Evasion Lab (CETP)

(Pre-Launch) Certified Evasion Techniques Professional (CETP)

In recent years, Endpoint countermeasures have improved rapid in their detection and response capabilities. It now takes a lot of investment by red teams to develop tradecraft and techniques that can reliably evade or bypass these countermeasures.

The Evasion lab (Certified Evasion Techniques Professional) is designed to equip information security professionals with the expertise needed to bypass defenses in modern enterprise environments. This course delves deep into the techniques and methodologies used to bypass endpoint countermeasures like EDRs. You will gain a comprehensive understanding of Windows internals, including the distinction between user-mode and kernel-mode components, also you will gain a comprehensive understanding of EDRs internals, and how telemetries are collected.

Throughout the course, you will learn about Windows Internals, reversing EDRs, bypassing Microsoft Defender for Endpoint (MDE), Elastic EDR, Sysmon weaponizing kernel exploits for defense evasion and bypassing security controls like Protected Processes (PP), Process Protection Light (PPL), Digital Signature Enforcement (DSE), Attack Surface Reduction (ASR) rules and incapacitating Event Tracing for Windows (ETW) telemetry and a lot more .

The Evasion Lab is ideal for security practitioners, red teamers and malware developers who want to gain an edge in their assessments. With detailed lab exercises and video walkthroughs, the course offers a unique opportunity to experiment with writing custom rootkits, exploiting kernel vulnerabilities and blinding endpoint countermeasures. This course is not just about learning new techniques; it’s about understanding the inner workings of defensive technologies so that you can outsmart them in any scenario.

What's Included

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

Access to a lab environment (One/Two/Three months) with updated Server 2022 machines. Lab can be accessed using a web browser or VPN.
A ready to use student VM in the cloud that has all the tools pre-installed.
Life time access to all the learning material (including course updates).
14+ hours of video course
Course slides.
Lab manual.
Walk-through videos.
One Certification Exam attempt for Certified Evasion Techniques Professional (CETP) certification.
Support on email and Discord.

What will you Learn?

The Evasion Lab enables you to:

Learn to bypass EDRs like Microsoft Defender for Endpoint (MDE) and ElasticEDR.
Dive into Windows Internals & Understand the user-mode and kernel-mode components.
Reverse-engineer EDR solutions to understand their telemetry collection.
Weaponizing Kernel Exploits to evade defenses.
Writing rootkits for evasion purposes.

Hunting vulnerable Drivers for EDR Killing.
Bypassing Static detection with obfuscators and code virtualization.
Bypassing multiple Security controls like : PP/PPL, DSE, ASR, UAC and more.
Bypassing Network restrictions.
Preventing EDR's alerts reporting.
Gain insights into disabling or blinding Sysmon.

Prerequisites for the course

Ability to use command line tools.
Understanding of Windows API is a plus but will be covered in the class.
Basic programming knowledge in C and Python is a plus but relevant code will be covered in the class.

Purchase On-Demand Lab (Access to be sent from Feb 2025)

BLACK FRIDAY DEALS

- Flat 20% OFF on All Courses and Bootcamps in Q1 & Q2 2025
- 25% OFF when you purchase more than one course
- No coupon code required
- Offer Valid From 25th October To 3rd December 2024

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$449

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$649

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$849

Terms of Purchase and Use:

You can start your lab access anytime within 90 days (180 days in case you have purchased the lab on Diwali / Black Friday sale) of purchase
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Saad : Security Researcher at Altered Security

Saad works as a Security Researcher at Altered Security with a focus on EDR evasion, APT emulation, Ransomware emulation and initial access development. With an extensive six-year background in red team development, Saad has been actively contributing to the community in recent years through red team open-source projects, sharing his knowledge and expertise to enhance collective security efforts.

Saad has been a speaker at various conferences, universities, and local meetups, where he shares insights on malware development and cybersecurity. He has also provided private training sessions on malware development, helping others in the field to build their skills and knowledge.

Purchase On-Demand Lab (Access to be sent from Feb 2025)

BLACK FRIDAY DEALS

- Flat 20% OFF on All Courses and Bootcamps in Q1 & Q2 2025
- 25% OFF when you purchase more than one course
- No coupon code required
- Offer Valid From 25th October To 3rd December 2024

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$449

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$649

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$849

Terms of Purchase and Use:

You can start your lab access anytime within 90 days (180 days in case you have purchased the lab on Diwali / Black Friday sale) of purchase
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

The Certified Evasion Techniques Professional (CETP)

The Certified Evasion Techniques Professional (CETP), is a hands-on certification designed to test your ability to bypass the latest security defenses and endpoint countermeasures in a controlled, fully patched Windows Server 2022 environment. The certification requires you to solve practical challenges that involve evading detection from top EDR solutions like Microsoft Defender for Endpoint (MDE), Sysmon and Elastic EDR. You'll need to demonstrate your expertise in Windows internals, EDR evasion techniques, and kernel exploitation. Certification candidates are given a 24-hour window to complete the hands-on exam, applying skills learned in the course to tackle the exam lab.

