Course Overview

    1. Introduction
    2. Course Material
    3. Using Snaps Labs

    1. The Funnel of Fidelity and Attacking It
    2. Host Based Detection Tools
    3. Network Based Detection Tools

    1. .NET Deep Dive
    2. .NET and PowerShell Security Features
    3. WMI - What is it?
    4. ETW - The Backbone of Modern Defense
    5. AMSI and Defender Bypasses
    6. API (Un)hooking

    1. Why Obfuscation?
    2. Code Element Obfuscation
    3. Flow Control Obfuscation
    4. Data Obfuscation
    5. Method Obfuscation
    6. Code Translation - Leveraging IronPython

    1. Targeting EDR vs "Universal" Evasion Methods
    2. .NET Obfuscation Techniques
    3. Leveraging Automated Tools
    4. Breaking Blue's Chain - Putting it Together

    1. Targeting the Human Element
    2. Network Comms Profile Abuse
    3. Leaning on Domain Trust
    4. Platform-as-a-Service and File Hosting Services for Evasion
    5. JA3 and JARM

Key Takeaways

  • Understand How AV and EDR Detect Threats
  • Apply Code Obfuscation to Extend the Useful Life of Tools
  • Learn How to Attack the Human Element of the SOC