Giorgio Bernardinetti - Dodging the EDR Bullet: A Training on Malware Stealth Tactics - DCTLV2025
Name of Training: Dodging the EDR Bullet: A Training on Malware Stealth Tactics
Trainer(s): Giorgio Bernardinetti and Dimitri Di Cristofaro
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,200
Course Description:
"Dodging the EDR bullet" Training is an intensive, hands-on course designed to equip cybersecurity professionals with cutting-edge skills in malware evasion techniques. Dive deep into Windows security components, antivirus systems, and EDRs while mastering the full malware lifecycle—from initial access to advanced in-memory evasion and kernel-level persistence. Through a systematic approach to memory management and process manipulation, participants will learn how to bypass modern detection strategies and build stealthy malware components. The course focuses on cultivating a research-driven mindset, enabling attendees to understand and analyze detection strategies provided by the Windows OS and then craft their own techniques to evade them.
By the end of the training, participants will have gained a solid foundation in malware analysis and development, enabling them to craft sophisticated command-and-control (C2) payloads and maintain persistence while remaining undetected.
** All students are expected to sign an NDA with the trainer to avoid unauthorized sharing of training materials **
Course Outline:
DAY 1:
Advanced Windows internals:
-
What happens when Windows executes a PE file?
-
Windows internals: TEB/PEB
-
Windows loader structure
-
Write your custom PE loader
Background on detection techniques:
-
State of the art detection strategies
-
Static/Dynamic, Kernel Callbacks, ETW-Ti, minifilters, AMSI, API hooking, call stack analysis, memory scan
Evasion part 1:
-
The goal of "code execution"
-
Memory allocation, Memory writing, Memory execution
-
Local/Remote code execution
-
Memory allocation vs EDRs
-
Overview of basic/advanced existing techniques + IoCs
-
Module Overloading + PEB + avoid kernel callbacks
-
Exercise: module overloading
-
Memory writing vs EDRs
-
Memory execution vs EDRs
-
Overview of basic/advanced existing techniques + IoCs
-
Advanced techniques + implementation in exercises
-
Exercise: threadless inject
DAY 2:
Evasion part 2:
-
Underlying issues: kernel callbacks, call stack analysis, API hooking
-
API unhooking
-
+ exercise
-
Direct/Indirect syscalls
-
+ exercise
-
Advanced stack spoofing
-
+ exercise
-
Final user-space demo
-
+ exercise
-
Combine memory allocation, writing and execution + unhooking, syscalls and stack spoofing for a fully-stealth user-space PoC
Kernel evasion & persistence:
-
Kernel space evasion & persistence
-
Kernel drivers vs DSE
-
Bring your own Driver
-
How to disable DSE with Administrator privileges
-
+ exercise + environment configuration
-
Disable DSE with VBS enabled
-
Install your own driver
-
Agent Killer - PPL tampering
-
+ exercise
-
Kernel callbacks tampering
-
+ exercise
-
ETW-Ti tampering
-
Write your own rootkit for C2 & Evasion
Difficulty Level:
Intermediate/Advanced
Students requirements:
-
Previous knowledge of Windows internals is required (processes, threads, virtual memory, ...)
-
C/C++ knowledge. It is required to have knowledge on direct memory manipulation (e.g. pointers, casting, endianess, etc...).
-
Basic x86 ASM knowledge
-
Familiarity with debuggers is preferred
-
1/2 years of experience in malware development or analysis is preferred
Suggested Prerequisites:
-
Life Of Binaries course: https://opensecuritytraining.info/LifeOfBinaries.html
-
Hello Assembly!: https://www.youtube.com/watch?v=el5V__08k_4
-
Windows Internals Crash Course: https://www.youtube.com/watch?v=I_nJltUokE0
-
Simple Function Hooking: https://www.youtube.com/watch?v=TxBGBz7FRyk
-
Hooking Functions in a different process: https://www.youtube.com/watch?v=7vKaet7hHeY
-
Injecting DLL with Shellcode: https://www.youtube.com/watch?v=SmFi1cj6gMg
-
DLL Injection with CreateRemoteThread: https://www.youtube.com/watch?v=0jX9UoXYLa4
-
DLL Injection with QueueUserAPC: https://www.youtube.com/watch?v=RBCR9Gvp5BM
-
Introduction to ETW: https://www.youtube.com/watch?v=-i_xAF7JqyA
-
Drivers And Devices (part 1): https://www.youtube.com/watch?v=sSZ8jnpUCi0
-
Drivers And Devices (part 2): https://www.youtube.com/watch?v=6_FU3zdPCmc
What Students Should Bring:
Laptop with virtualization software compatible with .ova (e.g. VMWare workstation, VirtualBox). It is recommended to use VMWare.
Minimum requirements:
-
CPU cores: 4 (8 recommended)
-
RAM: 16 GB (32 GB recommended)
-
Disk: 500 GB (1 TB recommended)
Please note that M* ARM Mac processors are not supported. We are going to delve into x86 assembly, so please make sure to have an x86 laptop.
During the training, students will be provided with:
-
A Virtual Machine with the development environment configured
-
Templates for exercises
-
Existing open-source tools used for the training
Trainer(s) Bio:
Giorgio "gbyolo" Bernardinetti is lead researcher at the System Security division of CNIT. His research activities are geared towards Red Teaming support activities, in particular design and development of advanced evasion techniques in strictly monitored environments, with emphasis on (but not limited to) the Windows OS, both in user-space and kernel-space. He has been a speaker for DEFCON32 Workshops and Red Team Village HacktivityCon 2021.
Dimitri "GlenX" Di Cristofaro is a security consultant and researcher at SECFORCE LTD where he performs Red Teams on a daily basis. The main focus of his research activities is about Red Teaming and in particular on identifying new ways of attacking operating systems and looking for cutting edge techniques to increase stealthiness in strictly monitored environments. He enjoys malware writing and offensive tools development as well as producing electronic music in his free time.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]