White Knight Labs - Offensive Development (On-Site)

May 13, 14 and 15 2024

Overview

Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.

This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.

Who Should Attend?

This course is intended for penetration testers that are attempting to break into red teaming and engineers that are curious to understand how EDR products in order to break/bypass them. Students with a strong understanding of the fundamentals of cybersecurity, and experience with penetration testing should attend. This course is also recommended for blue teamers that want to understand hyper-current techniques for bypassing modern-day defenses.

Key Learning Objectives

  • PE Format Primer
  • Windows API Primer
  • Process Injection: CRT/Early Bird/Mockingjay/Hollowing/Caro-Kann/Pool Party
  • Direct & Indirect Syscalls
  • Dynamic Module and API Resolution with Hashing
  • Dynamic SSN resolution with HalosGate
  • Call Stack Tampering: Return Address Patching
  • Understanding Cobalt Strike
  • Payload Guardrails
  • Understanding EDR detections: Hooking, ETW, Callbacks
  • Custom Reflective DLL Loaders
  • Different ways to weaponize loaders for initial access

Prerequisite Knowledge

This is an intermediate/advanced level course – a background in C programming, Windows Internals, .NET programming, and how AV/EDR products work would be useful.

Lab Environment

Students will have access to their own lab environment in AWS that consists of the following:

  • Windows Sophos Intercept X EDR VM
  • Windows Crowdstrike EDR VM
  • Windows Elastic EDR VM
  • Windows Bitdefender EDR VM
  • Ubuntu Cobalt Strike Team Server
  • Windows 10 Development Machine

Hardware/Software Requirement

  • Students must have an active AWS admin account with programmatic access to run the Terraform script that create the lab environment.

Syllabus

Day 1

  • Guacamole walkthrough
  • PE Primer
  • Windows API Primer
  • Converting PE files to Shellcode
  • Shellcode Storage
  • Process Injection: CRT, Hollowing, Early Bird
  • Dynamic Module and Function Resolution with Hashing
  • Introduction to CS
  • Malleable C2 Profiles and Beacon Object Files (BOFs)

Day 2

  • Identifying the EDR
  • Patching the EDR’s patch
  • Direct and Indirect Syscalls
  • ETW & Caro-Kann
  • Mockingjay
  • Return Address Patching
  • Amsi & Bypassing Amsi
  • Custom Reflective DLL Loaders

Day 3

  • DLL Sideloading for Persistence and Initial Access
  • Pinvoke and Dinvoke
  • AppDomain Manager Injection
  • ClickOnce for Initial Access
  • Making the final binary to bypass multiple EDR products

Bio

White Knight Labs Experience

White Knight Labs is a boutique offensive cyber security consultancy that specializes in penetration testing, adversarial emulation, and red team engagements. The founders, John Stigerwalt and Greg Hatcher, have deep experience leading red team engagements in highly scrutinized, complex environments. White Knight Labs has been in business since 2017 (6 years). WKL is regularly hired by other red teams to assist with implant development and infrastructure automation. We are an elite tactical unit that operates similarly to a Special Forces team.

Greg Hatcher , White Knight Labs

Greg has a background in Army Special Forces and teaching Windows internals at the NSA. He also led a 3-man red team for CISA that specialized in attacking America’s critical infrastructure. He authored and teaches WKL’s flagship course, Offensive Development, at Wild West Hackin’ Fest and virtually on the Antisyphon platform. Greg is passionate about C programming for the Windows operating system and abusing Active Directory. Greg is an active member of the following organizations: Cloud Security Alliance, the Right Place, American Corporate Partners, West Michigan Technology Council. He regularly appears in the news discussing cyber warfare and the impact of Chinese APTs on America's critical infrastructure. Greg has the following certifications: GXPN, GCPN, CRTP, CISSP, GWAPT, and GSEC.

John Stigerwalt , White Knight Labs

John has worked as blue teamer, vCISO, developer, senior penetration tester, and red team lead. John served as the F-Secure red team lead for the western hemisphere. He has led long‐term red team engagements in highly complex Fortune 500 companies. He has worked together with Microsoft to increase kernel security for the Windows operating system. He has led training at BlackHat, DerbyCon, and Wild West Hackin’ Fest. He is the author WKL’s Advanced Red Team Operations course (ARTO). John has the following certifications: OSCP, OSCE, CRTP (Certified Red Team Professional), CRTE (Certified Red Team Expert), and SLAE (Assembly Language and Shellcoding). John is known as one of the most talented offensive cyber security experts in the world and can do whatever is asked of him on a computer.

Return to training sessions