Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing

Introduction

The course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

The course will also cover real-world scenarios that impair (effectively slow down or dissuade) reverse engineering efforts and make the job of first responders tougher. The techniques will be demonstrated in two ways: first, by reversing real malware samples, and then by re-implementing an improved version of the malware code. The training is designed from an attacker's point of view, teaching red-teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class.

The course focuses primarily on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants will be provided with plenty of custom code to facilitate the understanding of complex malware techniques.

As part of the course, theory sessions will be followed by exercises where participants will reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of all the techniques involved. Half of the course will be dedicated to hands-on labs that will show how to translate the theory principles into practice.

Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.

Almost all labs are provided in dual versions (reverse and development). Students can choose which version to approach.

To develop and test the techniques described during the theory sessions, students will be provided with the source-code of our training agent and its corresponding C2.

Key Learning Objectives

  • Be able to recognize, implement and deal with stealthy malware/backdoor techniques and tradecraft.

  • Be able to modify malware components and pre/post-build tools to protect them against reversing efforts.

  • Become familiar with the latest advances in code and DLL injection techniques and customize a reflective loader.

  • Be able to build custom obfuscators and to recognize the patterns left by certain obfuscation transforms.

  • Learn the tradecraft used by attackers to prevent and effectively impair defensive incident responders from analyzing their tools, payloads, and backdoors.

 

Who should attend

Developers and reverse engineers who want to understand the tradecraft from a different point of view, red-team members who want to go beyond using third-party implants, and researchers who want to develop anti-detection techniques seen in real malware/APT tooling.

Prerequisites

  • Programming experience (C, C++, Python, .NET, and PowerShell)

  • Familiarity with assembly language and debuggers (IDA Pro, WinDbg)

 

Hardware/Software Requirements

Laptop Requirements:

  • Virtualization-capable Intel CPU(s) (ARM CPUs are not supported)

  • Minimum 8GB of RAM (for running one guest VM)

  • Minimum 80 GB free disk space

 Software Requirements:

  • Host OS Windows 10 64-bit

  • Debugging Tools for Windows (IDA Pro, WinDbg). Decompiler recommended.

  • Sysinternals tools

  • Virtualization software (VMware, VirtualBox)

  • Guest OS Windows 10 64-bit

  • System Administrator access required on both host and guest OSs

Course Agenda

Module 1

  • Warm-up (refresh basic concepts)

  • DynLoader

    • Dynamic API resolution

    • Import by hash

    • PEB walk

    • Direct syscall invocation

    • Custom API implementation

  • Obfuscation I

    • Obfuscation techniques

    • Opaque predicates, MBA, VM obfuscators

Module 2

  • Obfuscation II

    • Source level obfuscation

    • Intermediate representation obfuscations (LLVM)

  • Bring your own Loader

    • Windows Loader

    • Alternative Loaders

  • Injection I (Advanced Reflective Loader)

    • Widely used injection techniques

    • Reflective Loader deep analysis

    • Customizing the reflective loader (RL)

Module 3

  • Injection II (Exotic Injection)

    • Uncommon injection techniques

    • Hooks

    • Implement an exotic injector

  • Anti-Debug

    • Debugging internals

    • Breakpoint detection (HW and SW)

    • Anti-tampering

  • Persistence

    • COM/DLL Hijacking

    • WMI persistence

Module 4

  • Anti-VM

    • Artifact detection

    • Instruction and timing detection

    • Build an anti-VM module

  • Multi-language module

    • Run managed code from unmanaged

    • AMSI

    • Execution Guardrails

    • IPC

  • Final Lab

MalOpSec 2 -> EDR: The Great Escape

Introduction


Engaging in red-team activities within enterprise networks often involves encountering and bypassing endpoint protection solutions, specifically Endpoint Detection and Response (EDR) systems. These EDRs are intricate and sophisticated systems designed to monitor and defend against various threats, including unauthorized access attempts by red team operators seeking to infiltrate the target network.

This course aims to provide a comprehensive understanding of the architecture of modern EDRs and their underlying Antivirus (AV) systems. It delves into the structure of modern EDRs, including the components responsible for real-time monitoring, data collection, and threat analysis.

 The course also explores how internal Antivirus (AV) systems operate within the EDR framework, their role in threat detection, and their interaction with other security components.

 In addition to examining detection mechanisms employed by EDRs, participants will learn about evasion techniques. This includes tactics and strategies to evade detection by EDRs, such as bypassing signature-based scans, disguising malicious behavior, and exploiting potential vulnerabilities in EDR configurations.

 The techniques will be demonstrated in two ways: first, by reversing real malware samples, and then by re-implementing an improved version of the malware code.

The training is designed from an attacker's point of view, teaching red-teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class.

The course focuses on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants will be provided with plenty of custom code to facilitate the understanding of complex malware techniques.

