SEC670: OnDemand

Provided by

Enquire about this course

What You Will Learn

Learning how to develop custom-compiled tools for Windows is a skillset that is not being taught by universities or other academic organizations and, as a result, the cybersecurity industry has a severe skills deficit that is limiting the overall capability of red team operations. Defense contractors and industries looking to hire Windows tools developers are facing a severe shortage of talent and are unable to further hone their defenses.

SEC670: Red Team Operations - Developing Custom Tools for Windows is the first course of its kind, giving students hands-on lab experience creating custom-compiled programs specifically for Windows using the C/C++ programming languages. Students will learn the internal workings of existing offensive tools that offer capabilities such as privilege escalation, persistence, and collection by creating their own tools using Windows APIs. Windows defenses have become more robust, and cloud-connected AV solutions are making it more challenging to operate under the radar. In response, this course introduces students to techniques that real nation-state malware authors are currently implementing in their implants.

The course starts with an introduction to developing Windows Computer Network Operations (CNO) tools. We'll explore current offensive and defensive tools like Moneta and PE-Sieve that are designed to detect malicious actions. Students will then quickly ramp up to create their first compiled program. Students will move through the course learning how to obtain target information, what operational actions (such as injection and privilege escalation) can be carried out using this information, and how to take advantage and maintain system access through persistence. They'll also learn how to take shellcode, encrypted or otherwise, and execute it in a process using the C programming language and leveraging compiler tricks. Finally, they'll learn how to evade AV solutions by bypassing their function-hooking engine, patching key functions like AmsiScanBuffer and code caves. The course will even discuss scenarios where going after "low-hanging fruit" is preferred to dropping more complicated and sensitive implant capabilities.

SEC670 culminates with an immersive Capture-the-Flag event that will challenge students like no other event ever has. Students must leverage the tools and capabilities they have built during the week to solve complex challenges like getting information from a remote process memory. By the end of the course, students will have built a lightweight Windows implant that can enumerate the Windows Registry, files, folders, network connections, users, and processes; bypass UAC and AV products; escalate privileges; persist across reboots; inject into other processes; and hide from users and other tools.

Business Takeaways
  • New calling conventions and data types specific to Windows
  • How Windows processes, threads, and services work internally
  • How to abuse Windows APIs to inject shellcode into other processes without detection
  • How to create a hidden, persistent service
  • How to hide from user-mode tools like Task Manager
  • How to create and execute shellcode without detection
  • How to bypass user-land hooks and implement your own
  • How to control your implant from your C2
Skills Learned
  • Create custom compiled Windows implants
  • Collect target information
  • Hide processes from user mode tools
  • Hook and unhook functions for AV bypasses
  • Generate and execute custom shellcode
  • Escalate privileges from medium integrity levels to high (NT AUTHORITY\SYSTEM)
  • Persist across reboots
  • Beacon out to configured C2 infrastructure


Start date Location / delivery
No fixed date Virtual Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...