Dive deep into cutting-edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work in order to limit their effectiveness and hide deep within code on the endpoint. The days of downloading a binary from the internet and pointing it at a remote machine are over. Today’s defenses often call for multiple bypasses within a single piece of code.
This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.
Who Should Attend
This course is intended for penetration testers who are attempting to break into red teaming and for engineers who are curious to understand how EDR products work in order to break or bypass them. Students with a strong understanding of the fundamentals of cybersecurity and experience with penetration testing should attend. This course is also recommended for blue teamers who want to understand hyper-current techniques for bypassing modern-day defenses.
Key Learning Objectives
▪ PE file format for shellcode storage
▪ Windows API Primer
▪ Introduction to Process Injection and Loaders: CRT/Early Bird/Process Hollowing/MockingJay
▪ Calling APIs with Direct and Indirect System Calls
▪ Encrypting Windows API Calls via XOR
▪ Cobalt Strike C2 Deep Dive (Malleable C2 Profiles and BOFs)
▪ Hiding Imports via Dynamic Resolution
▪ Defeating sandbox detection
▪ DLL Proxying for Persistence
▪ DInvoke and AMSI Bypass
▪ ClickOnce for EDR Bypass
▪ AppDomain Injection for EDR Bypass
▪ Custom Reflective Loaders
This is an intermediate/advanced level course – a background in C programming, Windows Internals, .NET programming, and how AV/EDR products work would be useful.
Students will be given Terraform scripts to spin up their own lab environment in AWS that consists of the following:
▪ Ubuntu C2 box /w fully licensed Cobalt Strike
▪ Ubuntu Desktop
▪ Windows Sophos Intercept X EDR Box
▪ Windows Dev Box
▪ Windows OpenEDR Box
▪ Windows Elastic EDR Box
▪ Windows Defender Box
Students must have an active AWS admin account with programmatic access.
Note: The syllabus provided is intended to be a general outline of the course content and does not reflect the exact structure of the course guide or its starting and ending points. This course is hyper-current, and changes are always made at the last minute to ensure that students receive the most up-to-date and relevant content possible. As a result, the syllabus is subject to change, and course content may be modified based on student skill level, course progression, and other factors.