As part of the course, theory sessions will be followed by exercises where participants will reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of all the techniques involved. Half of the course will be dedicated to hands-on labs that will show how to translate the theory principles into practice.

Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.

This class complements our main training, covering techniques not present in the main class.

This course is valuable not only for red team operators but also for blue team professionals. Blue team members can gain insights into how their detection systems may be bypassed, helping them enhance their security measures and stay one step ahead of potential threats.

 This course equips security professionals with a deep understanding of modern EDRs and their AV systems, enabling them to better simulate advanced threat scenarios, improve their evasion detection skills, and contribute to the overall enhancement of security within enterprise networks.

Key Learning Objectives

  • Be able to recognize, implement and deal with stealthy malware/backdoor evasion techniques and tradecraft.

  • Be able to modify malware components to protect them against reversing efforts.

  • Become familiar with advanced .NET obfuscation systems.

  • Be able to build custom obfuscators and to recognize the patterns left by certain obfuscation transforms.

  • Learn the tradecraft used by attackers to prevent and effectively impair defensive incident responders from analyzing their tools, payloads, and backdoors.

Who should attend

Developers and reverse engineers who want to understand tradecraft from a different point of view, red-team members who want to go beyond using third-party implants, and researchers who want to develop anti-detection techniques seen in real malware/APT tooling.

Prerequisites

  • Programming experience (C, C++, Python, .NET, and PowerShell)

  • Comfortable with assembly language and debuggers (IDA Pro, WinDbg)

 

Hardware/Software Requirements:

 Laptop Requirements:

  • Virtualization-capable CPU(s)

  • Minimum 8GB of RAM (for running one guest VM)

  • Minimum 80 GB free disk space

  • Intel host CPU (ARM is not supported)

 

Software Requirements:

  • Host OS Windows 10 64-bit

  • Debugging Tools for Windows (IDA Pro, WinDbg). Decompiler recommended.

  • Sysinternals Suite

  • Virtualization software (VMware, VirtualBox)

  • Guest OS Windows 10 64-bit Version 20H2

  • System Administrator access required on both host and guest OSs

 

Course Agenda 

Module 1

  • The shortest Intro

  • Give a shout to the Alpaca

  • The reference architecture

  • Minifilter drivers

    • Architecture, altitude

    • Pre/post-operation callbacks

    • Self-protection

  • Kernel-to-user DLL injection

    • APC injection

    • Hooking library

    • Hook detection / unhooking strategies

    • Walk through the OpenEDR implementation

    • Look at a couple of proprietary DLLs

  • Unhooking the watchers in all the possible ways

    • Restore the original ntdll

    • Patch the hooked ntdll in memory

    • The right ways of using call gates

    • Indirect syscall

  • Labs:

    • Unhook

    • Disable self-protection

Module 2

  • Using ROP to do good or better bad things…

    • Write your ROP injector

  • Protected Processes and Protected Process Light

    • Internals: Core kernel data structures

    • Anti-Malware and ELAM

  • Mastering ETW and getting the forbidden feed

    • Providers, Consumers, Sessions

    • User-space provider bypass

    • The Threat Intelligence Provider

  • Labs:

    • Using ROP to minimize the presence in ETW logs

Module 3

  • Primer on the Windows Filtering Platform

  • File Scanners

  • Memory Scanners

    • Moneta

    • PE-sieve

    • Other memory scanner tools

  • Smashing the stack for fun and evasions

    • Stack spoofing

    • Sleep Obfuscation

  • Local Privilege Escalation

    • SID, UAC, DACL, PPL, PP

    • Abuse WinSxS

    • Handle stealer

  • Labs

    • LPE and get Admin

    • Create your stack spoof 

Module 4

  • Notification callbacks

    • Process, Threads, Objects

    • OpenEDR implementation

    • Vendor specific implementations?

    • Weaponize vulnerable signed drivers to bypass EDR detections      

  • .NET internals

    • C# file format and internals

    • C#/C++ interoperability (IJW)

    • Obfuscate your C# stage0 and make it hard to reverse

  • Lab .NET obfuscation

MalOpSec 3 -> From Adversary simulation to False Flag Operation

Introduction

 This intensive hands-on course transforms skilled developers and security professionals into expert malware analysts and adversary emulators. Through practical reverse engineering of real-world threats, participants will master advanced analysis techniques, understand sophisticated malware architectures, and gain the skills to accurately recreate malicious capabilities for emulation purposes. From loaders to ransomware, students will dive deep into modern malware complexity while building their own implementations in a controlled environment.

General Description

This advanced technical course bridges the gap between malware analysis and practical adversary emulation. The program is structured as a progressive journey through modern malware complexity, starting with foundational concepts and building toward advanced implementation techniques.

The course begins by establishing a solid contextual framework, covering the current threat landscape and the critical differences between adversary emulation, simulation, and false flag operations. Participants will learn how to translate threat intelligence reports into actionable technical objectives.

