SEC670: SANS Live Online Europe October 2024

What You Will Learn

Learning how to develop custom-compiled tools for Windows is a skillset that is not being taught by universities or other academic organizations and, as a result, the cybersecurity industry has a severe skills deficit that is limiting the overall capability of red team operations. Defense contractors and industries looking to hire Windows tools developers are facing a severe shortage of talent and are unable to further hone their defenses.

SEC670: Red Team Operations - Developing Custom Tools for Windows is the first course of its kind, giving students hands-on lab experience creating custom-compiled programs specifically for Windows using the C/C++ programming languages. Students will learn the internal workings of existing offensive tools that offer capabilities such as privilege escalation, persistence, and collection by creating their own tools using Windows APIs. Windows defenses have become more robust, and cloud-connected AV solutions are making it more challenging to operate under the radar. In response, this course introduces students to techniques that real nation-state malware authors are currently implementing in their implants.

The course starts with an introduction to developing Windows Computer Network Operations (CNO) tools. You will explore current offensive and defensive tools like Moneta and PE-Sieve that are designed to detect malicious actions. Students will then quickly ramp up to creating their first compiled program. Students will move through the course learning how to obtain target information, what operational actions (such as injection and privilege escalation) can be carried out using this information, and how to gain and maintain system access through persistence. You will also learn how to take shellcode, encrypted or otherwise, and execute it in a process using the C programming language and leveraging compiler tricks. Finally, students will learn how to evade AV solutions by bypassing their function-hooking engine, patching key functions like AmsiScanBuffer, and using code caves. The course will even discuss scenarios where going after low-hanging fruit is preferred to dropping more complicated and sensitive implant capabilities.

SEC670 culminates with an immersive Capture-the-Flag event that will challenge students like no other event ever has. Students must leverage the tools and capabilities they have built during the week to solve complex challenges like getting information from a remote process memory. By the end of the course, students will have built a lightweight Windows implant that can enumerate the Windows Registry, files, folders, network connections, users, and processes; bypass UAC and AV products; escalate privileges; persist across reboots; inject into other processes; and hide from users and other tools.

What You Will Learn
  • New calling conventions and data types specific to Windows
  • How Windows processes, threads, and services work internally
  • How to abuse Windows APIs to inject shellcode into other processes without detection
  • How to create a hidden, persistent service
  • How to hide from user-mode tools like Task Manager
  • How to create and execute shellcode without detection
  • How to bypass user-land hooks and implement your own
  • How to control your implant from your C2
After completing this course, you will be able to:
  • Create custom compiled Windows implants
  • Collect target information
  • Hide processes from user mode tools
  • Hook and unhook functions for AV bypasses
  • Generate and execute custom shellcode
  • Escalate privileges from medium integrity levels to high (NT AUTHORITY\SYSTEM)
  • Persist across reboots
  • Beacon out to configured C2 infrastructure

Start date: 28 Oct 2024
Location / delivery: Virtual