Windows Post Exploitation w/ Kyle Avery (16 Hours)

Windows Post Exploitation w/ Kyle Avery

Instructor: Kyle Avery

Includes: Six months of complimentary access to the BHIS Antisyphon Cyber Range, certificate of participation

So you popped a shell, now what?

Windows Post Exploitation focuses on four major components of any adversary simulation or red team exercise: enumeration, persistence, privilege escalation, and lateral movement. Each of these steps will be covered in detail with hands-on labs in a custom Active Directory environment. In addition, students will learn several modern techniques to minimize opportunities for detection.

This course goes beyond teaching popular tactics, techniques, and procedures. Instead, students will learn how to covertly gather and leverage information about a target environment to achieve their objectives efficiently.

A review of each post-ex capability will include discussion on the OPSEC implications and publicly documented detection recommendations. Open-source SIEM rules from Sigma and Elastic will be used as a starting point for avoiding alert generation. No technique is undetectable; the key is understanding an environment’s detection capabilities and choosing the best course of action.


After taking this course, students will have:

  • Insight into modern post-exploitation techniques for Windows environments
  • An enhanced ability to make informed decisions to achieve objectives in a target environment
  • The ability to create new tools that implement specific capabilities from larger projects


  • Red teamers
  • Penetration testers
  • Anyone interested in the thought processes and techniques of adversaries


Beginners will do well in this course if they are self-motivated and willing to ask questions.

Intermediate and experienced students may find that they were not familiar with some techniques or had not considered some OPSEC implications.


Basic programming knowledge and an understanding of core security concepts are all students need in order to follow along with the course material. Students would benefit from penetration testing experience, but it is not required.


  • High-speed Internet connectivity
  • A computer that can run a Windows 10 virtual machine—a minimum of 35 GB storage, 4 GB memory, and 2 vCPUs is recommended for the VM


Students will receive a copy of the slides for the course and a script with instructions to create their own virtual machine.


Kyle Avery has been tinkering with computers for his entire life. Growing up, he and his dad self-hosted game servers and ran their own websites. He formally studied system administration and compliance at university but spent his free time learning offensive security techniques. Kyle’s hobbies include Hack The Box, homelabbing, and catching the latest drama on infosec Twitter. In 2020 he got his dream job at BHIS, working alongside talented professionals to help companies better understand and secure their networks.

  • Cyber Attack Lifecycle Overview
  • Operational Security (OPSEC) Introduction
  • Defender Tools and Log Sources


  • Types of Malware Implants
  • Understanding the Environment
  • Stage-2 Implant Functionality
  • Selecting Sacrificial Processes for Post-Ex Jobs
  • Lab: .Net Obfuscation with ConfuserEx and ThreatCheck
  • PowerShell OPSEC
  • Network Enumeration
  • Lab: Initial Enumeration and Execution Wrappers
  • Building a Stage-1 Implant
  • Lab: Building Stage-1 Implant Enumeration Components
  • Local and Remote File Enumeration


  • Payload Storage
  • Methods of Execution
  • Lab: Creating an LNK Backdoor Tool
  • Introduction to COM
  • Introduction to WMI
  • Lab: DLL Hijacking
  • Domain-Level Persistence
  • OPSEC Considerations for Persistence

Privilege Escalation

  • User Hunting
  • Lab: Modifying and Using SharpHound
  • Local Privilege Escalation Opportunities
  • Credential Gathering
  • Lab: Accessing Saved Browser Credentials
  • Kerberos Abuse
  • Lab: Delegation Abuse
  • Domain Privilege Escalation Opportunities

Lateral Movement

  • On-Endpoint vs. Proxied Execution
  • Lab: Writing a C# WinRS Lateral Movement Tool
  • Lab: Writing a C# DCOM Lateral Movement Tool
  • Lab: Writing a C# WMI Lateral Movement Tool
  • Low Privilege Lateral Movement



Tue, September 21, 2021 9:00 AM – 5:00 PM MT

Wed, September 22, 2021 9:00 AM – 5:00 PM MT

Training Type: Virtual

Event: Deadwood 2021

Register to attend this course virtually in September

Join the Wild West Hackin’ Fest Discord server to stay updated on future training and webcasts: Join Our Server!