top of page

Advanced Threat Emulation: Evasion by BC Security  

Date: April 13 & 14 2023
On-Site (In Person)
2 Day

Training Abstract

This class will explore the theory behind malware obfuscation, starting with the Theory of Code
Obfuscation and how it applies to Tactics, Techniques, and Procedures (TTPs) implemented by
modern Advanced Persistent Threats (APTs). We will examine everything from standard
variable obfuscation to control flow manipulation to data procedurization. Throughout the
course, students will apply obfuscation theory to practical applications in hands-on labs.
Windows presents a vast attack surface and provides the Blue Team with many detection
opportunities. Students will learn about evading Blue Team hunters by first learning how to build
detections and then masking their signatures and exploiting indicators to decrease their
detection probability. By the end of the course, students will be equipped with the knowledge to
obfuscate open-source tools without necessitating custom tooling for use across a diverse and
dynamic operations environment.



  • Introduction to Evasion

  • Origin of Obfuscation

  • Detection Methodologies (AV 101)

  • Network vs Host indicators

  • Human vs Machine Analytics

  • Threat Specific Evasion TTPs

  • Windows Attack Surfaces

  • Event Tracing for Windows (ETW)

  • Script Block & Module Logging

  • Offensive .NET (PowerShell, C#, DLR)

  • Implementing Windows Antimalware Scan Interface (AMSI) Bypasses

  • Evading Event Tracing for Windows (ETW) and Logging

  • Theory of Obfuscation

  • Layout Modification

  • Control Flow Manipulation

  • Data Masking and Transformation

  • Method Scattering and Proxying

  • Code Translation and Diversification

  • Practical Implementations of Obfuscation

  • Universal Evasion Methods

  • .NET Obfuscation

  • Automated Obfuscation Tooling

  • Indicators of Compromise (IOC) Analysis

  • Evading Blue Team Hunt

  • Masking Network Traffic

  • Out-of-Band Communications

  • Leveraging Trust and Reputation

  • Prepping your Panic Button

  • Distributive Architecture

Who Should Attend

Anyone who has a desire to understand the principles behind code obfuscation. Either Red or
Blue team mem
bers who are interested in advancing their threat emulation capabilities or
understanding of obfuscation indicators and theory.

What Students Will Be Provided

  • 30-day access to the comprehensive course range
    - A copy of all course material
    - Course Swag &; Coin

bcs 2.png
  • LinkedIn

Anthony "Coin" Rose

PhD Student at the Air Force Institute of Technology and Lead Security Researcher at BC Security

Speaker Bio:

Anthony "Coin" Rose, CISSP, is a PhD Student at the Air Force Institute of Technology and Lead Security Researcher at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences,including Black Hat, DEF CON, HackMiami, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work, revealing wide-spread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at

Jake "Hubble" Krasnov

Red Team Operations Lead and Chief Executive Officer of BC Security

Speaker Bio:

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He
has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at

bottom of page