Moving into technical depth, the course covers sophisticated binary analysis techniques, exploring everything from compiler artifacts to architectural design patterns. Through hands-on labs, students will master dynamic API resolution, communication protocols and memory manipulation techniques used by modern malware.

The core of the course focuses on practical implementation, with students reverse engineering and recreating key malware components including loaders, command processors, and communication protocols. Special attention is given to ransomware architectures and information stealers, providing students with deep insights into these high-impact threats.

Each module combines theoretical knowledge with extensive hands-on labs, ensuring students not only understand malicious techniques but can accurately reproduce them in controlled environments.

This course is ideal for:

  • Malware analysts seeking to advance into adversary emulation

  • Red team operators wanting to deepen their technical capabilities

  • Security researchers focusing on advanced threat analysis

  • Defensive engineers building detection systems

Prerequisites include strong programming skills, basic reverse engineering knowledge, and familiarity with Windows internals. All practical work is conducted in isolated lab environments following strict safety protocols.

 

Key Learning Objectives

By the end of this course, participants will be able to:

  • Conduct comprehensive static and dynamic analysis of sophisticated malware samples

  • Reverse engineer and reconstruct complex malware architectures and execution chains

  • Implement advanced malware functionalities including custom loaders, API resolution, and encryption systems

  • Analyze and recreate malware communication protocols and data serialization methods

  • Understand and replicate advanced evasion techniques and environmental checks

  • Develop ransomware simulation capabilities

  • Apply threat intelligence insights to adversary emulation scenarios

     

 Who should attend

 This course is designed for:

  • Developers and Reverse Engineers: Gain a deeper understanding of malware by analyzing it from an adversary's perspective. Learn to identify the unique characteristics that define each malware family.

  • Red Teamers: Master the art of high-quality adversary emulation. Learn how to craft realistic emulations that mimic real-world attacks, including the subtle indicators that blue teams use for attribution.

     

Prerequisites

  • Programming experience (C, C++, Python, .NET, and PowerShell)

  • Comfortable with assembly language and debuggers (IDA Pro, WinDbg)

Hardware/Software Requirements:

Laptop Requirements:

  • Virtualization-capable CPU(s)

  • Minimum 8GB of RAM (for running one guest VM)

  • Minimum 80 GB free disk space

  • Intel host CPU (ARM is not supported)

 Software Requirements:

  • Host OS Windows 10 64-bit

  • Debugging Tools for Windows (IDA Pro, WinDbg). Decompiler recommended.

  • Sysinternals Suite

  • Virtualization software (VMware, VirtualBox)

  • Guest OS Windows 10 64-bit Version 20H2

  • System Administrator access required on both host and guest OSs

Course Agenda

 Module 1

  • Introduction & Context

    • Overview of the modern threat landscape and emerging threats.

    • Differentiating between adversary emulation, simulation, and false flags.

    • Understanding the anatomy of a threat intelligence report.

    • Defining problem statements and establishing mission objectives for malware analysis.

  • Getting started

    • Refresh on malware reverse-engineering

    • Refresh on system programming

  • Binary Layout & Architecture

    • Triage of binary files: Imports, dependencies, and API sets

    • File information decoy: fake signatures

    • Investigating compiler artifacts and their impact on analysis.

    • Analysing architectural design choices: Memory management, error handling, and recovery mechanisms.

    • LAB: Creating the external box

  • Loaders & Execution Chains

    • Exploring modern loader architectures and loading techniques.

    • Understanding runtime API resolution and executable sections

    • Investigating memory-only execution paths and process hollowing variations.

    • Analysing multi-stage execution chains and inter-stage communication mechanisms.

    • Filesystem access fingerprinting

    • LAB: Reimplement dynamic API resolution and API call sequences (requires static and dynamic analysis)

Module 2

  • Advanced Static Analysis

    • Identifying code structures: Control flow graph analysis, function identification, and compiler pattern recognition.

    • Recognizing algorithms: Cryptographic routines, hashing, CRC, common data structures, and string encoding/decoding techniques.

    • LAB: advanced static analysis of the sample to emulate

  • Understanding the Malware Layout

    • Reconstructing malware operation modes, transition triggers, and error states.

  • Core Implant Functionalities

    • Analysing command processing systems: Command dispatchers, parameter handling, and response formatting.

    • Investigating encryption implementations: Key management, algorithm selection, and secure communications.

    • Implementing the persistence mechanism

    • Understanding configuration parameters

    • LAB: Reversing and reimplementing the core functionalities of the target malware

Module 3

  • Data Serialization & Communication Protocols

    • Understanding data serialization techniques used by malware.

    • Analysing communication protocols used by malware to communicate with command-and-control (C&C) servers.

  • Ransomware emulation

    • Deep dive into ransomware architectures: Encryption strategies and file handling techniques.

    • Analysing information stealers: Data identification and exfiltration methods.

    • Handling environmental checks