Advanced Windows Tradecraft

Course Description

Organizations with a mature security model want to test their security controls against sophisticated adversaries. Red teams that want to simulate such adversaries need advanced tradecraft. Such tradecraft must include the ability to adapt to the target environment, modify existing tactics and techniques to avoid detection, swiftly switch between tools written in the different languages supported on Windows, break out of restrictions, abuse legitimate functionality, and keep up with the game of bypassing countermeasures. If you want to take your Windows tradecraft to the next level, then this is the course for you.

This training takes you through tradecraft for Red Teaming a Windows environment with nothing but trusted OS resources and languages. We will cover multiple phases of a Red Team operation, such as initial foothold, enumeration, privilege escalation, persistence, lateral movement and exfiltration, in a fully updated and patched lab with countermeasures enabled.

Some of the topics covered in the class:

  • Offensive C#, PowerShell, JScript/VBScript
  • Bypassing Application Whitelisting
  • Bypassing host countermeasures
  • Evading process tree based detection
  • Evading advanced logging (command line, PowerShell v5, Sysmon etc.)
  • In-memory assembly and shellcode execution
  • Offensive WMI COM hijacking
  • Advanced Client Side Attacks on restricted and secure environments
  • Local and domain privilege escalation

Attendees will get free one month access to a lab configured like an enterprise environment during and after the training.

Course contents

Day 1

  • Introduction to the methodology
  • Windows as an attack platform
  • Offensive PowerShell
  • PowerShell without powershell.exe
  • Offensive C#
  • Offensive JScript/VBScript
  • Offensive WMI

Day 2

  • COM Hijacking
  • Bypassing application whitelisting
  • Bypassing host countermeasures
  • Evading process tree based detection
  • Evading advanced logging (command line, PowerShell v5, Sysmon etc.)
  • Advanced Client Side Attacks in restricted environment (AWL and ASR enabled)

Day 3

  • Local and Domain privilege escalation
  • Persistence (on host, domain and forest)
  • Advanced Lateral Movement
  • Defenses and Detection

Who should take this course?

Red teamers and penetration testers who want to take their Windows tradecraft to the next level will find this course very useful. Blue teamers and security professionals who want to understand how sophisticated adversaries target their organization should take this course.

Requirements

  • Prior experience with Red Teaming or penetration testing.
  • Prior experience with using Windows as an attack platform will be helpful.

What students should bring

  • System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
  • Privileges to disable/change any antivirus or firewall.
  • Ability to connect to remote machines using a web browser (for browser-based access).

Trainer Biography

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Active Directory security, attack research, defense strategies and post-exploitation research. He has 11+ years of experience in red teaming. He specializes in assessing security risks in secure environments that require novel attack vectors and an “out of the box” approach. He has worked extensively on Active Directory attacks and defense, bypassing detection mechanisms, and Offensive PowerShell for red teaming. He is the creator of multiple tools, including Nishang, a post-exploitation framework in PowerShell, and Deploy-Deception, a framework for deploying Active Directory deception. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia) and at the world’s top information security conferences. He has spoken or trained at conferences including DEF CON, Black Hat, BruCON and more.