REVIEW: RED TEAM Operator: Windows Evasion Course by SEKTOR7 Institute

This is my review of the RED TEAM Operator: Windows Evasion Course offered by SEKTOR7 InstituteAs an affiliate, I make money with qualifying purchases.

RED TEAM Operator: Windows Evasion is an intermediate/advanced course that outlines several techniques which can be used to subvert security software (EDR, AntiVirus, Logging, …) on Windows systems.

I was really excited when this course was announced because I work with EDR software a lot at work. Learning about how my tools may be broken is something I have a vested interest in.

Overall I enjoyed this course. It exposes you to the basics of defense evasion on Windows systems, but by no means was this a comprehensive course on the subject. This is not a knock on the course’s quality. Evasion is a deep subject. A comprehensive course would be rather large.

You will acquire a basic understanding of how malicious software evades detection. After I finished this course, I feel that I have a better understanding of evasion and a solid foundation of knowledge to build off of.

I would recommend this course to anyone with a desire to learn the basics of evading defensive software on Windows systems who already possesses intermediate to advanced programming abilities. If you do not like programming, or are very new to programming, you will probably have a hard time understanding the content.

The provided code examples are written in C and interface with the Windows API.

Prerequisite Knowledge

This course’s author recommends having the following prerequisite knowledge prior to attempting this course:

  • Recommended: taking Malware Development Essentials and Malware Development Intermediate courses. These can be skipped if you are already comfortable with most of the topics outlined in these course’s descriptions.
  • C/C++ programming knowledge, specifically on Windows operating systems. You don’t have to be a master.

As I worked through the course, I made bookmarks of all of the supplemental material I read. I made this word map based on the tags I used for each bookmark. I feel that if you are familiar with most of these topics, you should be able to follow along without any major setbacks:

win32 antivirus minifilter threads ppid spoofing codesigning pentesting sandbox execute-assembly carbonblack etw clispoofing COM EDR hooking unhooking sysmon hashing shellcode hunting authenticode debugger .NET C# fltmc msatp handles amsi WMI threathunting nativeapi hexeditor malware services eventlogs registry syscalls processes

Hardware Requirements

  • 4 GB of RAM
  • 30 GB of free disk space
  • VirtualBox 6.0+

What’s Included

  • A 18.4GB Windows virtual machine with all of the tools required to follow along with this course pre-installed
  • A zip file containing example code
  • ~3.5 hours of on-demand video content
  • 4 assignments

The Good

This course is unique. I don’t know of any other generally available courses that cover the same material. If you know of any, I would love to see them.

I feel that the cost of $239 was reasonable. I have attended workshops which costed more and did not cover as much.

The material was interesting and easy for me to follow along with.

The speaker spoke clearly and succinctly. I was able to understand the audio clearly at 1.75x speed.

I didn’t feel that any of the lessons were too short or unnecessarily long.

The assignments were relevant. I felt that they were not overly simple or too hard.

The code examples were well-written.

Contacting Customer Support was very fast and easy (automated for my particular issue).

The Bad

The videos are streaming only. I assume this is to prevent piracy and provide a richer experience, but I appreciate being able to view videos or listen to audio offline.

I had to contact support due to an issue with the code example zip file being corrupted. There were instructions on the download page to email them if you were affected. Within about a minute of emailing support, I received an automated email with a download link. This issue will almost certainly be fixed by the time you take this course, but it was slightly annoying.

The code examples had minor issues with whitespace and a couple of typos. This wasn’t a huge deal, but all the trailing whitespace really stood out in my editor.

Resources

I bookmarked all of the sites I visited while taking this course on my Pinboard account with the tag of “rtoevasion”. Here they are in alphabetical order:

