homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Cyber Aces
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Courses >
  3. SEC670: Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control
Beta

SEC670: Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control

    46 CPEs

    SEC670 prepares you to create custom-compiled programs specifically for Windows and introduces students to techniques that real nation-state malware authors are currently using. You will learn the essential building blocks for developing custom offensive tools through required programming, APIs used, and mitigations for techniques covering privilege escalation, persistence, and collection.

    Course Authors:
     Jonathan  Reiter
    Jonathan Reiter
    Certified Instructor Candidate
    What You Will LearnSyllabusPrerequisitesLaptop RequirementsAuthor Statement

    What You Will Learn

    Learning how to develop custom-compiled tools for Windows is a skillset that is not being taught by universities or other academic organizations and, as a result, the cybersecurity industry has a severe skills deficit that is limiting the overall capability of red team operations. Defense contractors and industries looking to hire Windows tools developers are facing a severe shortage of talent and are unable to further hone their defenses.

    SEC670: Red Team Operations - Developing Custom Tools for Windows is the first course of its kind, giving students hands-on lab experience creating custom-compiled programs specifically for Windows using the C/C++ programming languages. Students will learn the internal workings of existing offensive tools that offer capabilities such as privilege escalation, persistence, and collection by creating their own tools using Windows APIs. Windows defenses have become more robust, and cloud-connected AV solutions are making it more challenging to operate under the radar. In response, this course introduces students to techniques that real nation-state malware authors are currently implementing in their implants.

    The course starts with an introduction to developing Windows Computer Network Operations (CNO) tools. You will explore current offensive and defensive tools like Moneta and PE-Sieve that are designed to detect malicious actions. Students will then quickly ramp up to creating their first compiled program. Students will move through the course learning how to obtain target information, what operational actions (such as injection and privilege escalation) can be carried out using this information, and how to take advantage and maintain system access through persistence. You will also learn how to take shellcode, encrypted or otherwise, and execute it in a process using the C programming language and leveraging compiler tricks. Finally, students will learn how to evade AV solutions by bypassing their function-hooking engine, patching key functions like AmsiScanBuffer and code caves. The course will even discuss scenarios where going after low-hanging fruit is preferred to dropping more complicated and sensitive implant capabilities.

    SEC670 culminates with an immersive Capture-the-Flag event that will challenge students like no other event ever has. Students must leverage the tools and capabilities they have built during the week to solve complex challenges like getting information from a remote process memory. By the end of the course, students will have built a lightweight Windows implant that can enumerate the Windows Registry, files, folders, network connections, users, and processes; bypass UAC and AV products; escalate privileges; persist across reboots; inject into other processes; and hide from users and other tools.

    What You Will Learn

    • New calling conventions and data types specific to Windows
    • How Windows processes, threads, and services work internally
    • How to abuse Windows APIs to inject shellcode into other processes without detection
    • How to create a hidden, persistent service
    • How to hide from user-mode tools like Task Manager
    • How to create and execute shellcode without detection
    • How to bypass user-land hooks and implement your own
    • How to control your implant from your C2

    After completing this course, you will be able to

    • Create custom compiled Windows implants
    • Collect target information
    • Hide processes from user mode tools
    • Hook and unhook functions for AV bypasses
    • Generate and execute custom shellcode
    • Escalate privileges from medium integrity levels to high (NT AUTHORITY\SYSTEM)
    • Persist across reboots
    • Beacon out to configured C2 infrastructure

    Syllabus (46 CPEs)

    • Overview

      The course begins by introducing students to Windows Internals, starting with a high-level overview and gradually diving deeper into some of the core mechanisms that make the Operating System tick. We will discuss key differences between offensive and defensive tools as well as the need for them. Equipped with a solid understanding of Windows programming, students can choose to create offensive or defensive tools for Windows. However, the course will only focus on creating offensive cyber capabilities using the C/C++ programming languages. Key differences between Linux and Windows are important and help to ease the transition from Linux to Windows. The C programming language has core data types, but Windows introduces its own data types, which are presented in this course section. Students will be introduced to calling conventions and how Windows brought its own into the programming arena. At the end of the section, we will present the Windows Application Programming Interface (API) more formally by having students use key Windows APIs in a lab to bring it all together.

