Giorgio Bernardinetti - Dodging the EDR bullet: A Training on Malware Stealth Tactics - DCTLV2025

Name of Training: Dodging the EDR Bullet: A Training on Malware Stealth Tactics
Trainer(s): Giorgio Bernardinetti and Dimitri Di Cristofaro 
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,200

Course Description:

"Dodging the EDR bullet" Training is an intensive, hands-on course designed to equip cybersecurity professionals with cutting-edge skills in malware evasion techniques. Dive deep into Windows security components, antivirus systems, and EDRs while mastering the full malware lifecycle—from initial access to advanced in-memory evasion and kernel-level persistence. Through a systematic approach to memory management and process manipulation, participants will learn how to bypass modern detection strategies and build stealthy malware components. The course focuses on cultivating a research-driven mindset, enabling attendees to understand and analyze detection strategies provided by the Windows OS and then craft their own techniques to evade them.

By the end of the training, participants will have gained a solid foundation in malware analysis and development, enabling them to craft sophisticated command-and-control (C2) payloads and maintain persistence while remaining undetected.

** All students are expected to sign an NDA with the trainer to avoid unauthorized sharing of training materials **

Course Outline: 

DAY 1:

Advanced Windows internals:

• What happens when Windows executes a PE file?

• Windows internals: TEB/PEB

• Windows loader structure

• Write your custom PE loader

Background on detection techniques:

• State of the art detection strategies

• Static/Dynamic, Kernel Callbacks, ETW-Ti, minifilters, AMSI, API hooking, call stack analysis, memory scan

Evasion part 1:

• The goal of "code execution"

• Memory allocation, Memory writing, Memory execution

• Local/Remote code execution

• Memory allocation vs EDRs

• Overview of basic/advanced existing techniques + IoCs

• Module Overloading + PEB + avoid kernel callbacks

• Exercise: module overloading

• Memory writing vs EDRs

• Memory execution vs EDRs

• Overview of basic/advanced existing techniques + IoCs

• Advanced techniques + implementation in exercises

• Exercise: threadless inject

DAY 2: 

Evasion part 2:

• Underlying issues: kernel callbacks, call stack analysis, API hooking

• API unhooking 

• + exercise

• Direct/Indirect syscalls 

• + exercise

• Advanced stack spoofing 

• + exercise

• Final user-space demo 

• + exercise

• Combine memory allocation, writing and execution + unhooking, syscalls and stack spoofing for a fully-stealth user-space PoC

Kernel evasion & persistence:

• Kernel space evasion & persistence

• Kernel drivers vs DSE

• Bring your own Driver

• How to disable DSE with Administrator privileges

• + exercise + environment configuration

• Disable DSE with VBS enabled

• Install your own driver

• Agent Killer - PPL tampering

• + exercise

• Kernel callbacks tampering

• + exercise 

• ETW-Ti tampering

• Write your own rootkit for C2 & Evasion

Difficulty Level:

Intermediate/Advanced

Students requirements:

• Previous knowledge of Windows internals is required (processes, threads, virtual memory, ...)

• C/C++ knowledge. It is required to have knowledge on direct memory manipulation (e.g. pointers, casting, endianess, etc...).

• Basic x86 ASM knowledge

• Familiarity with debuggers is preferred

• 1/2 years of experience in malware development or analysis is preferred

Suggested Prerequisites:

• Life Of Binaries course: https://opensecuritytraining.info/LifeOfBinaries.html 

• Hello Assembly!: https://www.youtube.com/watch?v=el5V__08k_4 

• Windows Internals Crash Course: https://www.youtube.com/watch?v=I_nJltUokE0 

• Simple Function Hooking: https://www.youtube.com/watch?v=TxBGBz7FRyk 

• Hooking Functions in a different process: https://www.youtube.com/watch?v=7vKaet7hHeY 

• Injecting DLL with Shellcode: https://www.youtube.com/watch?v=SmFi1cj6gMg 

• DLL Injection with CreateRemoteThread: https://www.youtube.com/watch?v=0jX9UoXYLa4 

• DLL Injection with QueueUserAPC: https://www.youtube.com/watch?v=RBCR9Gvp5BM 

• Introduction to ETW: https://www.youtube.com/watch?v=-i_xAF7JqyA 

• Drivers And Devices (part 1): https://www.youtube.com/watch?v=sSZ8jnpUCi0 

• Drivers And Devices (part 2): https://www.youtube.com/watch?v=6_FU3zdPCmc 

What Students Should Bring: 

Laptop with virtualization software compatible with .ova (e.g. VMWare workstation, VirtualBox). It is recommended to use VMWare.

Minimum requirements:

• CPU cores: 4 (8 recommended)

• RAM: 16 GB (32 GB recommended)

• Disk: 500 GB (1 TB recommended)

Please note that M* ARM Mac processors are not supported. We are going to delve into x86 assembly, so please make sure to have an x86 laptop.

During the training, students will be provided with:

• A Virtual Machine with the development environment configured

• Templates for exercises

• Existing open-source tools used for the training

Trainer(s) Bio:

Giorgio "gbyolo" Bernardinetti is lead researcher at the System Security division of CNIT. His research activities are geared towards Red Teaming support activities, in particular design and development of advanced evasion techniques in strictly monitored environments, with emphasis on (but not limited to) the Windows OS, both in user-space and kernel-space. He has been a speaker for DEFCON32 Workshops and Red Team Village HacktivityCon 2021. 

Dimitri "GlenX" Di Cristofaro is a security consultant and researcher at SECFORCE LTD where he performs Red Teams on a daily basis. The main focus of his research activities is about Red Teaming and in particular on identifying new ways of attacking operating systems and looking for cutting edge techniques to increase stealthiness in strictly monitored environments. He enjoys malware writing and offensive tools development as well as producing electronic music in his free time.

Registration Terms and Conditions: 

Trainings are refundable before July 8, 2025, the processing fee is $250.

Trainings are non-refundable after July 8, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.