Evasion Techniques for Red Teams

Learn to bypass defenses in modern enterprise environments. Delve deep into the techniques used to bypass endpoint countermeasures like EDRs, Sysmon, ETW, ASR, DSE and more. Earn the CETP certification.

Starts: 5th December 2025 | Duration: 3 days

Video course included!

What You Will Learn

This 3-day class is designed to equip information security professionals with the expertise needed to bypass defenses in modern enterprise environments.
Throughout the course, you will learn about Windows internals, reversing EDRs, bypassing Microsoft Defender for Endpoint (MDE), Elastic EDR and Sysmon, weaponizing kernel exploits for defense evasion, bypassing security controls like Protected Processes (PP), Process Protection Light (PPL), Digital Signature Enforcement (DSE) and Attack Surface Reduction (ASR) rules, incapacitating Event Tracing for Windows (ETW) telemetry, and a lot more.

3 Days class
8 Hrs Per Session
8 Weeks Lab Access
50 Flags To Be Collected
23 Lab Exercises
1 CETP Attempt
Video course included

Build Your Cybersecurity Credentials

Become a Certified Evasion Techniques Professional (CETP)

A Certified Evasion Techniques Professional (CETP) has the skills to understand, analyze, and exploit the intricacies of Windows and EDR internals, using reverse-engineering tools like IDA Pro and WinDbg. They can successfully write and deploy custom rootkits, and exploit vulnerable drivers to evade defenses.

Course Completion Certificate

Attendees will also receive a course completion certificate after completing the learning objectives covered during the course.

Schedule

Daily 8-hour sessions start at 09:00 AM IST and end at 05:00 PM IST.

Date: 05 December 2025
Topics: Windows Internals, EDR Internals, Static Detection Bypass, Initial Access Techniques, Introduction to Windows Kernel Programming

Date: 06 December 2025
Topics: Road to Kernel, EDR Killing, Attack on EDR's Kernel Callbacks, Attack on ETW, PP & PPL Bypass, Extra Offensive Rootkit Techniques

Date: 07 December 2025
Topics: C2 Traffic Tunneling, Block EDR's Traffic, ASR Rules Bypass, Attack on Sysmon, UAC Bypass, Anti-Analysis
Prerequisites

1. Ability to use command line tools.
2. Understanding of the Windows API is a plus, but it will be covered in the class.
3. Basic programming knowledge in C and Python is a plus, but the relevant code will be covered in the class.

Syllabus

The course is split into four modules across three days:

Module I

Understand the user-mode and kernel-mode representation of a process, the PE structure, user-mode/kernel-mode separation, and execution flow using IDA Pro and WinDbg.

Reversing EDR internals using IDA Pro and WinDbg, and understanding how EDR telemetry is collected.

Using obfuscators and code virtualization to protect your code against static detection, analysis and reverse engineering.

Signed ClickOnce backdooring.

Understand how a process can communicate with a driver from userland. Create your own user-mode code that sends data to and receives data from a kernel driver.

Module II

Reversing a vulnerable driver that exposes R/W kernel primitives and exploiting it to load unsigned code into the kernel, using IDA Pro. Learn a methodology to hunt for leaked certificates and how to leverage an outdated certificate to sign your rootkit.

Learn a methodology to hunt for signed killer drivers and reverse multiple killer drivers using IDA Pro. Exploit killer drivers to kill EDR processes and write your own killer rootkits.

Understanding and reversing kernel callbacks using WinDbg and IDA Pro: what telemetry kernel callbacks collect and what it is used for. Writing your own user-mode code and kernel driver toolkit to enumerate and remove kernel callbacks. Exploiting a vulnerable driver with R/W kernel primitives to enumerate and remove kernel callbacks.

Module III

Understanding and reversing ETW internals. Disabling ETW providers.

Understanding and reversing the Process Protection Level using WinDbg. Exploiting a vulnerable driver with R/W kernel primitives to manage a process's protection level. Writing your own user-mode code and kernel driver toolkit to manage a process's protection level. Dumping LSA-protected LSASS.

Hide processes and drivers from analysts and user-mode processes. Hide kernel functions from the Import Address Table. Learn efficient dynamic resolution of kernel offsets.

Write your own data exfiltration tool that hides malicious traffic inside multiple trusted APIs, such as Slack.

Module IV

Discover and code multiple ways to prevent EDR processes from sending alerts to the SOC's management consoles.

Reversing ASR rules and bypassing them

Understanding and reversing Sysmon. Discover and code multiple ways to blind Sysmon.

Discover multiple ways to bypass Windows User Account Control

Discover & Code multiple Anti-Debugging/Anti-Disassembling/Anti-Virtualization/Anti-Sandbox/Anti-Code Injection techniques

Purchase Options

Purchase Includes

60 DAYS LAB ACCESS + ONE COURSE COMPLETION CERTIFICATE
LIFE TIME ACCESS TO COURSE MATERIAL
ONE CERTIFICATION EXAM ATTEMPT

₹39,999 + GST

Manthan Chhabra

MEET THE INSTRUCTOR

Manthan is a security researcher at Altered Security with a strong passion for enterprise security, red teaming and Active Directory security. He specializes in testing enterprise security defences with a deep understanding of offensive strategies, including EDR evasion and Active Directory attacks.

He continuously researches emerging threats, attack techniques, and mitigation strategies to stay ahead of evolving adversaries.

Terms of Service | © 2025 by Altered Security Solutions Pvt Ltd. All Rights Reserved | Privacy Policy | Code of Conduct