User-mode malware on Windows is ubiquitous, and custom user-mode implants are used regularly in red-team engagements. Knowledge of the latest malware techniques helps red teamers improve their custom tooling, helps malware analysts take apart malware, and helps anti-malware solution developers design behavioral detections for malicious activity. The common theme among all Windows malware and implants is that they abuse the facilities provided by the Windows platform to achieve their objectives. Knowing the rich set of Windows APIs, understanding how they are used in the various stages of an implant, and leveraging them to detect and bypass the system's defenses is essential for both red and blue teamers.

This training course takes attendees on a practical, hands-on journey through the post-exploitation techniques used by PE file-based implants at every stage of their execution. Beneficial to both the offensive and the defensive side, the knowledge and hands-on experience gained in this training will help attendees with real-world red-teaming engagements and with defending against both custom advanced persistent threat (APT) tooling and commercial off-the-shelf (COTS) malware. Attendees will learn how malware and implants interact with the latest version of Windows, and how the different stages of malware abuse and exploit various components of the Windows OS to achieve their goals and evade defenses.
Syllabus
Introduction
- Offense and defense
- Platform mitigations
- Attack execution stages
- Initial access methods
- Staging payloads
- System logging
- Ecosystem review
Shellcoding
- Shellcoding tools
- Shellcode injection
- Position independent code
- Trampolines
- Compiler and linker flags
- Runtime checks & dependencies
System Interfaces
- Module lists
- Compiler intrinsics
- PE parsing
- Import hashing
- Structured exception handling
- Dynamic exception handlers
Code Injection
- Injection & execution
- Process injection techniques
- Classic DLL injection
- Reflective injection
- Process hollowing
- WoW64 process injection
Hooking
- Inline hooking
- Code caves
- Binary trojaning
- Import hooking
- Windows hooks
- Hook subversion
Persistence
- Registry ASEPs
- System execution vectors
- DLL hijacks
- DLL proxies
- COM object hijacks
- Service hijacks
Communications
- Network enumeration
- HTTP proxies
- C2 infrastructure
- Beacons and tasking
- Protocol tunneling
- DNS data exfiltration
Self-Defense
- Environment detection
- Debugger detection
- VM detection
- Event logging bypass
- Security product detection
- Evasion techniques