Among the several offerings the Sektor7 Institute has related to evasion, privilege escalation, malware development, and persistence, cyber security professionals of various disciplines, from red team operators to incident responders, can all find something of value in Sektor7 Institute’s RED TEAM Operator: Windows Evasion Course.
I say that because I’ve taken the course myself, and being a Senior Penetration Tester at Schellman, it’s helped my work. Now, I want to help you determine whether it’ll help you in yours too.
In this article, I’ll provide an overview of the Sektor7 RED TEAM Operator: Windows Evasion Course, the provided materials, the course curriculum, and my opinion on the necessary prerequisites for success.
What is the Sektor7 RED TEAM Operator: Windows Evasion Course?
Where some other Windows red team courses focus on operations, such as using C2 frameworks and attacks against Active Directory (AD), Sektor7 courses tend to be heavier on coding, with a more granular approach in the material they provide.
This course is no different—in coming to understand modern detection technology, its weak points, and how those blind spots can be leveraged by attackers, you’ll take the perspective of an offensive security developer, rather than an operator.
You’ll also only have a year to achieve that understanding—although you previously received lifetime access to the course upon purchase, now, $239 (as of 11/4/24) gets you 365 days of access to the materials.*
* NOTE: The course does occasionally get discounted, so make sure to check the Sektor7 social media accounts for those announcements.
Sektor7 Evasion Course Breakdown
The evasion course is broken down into five (5) sections: an introduction and a summary section bookend the technical material in the other three modules. The introduction section provides all the proof of concept (PoC) code for each of the three technical sections in a zip file that you compile yourself; a batch script is included to simplify that process. In addition, addendum sections have been added throughout the course to supplement the concepts of a given section, and these may include code blocks and explanations not already in the zip file of PoC course materials.
You’ll also be provided with a virtual machine (VM) to test the evasions you’ll learn in a controlled environment; it weighs around 18.4 GB and, on my home connection, took around 30 minutes to download. Some other specifics:
- Antivirus (AV): BitDefender (preloaded)
- Monitoring Solution: Sysmon (it shares many logging and hooking techniques with endpoint detection and response (EDR) solutions, which helps emulate a real environment when testing the PoCs)
- Operating System: Windows 10 Enterprise Evaluation Version
- Evasion PoCs are also included in the VM image
Essentials
As you move into the second section and first technical module—titled Essentials—you’ll get an overview of modern detection technology and how to obfuscate payloads, with a focus on binaries at rest or prior to execution. Takeaways from this module include:
- Binary entropy—or file randomness—and its effects on detection, as well as some obfuscation methods and routines that you can incorporate for manipulating the entropy of your payload.
- Binary image details and how to make payloads look benign by manipulating binary metadata—e.g., adding details like the publisher of the binary, version numbers, and other details to make a binary look more legitimate to an AV product or analyst.
- PE (Portable Executable) digital signatures, including the potential for signed binaries to evade detection, as well as step-by-step techniques and tools for self-signing our binaries and their effectiveness against automated controls and sandboxes.
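As an added illustration of the binary entropy point in the Essentials list above (my own example, not code from the course), the snippet below computes the Shannon entropy of a constructed blob and scans it in fixed windows, which is how a defender spots a packed or encrypted region that whole-file entropy would otherwise average away; the triage thresholds are assumptions, not values from the course.

```python
# Added example (not part of the Sektor7 course materials): measuring the
# Shannon entropy of a byte blob, the "file randomness" property that AV
# engines and analysts use to flag packed or encrypted payloads.
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 256, threshold: float = 7.0):
    """Walk the blob in fixed, non-overlapping windows and report (offset, entropy)
    for every window at or above the threshold. A localised high-entropy region
    is the usual tell of an embedded packed or encrypted section."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window:          # ignore a short trailing tail
            break
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


def entropy_verdict(data: bytes) -> str:
    """Coarse whole-file triage label; the thresholds are assumptions."""
    e = shannon_entropy(data)
    if e >= 7.0:
        return "likely packed or encrypted"
    if e >= 5.0:
        return "typical compiled code or mixed content"
    return "low entropy (text, padding or repetitive data)"


# Constructed sample: 512 bytes of padding, 512 bytes of uniformly distributed
# bytes (standing in for an encrypted payload), then 512 more bytes of padding.
SAMPLE = b"\x00" * 512 + bytes(range(256)) * 2 + b"\x00" * 512

if __name__ == "__main__":
    # Whole-file entropy is diluted by the padding, but the window scan
    # still isolates the two 256-byte windows that are fully random.
    print("whole-file entropy:", round(shannon_entropy(SAMPLE), 3))
    print("verdict:", entropy_verdict(SAMPLE))
    print("high-entropy windows:", high_entropy_windows(SAMPLE))
```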
Non-Privileged User Vector
The next technical module delves into:
- API hooking and unhooking
- Code injection
- Direct syscalls, and more
As the course explains, AVs often set “hooks” in ntdll.dll “because it’s the last element in the execution chain running in user mode before entering kernel space.” That’s important because it means that—to sidestep these protection methods and their blocking the payload and firing alerts—attackers must either un-hook processes, or go another route and avoid the hooks altogether.
That’s where syscalls come in (which are discussed in-depth in this section).
During malware development for Windows, the Windows API is the documented way to request a particular piece of functionality from the kernel. It abstracts the underlying native routines into C/C++ functions for developers, and sometimes it is the only supported way to access what you need from the operating system itself. A direct syscall, however, reaches those low-level kernel operations without going through the Windows API.
The course contains detailed information about how these syscalls are performed—including the Hell’s Gate technique for direct syscall resolution—and even introduces its own novel technique, Halo’s Gate (an evolution of Hell’s Gate).
For those wanting to learn about key aspects of the Windows API—such as the Thread Environment Block (TEB), Process Environment Block (PEB), and the different structures used to dynamically resolve API functions to avoid detection—it's all in this section. The conclusion of this section also includes two assignments, to help you apply the concepts of DLL unhooking and module stomping respectively.
High-Privileged User Vector
The final technical module gets into:
- Blinding event logs
- Blinding event logs can help disrupt monitoring on a compromised host, from the network level down to the process level, and the course provides code in C to either suspend the process—“blind” the log—or even kill related threads.
- Blocking endpoint protection communications
- The course describes different ways to disrupt endpoint protection communications, such as the ability of antivirus and EDR solutions to talk to the network, using things like GUI tools, command line tools, and the COM API.
- Sysmon attacks
- The course explains how to determine if Sysmon is running and provides a walkthrough on how to terminate Sysmon without touching the Sysmon configuration.
- You’re also instructed on an alternative technique—the “Silent Gag”—which prevents Sysmon from logging event tracing for Windows (ETW) events.
The High-Privileged User vector concludes with two assignments. One focuses on using the Windows API to extract information about Sysmon, and the second encourages tampering with the registry to observe how those changes affect Sysmon logging.
Summary
Within the final section of the course, an evasion decision tree is provided for deciding when to apply the evasion techniques explored throughout the course, including details such as:
- Evasion considerations before running a payload (avoiding static signature detections and sandboxes);
- What to do when your payload runs;
- Actions after getting high privileges; and
- Moves to make if you’re unable to gain high privileges but still need to stay camouflaged from AV and EDR.
Is the Sektor7 Evasion Course for You?
Taking all this together, I would rate this material as an intermediate to advanced level course—one that provides in-depth technical training at a relatively low cost (in comparison to other options out there). Should you invest, you’ll come away from the Sektor7 Evasion course with a foundational understanding of:
- How evasion works in the context of Windows operating systems;
- How to set up your environment to test your payloads; and
- The mindset required to create your own bypasses.
Moreover, should you invest, I recommend going in with some understanding of:
- Windows 10/11 architecture;
- C / C++; and
- A working knowledge of PE file structure.
Of course, having read this, you may be leaning against moving forward with this course because it’s not the right thing for your professional development. If that’s the case, make sure you read up on our breakdowns regarding some other options you have:
About Gabriel Rivera
Gabriel Rivera is a Senior Penetration Tester with Schellman based in the Orlando, Florida area. Before joining Schellman in 2023, Gabriel worked as a civilian Red Team operator within the Department of Defense. As a Red Team Operator Gabriel led several penetration tests, supported threat emulation during covert assessments, and developed various tools based on adversary tactics, techniques, and procedures (TTPs) to expand the team's adversarial capabilities. Gabriel has over five years of experience working with various Federal agencies and branches of the military. As a Senior Penetration Tester at Schellman, Gabriel is now focused primarily on offensive security engagements including internal and external network testing, phishing, and web application assessments for organizations across various industries.