Offensive Development

The Offensive Development is the first course which is dedicated to building payloads that bypass modern AV/EDR products

Most courses teach concepts

Our Offensive Development is the first course dedicated to building payloads that bypass modern AV/EDR products

There are a lot of other courses which focus on concepts, discuss bypasses, but none of them take the student through building payloads from scratch and then bypassing EDR live.

This course focuses on a brief introduction towards Windows Internals and calling Windows API functions dynamically, and ends with students buildings payloads and bypassing modern defensive solutions.

Each student gets access to an isolated cyber range where they will develop their malware and deploy it with Cobalt Strike. That’s right, Cobalt Strike is built into the course.

During the course, you will learn how AV/EDR products work so that you can understand how brittle they truly are.
Topics that will be covered are: AMSI/ETW bypass, writing shellcode, writing BOFS, malleable C2 profile, various process injection techniques, hiding strings and imports, and more.

This course isn’t just for red teamers: you will learn how to hunt for default Cobalt Strike usage, detect process injection by looking at memory permissions and strange parent/child relationships, and detecting dynamically calling Windows APIs via LoadLibrary/GetProcAddress.

Illustration of network topology used in training program


Development Course


The total course duration is 2 days and consists of online interactive training sessions over Zoom. Students will receive an email inviting them to the training.

Inside the cloud environment, the students will have access to a plethora of Windows machines with various EDR/AV products installed. The students will also have access to the Cobalt Strike C2 platform for the duration of training. 

We strongly recommend that you create an AWS account BEFORE the course begins

This is an intermediate level course

If you’re completely new to programming and Windows Internals, it might be difficult to keep up.

A background in the following topics would be useful before taking this course:

During the course, we will be interacting with different AWS EC2 instances using Guacamole.

Students will utilize their personal AWS account.

From that point, students will deploy the environment which consists of the following machines in the same subnet:

Here is a list of tools/requirements for the Offensive Development course (they’ll be preinstalled on the machines):

Offensive Development Course

Overview and Syllabus


Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.

This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know their own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.

Who Should Attend?

Anybody that is deeply passionate about red teaming and has a stron

Key Learning Objectives

Learn the IOCs and artifacts of using off-the-shelf tooling. Without understanding the defender’s capabilities, an attacker brings little value to a red team engagement.

Prerequisite Knowledge

This is an intermediate level course – a background in C programming, Windows Internals, .NET programming, and how AV/EDR products work would be useful.

Lab Environment

Students will have access to their own contained lab environment within Snap Labs that consists of the following:

  • Windows Server 2019 running Sophos Intercept X EDR
  • Ubuntu Cobalt Strike Team Server
  • Windows 10 Development Machine
  • Kali Linux
  • Admin Machine running Apache Guacamole
  • Fully Patched Windows 10 Machine

Hardware/Software Requirement

Ability to connect to the SnapLabs cyber range (must create an account)


Day 1 – Understanding Modern Defenses

  • Hiding from the Import Address Table (IAT)
  • Dynamically Building Your Strings
  • Defeating string detection via encryption
  • Finding EDR’s DLL
  • Unhooking EDR products
  • .NET and Assembly.Load
  • Obfuscating .NET assemblies and their IOCs
  • AMSI bypass
  • ETW bypass

Day 2 – Process Injection and Cobalt Strike

  • Process Injection Variants
  • Malleable C2 Profiles
  • Beacon Object Files
  • Cobalt Strike IOCs
  • Attacking AV/EDR Products
  • Dumping LSASS in 2022
  • Making the final binary to bypass multiple EDR products
binary indications of cyber intrusion

Certificate of Completion


White Knight Labs provides Certificate Of Completion for every completed course.

This certificate may be verified by contacting us at and providing the enrolment ID from the certificate in question..


Let’s Chat

Are you ready to elevate your cybersecurity skills?

Reach out to White Knight Labs today to learn about our Offensive Development training, a course meticulously curated that delves deep into AV/EDR products, shellcode writing, and various process injection techniques.