
Windows Post-Exploitation/Malware Forward Engineering - Octavius 5
Description
Windows Post-Exploitation/Malware Forward Engineering
Instructors: Sean Dillon & Zachary Harding
Pre-Requisites: Programming knowledge, one or all of the following: x86/x64, Python, JavaScript, PowerShell, Ruby, C
Pentesting knowledge: Basic Windows post-exploitation
Abstract: Windows post-exploitation is the penetrating step of every penetration test if you're on a Windows network. You're obviously swimming in shells (it's Windows, after all), but you aren't in full control yet. Your best account is Network Service and you want Enterprise Admin.
Elevating privileges (by bypassing UAC or finding local exploits), stealing tokens, pivoting to other systems, scanning the local network, dumping credentials: a few open source tools cover all of this, such as PowerShell Empire, Koadic C3, and Metasploit's Meterpreter. We will go through the low-level code that makes it all work.
The training will explore shellcode, COM, WMI, the Windows API, and .NET, and how these open source tools bring it all together. You will walk away with the knowledge to write your own plugins for these systems, as well as your own custom malware. An in-depth understanding of antivirus detection and evasion will be included. This workshop focuses on the code, not just the tactics.
Required Materials: Bring your favorite OS and code editor, Windows VMs, and WiFi.