http://jackson-t.ca/edr-reversing-evading-01.html
http://jacquelin.potier.free.fr/HeliumHexEditor/
https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
https://blog.f-secure.com/cowspot-real-time-module-stomping-detection/
https://blog.f-secure.com/detecting-parent-pid-spoofing/
https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
https://blog.sektor7.net/#!res/2021/halosgate.md
https://blog.sektor7.net/#!res/2021/perunsfart.md
https://blog.unauthorizedaccess.nl/2019/10/12/bypass-mcafee-with-mcafee.html
https://blog.xpnsec.com/hiding-your-dotnet-etw/
https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
https://breakdev.org/defeating-antivirus-real-time-protection-from-the-inside/
https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clrcreateinstance-function
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman
https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cocreateinstance
https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-coinitializesecurity
https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cosetproxyblanket
https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filterfindfirst
https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filterfindnext
https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filterunload
https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-closehandle
https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapalloc
https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapfree
https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-createipforwardentry
https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getipforwardtable
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory
https://docs.microsoft.com/en-us/windows/win32/api/mstask/nn-mstask-itaskscheduler
https://docs.microsoft.com/en-us/windows/win32/api/netfw/nn-netfw-inetfwrule
https://docs.microsoft.com/en-us/windows/win32/api/objbase/nf-objbase-coinitialize
https://docs.microsoft.com/en-us/windows/win32/api/oleauto/nf-oleauto-sysallocstring
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-flushinstructioncache
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-initializeprocthreadattributelist
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-resumethread
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminatethread
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute
https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-thread32first
https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemclassobject
https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemservices
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfilemappinga
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupprivilegevaluea
https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-reggetvaluea
https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa
https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagera
https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea
https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryservicestatus
https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumchildwindows
https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumthreadwindows
https://docs.microsoft.com/en-us/windows/win32/api/wow64apiset/nf-wow64apiset-iswow64process
https://docs.microsoft.com/en-us/windows/win32/devnotes/etweventwrite
https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing
https://docs.microsoft.com/en-us/windows/win32/menurc/resource-compiler
https://docs.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource
https://docs.microsoft.com/en-us/windows/win32/procthread/creating-processes
https://docs.microsoft.com/en-us/windows/win32/seccrypto/makecert
https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool
https://docs.microsoft.com/is-is/windows/win32/api/mstask/nn-mstask-itask
https://en.wikipedia.org/wiki/Entropy_(information_theory)
https://en.wikipedia.org/wiki/Native_API
https://evasions.checkpoint.com/
https://gist.github.com/OsandaMalith/3315bc640ff51227ab067052bc20a445
https://github.com/am0nsec/HellsGate
https://github.com/countercept/ModuleStomping
https://github.com/countercept/ppid-spoofing
https://github.com/LloydLabs/wsb-detect
https://github.com/NVISOsecurity/blogposts/tree/master/examples-commandlinespoof
https://github.com/outflanknl/TamperETW
https://github.com/Rafiot/HackedTeamCerts
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://github.com/slaeryan/DetectCobaltStomp
https://medium.com/@fsx30/hooking-heavens-gate-a-wow64-hooking-technique-5235e1aeed73
https://offensivedefence.co.uk/posts/module-stomping/
https://osandamalith.com/2019/09/22/unloading-the-sysmon-minifilter-driver/
https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
https://shells.systems/defeat-bitdefender-total-security-using-windows-api-unhooking-to-perform-process-injection/
https://specterops.io/assets/resources/Subverting_Sysmon.pdf
https://ss64.com/nt/fltmc.html
https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/
https://theartincode.stanis.me/008-djb2/
https://web.archive.org/web/20190304050125/https://d4stiny.github.io/Reading-Physical-Memory-using-Carbon-Black/
https://williamknowles.io/living-dangerously-with-module-stomping-leveraging-code-coverage-analysis-for-injecting-into-legitimately-loaded-dlls/
https://www.av-comparatives.org/list-of-consumer-av-vendors-pc/
https://www.av-comparatives.org/list-of-enterprise-av-vendors-pc/
https://www.bitdefender.com/
https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html
https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection
https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time
https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/
https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/
https://www.pinvoke.net/default.aspx/advapi32.lookupprivilegevalue
https://www.pinvoke.net/index.aspx
https://www.youtube.com/watch?v=85H4RvPGIX4
https://www.youtube.com/watch?v=dfMuzAZRGm4
https://www.youtube.com/watch?v=l8nkXCOYQC4
https://x64dbg.com/#start
http://undocumented.ntinternals.net/
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FToken%2FNtAdjustGroupsToken.html
http://www.angusj.com/resourcehacker/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s