Dodging the EDR bullet: A Training on Malware Stealth Tactics - Dimitri Di Cristofaro & Giorgio Bernardinetti - DCSG2026

Name of Training: Dodging the EDR bullet: A Training on Malware Stealth Tactics
Trainer(s): Dimitri Di Cristofaro and Giorgio Bernardinetti
Dates: April 26-27, 2026
Time: TBD
Venue: Marina Bay Sands
Early Bird Cost (GST included): $2,558 USD / equivalent to $3,300 SGD

Early bird price valid until February 8, 2026.

Short Summary:

"Dodging the EDR bullet" Training is an intensive, hands-on course designed to equip cybersecurity professionals with cutting-edge skills in malware evasion techniques.

The course focuses on cultivating a research-driven mindset, enabling attendees to understand and analyze detection strategies provided by the Windows OS, dig into the internals of EDRs and finally craft their own techniques to evade them effectively.

Course Description:

"Dodging the EDR bullet" Training is an intensive, hands-on course designed to equip cybersecurity professionals with cutting-edge skills in malware evasion techniques. This comprehensive training delves deep into the internals of Windows security components, antivirus systems, and EDRs, guiding participants through the entire malware lifecycle—from initial access to advanced in-memory evasion and kernel-level persistence.

Participants will adopt a systematic approach to memory management and process manipulation, learning how to bypass modern detection mechanisms and develop stealthy malware components. A key focus of the course is cultivating a research-driven mindset, empowering attendees to not just apply predefined techniques, but to analyze Windows OS detection strategies and engineer custom methods to evade them.

The training focuses heavily on userland evasion, providing practical, in-depth techniques for bypassing detection in user-mode. It also features a dedicated module on kernel-level offensive tool development, where participants will explore advanced methods to evade EDR sensors and subvert telemetry collection, gaining a deeper understanding of how to operate in highly monitored environments.

Live demonstrations and hands-on exercises will illustrate key concepts, showing participants how to integrate various techniques to build evasive implants and post-exploitation tools capable of bypassing even the most sophisticated detection systems. 

By adopting this comprehensive approach to memory allocation, execution, and evasion strategies, participants will gain the expertise needed to design and develop malware components that evade detection effectively. By the end of the training, participants will have achieved mastery in malware development, enabling them to craft sophisticated command-and-control (C2) payloads and maintain persistence while remaining undetected.

Course Outline: 

Day 1:

Advanced Windows internals:

  • What happens when Windows executes a PE file?
    • Windows internals: TEB/PEB
    • Windows loader structure
  • Write your custom PE loader

Background on detection techniques:

  • State of the art detection strategies
    • Static/Dynamic, Kernel Callbacks, ETW-Ti, minifilters, AMSI, API hooking, call stack analysis, memory scan, ...

Evasion part 1:

  • The goal of "code execution"
    • Memory allocation, Memory writing, Memory execution
    • Local/Remote code execution
  • Memory allocation vs EDRs
    • Overview of basic/advanced existing techniques + IoCs
    • Module Overloading + PEB + avoid kernel callbacks [Exercise: module overloading]
  • Memory writing vs EDRs
  • Memory execution vs EDRs
    • Overview of basic/advanced existing techniques + IoCs
    • Advanced techniques + implementation in exercises [Exercise: threadless inject, early cascade]

Day 2:

Evasion part 2:

  • Underlying issues: kernel callbacks, call stack analysis, API hooking
    • API unhooking [+ exercise]
    • Direct/Indirect syscalls [+ exercise]
    • Advanced stack spoofing [+ exercise]
  • Final user-space demo [+ exercise]
    • Combine memory allocation, writing and execution + unhooking, syscalls and stack spoofing for a fully-stealth user-space PoC

Kernel evasion & persistence:

  • Kernel space evasion & persistence
  • Kernel drivers vs DSE
  • Bring your own Driver
    • How to disable DSE with Administrator privileges [+ exercise + environment configuration]
    • Disable DSE with VBS enabled - HVCI/KDP
    • Install your own driver
      • Agent Killer - PPL tampering [+ exercise]
      • Kernel callbacks tampering [+ exercise]
      • ETW-Ti tampering
      • Write your own rootkit for C2 & Evasion

Difficulty Level:

Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

Suggested Prerequisites:

General prerequisites:

  • Previous knowledge of Windows internals is required (processes, threads, virtual memory, ...)
  • C/C++ knowledge. Knowledge of direct memory manipulation (e.g. pointers, casting, endianness, etc.) is required.
  • Basic x86 ASM knowledge.
  • Familiarity with debuggers is preferred.
  • 1 year of experience in malware development or analysis is preferred.

Suggested material:

  • Life Of Binaries course: https://opensecuritytraining.info/LifeOfBinaries.html
  • Hello Assembly!: https://www.youtube.com/watch?v=el5V__08k_4
  • Windows Internals Crash Course: https://www.youtube.com/watch?v=I_nJltUokE0
  • Simple Function Hooking: https://www.youtube.com/watch?v=TxBGBz7FRyk
  • Hooking Functions in a different process: https://www.youtube.com/watch?v=7vKaet7hHeY
  • Injecting DLL with Shellcode: https://www.youtube.com/watch?v=SmFi1cj6gMg
  • DLL Injection with CreateRemoteThread: https://www.youtube.com/watch?v=0jX9UoXYLa4
  • DLL Injection with QueueUserAPC: https://www.youtube.com/watch?v=RBCR9Gvp5BM
  • Introduction to ETW: https://www.youtube.com/watch?v=-i_xAF7JqyA
  • Drivers And Devices (part 1): https://www.youtube.com/watch?v=sSZ8jnpUCi0
  • Drivers And Devices (part 2): https://www.youtube.com/watch?v=6_FU3zdPCmc

What Students Should Bring:

Laptop with virtualization software that can import .ova images (e.g. VMware Workstation, VirtualBox). VMware is recommended.

Minimum requirements:

  • CPU cores: 4 (8 recommended)
  • RAM: 16 GB (32 GB recommended)
  • Disk: 500 GB (1 TB recommended)

Please note that Apple M-series (ARM) Mac processors are not supported. The course works with x86 assembly, so please make sure to bring an x86 laptop.

What the Trainer Will Provide:

During the training, students will be provided with:

  • A virtual machine with the development environment configured
  • Templates for the exercises
  • Exercise solutions
  • Existing open-source tools used during the training

Trainer(s) Bio:

Dimitri "GlenX" Di Cristofaro is a senior security consultant and researcher at SECFORCE LTD, where he performs Red Team engagements on a daily basis.

His research focuses on Red Teaming, in particular on identifying new ways of attacking operating systems and on cutting-edge techniques to increase stealthiness in strictly monitored environments.

He enjoys malware writing and offensive tools development as well as producing electronic music in his free time.

Giorgio "gbyolo" Bernardinetti is lead researcher at the System Security division of CNIT.

His research activities support Red Teaming, in particular the design and development of advanced evasion techniques in strictly monitored environments, with emphasis on (but not limited to) the Windows OS, both in user-space and kernel-space.

He has been a speaker at DEFCON32 Workshops and Red Team Village HacktivityCon 2021.

Registration Terms and Conditions:

Trainings are refundable before March 27, 2026, minus a non-refundable processing fee of $250.

Between March 27, 2026 and April 21, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after April 21, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.