Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.
This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the own indicators of compromise (IOCs) they’re creating and the artifacts they’re
Day 1 – Understanding Modern Defenses
• Hiding from the Import Address Table (IAT)
• Dynamically Building Your Strings
• Defeating string detection via encryption
• Finding EDR’s DLL
• Unhooking EDR products
• .NET and Assembly.Load
• Obfuscating .NET assemblies and their IOCs
• AMSI bypass
• ETW bypass
Day 2 – Process Injection and Cobalt Strike
• Process Injection Variants
• Malleable C2 Profiles
• Beacon Object Files
• Cobalt Strike IOCs
• Attacking AV/EDR Products
• Dumping LSASS in 2022
• Making the final binary to bypass multiple EDR product
Learn the IOCs and artifacts of using off-the-shelf tooling. Without understanding the defender’s capabilities, an attacker brings little value to a red team engagement.
WHO SHOULD TAKE THIS COURSE
Anybody that is deeply passionate about red teaming and has a strong desire to learn
AUDIENCE SKILL LEVEL
This is an intermediate level course – a background in C programming, Windows Internals, .NET programming, and how AV/EDR products work would be useful.
Students will be required to have an AWS account, and some background in .Net and modern red team ttps will be helpful.
WHAT EACH STUDENT SHOULD BRING
High-speed Internet connection
WHAT STUDENTS WILL BE PROVIDED WITH
For the duration of the course, students will be given access to a private, fully immersive cloud cyber range hosted in AWS. In addition to receiving course slides, students will receive hands-on training with commercial products, including the Cobalt Strike C2 platform. To keep this course industry-relevant and realistic, students will be developing bypasses for multiple EDR products.
Students will have access to their own lab environment in AWS that consists of the following:
• Windows Server 2019 running Sophos Intercept X EDR
• Ubuntu Cobalt Strike Team Server
• Windows 10 Development Machine
• Kali Linux
• Fully Patched Windows 10 Machine
TRAINER & AUTHOR
His time in Army special operations and teaching at the NSA gives him a unique background for conducting full-scope offensive cyber operations. He has led penetration tests and red team engagements that include network, cloud, mobile, web app, and API technologies. He has authored and taught courses at DerbyCon and Calvin University. When he’s not hacking the planet, he’s spending time with his family or trail running.
During the last 10 years he has worked in the following roles: blue team lead, developer, senior penetration tester, and red team lead. Focused mostly on exploit development and offensive cyber operations, he has led red team engagements in highly complex Fortune 500 companies. He has worked hand-in-hand with Microsoft to increase kernel security for the Windows 10 operating system. He has led training at BlackHat and DerbyCon. When not pwning boxes, you can find him harvesting maple syrup or spending time with his family.