SEKTOR7 Institute/RED TEAM Operator: Windows Evasion Course

  • $239

RED TEAM Operator: Windows Evasion Course

  • 37 Lessons
  • 365-day access

Learn how to avoid modern endpoint protection technology with well known, less known and in-house developed techniques.

Welcome to Windows Evasion course!

In the modern enterprise Windows  environment we often encounter lots of obstacles, which try to detect and stop our sneaky tools and techniques. Endpoint protection agents (AV, IDS/IPS, EDR, etc.) are getting better and better at this, so this requires an extended effort in finding a way into the system and staying undetected during post-exploitation activities.

This course will guide you though modern detection technology and teach how you can try to avoid it. This means understanding how the technology works and developing certain capabilities to stay under the radar.

You will receive a virtual machine with complete environment for developing and testing your software, and a set of source code templates which will allow you to focus on understanding the essential mechanisms instead of less important technical aspects of implementation.

COURSE IN A NUTSHELL

You Will Learn

  • How a modern detection looks like
  • How to get rid of process' internal operations monitoring
  • How to make your payload look benign in memory
  • How to break process parent-child relation
  • How to disrupt EPP/EDR logging
  • What is Sysmon and how to bypass it


What Will You Get?

  • Full-blown videos explaining all techniques in detail
  • Transcription with English subtitles
  • Text supplements with additional information (code snipets, structure definitions, technology description and context, etc.)
  • Source code with code templates for rapid development
  • VM image with ready-to-use development environment

Requirements



Target Audience

  • Ethical Hackers
  • Penetration Testers
  • Blue Teamers
  • Threat Hunters
  • All security engineers/professionals wanting to learn advanced offensive tactics


Contents

Intro and Setup

Course Introduction
  • 3 mins
  • 7.63 MB
Development VM Setup
  • 3 mins
  • 9.43 MB
RTO-WinEva.ova
    WEv.zip
    • 566 KB
    Shellcodes

      Essentials

      Modern Detection Tech
      • 9 mins
      • 18 MB
      Evasion Development Rules
      • 9 mins
      • 18.6 MB
      Binary Entropy
      • 21 mins
      • 94.1 MB
      Module Details
      • 6 mins
      • 19.3 MB
      Binary Signature
      • 8 mins
      • 27.4 MB

      Non-privileged user vector

      Introduction To Process Unhooking
      • 9 mins
      • 46.8 MB
      Hooks vs Code Injection
      • 8 mins
      • 32.1 MB
      Process Unhooking - "Classic"
      • 7 mins
      • 27.6 MB
      Hooks vs Hell's Gate
      • 37 mins
      • 177 MB
      Hooks vs Halo's Gate
      • 10 mins
      • 44.5 MB
      Process Unhooking - Perun's Fart
      • 13 mins
      • 56.5 MB
      Silencing Process Event Tracing
      • 14 mins
      • 57.7 MB
      Module Stomping
      • 11 mins
      • 51.2 MB
      No-New-Thread Payload Execution
      • 8 mins
      • 30.5 MB
      "Classic" PPID Spoofing
      • 8 mins
      • 35.5 MB
      Changing Parents - Scheduler
      • 28 mins
      • 135 MB
      Changing Parents - Emotet Method
      • 11 mins
      • 39.1 MB
      Cmdline Arguments Spoofing
      • 8 mins
      • 30.2 MB
      Assignment #1 - Hooks
        Assignment #2 - Module Stomping

          High-privileged user vector

          Blinding Eventlog
          • 12 mins
          • 49.3 MB
          Blocking EPP Comms - Listing Connections
          • 9 mins
          • 35.9 MB
          Blocking EPP Comms - Firewall
          • 8 mins
          • 34.3 MB
          Blocking EPP Comms - Routing Table (P1)
          • 7 mins
          • 23.4 MB
          Blocking EPP Comms - Routing Table (P2)
          • 13 mins
          • 51.8 MB
          Dancing with Sysmon - Detection
          • 25 mins
          • 93.9 MB
          Dancing with Sysmon - Kill'em!
          • 15 mins
          • 68.4 MB
          Dancing with Sysmon - Silent Gag
          • 7 mins
          • 27.7 MB
          Assignment #3 - Sysmon
            Assignment #4 - Sysmon

              Summary

              Evasion Decision Tree
              • 8 mins
              • 18.2 MB
              Closing Words
              • 2 mins
              • 4.42 MB

              Instructor: reenz0h

              Chief Research Officer at SEKTOR7. In the industry for over 20 years. Worked in global Red Team for almost a decade. Simulated threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) around the world. Speaker at HackCon, PWNing, WTH@ck, Sec-T, T2, DeepSec. Gave guest lectures at several military and civil academies and universities.

              Founder of x33fcon security conference
              and SEKTOR7 offensive research company

              FAQs

              Why malware development?

              So-called malware development in the context of legal security testing is also known as offensive security tool (OST) development. The goal is to teach all cybersecurity professionals, both red and blue teams, to use this knowledge to better understand how real threat actors operate and use different techniques (TTP). This approach should significantly improve the skillset of offensive and defensive teams in testing and securing the production environments of their customers and employers in the long run.

              How long is the course?

              All videos are about 5.5h long.

              What language is used in the course?

              All videos, text and materials are in English.

              Is it on-line course only?

              The course is composed of 2 types of materials. Videos, which are available on-line only, and virtual machine with source code templates, which can be downloaded and stored on your computer, so you can access it later off-line.
              In case of video download attempts, access to the content will be revoked.

              How long is the course available after purchase?

              After you purchase the course, you have access to all the videos and materials for 365 days. You can learn whenever you want, the content will always await for you within that time frame.
              Moreover, any updates to the course materials (ie. new modules, new videos, new files, etc.) will also be available for anyone who purchased the course without any extra charge.

              How can I get an invoice?

              You can get an invoice after you purchase the course.
              After logging into your account, first go to Settings and edit Address (including business details like company name and tax ID). Then save and go to Billing and just download the invoice.

              How to change VAT rate?

              When you are registering in the course, you can choose VAT rate appropriate for your country (if you are from EU). After you supply your email, the system will present you a price with suggested VAT rate, and, if a tax rate is inappropriate or you do not qualify for VAT because of your tax residence, adjust the rate by clicking on update and chose your country of residence.

              Can I get a Certificate of Completion?

              When the course is finished, Certificate of Completion will be generated automatically. The notification email will be send with CoC access details.
              To include your name on the certificate, please provide your first and last name in your profile Settings.

              Can I share my account with others?

              Unfortunately, we consider this unfair and therefore it is prohibited. We try to keep our prices affordable so that the course can reach as many students as possible.

              Legal Disclaimer

              All the materials are for educational and research purposes only.
               
              Do not attempt to violate the law with anything contained in materials produced by SEKTOR7. Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions.

              By using institute.sektor7.net and its contents, you accept that you will only lawfully use it in a test lab – with devices that you own or are allowed to conduct penetration tests for your customers and clients.

              Do not abuse this material. Be responsible.
              SEKTOR7 © All rights reserved