
Advanced Windows Tradecraft - Evasion Techniques for Red Teams 


Overview & Course Content

In recent years, endpoint countermeasures have improved rapidly in their detection and response capabilities. It now takes a lot of investment by red teams to develop tradecraft and techniques that can reliably evade or bypass these countermeasures.

This class is designed to equip information security professionals with the expertise needed to bypass defenses in modern enterprise environments. The course delves deep into the techniques and methodologies used to bypass endpoint countermeasures like EDRs. You will gain a comprehensive understanding of Windows internals, including the distinction between user-mode and kernel-mode components, as well as of EDR internals and how telemetry is collected.

Throughout the course, you will learn about Windows internals, reversing EDRs, bypassing Microsoft Defender for Endpoint (MDE), Elastic EDR and Sysmon, weaponizing kernel exploits for defense evasion, bypassing security controls like Protected Processes (PP), Protected Process Light (PPL), Digital Signature Enforcement (DSE) and Attack Surface Reduction (ASR) rules, incapacitating Event Tracing for Windows (ETW) telemetry, and a lot more.

  • Windows Internals 

    • Understand the user-mode and kernel-mode representation of a process.

    • Understand PE structure.

    • Understand User-mode and Kernel-mode Separation and Execution flow using IDA Pro and WinDbg.

  • EDR Internals 

    • Reversing EDR internals using IDA Pro and WinDbg.

    • Understand how EDR telemetry is collected.

  • Static Detection Bypass 

    • Using obfuscators and code virtualization to protect your code against static detection, analysis and reverse engineering.

  • Introduction to Windows Kernel Programming 

    • Understand how a process can communicate with a driver from userland.

    • Create your own user-mode code that sends data to and receives data from a kernel driver.

  • Road to Kernel 

    • Reversing a vulnerable driver with R/W kernel primitives using IDA Pro and exploiting it to load unsigned code into the kernel.

    • Learn a methodology to hunt for leaked certificates.

    • Learn how to leverage an outdated certificate to sign your rootkit.

  • EDR Killing 

    • Learn a methodology to hunt for signed killer drivers.

    • Reversing multiple killer drivers using IDA Pro.

    • Learn how to exploit killer drivers to kill EDR processes.

    • Writing your own Killer rootkits.

  • Attack on EDR's Kernel Callbacks

    • Understanding & Reversing Kernel Callbacks using WinDbg and IDA Pro.

    • Understanding what telemetry kernel callbacks collect and what it is used for.

    • Writing your own user-mode code and kernel driver toolkit to enumerate and remove kernel callbacks.

    • Exploiting R/W kernel primitive vulnerable driver to enumerate and remove kernel callbacks.

  • Attack on ETW

    • Understanding & Reversing ETW Internals.

    • Disabling ETW providers.

  • PP & PPL Bypass

    • Understanding & Reversing Process Protection Level using WinDbg.

    • Exploiting a vulnerable driver with R/W kernel primitives to manage a process's protection level.

    • Writing your own user-mode code and kernel driver toolkit to manage a process's protection level.

    • Dumping LSA-protected LSASS.

  • Extra Offensive rootkit techniques 

    • Hiding processes and drivers from analysts and user-mode processes.

    • Hiding kernel functions from the Import Address Table.

    • Learn efficient dynamic resolution of kernel offsets.

  • C2 Traffic Tunnelling 

    • Write your own data exfiltration tool that hides malicious traffic inside trusted APIs like Slack.

  • ASR Rules Bypass

    • Reversing ASR rules and bypassing them.

  • Attack on Sysmon 

    • Understanding & Reversing Sysmon.

    • Discover & Code multiple ways to blind Sysmon.

  • UAC Bypass 

    • Discover multiple ways to bypass Windows User Account Control.

  • Anti-Analysis 

    • Anti-Debugging, Anti-Disassembling, Anti-Virtualization, Anti-Sandbox and Anti-Code Injection techniques.

You get two months of access to an enterprise-like lab with multiple EDRs and other countermeasures, during and after the class, and one attempt at the Certified Evasion Techniques Professional (CETP) certification exam.

Who should take this course?

Red teamers and penetration testers who want to improve their skills should take this class. Blue teamers, system administrators and security professionals who want to understand the approach and techniques of adversaries should take this class.

What's Included

  • Access to a lab environment (One/Two/Three months) with updated Server 2022 machines. Lab can be accessed using a web browser or VPN.

  • A ready to use student VM in the cloud that has all the tools pre-installed.

  • Lifetime access to all the learning material (including course updates).

  • 33+ hours of video course content.

  • Course slides.

  • Lab manual.

  • Walk-through videos.

  • One Certification Exam attempt for Certified Evasion Techniques Professional (CETP) certification.

  • Support on email and Discord.

What will you learn?

The Evasion Lab enables you to:

  • Learn to bypass EDRs like Microsoft Defender for Endpoint (MDE) and ElasticEDR.

  • Dive into Windows Internals & Understand the user-mode and kernel-mode components.

  • Reverse-engineer EDR solutions to understand their telemetry collection.

  • Weaponize kernel exploits to evade defenses.

  • Write rootkits for evasion purposes.

  • Hunt vulnerable drivers for EDR killing.

  • Bypass static detection with obfuscators and code virtualization.

  • Bypass multiple security controls like PP/PPL, DSE, ASR, UAC and more.

  • Bypass network restrictions.

  • Prevent EDR alert reporting.

  • Gain insights into disabling or blinding Sysmon.

Prerequisites for the course

  • Ability to use command line tools.

  • Understanding of Windows API is a plus but will be covered in the class.

  • Basic programming knowledge in C and Python is a plus but relevant code will be covered in the class.

Top 3 takeaways

1. This course allows students to practice attacks against a lab environment with two different EDRs, Sysmon and other modern defenses. These techniques can be directly applied in a red team operation in their job.

2. The focus of the course is understanding the inner workings and telemetry of EDRs. This helps in outsmarting even those defenses that are not covered in the course.

3. The course goes beyond EDRs to bypass other modern defenses like ASR, DSE, Sysmon, network restrictions and more.

About the Trainer


Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com. As a global leader in cybersecurity education, he has nurtured the field, helping bring it from niche groups to the mainstream.

Nikhil's areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post-exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure and Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia) and at the world's top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
