This is my review of the RED TEAM Operator: Windows Persistence Course offered by SEKTOR7 Institute. Full disclosure: as an affiliate, I make money with qualifying purchases.
At the time of this writing, RED TEAM Operator: Windows Persistence is my favorite course offering by SEKTOR7 Institute. At my day job, I am a member of a blue team. The bulk of my work is remediating hosts which have been infected by malware and hunting for persistence left by malicious actors. This course goes over 27 different persistence techniques, some of which I had never seen before. I was able to use this new information to improve my hunting and remediation procedures.
The code presented is mostly in C, and is simple and well documented. Most of the outlined techniques can be implemented in other languages fairly easily. These examples do the bare minimum to demonstrate that the technique works, so if you want them to actually do something useful you will have to expand on them yourself.
I was able to complete this class in about a week, watching a little bit of it after work each day. The course ends with four assignments to solidify your knowledge of the material.
What You Will Receive
Like the other courses by SEKTOR7, this course comes with:
- A virtual machine with all the tools required to complete the lessons.
- A zip containing source code and examples of each persistence method.
- Roughly 3 hours of video instruction.
I feel that the source code alone saved me enough time to justify purchasing this course. I could have found examples of all of these techniques online if I knew what to look for, but this would have taken me much longer to track down and research.
What is Covered?
The course is divided into two sections: Low Privilege and Admin Level Privilege techniques.
Low Privilege Persistence
This section covers techniques that do not require Admin or SYSTEM level privileges, such as startup items, modifying shortcuts, screen savers, PowerShell profiles, DLL and COM hijacks, etc.
Admin Level Persistence
If you achieve Administrator/SYSTEM on a system, you have many more options. This section covers some tricks you can do with scheduled tasks, services, Image File Execution Options techniques, Application Shimming, WMI, AppCert DLLs, AppInit DLLs, NetSh helpers, Time Providers, LSA, and more.
There are four assignments at the end of the course. I was able to complete these in a couple of weekends. These assignments did not cover everything in the course, and I wish there were
- Find a COM hijackable DLL within the course’s VM and leverage it.
- Add missing functions to a hijacked DLL.
- WMI Event persistence.
- Recreating DarkPulsar persistence.