A Certified Evasion Techniques Professional (CETP) has the skills to understand, analyze, and exploit the intricacies of Windows and EDR internals, using reverse-engineering tools like IDA Pro and WinDbg. They can successfully write and deploy custom rootkits, and exploit vulnerable drivers to evade defenses.
In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After total 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.

Certificate Benefits

A CETP certificate holder has demonstrated a deep understanding of Windows internals and the techniques required to bypass advanced detection mechanisms. They are equipped to reverse-engineer EDR solutions, identify and exploit vulnerabilities in order to weaponize them for evasion purposes. A certificate holder can deploy custom rootkits, bypass static and dynamic detections, ensuring their activities remain undetected in high-security environments.

I. Windows Internals

Understand User-mode and Kernel-mode presentation of a process.
Understand PE structure.
Understand User-mode and Kernel-mode Separation and Execution flow using IDA Pro and WinDbg.

II. EDR Internals

Reversing EDR's Internals using IDA Pro and WinDbg.
Understand how EDR's Telemetries are collected.

III. Static Detection Bypass

Using Obfuscators & Code Virtualization to protect your code against static detection, analyzing, reverse-engineering.

IV. Introduction to Windows Kernel Programming

Understand how a process can communicate with driver from userland.
Create your own User-mode code that send and receives data from kernel driver.

V. Road to Kernel

Reversing R/W kernel primitive Vulnerable driver and exploit it to Load unsigned code to kernel using IDA Pro.
Learn methodology to hunt for Leaked Certificate.
Learn how to leverage outdated Certificate to sign your rootkit.

VI. EDR Killing

Learn methodology to hunt for signed Killer driver.
Reversing multiple Killer drivers using IDA Pro.
Learn how to exploit Killer drivers to kill EDR's processes.
Writing your own Killer rootkits.

VII. Attack on EDR's Kernel Callbacks

Understanding & Reversing Kernel Callbacks using WinDbg and IDA Pro.
Understanding what telemetries Kernel Callbacks is collecting and for what purpose is used.
Writing your own user-mode code and kernel driver toolkit to enumerate and remove kernel callbacks.
Exploiting R/W kernel primitive vulnerable driver to enumerate and remove kernel callbacks.

VIII. Attack on ETW

Understanding & Reversing ETW Internals.
Disabling ETW Providers

IX. PP & PPL Bypass

Understanding & Reversing Process Protection Level using WinDbg.
Exploiting R/W kernel primitive vulnerable driver to manage process's Protection Level.
Writing your own user-mode code and kernel driver toolkit to manage process's protection level.
Dumping LSA protected LSASS.

X. Extra Offensive Rootkit Techniques

Hide Processes/Drivers from analysts and user-mode processes.
Hide Kernel functions from the Import Address Table.
Learn efficient dynamic kernel offsets resolving

XI. C2 Traffic Tunneling

Write your own Data Exfiltration tool that hide Malicious Traffic inside multiple trusted APIs like Slack.

XII. Block EDR's Traffic

Discover & code multiple ways to prevent EDR's processes from sending alerts to SOC's management consoles.

XIII. ASR rules Bypass

Reversing ASR rules and bypassing them.

XIV. Attack on Sysmon

Understanding & Reversing Sysmon.
Discover & Code multiple ways to blind Sysmon.

XV. UAC Bypass

Discover multiple ways to bypass Windows User Account Control.

XVI. Anti-Analysis

Discover & Code multiple Anti-Debugging/Anti-Disassembling/Anti-Virtualization/Anti-Sandbox/Anti-Code Injection techniques.

azure ad purchse

BLACK FRIDAY DEALS

- Flat 20% OFF on All Courses and Bootcamps in Q1 & Q2 2025 - 25% OFF when you purchase more than one course - No coupon code required - Offer Valid From 25th October To 3rd December 2024

30 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$449

60 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$649

90 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$849

Terms of Purchase and Use:

You can start your lab access anytime within 90 days (180 days in case you have purchased the lab on Diwali / Black Friday sale) of purchase

One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each

Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security

The above lab is a shared environment and certain pre-specified machines will be off-limits

If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

- Flat 20% OFF on All Courses and Bootcamps in Q1 & Q2 2025
- 25% OFF when you purchase more than one course
- No coupon code required
- Offer Valid From 25th October To 3rd December 2024

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT