PEN-300 – Advanced Evasion Techniques and Breaching Defenses

Evasion Techniques and Breaching Defenses: General Course Information

• About the PEN-300 Course
• Provided Material
• Overall Strategies for Approaching the Course
• About the PEN-300 VPN Labs
• About the OSEP Exam

Operating System and Programming Theory

• Programming Theory
• Operating System and Programming Theory
• Client-Side Code Execution with Office

Client-Side Code Execution with Office

• Will You Be My Dropper
• Phishing with Microsoft Office
• Keeping Up Appearances
• Executing Shellcode in Word Memory
• PowerShell Shellcode Runner
• Keep That PowerShell in Memory
• Talking to the Proxy

Client-Side Code Execution with Windows Script Host

• Creating a Basic Dropper in JScript
• JScript and C#
• In-memory PowerShell Revisited

Process Injection and Migration

• Finding a Home for Our Shellcode
• DLL Injection
• Reflective DLL Injection
• Process Hollowing

Introduction to Antivirus Evasion

• Antivirus Software Overview
• Simulating the Target Environment
• Locating Signatures in Files
• Bypassing Antivirus with Metasploit
• Bypassing Antivirus with C#
• Messing with Our Behavior
• Office Please Bypass Antivirus
• Hiding PowerShell Inside VBA

Advanced Antivirus Evasion

• Intel Architecture and Windows 10
• Antimalware Scan Interface
• Bypassing AMSI With Reflection in PowerShell
• Wrecking AMSI in PowerShell
• UAC Bypass vs Microsoft Defender
• Bypassing AMSI in JScript

Application Whitelisting

• Application Whitelisting Theory and Setup
• Basic Bypasses
• Bypassing AppLocker with PowerShell
• Bypassing AppLocker with C#
• Bypassing AppLocker with JScript

Bypassing Network Filters

• DNS Filters
• Web Proxies
• IDS and IPS Sensors
• Full Packet Capture Devices
• HTTPS Inspection
• Domain Fronting
• DNS Tunneling

Linux Post-Exploitation

• User Configuration Files
• Bypassing AV
• Shared Libraries

Kiosk Breakouts

• Kiosk Enumeration
• Command Execution
• Post-Exploitation
• Privilege Escalation
• Windows Kiosk Breakout Techniques

Windows Credentials

• Local Windows Credentials
• Access Tokens
• 3 Kerberos and Domain Credentials
• Processing Credentials Offline

Windows Lateral Movement

• Remote Desktop Protocol
• Fileless Lateral Movement

Linux Lateral Movement

• Lateral Movement with SSH
• DevOps
• Kerberos on Linux

Microsoft SQL Attacks

• MS SQL in Active Directory
• MS SQL Escalation
• Linked SQL Servers

Active Directory Exploitation

• AD Object Security Permissions
• Kerberos Delegation
• Active Directory Forest Theory
• Burning Down the Forest
• Going Beyond the Forest
• Compromising an Additional Forest

Combining the Pieces

• Enumeration and Shell
• Attacking Delegation
• Owning the Domain

The Labs

• Real Life Simulations
• Wrapping Up