOULD TAKE THIS COURSE
- Penetration testers
- Any security professionals who want to know the inner workings on malware.
- This class will help any organization that wants to start emulating advanced malware to test their defenses and detective capabilities.
AUDIENCE SKILL LEVEL
Basic scripting skills in a language such as Python and a willingness to use Visual Studio IDE for code modification will be advantageous. Students should have a familiarity with penetration testing tools, techniques, and procedures as well as a conceptual understanding of HTTP RESTful/JSON technology.
STUDENT REQUIREMENTS
- High-speed Internet connectivity
- Ability to connect to remote Azure deployed desktops
SUGGESTED PREREQUISITE READING LIST
- https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
- https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
- https://docs.microsoft.com/en-us/dotnet/csharp/tutorials/intro-to-csharp/
- https://www.python.org/about/gettingstarted/
- https://golang.org/doc/tutorial/getting-started
WHAT EACH STUDENT SHOULD BRING
- A laptop that supports Windows Remote Desktop protocol.
WHAT STUDENTS WILL BE PROVIDED WITH
- Access to a GitHub code repository with source code samples
- Access to a PDF copy of all slideware
Live Online
Learn via live stream from instructors that are in the field utilizing the techniques they teach. Classes are split into four training days that are each four hours long. Live Online training includes six months access to dedicated class channels in the Antisyphon Discord server, six months access to live class recordings, a certificate of participation, and 12 months complimentary access to the Antisyphon Cyber Range.
On-Demand
Learn at your own pace with access to course content, lectures, and demos in the Antisyphon On-demand learning platform. Most courses are offered with lifetime access to the course and content updates. All On-demand courses include content update alerts, access to dedicated support channels in the Antisyphon Discord server, a certificate of participation, and 12 months complimentary access to the Antisyphon Cyber Range.
Live Online w/ On-Demand Bundle
This is the best of both worlds! Attend the live online class at its next scheduled interval and gain access to the online training modules in the Antisyphon On-demand training platform. Bundle also includes six months access to dedicated class channels in the Antisyphon Discord server, six months access to live class recordings, a certificate of participation, and 12 months complimentary access to the Antisyphon Cyber Range.
TRAINER & AUTHOR

Joff Thyer has been a penetration tester and security analyst with Black Hills Information Security since 2013. Prior to joining the InfoSec world, he had a long career in the IT industry as a systems administrator and an enterprise network architect. He has an Associate’s in Computer Science, a B.S. in Mathematics, and an M.S. in Computer Science, as well as several certifications. The best part of a penetration test for Joff is developing sophisticated malware that tackles defensive solutions, ultimately delivering exciting wins for company engagements. He has extensive experience covering intrusion prevention/detection systems, infrastructure defense, vulnerability analysis, defense bypass, source code analysis, and exploit research. When Joff isn’t working or co-hosting the Security Weekly podcast, he enjoys making music and woodworking.
LIVE ONLINE CLASS SCHEDULE
Tue, June 7, 2022 11:00 AM – 4:00 PM ET
Wed, June 8, 2022 12:00 PM – 4:00 PM ET
Thu, June 9, 2022 12:00 PM – 1:00 PM ET
Fri, June 10, 2022 12:00 PM – 4:00 PM ET
Tue, July 26, 2022 11:00 AM – 4:00 PM ET
Wed, July 27, 2022 12:00 PM – 4:00 PM ET
Thu, July 28, 2022 12:00 PM – 1:00 PM ET
Fri, July 29, 2022 12:00 PM – 4:00 PM ET