      Exercises
      • Detecting Process Injection with PE-Sieve
      • Exploring the Windows Boot Sequence with Process Monitor
      • Building a Hello World DLL
      • Identifying Calling Conventions
      • Understanding and Using SALv2
      • Exploring the Windows API to Create Objects
      Topics
      • Developing Offensive Tools
      • Developing Defensive Tools
      • Setting up Your Development Environment
      • Similarities and Difference with *Nix Dev
      • Windows Data Types
      • Call Me Maybe
      • SAL Annotations
      • Windows API
    • Overview

      This course section introduces students to the art of on-target reconnaissance. One of the first actions red team operators might take after gaining initial access is to conduct in-depth enumeration, or recon, against the target. This step is often overlooked, since it can take a while to perform and it is not as glamorous as using a 0-day to exploit something. However, it is vital to know what type of environment you are on and what you can do next. Students will learn how to programmatically survey the lay of the land using a detailed approach, then prepare a final product to obtain information about the operating system version build, patches, and processes, installed applications, the filesystem, users and groups, the network, services, tasks, the registry, and more.

      Exercises
      • Obtaining Operating System Information
      • Exploring Various Methods to Enumerate Running Processes
      • Implementing Directory Enumeration Methods
      Topics
      • Gathering Operating System Information
      • Service Packs/Hotfixes/Patches
      • Process Enumeration
      • Installed Software
      • Directory Walks
      • User Information
      • Services and Tasks
      • Network Information
      • Registry Information
    • Overview

      This course section focuses on actions that can be taken after initial access. Red team operators typically leverage process injection to execute desired actions. This section will teach students how to programmatically implement those capabilities, starting with a deep dive into the format of the Portable Executable (PE) header. Students will learn how to parse important sections of the PE header, which is a valuable skill that will allow them to create their own version of Windows APIs such as GetProcAddress. After mastering the PE format, we will look at the internals of Threads, their structure, and how they are created. The section will also explore how Asynchronous Procedure Calls can be queued to a Thread to aid in process injection. We will cover several process injection methods, including the classic DLL injection where we force a Thread to load our malicious DLL in a target process. Another action is to escalate privileges to enable an operator to be more effective on target, so students will programmatically create privilege escalation modules for their implant and test them out on their target system.

      Exercises
      • Parsing the PE Header
      • Classic DLL Injection
      • Process Injection via Asynchronous Procedure Calls
      • Hijacking Thread Execution
      • Stealing Tokens
      • Creating Services
      Topics
      • Understanding the PE Format
      • Creating Custom Equivalents to Win32 APIs
      • Exploring Thread Internals
      • Exploring Process Injection Methods
      • Programmatically Interacting with Remote Processes
      • Creating Custom Tools for Privilege Escalation
    • Overview

      This course section focuses exclusively on various methods to achieve persistence by surviving reboots. Gaining initial access is a great place to start, but steps must be taken to maintain that access in the event something unforeseen happens like a loss of power, unscheduled reboots, the initial access process dying, etc. Typically, operators will use persistence methods baked into existing tools or frameworks, but those tools had to have been developed at some point. During bootcamp challenges in this course section, students will programmatically implement persistence tools and then test the compiled products against their Windows 10 Test VM to see if access is maintained after a reboot.

      Exercises
      • Using Services for Persistence
      • Using Port Monitors for Persistence
      • Using Image File Execution Options for Persistence
      Topics
      • In-memory Execution
      • Dropping to Disk
      • Binary Patching
      • Registry Keys
      • Services Revisited for Persistence
      • Port Monitors
      • Image File Execution Options
    • Overview

      This course section will cover more advanced techniques that developers must master to be successful. One great feature for implants is the ability to execute position-independent shellcode. The shellcode can come from existing tools like msfvenom, donut, or shellter, or it can be hand-crafted using the C programming language. Students will explore in detail how to execute shellcode locally in their own process as well as remotely across process address space boundaries. Since shellcode can be caught quickly unless it is obfuscated or encrypted, students will learn how to decrypt shellcode right before execution. Another implant capability is evading AV products. Evasion can be done via several methods, but this course section will focus on unhooking functions, restoring system calls, and implementing our own hooks. Executing shellcode and lowering AV detection rates are great, but they can be useless if there is no method of collecting information from the target machine. Students will explore how implants can send back information to an operator for offline analysis and accept tasking for what to do next.

