In recent years, evading Endpoint Protection Products (EPPs) and Endpoint Detection and Response Products (EDRs) has become more difficult and is now a really important part of any Red Team engagement. Every EPP/EDR is different and has different strengths and weaknesses, and there is no silver bullet for EPP/EDR evasion. But at the very least, knowing the basics of EPP/EDR evasion and shellcode loader development is essential, even for juniors.
Over the past five years, I have gained a lot of experience in endpoint security evasion with many different products, and I want to share some of that knowledge in my "Endpoint Security Evasion Basics" course. First, we will learn a bit about Windows Internals to better understand how EDRs work on Windows. Then we will take a closer look at EDR defence mechanisms such as user mode hooking and ETW, and finally at techniques such as unhooking, direct syscalls or indirect syscalls, and playing with metadata, entropy, etc. that can be used to get around these mechanisms or the EDR itself.
A good part of the course time (about 50%-60%) will be spent on step-by-step development and debugging of various types of basic shellcode loaders in C (and partly in assembly), focusing on direct syscalls, indirect syscalls, encryption, metadata, entropy, etc. In general, most of the course time (about 70%-80%) is hands-on time for the students. Because the focus of this course is not solely on malware development, students will not have to write code from scratch; instead, they will solve different types of tasks in each module to complete different types of shellcode loader POCs. For me as an instructor, the most important thing is that each student fully understands the functionality of each evasion technique and of each part of each shellcode loader. Focusing on the Windows OS, this live online training will methodically guide you through the creation of various shellcode loaders using Visual Studio. We'll also debug these loaders to decipher their behaviour and the potential Indicators of Compromise (IOCs) that EDRs use for detection.
I am committed to ensuring your training experience is unparalleled and far from a monotonous 3-day lecture. Each module begins with a brief theoretical overview, after which you'll dive into practical tasks. Recognizing the challenges of intensive trainings, each participant will receive detailed slides and a comprehensive 250-300-page playbook. This resource acts as a reliable guide throughout the workshop and beyond, ensuring you have continuous support. And remember, I'm always here for questions, both during and after our sessions. For those keen on examining my meticulous approach, I invite you to review the free course material from my DEF CON 31 training.
This is a brief overview of the 3-day live online training. Full details, including course specifics, key learning objectives, intended audience, course schedule and more are available in the attached PDF below. Feel free to download the PDF for your convenience. The course is designed to deepen your understanding of Windows EDRs and introduce you to the basics of designing and troubleshooting different shellcode loaders. As your instructor, I'm responsible for providing the essential theory and concepts for each module, which make up about 20%-30% of the course material. The remaining 70-80% is dedicated to hands-on experience, during which I'll be guiding the students and answering their questions.
Please note that the content of this course is subject to potential updates and revisions. As the course progresses and new insights emerge, there may be additions, modifications, or improvements to the materials. Rest assured, any changes will be aimed at enhancing your learning experience and ensuring the course remains up-to-date with the latest developments.
Who should participate?
The course will be of particular interest to Penetration Testers (Junior and Senior) and Junior Red Teamers. I also invite interested Senior Red Teamers, Blue Teamers and Threat Hunters who want to deepen their knowledge of EDRs on Windows, how they work in detail and how Red Teamers try to evade them.
In general, the Endpoint Security Evasion Basics course is designed for infosec professionals who want to learn more about Windows Internals to better understand the functionality of EPPs/EDRs on Windows, and who want to learn the basics of creating, debugging and understanding their own shellcode loaders with a focus on basic evasion capabilities.
Each student will receive
- A dynamic 3-day online training with interactive learning (70%-80% hands-on)
- Access to a LAB-VM with an EDR in place to test your shellcode loader
- Comprehensive slides and detailed playbooks for all modules
- Access to all Training POCs
- Access to all Solution POCs
- 60-day access to the dedicated Discord workshop channel
- A post-course Q&A online session for all students (7 days after the end of the course)
- A Certificate of Completion to acknowledge your achievement
Book your seat on the comprehensive "Endpoint Security Evasion Basics" training to develop your expertise in EDR evasion, as well as in building, debugging and understanding evasive shellcode loaders with a focus on native APIs and direct and indirect syscalls. Please use your work email address to register for the workshop. This will ensure seamless and professional communication for all attendees.
Key course facts
- Training format: Live online event
- Training date: 18/03/24 - 20/03/24
- Seating limit: 12
- Ticket price: 2499€ (excluding VAT)
To book your seat, please email firstname.lastname@example.org. If you have any questions or queries about the training, please do not hesitate to contact me. I'm here to help. Kindly note that the training will proceed only if there is a minimum booking of 8 seats.
Looking forward to a fantastic training!
Daniel Feichter @VirtualAllocEx