The Offensive Development is the first course which is dedicated to building payloads that bypass modern AV/EDR products.
There are a lot of other courses which focus on concepts, discuss bypasses, but none of them take the student through building payloads from scratch and then bypassing EDR live.
This course focuses on a brief introduction towards Windows Internals and calling Windows API functions dynamically, and ends with students buildings payloads and bypassing modern defensive solutions.
Each student gets access to an isolated cyber range where they will develop their malware and deploy it with Cobalt Strike. That’s right, Cobalt Strike is built into the course.
During the course, you will learn how AV/EDR products work so that you can understand how brittle they truly are.
Topics that will be covered are: AMSI/ETW bypass, writing shellcode, writing BOFS, malleable C2 profile, various process injection techniques, hiding strings and imports, and more.
This course isn’t just for red teamers: you will learn how to hunt for default Cobalt Strike usage, detect process injection by looking at memory permissions and strange parent/child relationships, and detecting dynamically calling Windows APIs via LoadLibrary/GetProcAddress.
The total course duration is 2 days of online interactive training sessions over Zoom. Students will receive an email inviting them to the training.
Inside the cloud environment, the students will have access to a plethora of Windows machines with various EDR/AV products installed. The students will also have access to the Cobalt Strike C2 platform for the duration of training. A detailed syllabus on the training content can be found here.
White Knight Labs provides Certificate Of Completion for every completed course. This certificate may be verified by contacting firstname.lastname@example.org using the enrolment ID from the given certificate.
This is an intermediate level course. If you’re completely new to porgramming and Windows Internals, it might be hard to keep up.
A background in the following topics would be useful before taking this course:
During the course, we will be interacting with different AWS EC2 instances using Guacamole.
Students will utilize their personal AWS account.
From that point, students will deploy the environment which consists of the following machines in the same subnet:
We strongly recommend that you create an AWS account BEFORE the course begins.
Here is a list of tools/requirements for the Offensive Development course (they’ll be preinstalled on the machines):