MalOpSec -> EDR: The EDR Crusade
Silvio La Porta & Antonio Villani

Dates

11th-14th of May 2026

Capacity

24

Price

4.800€

Class Details

MalOpSec — The EDR Crusade is an intensive, hands-on training that teaches both the inner workings of modern Windows EDR/AV stacks and the practical techniques attackers use to evade them. The course explains the key detection points an EDR monitors - from kernel hooks, minifilter activity and ETW telemetry to userland API instrumentation and persistence artifacts - and pairs that visibility model with the offensive methods used to reduce or eliminate those detection signals.

Throughout the program participants will reverse real malware patterns, re-implement improved versions of those techniques, and practice robust evasion, persistence and privilege-escalation workflows in controlled lab environments. During the course and for the full-day Warzone CTF on day four, students will have access to REVO, Retooling’s red-team adversary-emulation platform, to design, deploy and test adversary behavior at a professional grade. Each student receives significant source code - including the Pico implant scaffold and the evasion modules implemented during the labs - so they leave with reusable, well-documented artifacts for research and testing.

The CTF runs for an entire day in a dedicated lab environment: each participant gets a mini network containing an EDR instance to analyze and bypass. Students will enumerate EDR hooks, bypass telemetry and protections, deploy modules and persistence, and exploit vulnerable binaries and drivers. The CTF may be completed in-class or remotely on the provided lab infrastructure. Two winning teams will be selected (one best Red, one best Blue) and each winning team will receive a ticket to OffensiveCon 2027.

Designed for experienced practitioners (red teamers, blue teamers, malware researchers and security engineers), the course balances theory, live demos and a 50% hands-on lab focus so attendees gain both deep understanding and practical skills to evaluate and harden real-world endpoint defenses.

As part of the course, theory sessions will be followed by exercises where participants will reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of all the techniques involved. Fifty percent of the course will be dedicated to hands-on labs that show how to translate the theoretical principles into practice.

Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.

This course is valuable not only for red team operators but also for blue team professionals. Blue team members can gain insights into how their detection systems may be bypassed, helping them enhance their security measures and stay one step ahead of potential threats.

This course equips security professionals with a deep understanding of modern EDRs and their AV systems, enabling them to better simulate advanced threat scenarios, improve their evasion detection skills, and contribute to the overall enhancement of security within enterprise networks.

Key learning objectives

  • Be able to recognize, implement and deal with stealthy malware/backdoors evasion techniques and tradecrafts.
  • Be able to modify malware components to protect them against reversing efforts.
  • Be able to build custom obfuscators and to recognize some of the patterns left by obfuscation transforms.
  • Learn tradecraft used by attackers to prevent or effectively impair defensive incident responders from analyzing their tools, payloads, and backdoors.

Who should attend

Developers and reverse engineers who want to understand tradecraft from a different point of view, red-team members who want to go beyond using third-party implants, and researchers who want to develop anti-detection techniques of real malware/APTs.

Prerequisites

  • Programming experience (C, C++, Python, .NET, and PowerShell)
  • Be comfortable with assembly language and debuggers (IDA Pro, WinDbg)

Hardware/Software requirements

Laptop Requirements:

  • Virtualization capable CPU(s)
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 80 GB free disk space
  • Intel host CPU (ARM is not supported)

Software Requirements:

  • Host OS Windows 10 64-bit
  • Debugging tools for Windows (IDA Pro, WinDbg); a decompiler is recommended
  • Sysinternals Suite
  • Virtualization software (VMware, VirtualBox)
  • Guest OS Windows 10 64-bit Version 20H2
  • System Administrator access required on both host and guest OSs

Course Agenda

Module 1

  • Give a shout to the Alpaca and Revo
  • The reference architecture
  • Minifilter drivers
    • Architecture, altitude
    • Pre/post-operation callbacks
    • Self-protection
  • Kernel to user dll injection
    • APC injection
    • Hooking library
    • Hook detection / Unhooking strategies
    • Show the openedr implementation
    • Look at a couple of proprietary DLLs
  • Unhooking the watchers in all the possible ways
    • Restore the original ntdll
    • Patch the hooked ntdll in memory
    • The right ways of using call gates
    • Indirect syscall
  • Labs:
    • Unhook
    • Disable self-protection

Module 2

  • Using ROP to do good or better bad things…
    • Write your ROP injector
  • Protected Processes and Protected Process Light
    • Internals: Core kernel data structures
    • Anti-Malware and ELAM
  • Mastering ETW and getting the forbidden feed
    • Providers, Consumers, Sessions
    • User-space provider bypass
    • The Threat Intelligence Provider
  • Labs:
    • Using ROP to minimize the presence in ETW logs
    • User-mode ETW providers shutdown

Module 3

  • Persistence
    • COM/DLL Hijacking
    • WMI persistence
  • CLR
    • Load managed code from unmanaged to extend your arsenal
  • Notification callbacks
    • Process, Threads, Objects
    • Comparison of different implementations
  • Privilege Escalation
    • Security Mechanisms
      • SID, DACL, SACL, Trusted Labels
    • Vertical
      • Token manipulation
      • Integrity Levels
      • UAC
      • Abuse WinSxS
      • Handle stealer
    • Horizontal
      • Lateral movement
      • Kerberos (Tickets)
      • DCOM
  • Vulnerable Drivers
  • Labs
    • Vulndriver lab
    • LPE and get Admin
    • CLR loader

Module 4

  • Enumerate the hooked API and find EDR hooking strategy
  • Write CLR loader for Pico and enumerate domain resources
  • Exploit vulnerable binaries to elevate privileges (user-mode)
  • Implement user-level and system-level persistence
  • Exploit a vulnerable driver to get kernel primitives to tamper with the EDR and telemetry
  • Last step: conquer the DC (lateral movement)

Bio

Silvio La Porta is CEO and Co-Founder at RETooling, defining and developing a threat actor emulation platform that enables red teams to recreate realistic attack scenarios. Previously he was a Senior Cyber Security Architect designing security products and researching advanced detection technology for complex malware/APT. Silvio previously was a lead research scientist with EMC Research Europe based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) and end-user security/privacy-protected data store projects for hybrid cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec’s Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.


Antonio Villani is the Co-Founder of RETooling. He works full-time on the development of red-team and adversary emulation capabilities for his company. Previously he spent most of his time on the blue team, reversing high-level implants for top-tier customers and providing detailed information to support cyber-defense and cyber threat intelligence teams. Now he analyzes complex implants to gain a deep understanding of the TTPs used by threat actors and to provide high-quality reimplementations of them. As a researcher he has published in top-tier conferences and journals, and he has participated in European research projects in the field of cyber resilience and data security. During his PhD he worked in the field of malware research and digital forensics.

