Windows Malware Techniques Training

Description

User-mode malware on Windows is ubiquitous, and custom user-mode implants are used regularly in red-team engagements. Knowledge of the latest malware techniques helps red teamers improve their custom tooling, helps malware analysts take apart malware, and helps anti-malware solution developers design behavioral detections for malicious activity.

The common theme amongst all Windows malware and implants is that they abuse the facilities provided by the Windows platform to achieve their objectives. Knowledge of the rich set of Windows APIs, an understanding of how they are used in the various stages of an implant, and the ability to leverage them to detect and bypass the defenses in the system are essential for red and blue teamers alike.

This training course takes attendees on a practical, hands-on journey through the post-exploitation techniques used by PE file-based implants at every stage of their execution.

Beneficial to both the offensive and the defensive side of the camp, the knowledge and hands-on experience gained in this training will help attendees with real-world red teaming engagements and in defending against both custom advanced persistent threat (APT) tooling and commercial off-the-shelf (COTS) malware. Attendees will learn how malware and implants interact with the latest version of Windows, and how the different stages of malware abuse and exploit various components of the Windows OS to achieve their goals and evade defenses.

This training is a mix of theory, instructor-led demos, lab exercises, and source code walkthroughs. More than 50% of this course is focused on hands-on labs where attendees code, build, test, and debug techniques used by malware on Windows.

In the hands-on labs, attendees implement various post-exploitation techniques used by PE file-based user-mode implants using Win32 and Native APIs in C and x64 assembler. All labs are performed on the latest version of Windows 10 64-bit so attendees can observe the impact of the latest defenses built into the system and learn how to evade them.

Prerequisites

Attendees must have a solid understanding of Windows internals and familiarity with user-mode development on Windows using Win32 APIs. This is a developer-oriented course, and attendees are expected to have prior experience with C/C++ programming on Windows 10.

Modules

Introduction

  • Offense and defense
  • Platform mitigations
  • Attack execution stages
  • Initial access methods
  • Staging payloads
  • System logging

Shellcoding

  • Shellcoding tools
  • Shellcode injection
  • Compiler and linker flags
  • Position-independent code
  • Compiler intrinsics
  • Runtime checks and dependencies

System Interfaces

  • Module lists
  • PE parsing
  • Import hashing
  • Dynamic exception handlers
  • Interfacing with C/C++
  • Context manipulation

Code Injection

  • Injection & execution
  • Process injection techniques
  • Classic DLL injection
  • Reflective injection
  • Process hollowing
  • WoW64 process injection

Hooking

  • Inline hooking
  • Code caves
  • Binary trojaning
  • Import hooking
  • Windows hooks
  • Hook subversion

Persistence

  • Registry ASEPs
  • System execution vectors
  • DLL hijacks
  • DLL proxies
  • COM object hijacks
  • Service hijacks

Communications

  • Network enumeration
  • HTTP proxies
  • C2 infrastructure
  • Beacons and tasking
  • Protocol tunneling
  • DNS data exfiltration

Self-Defense

  • Environment detection
  • Debugger detection
  • VM detection
  • Event logging bypass
  • Security product detection
  • Evasion techniques