Overview
Dive deep into cutting-edge techniques that bypass or neuter modern endpoint defenses. Learn how
these solutions work in order to mitigate their utility and hide deep within code on the endpoint. The days of
downloading a binary from the internet and pointing it at a remote machine are over. Today’s
defenses often call for multiple bypasses within a single piece of code.
This course is designed to take you deep into defensive and offensive tooling – an apex attacker must
know the indicators of compromise (IOCs) they are creating and the artifacts they are leaving
behind.
Who Should Attend?
This course is intended for penetration testers who are attempting to break into red teaming and
engineers who are curious to understand how EDR products work in order to break or bypass them. Students
with a strong understanding of the fundamentals of cybersecurity and experience with penetration testing
should attend. This course is also recommended for blue teamers who want to understand hyper-current
techniques for bypassing modern-day defenses.
PE file format for shellcode storage
Windows API Primer
Introduction to Process Injection and Loaders: CRT/Early Bird/Process Hollowing/MockingJay
Calling APIs with Direct and Indirect System Calls
Encrypting Windows API Calls via XOR
Cobalt Strike C2 Deep Dive (Malleable C2 Profiles and BOFs)
Hiding Imports via Dynamic Resolution
Defeating sandbox detection
DLL Proxying for Persistence
DInvoke and AMSI Bypass
ClickOnce for EDR Bypass
AppDomain Injection for EDR Bypass
Custom Reflective Loaders
This is an intermediate/advanced level course – a background in C programming, Windows Internals,
.NET programming, and how AV/EDR products work would be useful.
Lab Environment
Students will be given Terraform scripts to spin up their own lab environment in AWS that consists
of the following:
Ubuntu C2 box w/ fully licensed Cobalt Strike
Ubuntu Desktop
Windows Sophos Intercept X EDR Box
Windows Dev Box
Windows OpenEDR Box
Windows Elastic EDR Box
Windows Defender Box
Hardware/Software Requirement
Students must have an active AWS admin account with programmatic access.
Note: Please note that the syllabus provided is intended to be a general outline of the course content
and does not reflect the true nature of the course guide or starting and ending points. This course is
hyper-current and changes are always made at the last minute to ensure that students receive the
most up-to-date and relevant content possible. As a result, the syllabus is subject to change, and
course content may be modified based on student skill level, course progression, and other factors.
Bios
Greg Hatcher
Greg Hatcher has a background in Army Special Forces and teaching Windows internals at
the NSA. He has authored and taught WKL’s flagship course, Offensive Development, at
Wild West Hackin’ Fest, Hack Red Con and virtually on the Antisyphon platform. He’s
passionate about C programming for the Windows operating system and abusing Active
Directory. Greg has the following certifications: GXPN, GCPN, CRTP, GWAPT, and GPEN.
Greg regularly publishes research, speaks at conferences, and is an active member of the
West Michigan Cloud Security Alliance and misec. Greg enjoys spending time with his
family, lifting weights, and running ultramarathons.