SEC670: Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control

  • In Person (6 days)
  • Online
46 CPEs

SEC670 prepares you to create custom-compiled programs specifically for Windows and introduces students to techniques that real nation-state malware authors are currently using. You will learn the essential building blocks for developing custom offensive tools through required programming, APIs used, and mitigations for techniques covering privilege escalation, persistence, and collection.

What You Will Learn

Learning how to develop custom-compiled tools for Windows is a skillset that is not being taught by universities or other academic organizations and, as a result, the cybersecurity industry has a severe skills deficit that is limiting the overall capability of red team operations. Defense contractors and industries looking to hire Windows tools developers are facing a severe shortage of talent and are unable to further hone their defenses.

SEC670: Red Team Operations - Developing Custom Tools for Windows is the first course of its kind, giving students hands-on lab experience creating custom-compiled programs specifically for Windows using the C/C++ programming languages. Students will learn the internal workings of existing offensive tools that offer capabilities such as privilege escalation, persistence, and collection by creating their own tools using Windows APIs. Windows defenses have become more robust, and cloud-connected AV solutions are making it more challenging to operate under the radar. In response, this course introduces students to techniques that real nation-state malware authors are currently implementing in their implants.

The course starts with an introduction to developing Windows Computer Network Operations (CNO) tools. We'll explore current offensive and defensive tools like Moneta and PE-Sieve that are designed to detect malicious actions. Students will then quickly ramp up to create their first compiled program. Students will move through the course learning how to obtain target information, what operational actions (such as injection and privilege escalation) can be carried out using this information, and how to take advantage and maintain system access through persistence. They'll also learn how to take shellcode, encrypted or otherwise, and execute it in a process using the C programming language and leveraging compiler tricks. Finally, they'll learn how to evade AV solutions by bypassing their function-hooking engine, patching key functions like AmsiScanBuffer and code caves. The course will even discuss scenarios where going after "low-hanging fruit" is preferred to dropping more complicated and sensitive implant capabilities.

SEC670 culminates with an immersive Capture-the-Flag event that will challenge students like no other event ever has. Students must leverage the tools and capabilities they have built during the week to solve complex challenges like getting information from a remote process memory. By the end of the course, students will have built a lightweight Windows implant that can enumerate the Windows Registry, files, folders, network connections, users, and processes; bypass UAC and AV products; escalate privileges; persist across reboots; inject into other processes; and hide from users and other tools.

Business Takeaways

  • New calling conventions and data types specific to Windows
  • How Windows processes, threads, and services work internally
  • How to abuse Windows APIs to inject shellcode into other processes without detection
  • How to create a hidden, persistent service
  • How to hide from user-mode tools like Task Manager
  • How to create and execute shellcode without detection
  • How to bypass user-land hooks and implement your own
  • How to control your implant from your C2

Skills Learned

  • Create custom compiled Windows implants
  • Collect target information
  • Hide processes from user mode tools
  • Hook and unhook functions for AV bypasses
  • Generate and execute custom shellcode
  • Escalate privileges from medium integrity levels to high (NT AUTHORITY\SYSTEM)
  • Persist across reboots
  • Beacon out to configured C2 infrastructure

Syllabus (46 CPEs)

Download PDF
  • Overview

    The course begins by introducing students to Windows Internals, starting with a high-level overview, and gradually diving deeper into some of the core mechanisms that make the Operating System tick. We'll discuss key differences between offensive and defensive tools as well as the need for them. Equipped with a solid understanding of Windows programming, students can choose to create offensive or defensive tools for Windows. However, the course will only focus on creating offensive cyber capabilities using the C/C++ programming languages. Key differences between Linux and Windows are important and help to ease the transition from Linux to Windows. The C programming language has core data types, but Windows introduces its own data types, which are presented in this course section. We'll also introduce students to calling conventions and how Windows brought its own into the programming arena. At the end of the section, we will present the Windows Application Programming Interface (API) more formally by having students use key Windows APIs in a lab to bring it all together.

    • Detecting Process Injection with PE-Sieve
    • Exploring the Windows Boot Sequence with Process Monitor
    • Building a Hello World DLL
    • Identifying Calling Conventions
    • Understanding and Using SALv2
    • Exploring the Windows API to Create Objects
    • Developing Offensive Tools
    • Developing Defensive Tools
    • Setting up Your Development Environment
    • Similarities and Difference with *Nix Dev
    • Windows Data Types
    • Call Me Maybe
    • SAL Annotations
    • Windows API
  • Overview

    This course section introduces students to the art of on-target reconnaissance. One of the first actions red team operators might take after gaining initial access is to conduct in-depth enumeration, or recon, against the target. This step is often overlooked, since it can take a while to perform, and it is not as glamorous as using a 0-day to exploit something. However, it is vital to know what type of environment you are in and what you can do next. Students will learn how to programmatically survey the lay of the land using a detailed approach, then prepare a final product to obtain information about the operating system version build, patches, and processes, installed applications, the filesystem, users and groups, the network, services, tasks, the registry, and more.

