RTO: Windows Persistence

$499

RTO: Windows Persistence

37 Lessons
365-day access

27 persistence methods in Windows. From basic to advanced, unique and used by nation-state threat actors.

Welcome to Persistence in Windows course!

Real threat actors utilize various Tactics, Techniques and Procedures (aka TTPs). One of the tactic is Persistence - a way to survive a breached machine restart and preserve access to a target environment. There is a lot of focus on what methods adversaries use to exploit a particular vulnerability or how their C2 channels and infrastructure look like. Less often you find discussions about persistence. This course is aiming to change that.

You will learn almost 30 different persistence techniques working on Windows. Most of them were used by nation-state threat actors, like EquationGroup, Turla, APT29, ProjectSauron or malware, including Flame or Stuxnet.

As usual you will get not only full explanation of each technique with examples, but also a working code templates (written in C) and a complete development environment you can experiment with.

COURSE IN A NUTSHELL

You Will Learn

Knowledge about Windows persistence used by real threat actors, including nation-state adversaries
27 different techniques, including:
- DLL Proxying
- COM hijacking
- Multiaction Tasks
- Port Monitors
- Time Providers
- WMI Eventing
- LSA-as-a-Persistence
- and much more...

Target Audience

Ethical Hackers
Penetration Testers
Blue Teamers
Threat Hunters
All security engineers/professionals wanting to learn advanced offensive tactics

Requirements

Understanding of operating system architecture
Some experience with Windows OS
Basic knowledge about coding in C/C++
Computer with Intel-compatible CPU, min. 4 GB of RAM + 30 GB of free disk space
VirtualBox 6.0+ installed
Strong will to learn and having fun

Intro and Setup

Introduction to Windows Persistence

5 mins
11.7 MB

Preview

Intro Addendum

8 mins
27.9 MB

Course VM Setup

3 mins
10.1 MB

RTO-PERS.ova

RTO-pers.zip

220 KB

Low Privilege Persistence

Startup Folder and Registry Keys

7 mins
27.3 MB

Logon Scripts

4 mins
17.3 MB

Shortcut Mods

7 mins
24.7 MB

Screensavers

5 mins
16.1 MB

Powershell Profile

4 mins
16.3 MB

DLL Proxying - Introduction

4 mins
9.3 MB

Preview

DLL Proxying - Demo

24 mins
93.1 MB

Component Object Model - Introduction

9 mins
19.7 MB

COMs Registry

4 mins
21.1 MB

COM Hijacks and Proxies

16 mins
60.4 MB

Admin Level Persistence

Elevated Scheduled Tasks

10 mins
39.1 MB

Multiaction Tasks

7 mins
24.9 MB

New & Modified Services

10 mins
41.9 MB

IFEO - Debugger / SilentProcessExit / Verifier

19 mins
65.7 MB

Application Shims

9 mins
33 MB

Windows Management Instrumentation - Introduction

3 mins
8.03 MB

WMI Event Subscription

7 mins
25.9 MB

AppCert DLLs

10 mins
39.2 MB

AppInit DLLs

8 mins
30.4 MB

Netsh Helper DLLs

6 mins
25.1 MB

Winlogon - SHELL / USERINIT

7 mins
27.1 MB

Time Providers

10 mins
39.1 MB

Port Monitors

9 mins
35.2 MB

Local Security Authority - Introduction

5 mins
12.5 MB

Preview

LSA-as-a-Persistence - SSPs & AuthPkgs

11 mins
45.3 MB

LSA-as-a-Persistence - Password Filters

6 mins
25.2 MB

Assignments

Assignment #2

Assignment #1

Assignment #3

Assignment #4

Wrap up

Your Feedback

Summary and Next Steps

5 mins
12.1 MB

Instructor: reenz0h

Chief Research Officer at SEKTOR7. In the industry for over 20 years. Worked in global Red Team for almost a decade. Simulated threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) around the world. Speaker at HackCon, PWNing, WTH@ck, Sec-T, T2, DeepSec. Gave guest lectures at several military and civil academies and universities.

Founder of x33fcon security conference
and SEKTOR7 offensive research company

X Youtube Website

FAQs

Why malware development?

So-called malware development in the context of legal security testing is also known as offensive security tool (OST) development or Offensive Coding. The goal is to teach all cybersecurity professionals, both red and blue teams, to use this knowledge to better understand how real threat actors operate and use different techniques (TTP). This approach should significantly improve the skillset of offensive and defensive teams in testing and securing the production environments of their customers and employers in the long run.

How long is the course?

All videos are over 3.5 h long.

What language is used in the course?

All videos, text and materials are in English.

Is it on-line course only?

The course is composed of 2 types of materials. Videos, which are available on-line only, and virtual machine with source code templates, which can be downloaded and stored on your computer, so you can access it later off-line.
In case of video download attempts, access to the content will be revoked.

How long is the course available after purchase?

After you purchase the course, you have access to all the videos and materials for 365 days. You can learn whenever you want, the content will always await for you within that time frame.
Moreover, any updates to the course materials (ie. new modules, new videos, new files, etc.) will also be available for anyone who purchased the course without any extra charge.

Do I have to be an expert in C language?

No. Although some level of experience in C programming reading is required, you don't have to be an expert in this field. Basic knowledge about the syntax, data structures and function calling convention is enough during the course.
For refresher check Windows API tutorial,

How can I get an invoice?

You can get an invoice after you purchase the course.

After logging into your account, first go to Settings and edit Address (including business details like company name and tax ID). Then save and go to Billing and just download the invoice.

How to change VAT rate?

When you are registering in the course, you can choose VAT rate appropriate for your country (if you are from EU). After you supply your email, the system will present you a price with suggested VAT rate, and, if a tax rate is inappropriate or you do not qualify for VAT because of your tax residence, adjust the rate by clicking on update and chose your country of residence.

Can I get a Certificate of Completion?

When the course is finished, Certificate of Completion will be generated automatically. The notification email will be send with CoC access details.
To include your name on the certificate, please provide your first and last name in your profile Settings.

Can I share my account with others?

Unfortunately, we consider this unfair and therefore it is prohibited. We try to keep our prices affordable so that the course can reach as many students as possible.

Legal Disclaimer

All the materials are for educational and research purposes only.

Do not attempt to violate the law with anything contained in materials produced by Sektor7. Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions.

By using institute.sektor7.net and its contents, you accept that you will only lawfully use it in a test lab – with devices that you own or are allowed to conduct penetration tests for your customers and clients.

Do not abuse this material. Be responsible.