      Exercises
      • Executing Shellcode in Local and Remote Processes
      • Hiding Processes from Users
      • Dealing with Function Hooks
      • Patching Functions to Execute Malicious Payloads
      Topics
      • Shellcode Generation and Execution
      • Hiding Processes
      • Doppelganging
      • Unhooking Hooks
      • Code Caves
      • AV Product Bypasses
      • Calling Home
      • Writing Shellcode in C
    • Overview

      This Capture the Flag event involves solving an array of hands-on challenges that mimic real-world events. Students play the role of senior developers as part of a nation-state team to create cyber capabilities to leverage against their targets. The challenges will require students to apply everything that they learned during the week. However, that foundation of skills will be just the starting point. Since not every target will be the same, students will have to take their initial access to a target and then expand on that access using only tools that have been custom developed for that specific target.

      Topics
      • Target Survey and Recon
      • AV Bypass
      • Privilege Escalation
      • Persistence
      • Hooking
      • Code Injection

    Prerequisites

    It is strongly recommended that students have experience with developing programs in C/C++ for either Linux or Windows platforms. Additionally, students should have C/C++ experience programming loops, conditional statements, and switch statements, creating functions and function pointers, and using pointers, linked lists, and type casting.

    Courses that lead into SEC670:

    • SEC560: Network Penetration Testing and Ethical Hacking
    • SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
    • SEC760: Advanced Exploit Development for Penetration Testers

    SEC670 gives alumni of these courses a more in-depth look at how the tools used in them operate. It also shows students how to make their own tools and add missing features that other compiled tools might not have. As an example, in SEC660, there is a brief mention of tampering with Windows AMSI and AMSI bypasses. SEC670 will take you behind the scenes where students will create their own, fully customized AMSI bypass.

    Laptop Requirements

    Important! Bring your own system configured according to these instructions!

    A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

    It is critical that you back-up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.

    • 64-bit Intel i5/i7 2.0+ GHz processor
    • Enabled "Intel-VT"
    • USB 3.0 Type-A Port
    • 32 GB RAM (16 GB min)
    • 80-100 GB Free Hard Drive Space (An external drive with 100 GB free space is recommended.)
    • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
    • A wired network connection
    • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
    • Have an account with local admin privileges
    • Ability to disable your enterprise VPN client temporarily for some exercises
    • Ability to disable your anti-virus tools temporarily for some exercises

    Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

    SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

    Author Statement

    Penetration testers, red team operators (RTO), exploit developers, and those in the Intel Community (IC) have all used amazing tools and frameworks to get their jobs done. These amazing tools have one thing in common: they were developed by an effective team or by one dedicated individual. The developers are the enablers of operations, and without them we would not be where we are today. Creating offensive tools is a broad task and can have many areas of focus. One particularly important area is building implants or agents that are dropped on a victim computer to establish that shell with an operator. This course will focus on building implants for Windows targets using the C/C++ programming languages. The course is heavy on labs and hands-on development, giving you ample time to fully grasp how Windows does things differently than other operating systems. By the end of the week, you should have a fully functioning Windows implant that you can continue to tweak well beyond the course. - Jonathan Reiter

    No scheduled events for this course.

    Who Should Attend SEC670?

    • Red Team Operators
    • Exploit Developers
    • Penetration Testers
    • Linux CNO Developers
    • Windows Developers
    • AV/EDR Developers
    See prerequisites

    Related Programs

    DoDD 8140
    DoDD 8140 (0)
    See how this and other SANS Courses and GIAC Certifications align with the Department of Defense Directive 8140.
    • Register to Learn
    • Courses
    • Certifications
    • Degree Programs
    • Cyber Ranges
    • Job Tools
    • Security Policy Project
    • Posters & Cheat Sheets
    • White Papers
    • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Cybersecurity Leadership
    • Digital Forensics
    • Industrial Control Systems
    • Offensive Operations
    Subscribe to SANS Newsletters
    Receive curated news, vulnerabilities, & security awareness tips
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Macedonia
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Saudi Arabia
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Swaziland
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Yugoslavia
    Zambia
    Zimbabwe

    By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    • © 2023 SANS™ Institute
    • Privacy Policy
    • Contact
    • Careers
    • Twitter
    • Facebook
    • Youtube
    • LinkedIn