
Offensive Development w/ Greg Hatcher & John Stigerwalt

Instructors: Greg Hatcher & John Stigerwalt
Course Length: 16 Hours

Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.


Course Description

Dive deep into cutting-edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work in order to mitigate their effectiveness and hide deep within code on the endpoint. The days of downloading a binary from the internet and pointing it at a remote machine are over. Today's defenses often call for multiple bypasses within a single piece of code.

This course is designed to take you deep into defensive and offensive tooling: an apex attacker must know the indicators of compromise (IOCs) they are creating and the artifacts they are leaving behind.

Course Syllabus

Day 1: Understanding Modern Defenses

  • Hiding from the Import Address Table (IAT)
  • Dynamically Building Your Strings
  • Defeating string detection via encryption
  • Finding EDR’s DLL
  • Unhooking EDR products
  • .NET and Assembly.Load
  • Obfuscating .NET assemblies and their IOCs
  • AMSI bypass
  • ETW bypass

Day 2: Process Injection & Cobalt Strike

  • Process Injection Variants
  • Malleable C2 Profiles
  • Beacon Object Files
  • Cobalt Strike IOCs
  • Attacking AV/EDR Products
  • Dumping LSASS in 2022
  • Making the final binary to bypass multiple EDR products

Key Takeaways

Learn the IOCs and artifacts left behind by off-the-shelf tooling. Without understanding the defender's capabilities, an attacker brings little value to a red team engagement.

Who Should Take This Course

Anybody who is deeply passionate about red teaming and has a strong desire to learn.

Audience Skill Level

Anyone! This is an intermediate-level course, however, so a background in C programming, Windows internals, .NET programming, and how AV/EDR products work would be useful.

Student Requirements

Students will be required to have an AWS account; some background in .NET and modern red team TTPs will be helpful.

What Each Student Should Bring

High-speed Internet connection

What Students Will Be Provided With

For the duration of the course, students will be given access to a private, fully immersive cloud cyber range hosted in AWS. In addition to receiving course slides, students will receive hands-on training with commercial products, including the Cobalt Strike C2 platform. To keep this course industry-relevant and realistic, students will be developing bypasses for multiple EDR products.

Lab Environment

Students will have access to their own lab environment in AWS that consists of the following:

  • Windows Server 2019 running Sophos Intercept X EDR
  • Ubuntu Cobalt Strike Team Server
  • Windows 10 Development Machine
  • Kali Linux
  • Fully Patched Windows 10 Machine

Trainers & Authors

Greg Hatcher

Greg Hatcher’s time in Army Special Operations and teaching at the NSA gives him a unique background for conducting full-scope offensive cyber operations. He has led penetration tests and red team engagements that include network, cloud, mobile, web app, and API technologies. He has authored and taught courses at DerbyCon and Calvin University. When he’s not hacking the planet, he’s spending time with his family or trail running.

John Stigerwalt

During the last 10 years, John Stigerwalt has worked in the following roles: blue team lead, developer, senior penetration tester, and red team lead. Focused mostly on exploit development and offensive cyber operations, he has led red team engagements in highly complex Fortune 500 companies. He has worked hand-in-hand with Microsoft to increase kernel security for the Windows 10 operating system. He has led training at Black Hat and DerbyCon. When not pwning boxes, you can find him harvesting maple syrup or spending time with his family.

Live Training Events

There are no sessions of this course currently on our schedule.

Please keep an eye on the Live Training Calendar page for updates, or Contact Us for a private training session.

Copyright © 2023 Antisyphon