As the defensive capabilities of the Windows platform evolve, attackers must continue to improve their tradecraft to circumvent them and defenders must understand these techniques to further improve their detection and prevention capabilities.
Attackers avoid touching the disk by using the living-off-the-land approach, which takes full advantage of the tools and scripting languages built into the operating system to execute in-memory, fileless attacks. While there are multiple publicly available offensive tools and frameworks that facilitate script-based attacks, many of them are flagged by endpoint security solutions. Understanding the inner workings of these tools and techniques enables red teamers to create unique implementations and variants that evade those defenses.
This training course takes attendees through a practical journey with a hands-on approach to teach them about the post-exploitation techniques used by modern fileless attacks at every stage of their execution.
Beneficial to both the offensive and the defensive side, the knowledge and hands-on experience gained in this training will help attendees with real-world red teaming engagements and with defending against fileless malware. Attendees learn about modern fileless malware that uses scripting languages, executes in memory, avoids touching the disk, and evades endpoint security solutions.
This training is a mix of theory, instructor-led demos, lab exercises, and source code walkthroughs. More than 50% of the course is focused on hands-on labs in which attendees practice living-off-the-land (LotL) techniques using signed and whitelisted binaries already present on the system.
In the hands-on labs, attendees implement various techniques used by modern malware, test them, observe their noise level in logs, and understand their forensic footprint. All labs are performed on the latest 64-bit version of Windows 10, so attendees can observe the impact of ETW, Sysmon, PowerShell logging (module, script block, and transcription logging), AMSI, etc., and learn about techniques to evade such logging.
Attendees must have a good understanding of the Windows operating system and familiarity with the attack life cycle.
Attendees are expected to have prior experience with using PowerShell on Windows 10.