
Greg Hatcher - Offensive Development Practitioner Certification (On-Site) by White Knight Labs - DCTLV2025
Name of Training: Offensive Development Practitioner Certification (On-Site) by White Knight Labs
Trainer(s): Greg Hatcher
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2200
Course Description:
Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.
This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the indicators of compromise (IOCs) they're creating and the artifacts they're leaving behind.
Imagine you are a novice red teamer and you have been tasked with leading a 16-week full-scope red team engagement against a highly mature Fortune 50 company. No, Metasploit and Mimikatz are not going to work. Do you take your ball and go home? Nope, it's time to build a lab and see what is going to bypass their tech stack.
Do you phish from the external? Maybe an illicit consent grant in Azure? What loader do I use? Is process injection even going to be necessary? Stop being lost in the offensive cyber sauce; get informed and get to work. WKL's flagship course, Offensive Development, is meant to prepare red teamers and blue teamers for the present-day cyberwar. These are not last year's TTPs; WKL will be teaching hyper-current tools and techniques that are being used in current red team operations.
The Offensive Development course is not focused on theory: students will be given a Terraform script that spins up their own isolated AWS lab environment with several fully patched Windows virtual machines that have various EDR products installed, plus a fully licensed version of the Cobalt Strike C2 framework.
The pace of finding new offensive cyber techniques that bypass modern detection moves slightly faster than the defense can handle. This course will help red teamers and blue teamers understand the current state of the red/blue war and where the community is heading next: the kernel.
Your lab environment is yours to keep so you can continue honing your skills. Although the EDR and Cobalt Strike licenses will expire, and the Earth may turn to dust, your AWS lab environment will live forever.
Although the OD course comes with Cobalt Strike, students are free to install whichever C2 framework they're most comfortable with. Students will receive an additional Ubuntu workstation in their lab environment to install whatever additional tooling they feel is necessary.
Course Outline:
Day 1
- PE File Format for Shellcode Storage
- Windows API Primer
- Introduction to Process Injection and Loaders
- Process Injection
  - CRT Injection
  - Early Bird
  - Process Hollowing
  - MockingJay
- Calling Windows APIs with Direct and Indirect System Calls
- New API Primitives and ROP for Clean Call Stacks
- Encrypting Windows API Calls via XOR
- Cobalt Strike C2 Deep Dive (Malleable C2 Profiles and BOFs)
- Hiding Imports via Dynamic Resolution / PEB Walk
- Defeating Sandbox Detection
- Advanced Process Injection Techniques
  - Caro-Kann (ETW callback evasion in user mode)
  - TP_TIMER Insertion (Injecting via thread pool timer queues)
  - Module Stomping (Hiding malicious content in loaded modules)
- Return Address Patching & Stack Spoofing
  - Synthetic Frames to conceal malicious call stacks

Day 2
- DLL Proxying for Persistence
- DInvoke and AMSI Bypass
- ClickOnce for Initial Access
- AppDomain Injection for EDR Bypass
- Writing Your Custom Reflective Loader
- Introduction to Windows Kernel
- Lab: Configuring Kernel Debugging
- EDR Kernel Telemetry Sources
  - Callbacks & Object Notifications
  - Event Tracing for Windows (ETW)
  - File System Minifilters
  - Network Filters
- Analyzing Kernel Telemetry
- Attacking Kernel-Level Telemetry
- Weaponizing Vulnerable Drivers
- Interacting with & Exploiting Vulnerable Drivers
- Blinding EDR Telemetry with Vulnerable Drivers
- Final Challenge
After taking this course, students should expect to have the following:
- A much deeper understanding of Windows internals and how to use Windows APIs to achieve their malware development goals
- A framework for understanding and evading EDR's trigger points during static and dynamic analysis
- The hands-on skills needed to craft EDR bypasses using hyper-current techniques like ClickOnce, and using clean call stacks
Difficulty Level:
Intermediate/Advanced – a background in basic security, programming and Windows Internals would be useful.
Suggested Prerequisites:
N/A
What Students Should Bring:
Students must have an active AWS admin account with programmatic access.
Students must have Terraform installed on their workstation (a laptop with an additional monitor if possible).
Trainer(s) Bio:
Greg Hatcher served seven years as a green beret in the United States Army’s 5th Special Forces Group. During that time, Greg went on multiple combat deployments, working on small teams in austere locations to serve America’s best interests. After Greg transitioned from the military in 2017, he devoted himself to developing a deep understanding of networking and then pivoted quickly to offensive cyber security. He has taught at the NSA and led red teams while contracting for CISA. He has led training at Wild West Hackin’ Fest and virtually on the AntiSyphon platform. Greg has spoken at GrrCON and is an active member of the West Michigan Technology Council. He enjoys spending time with his family, lifting heavy things, and running long distances.
Jake Mayhew is an experienced cybersecurity professional with a particular emphasis on offensive security, especially internal & assumed breach penetration tests. In addition to several years in consulting performing penetration tests & offensive security engagements for clients in a wide range of industries, he has also served on internal red teams and currently leads the red team at UPMC.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.