RTO series

RED TEAM Operator: Malware Development Advanced - Vol.1 Course

Advanced offensive security tool (OST) development topics for Windows user land only, including: hidden data storage, rootkit techniques, finding privileged objects in system memory, detecting new process creation, generating and handling exceptions, building COFFs and custom RPC-like instrumentation, and more.
Write your awesome label here.

Welcome to Malware Development Advanced (Vol.1) course!

In the previous Intermediate course we covered some of the more advanced offensive security tools (OST) development topics.

This time we will be focusing on extending your payload with additional userland techniques to bury it in the depths of the system. That includes:
  • ways to hide your payload inside NTFS and registry hive
  • learning object enumeration alternatives in the system memory
  • manipulating Process Environment Blocks to hide your module and confuse the potential defender
  • finding .NET process with RWX memory ready to abuse
  • detecting new process creation (from userland)
  • setting up global hooks
  • learning few userland rootkit techniques to hide your files, registry keys and processes
  • abusing memory and hardware breakpoints for hooking
  • hiding payload with Gargoyle and similar techniques
  • creating custom "RPC" allowing to call any API function with any number of parameters in a remote process
  • learning COFF objects, how to build, parse, load and execute them in the memory
The course ends with a custom project, employing some of the discussed techniques.

You will receive a virtual machine with complete environment for developing and testing your software, and a set of source code templates which will allow you to focus on understanding the essential mechanisms instead of less important technical aspects of implementation.

COURSE IN A NUTSHELL

What Will You
Learn?

  • Hide payloads in the corners of NTFS and Registry

  • Enumerate processes, modules and handles

  • Find a perfect process for injection

  • Set up global hooks

  • Use few userland rootkit techniques

  • Abuse exception handlers

  • Hide a payload in a memory

  • Call any API (with any number of params) in a remote process

  • Build custom COFF objects

    • What Will You Get?

    • Full-blown videos explaining all techniques in detail
    • Transcription with English subtitles
    • Text supplements with additional information 
    • Source code with code templates for rapid development
    • VM image with ready-to-use development environment
    • Life-time access to the content

    Requirements

    • Understanding of operating system architecture
    • Some experience with Windows OS
    • Basic knowledge about C and Intel assembly
    • Computer with Intel-compatible CPU, min. 8 GB of RAM + 40 GB of free disk space
    • VirtualBox 7.0+ installed
    • Strong will to learn and having fun

    Target Audience

    • Ethical Hackers
    • Penetration Testers
    • Blue Teamers
    • Threat Hunters
    • All security engineers/professionals wanting to learn advanced offensive tactics

    Contents

    Instructor: reenz0h

    Chief Research Officer at SEKTOR7. In the industry for over 20 years. Worked in global Red Team for almost a decade. Simulated threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) around the world. Speaker at HackCon, PWNing, WTH@ck, Sec-T, T2, DeepSec. Gave guest lectures at several military and civil academies and universities.

    Founder of x33fcon security conference and SEKTOR7 offensive research company


    Frequently asked questions

    Why malware development?

    So-called malware development in the context of legal security testing is also known as offensive security tool (OST) development or Offensive Coding. The goal is to teach all cybersecurity professionals, both red and blue teams, to use this knowledge to better understand how real threat actors operate and use different techniques (TTP). This approach should significantly improve the skillset of offensive and defensive teams in testing and securing the production environments of their customers and employers in the long run.

    How long is the course?

    All videos are about 6h long.

    What language is used in the course?

    All videos, text and materials are in English.

    Is it on-line course only?

    Each course is composed of 2 types of materials. Videos with text supplements, which are available on-line only, and virtual machine with source code templates, which can be downloaded and stored on your computer, so you can access it later off-line.

    In case of video or text material download attempts, access to the content will be revoked.

    How long is the course available after purchase?

    After you purchase the course as an individual (not team/business), you have access to all the videos and materials for life-time. You can learn whenever you want, the content will always await for you.

    Moreover, any updates to the course materials (ie. new modules, new videos, new files, etc.) will also be available for anyone who purchased the course without any extra charge.

    Do I have to be an expert in C language or Intel assembly?

    No. Although some level of experience in C programming and Intel assembly reading is required, you don't have to be an expert in this field. Basic knowledge about the syntax, data structures and function calling convention is enough during the course.
    For refresher check these resources: 

    How can I get an invoice?

    You can get an invoice after you purchase the course.

    After logging into your account, first go to "My Account" in the top bar, then select "Billing details" and fill out all necessary fields. Then go to "Payments" and download the appropriate document,.

    Can I get a Certificate of Completion?

    When the course is finished, Certificate of Completion will be generated automatically. It is available at the very end of the course (last module of the course).

    Can I share my account with others?

    We try to keep our prices affordable so that the course can reach as many students as possible.

    Therefore, we consider sharing access as unfair and it is strictly prohibited. In such cases the access will be revoked.

    Legal Disclaimer

    All the materials are for educational and research purposes only.
     
    Do not attempt to violate the law with anything contained in materials produced by SEKTOR7. Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions.

    By using sektor7.institute, its sub- and related domains hosting its contents, you accept that you will only lawfully use it in a test lab – with devices that you own or are allowed to conduct penetration tests for your customers and clients.

    Do not abuse this material. Be responsible.