Loading Events

« All Events

  • This event has passed.

Offensive Development w/ Greg Hatcher & John Stigerwalt

Event Series Event Series (See All)

October 17 @ 8:30 am 5:00 pm MDT

Course Length: 16 Hours
Format: In-Person and Virtual

Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation.


  • In-Person: $1,095
    Includes In-Person Conference Ticket
  • Virtual: $725
    Includes Virtual Conference Ticket

Greg Hatcher
Greg Hatcher
John Stigerwalt
John Stigerwalt


360 Main Street
Deadwood, SD 57732 United States
(605) 578-1500
View Venue Website

Clicking this button will take you to Cvent to complete your registration.

Course Description

Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.

This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.

Course Syllabus

Day 1: Understanding Modern Defenses

  • Hiding from the Import Address Table (IAT)
  • Dynamically Building Your Strings
  • Defeating string detection via encryption
  • Finding EDR’s DLL
  • Unhooking EDR products
  • .NET and Assembly.Load
  • Obfuscating .NET assemblies and their IOCs
  • AMSI bypass
  • ETW bypass

Day 2: Process Injection & Cobalt Strike

  • Process Injection Variants
  • Malleable C2 Profiles
  • Beacon Object Files
  • Cobalt Strike IOCs
  • Attacking AV/EDR Products
  • Dumping LSASS in 2022
  • Making the final binary to bypass multiple EDR product

Key Takeaways

Learn the IOCs and artifacts of using off-the-shelf tooling. Without understanding the defender’s capabilities, an attacker brings little value to a red team engagement.

Who Should Take This Course

Anybody that is deeply passionate about red teaming and has a strong desire to learn

Audience Skill Level

Anyone! This is an intermediate level course, however, so a background in C programming, Windows Internals, .NET programming, and how AV/EDR products work would be useful.

Student Requirements

Students will be required to have an AWS account, and some background in .Net and modern red team TTPs will be helpful.

What Each Student Should Bring

High-speed Internet connection.

What Students Will Be Provided With

For the duration of the course, students will be given access to a private, fully immersive cloud cyber range hosted in AWS. In addition to receiving course slides, students will receive hands-on training with commercial products, including the Cobalt Strike C2 platform. To keep this course industry-relevant and realistic, students will be developing bypasses for multiple EDR products.

Lab Environment

Students will have access to their own lab environment in AWS that consists of the following:

  • Windows Server 2019 running Sophos Intercept X EDR
  • Ubuntu Cobalt Strike Team Server
  • Windows 10 Development Machine
  • Kali Linux
  • Fully Patched Windows 10 Machine

Course Authors & Instructors

Greg Hatcher
Greg Hatcher

Greg Hatcher‘s time in Army Special Operations and teaching at the NSA gives him a unique background for conducting full-scope offensive cyber operations. He has led penetration tests and red team engagements that include network, cloud, mobile, web app, and API technologies. He has authored and taught courses at DerbyCon and Calvin University. When he’s not hacking the planet, he’s spending time with his family or trail running.

John Stigerwalt
John Stigerwalt

During the last 10 years John Stigerwalt has worked in the following roles: blue team lead, developer, senior penetration tester, and red team lead. Focused mostly on exploit development and offensive cyber operations, he has led red team engagements in highly complex Fortune 500 companies. He has worked hand-in-hand with Microsoft to increase kernel security for the Windows 10 operating system. He has led training at BlackHat and DerbyCon. When not pwning boxes, you can find him harvesting maple syrup or spending time with his family.

360 Main Street
Deadwood, SD 57732 United States
(605) 578-1500
View Venue Website