
Altered Security - Advanced Windows Tradecraft - Evasion Techniques for Red Teams

3-day virtual course

In recent years, endpoint countermeasures have improved rapidly in their detection and response capabilities. It now takes significant investment by red teams to develop tradecraft and techniques that reliably evade or bypass these countermeasures.


This class is designed to equip information security professionals with the expertise needed to bypass defenses in modern enterprise environments. It goes deep into the techniques and methodologies used to bypass endpoint countermeasures such as EDRs. You will gain a thorough understanding of Windows internals, including the distinction between user-mode and kernel-mode components, and of EDR internals, including how telemetry is collected.



Course Overview


Throughout the course, you will learn about Windows internals, reversing EDRs, bypassing Microsoft Defender for Endpoint (MDE), Elastic EDR and Sysmon, weaponizing kernel exploits for defense evasion, bypassing security controls such as Protected Process (PP), Protected Process Light (PPL), Driver Signature Enforcement (DSE) and Attack Surface Reduction (ASR) rules, incapacitating Event Tracing for Windows (ETW) telemetry, and more.


Agenda

Non-exhaustive list of topics:


  • Windows Internals

  • EDR Internals (reversing EDRs and understanding their telemetry)

  • Static Detection Bypass

  • Introduction to Windows Kernel Programming

  • Road to Kernel (loading unsigned code into the kernel, signing your rootkit and more)

  • EDR Killing (abusing signed drivers, writing your own killer rootkits and more)

  • Understanding Kernel Callbacks

  • Enumerate and remove kernel callbacks (from user mode, and via vulnerable drivers that expose kernel read/write primitives)

  • Attack on ETW

  • PP & PPL Bypass

  • Hide Processes and Drivers

  • Hide Kernel functions from the Import Address Table.

  • C2 Traffic Tunnelling

  • Reversing ASR rules and bypassing them.

  • Attack on Sysmon

  • Anti-Analysis (Anti-Debugging, Anti-Disassembling, Anti-Virtualization, Anti-Sandbox and Anti-Code Injection techniques)


Lab Overview

You get two months of access to an enterprise-like lab with multiple EDRs and other countermeasures, available during and after the class, plus one attempt at the Certified Evasion Techniques Professional (CETP) certification exam.


Target Audience


Red Teamers, Penetration Testers, Malware Analysts

Pre-requisites


To be completed

Trainer Bio


Manthan Chhabra is a security researcher with a strong passion for enterprise security, red teaming and Active Directory security. He specializes in testing enterprise security defences with a deep understanding of offensive strategies, including EDR evasion and Active Directory attacks. He continuously researches emerging threats, attack techniques, and mitigation strategies to stay ahead of evolving adversaries.


He works as a Security Researcher at Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