    • Obtaining Operating System Information
    • Exploring Various Methods to Enumerate Running Processes
    • Implementing Directory Enumeration Methods
    • Gathering Operating System Information
    • Service Packs/Hotfixes/Patches
    • Process Enumeration
    • Installed Software
    • Directory Walks
    • User Information
    • Services and Tasks
    • Network Information
    • Registry Information
  • Overview

    This course section focuses on actions that can be taken after initial access. Red team operators typically leverage process injection to execute desired actions. This section will teach students how to programmatically implement those capabilities, starting with a deep dive into the format of the Portable Executable (PE) header. Students will learn how to parse important sections of the PE header, which is a valuable skill that will allow them to create their own version of Windows APIs such as GetProcAddress. After mastering the PE format, we will look at the internals of Threads, their structure, and how they are created. The section will also explore how Asynchronous Procedure Calls can be queued to a Thread to aid in process injection. We'll cover several process injection methods, including the classic DLL injection where we force a Thread to load our malicious DLL in a target process. Another action is to escalate privileges to enable an operator to be more effective on target, so students will programmatically create privilege escalation modules for their implant and test them out on their target system.

    • Parsing the PE Header
    • Classic DLL Injection
    • Process Injection via Asynchronous Procedure Calls
    • Hijacking Thread Execution
    • Stealing Tokens
    • Creating Services
    • Understanding the PE Format
    • Creating Custom Equivalents to Win32 APIs
    • Exploring Thread Internals
    • Exploring Process Injection Methods
    • Programmatically Interacting with Remote Processes
    • Creating Custom Tools for Privilege Escalation
  • Overview

    This course section focuses exclusively on various methods to achieve persistence by surviving reboots. Gaining initial access is a great place to start, but steps must be taken to maintain that access in the event something unforeseen happens like a loss of power, unscheduled reboots, the initial access process dying, etc. Typically, operators will use persistence methods baked into existing tools or frameworks, but those tools had to have been developed at some point. During bootcamp challenges in this course section, students will programmatically implement persistence tools and then test the compiled products against their Windows 10 Test VM to see if access is maintained after a reboot.

    • Using Services for Persistence
    • Using Port Monitors for Persistence
    • Using Image File Execution Options for Persistence
    • In-memory Execution
    • Dropping to Disk
    • Binary Patching
    • Registry Keys
    • Services Revisited for Persistence
    • Port Monitors
    • Image File Execution Options
  • Overview

    This course section will cover more advanced techniques that developers must master to be successful. One great feature for implants is the ability to execute position-independent shellcode. The shellcode can come from existing tools like msfvenom, donut, or shellter, or it can be hand-crafted using the C programming language. Students will explore in detail how to execute shellcode locally in their own process as well as remotely across process address space boundaries. Since shellcode can be caught quickly unless it is obfuscated or encrypted, students will learn how to decrypt shellcode right before execution. Another implant capability is evading AV products. Evasion can be done via several methods, but this course section will focus on unhooking functions, restoring system calls, and implementing our own hooks. Executing shellcode and lowering AV detection rates are great, but they can be useless if there is no method of collecting information from the target machine. Students will explore how implants can send back information to an operator for offline analysis and accept tasking for what to do next.

    • Executing Shellcode in Local and Remote Processes
    • Hiding Processes from Users
    • Dealing with Function Hooks
    • Patching Functions to Execute Malicious Payloads
    • Shellcode Generation and Execution
    • Hiding Processes
    • Doppelgänging
    • Unhooking Hooks
    • Code Caves
    • AV Product Bypasses
    • Calling Home
    • Writing Shellcode in C
  • Overview

    This Capture the Flag event involves solving an array of hands-on challenges that mimic real-world events. Students play the role of senior developers as part of a nation-state team to create cyber capabilities to leverage against their targets. The challenges will require students to apply everything that they learned during the week. However, that foundation of skills will be just the starting point. Since not every target will be the same, students will have to take their initial access to a target and then expand on that access using only tools that have been custom developed for that specific target.

    • Target Survey and Recon
    • AV Bypass
    • Privilege Escalation
    • Persistence
    • Hooking
    • Code Injection


It is strongly recommended that students have experience with developing programs in C/C++ for either Linux or Windows platforms. Additionally, students should have C/C++ experience programming loops, conditional statements, and switch statements, creating functions and function pointers, and using pointers, linked lists, and type casting.

If you do not have experience with C/C++ just yet, do not worry, there is a series of free workshops that will introduce you to the C programming language, for Windows:

In addition, students should have a basic understanding of how Windows works internally. A basic understanding of process address space, virtual memory, physical memory, the registry, etc. would be a great place to start. The book titled Windows Via C/C++ is a solid resource to understand Windows and getting to learn programming at the same time.

Courses that lead into SEC670:

SEC670 gives alumni of these courses a more in-depth look at how the tools used in them operate. It also shows students how to make their own tools and add missing features that other compiled tools might not have.  As an example, in SEC660, there is a brief mention of tampering with Windows AMSI and AMSI bypasses.  SEC670 will take you behind the scenes where students will create their own, fully customized AMSI bypass.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"Penetration testers, red team operators (RTO), exploit developers, and those in the Intel Community (IC) have all used amazing tools and frameworks to get their jobs done. These amazing tools have one thing in common: they were developed by an effective team or by one dedicated individual. The developers are the enablers of operations, and without them we would not be where we are today. Creating offensive tools is a broad task and can have many areas of focus. One particularly important area is building implants or agents that are dropped on a victim computer to establish that shell with an operator. This course will focus on building implants for Windows targets using the C/C++ programming languages. The course is heavy on labs and hands-on development, giving you ample time to fully grasp how Windows does things differently than other operating systems. By the end of the week, you should have a fully functioning Windows implant that you can continue to tweak well beyond the course."

- Jonathan Reiter

Register for SEC670

Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.