
The Evasion Lab [March 2026]
Learn to bypass defenses in modern enterprise environments. Delve deep into the techniques used to bypass endpoint countermeasures like EDRs, Sysmon, ETW, ASR, DSE and more. Earn the CETP certification.
Starts: 14th March 2026 Duration: 5 weeks
Recordings of live sessions included!
What You Will Learn
This bootcamp is designed to equip information security professionals with the expertise needed to bypass defenses in modern enterprise environments.
Throughout the course, you will learn about Windows internals, reversing EDRs, bypassing Microsoft Defender for Endpoint (MDE), Elastic EDR and Sysmon, weaponizing kernel exploits for defense evasion, bypassing security controls like Protected Processes (PP), Process Protection Light (PPL), Digital Signature Enforcement (DSE) and Attack Surface Reduction (ASR) rules, incapacitating Event Tracing for Windows (ETW) telemetry, and a lot more.

5 Live Sessions
4 Hrs Per Session
4 Weeks Access
50 Flags To Be Collected
26 Lab Exercises
1 CETP Attempt
Recordings Of Live Sessions

Build Your Cybersecurity Credentials
Become a Certified Evasion Techniques Professional (CETP)
A Certified Evasion Techniques Professional (CETP) has the skills to understand, analyze, and exploit the intricacies of Windows and EDR internals, using reverse-engineering tools like IDA Pro and WinDbg. They can successfully write and deploy custom rootkits, and exploit vulnerable drivers to evade defenses.
Bootcamp Completion Certificate
Attendees will also receive a course completion certificate after completing the learning objectives covered during the course.
Live Session Schedule
Weekly 4-hour sessions start at 10:00am ET and end at 02:00pm ET.
Date and live session topics:
14 March 2026: Windows Internals, EDR Internals, Static Detection Bypass, Initial Access Techniques
21 March 2026: Introduction to Windows Kernel Programming, Road to Kernel, EDR Killing, Attack on EDR's Kernel Callbacks
28 March 2026: Attack on ETW, PP & PPL Bypass, Extra Offensive Rootkit Techniques
04 April 2026: C2 Traffic Tunneling, Block EDR's Traffic, ASR Rules Bypass
11 April 2026: Attack on Sysmon, UAC Bypass, Anti-Analysis

Prerequisites
1. Ability to use command line tools.
2. Understanding of the Windows API is a plus, but it will be covered in the class.
3. Basic programming knowledge in C and Python is a plus, but the relevant code will be covered in the class.
Bootcamp Syllabus
The course is split into four modules across five weeks:
Module I
Understand the user-mode and kernel-mode representation of a process, the PE structure, user-mode and kernel-mode separation, and execution flow using IDA Pro and WinDbg
Reverse EDR internals using IDA Pro and WinDbg and understand how EDR telemetry is collected
Use obfuscators and code virtualization to protect your code against static detection, analysis and reverse engineering
Signed ClickOnce backdooring
Understand how a process can communicate with a driver from userland. Create your own user-mode code that sends data to and receives data from a kernel driver
Module II
Reverse a vulnerable driver exposing a kernel R/W primitive and exploit it to load unsigned code into the kernel using IDA Pro. Learn a methodology to hunt for leaked certificates and how to leverage an outdated certificate to sign your rootkit
Learn a methodology to hunt for signed killer drivers, reversing multiple killer drivers using IDA Pro. Exploit killer drivers to kill EDR processes and write your own killer rootkits
Understand and reverse kernel callbacks using WinDbg and IDA Pro: what telemetry kernel callbacks collect and what it is used for. Write your own user-mode code and kernel driver toolkit to enumerate and remove kernel callbacks. Exploit a vulnerable driver with a kernel R/W primitive to enumerate and remove kernel callbacks
Module III
Understand and reverse ETW internals. Disable ETW providers
Understand and reverse Process Protection Level using WinDbg. Exploit a vulnerable driver with a kernel R/W primitive to manage a process's protection level. Write your own user-mode code and kernel driver toolkit to manage a process's protection level. Dump LSA-protected LSASS
Hide processes and drivers from analysts and user-mode processes. Hide kernel functions from the Import Address Table. Learn efficient dynamic kernel offset resolution
Write your own data exfiltration tool that hides malicious traffic inside multiple trusted APIs like Slack
Module IV
Discover and code multiple ways to prevent EDR processes from sending alerts to SOC management consoles
Reverse ASR rules and bypass them
Understand and reverse Sysmon. Discover and code multiple ways to blind Sysmon
Discover multiple ways to bypass Windows User Account Control
Discover and code multiple anti-debugging, anti-disassembly, anti-virtualization, anti-sandbox and anti-code-injection techniques

Purchase Options
Bootcamp: 30 days lab access + bootcamp + lifetime access to course material + one certification exam attempt: $499
Extension: 30 days lab extension + one complimentary exam attempt: $349
Bootcamp: 60 days lab access + bootcamp + lifetime access to course material + one certification exam attempt: $699
Bootcamp: 90 days lab access + bootcamp + lifetime access to course material + one certification exam attempt: $899
The exam reattempt option is only available to existing or past students who have previously purchased this course.
Reattempt: exam reattempt: $99
Purchase includes: 30 days lab access + course material + one certification exam attempt
MEET THE INSTRUCTOR
Manthan Chhabra
Manthan is a security researcher at Altered Security with a strong passion for enterprise security, red teaming and Active Directory security. He specializes in testing enterprise security defences with a deep understanding of offensive strategies, including EDR evasion and Active Directory attacks.
He continuously researches emerging threats, attack techniques, and mitigation strategies to stay ahead of evolving adversaries.