In recent years, the task of evading Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) products has become increasingly challenging and is now a critical aspect of any red team engagement. Each EPP/EDR system has its own unique set of strengths and weaknesses, and there is no one-size-fits-all solution to EPP/EDR evasion. However, a solid understanding of the basics of EPP/EDR evasion and shellcode loader development is essential, even at the junior level.
Over the past six years, I have gained extensive knowledge of endpoint security evasion using a variety of different endpoint security products. I would like to share this knowledge in the context of shellcode loaders and EPP/EDR evasion in my new course "Endpoint Security Insights: Shellcode Loaders and Evasion".
Endpoint Security Insights: Shellcode Loaders and Evasion is a 4-day live online training designed for infosec professionals. My role as instructor is to present the essential theory and concepts for each module or chapter, which is about 20%-30% of the content. The remaining 70%-80% is devoted to practical exercises, guiding you through the material and answering your questions. In the shellcode loader part, the focus is not only on building the loader in C and partly in assembly; we also debug and understand each loader, building up step by step towards an evasive shellcode loader.
As the focus of this course is not entirely or only on malware development, students will not have to write code from scratch, but will have to solve different types of tasks in each module to build each loader and analyse them via debugging.
For full details, including course specifics, key learning objectives, intended audience, course schedule and more, please see the attached PDF at the bottom of this page. Feel free to download the PDF for your convenience.
Who should participate?
The "Endpoint Security Insights: Shellcode Loaders and Evasion" course is aimed at both beginners and advanced students. It provides IT security professionals, penetration testers (junior and senior), junior red teamers (interested senior red teamers are also welcome), blue teamers and threat hunters with a structured insight into how to build an evasive shellcode loader and how endpoint security products such as Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) work in detail.
Students will learn step-by-step how to build and debug an evasive shellcode loader and how to bypass endpoint security products such as EPP/EDR. The course also provides a basic understanding of the relevant parts of Windows internals, so that the technical functionality of endpoint security products and shellcode loaders on Windows is easier to follow.
Each student will receive
By attending the Endpoint Security Insights course, each student will receive:
- A dynamic 4-day online training course with interactive learning (70%-80% hands-on)
- Access to a dedicated LAB for each participant
- Comprehensive slides and detailed playbooks for all modules
- Access to all workshop POCs
- A 60-day window to the dedicated workshop Discord channel
- A certificate of completion in recognition of participation in the course
Expand your knowledge of endpoint security evasion and evasive shellcode loaders in a structured way and secure your place in the course "Endpoint Security Insights: Shellcode Loaders and Evasion".
Key course facts
- Training format: Live online
- Training date: TBA
- Seating limit: 8
- Ticket price: 2499€ (excluding VAT)
To register for the course, please send an email to email@example.com. Please note that your company email address is mandatory for course registration. Requests via email providers such as gmx, gmail etc. will not be answered.
The basic content for this training is freely available on the internet in various forms. I want to make it clear that I am not introducing any new tactics, techniques etc. in my training. If you share my enthusiasm for self-taught learning, I encourage you to explore these resources for yourself and take advantage of the vast wealth of information available online.
However, if you are looking for high quality live training and a structured approach to learn about some essential concepts of endpoint security evasion and shellcode loaders, then my course "Endpoint Security Insights: Shellcode Loaders and Evasion" is a good choice for you.
Please note that each student is required to sign a Non-Disclosure Agreement (NDA) before the course begins. This ensures that the student agrees not to disclose their personal course material to any third party, to use anything they learn only in an ethical context, and not to disclose any data/information about what they have learnt or the course itself to security product vendors. Detailed information or the explicit NDA document will be sent to all students prior to the course.
Looking forward to a fantastic training session!
Frequently Asked Questions (FAQs)
Is it mandatory to send the signed Non-Disclosure Agreement (NDA) to RedOps GmbH before the course starts?
Yes, it is mandatory to send the signed NDA separately for each course participant. Please send it to firstname.lastname@example.org at least 1 week before the course starts.
Will I receive course materials such as slides and handouts?
When you register for the course, you will receive a watermarked PDF copy of the course materials. This PDF file, which will include your full name and email address, will be sent to you electronically before the course starts. It is strictly forbidden to pass this on to anyone else and will result in you being disqualified from future courses.
Can I contact you before the course starts so that I can prepare myself?
Yes, of course you can. If you have any questions or concerns, please contact email@example.com. To speed up the process, please mention "Training Preparation" in the subject line of your email. In general, however, there is no need to prepare in advance as we cover all the necessary basics in the course.
What software do I need to take the course?
- Host operating system Windows 10 Professional 64-bit
- Microsoft Remote Desktop Client (to access the host)
- Zoom client (to join the workshop)
- Discord account (for written questions during the workshop)
How do I access the LABs associated with this course?
Access to the labs is via RDP (port 3389) using the Microsoft Remote Desktop Client from any unrestricted internet connection.
Will the labs be available online after the course?
Please note that the labs are only available for the duration of the course. At the end of the course, the labs will be deactivated. However, you will receive all the workshop POCs and can continue to use them in your own lab in your company or at home.
Can I use my favourite Command and Control (C2) framework for the lab exercises?
In the officially provided LAB environment, only the free version of the Metasploit framework is used. The provided shellcode loader POCs are designed to work with different C2 frameworks. You are welcome to use your favourite C2 framework outside the official LAB environment, but please note that I may not be familiar with your chosen C2 framework and will not be able to fully support you with it during the exercises.
Do students receive a certificate at the end of the course?
All students who complete the course will receive a digital certificate of attendance.
Is there a minimum number of participants for a course to run?
Yes, we reserve the right to cancel the course if there are not enough participants. We will inform you as soon as possible and offer you a full refund or a place on a future course.