RED TEAM Operator: Windows Persistence by Sektor7 Institute

RED TEAM Operator: Windows Persistence

Welcome to Persistence in Windows course!

Real threat actors utilize various Tactics, Techniques and Procedures (aka TTPs). One of the tactic is Persistence - a way to survive a breached machine restart and preserve access to a target environment. There is a lot of focus on what methods adversaries use to exploit a particular vulnerability or how their C2 channels and infrastructure look like. Less often you find discussions about persistence. This course is aiming to change that.

You will learn almost 30 different persistence techniques working on Windows 10. Most of them were used by nation-state threat actors, like EquationGroup, Turla, APT29, ProjectSauron or malware, including Flame or Stuxnet.

As usual you will get not only full explanation of each technique with examples, but also a working code templates (written in C) and a complete development environment you can experiment with.

COURSE IN A NUTSHELL

You Will Learn

  • Knowledge about Windows persistence used by real threat actors, including nation-state adversaries
  • 27 different techniques, including:
    • DLL Proxying
    • COM hijacking
    • Multiaction Tasks
    • Port Monitors
    • Time Providers
    • WMI Eventing
    • LSA-as-a-Persistence
    • and much more...

Target Audience

  • Ethical Hackers
  • Penetration Testers
  • Blue Teamers
  • Threat Hunters
  • All security engineers/professionals wanting to learn advanced offensive tactics

Requirements

  • Understanding of operating system architecture
  • Some experience with Windows OS
  • Basic knowledge about coding in C/C++
  • Computer with min. 4 GB of RAM + 30 GB of free disk space
  • VirtualBox 6.0+ installed
  • Strong will to learn and having fun


What's included?

Video Icon 30 videos File Icon 2 files Text Icon 4 text files

Contents

Intro and Setup
Introduction to Windows Persistence
5 mins
Intro Addendum
8 mins
Course VM Setup
3 mins
RTO-PERS.ova
RTO-pers.zip
220 KB
Low Privilege Persistence
Start Folder and Registry Keys
7 mins
Logon Scripts
4 mins
Shortcut Mods
7 mins
Screensavers
5 mins
Powershell Profile
4 mins
DLL Proxying - Introduction
4 mins
DLL Proxying - Demo
24 mins
Component Object Model - Introduction
9 mins
COMs Registry
4 mins
COM Hijacks and Proxies
16 mins
Admin Level Persistence
Elevated Scheduled Tasks
10 mins
Multiaction Tasks
7 mins
New & Modified Services
10 mins
IFEO - Debugger / SilentProcessExit / Verifier
19 mins
Application Shims
9 mins
Windows Management Instrumentation - Introduction
3 mins
WMI Event Subscription
7 mins
AppCert DLLs
10 mins
AppInit DLLs
8 mins
Netsh Helper DLLs
6 mins
Winlogon - SHELL / USERINIT
7 mins
Time Providers
10 mins
Port Monitors
9 mins
Local Security Authority - Introduction
5 mins
LSA-as-a-Persistence - SSPs & AuthPkgs
10 mins
LSA-as-a-Persistence - Password Filters
6 mins
Assignments
Assignment #1
Assignment #2
Assignment #3
Assignment #4
Wrap up
Summary and Next Steps
5 mins

Instructor: reenz0h

Chief Research Officer at Sektor7. In the industry for over 20 years. Worked in global Red Team for almost a decade. Simulated threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) around the world. Speaker at HackCon, PWNing, WTH@ck, Sec-T, T2, DeepSec. Gave guest lectures at several military and civil academies and universities.

Founder of x33fcon security conference
and Sektor7 offensive research company

FAQs

How long is the course?

All videos are over 3.5 h long.

What language is used in the course?

All videos, text and materials are in English.

Is it on-line course only?

The course is composed of 2 types of materials. Videos, which are available on-line only, and virtual machine with source code templates, which can be downloaded and stored on your computer, so you can access it later off-line.

How long is the course available after purchase?

After you purchase the course, you have access to all the videos and materials without any time limit. You can learn whenever you want, the content will always await for you.
Moreover, any updates to the course materials (ie. new modules, new videos, new files, etc.) will also be available for anyone who purchased the course without any extra charge.

Do I have to be an expert in C language?

No. Although some level of experience in C programming reading is required, you don't have to be an expert in this field. Basic knowledge about the syntax, data structures and function calling convention is enough during the course.
For refresher check Windows API tutorial

I don't have Paypal account. What can I do?

We accept payments via Paypal and credit/debit cards. To use the latter, choose Paypal payment. You will get redirected to Paypal website where you can choose between PP and credit/debit card payment.

How can I get an invoice?

You can get an invoice after you purchase the course.
After logging into your account, first go to Account and fill out Your address (ie. company name, street, etc,). Then go to Billing and just download the invoice.

How to change VAT rate?

When you are registering in the course, you can choose VAT rate appropriate for your country (if you are from EU). After you supply your email, the system will present you a price with suggested VAT rate, and, if a tax rate is inappropriate or you do not qualify for VAT because of your tax residence, adjust the rate by clicking on update and chose your country of residence.

Can I get a Certificate of Completion?

Yes, Certificate of Completion will be provided on request (send an email to training+CoC @ sektor7.net)

Legal Disclaimer

All the materials are for educational and research purposes only.
 
Do not attempt to violate the law with anything contained in materials produced by Sektor7. Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions.

By using institute.sektor7.net and its contents, you accept that you will only lawfully use it in a test lab – with devices that you own or are allowed to conduct penetration tests for your customers and clients.

Do not abuse this material. Be responsible.