Greg Hatcher - Offensive Development Practitioner Certification (On-Site) by White Knight Labs - DCTLV2025
Name of Training: Offensive Development Practitioner Certification (On-Site) by White Knight Labs
Trainer(s): Greg Hatcher
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2200
Course Description:
Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.
This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.
Imagine, you are a novice red teamer and you have been tasked with leading a 16-week full-scope red team engagement against a highly mature Fortune 50 company. No, Metapsloit and Mimikatz are not going to work. Do you take your ball and go home? Nope, it's time to build a lab and see what is going to bypass their tech stack.
Do you phish from the external? Maybe an illicit consent grant in Azure? What loader do I use? Is process injection even going to be necessary? Stop being lost in the offensive cyber sauce; get informed and get to work. WKL's flagship course, Offensive Development, is meant to prepare red teamers and blue teamers for the present day cyberwar. These are not last year's TTPs, WKL will be teaching hyper-current tools and techniques that are being used in current red team operations.
The Offensive Development course is not focused on theory, students will be given a Terraform script that spins up their own isolated AWS lab environment that has several fully patched Windows virtual machines that have various EDR products installed and a fully licensed version of the Cobalt Strike C2 framework.
The pace of finding new offensive cyber techniques that bypass modern detection moves slightly faster than the defense can handle. This course will help red teamers and blue teamers understand the current state of the red/blue war and where the community is heading next, the kernel.
Your lab environment is yours to keep continuing honing your skills. Although the EDR and Cobalt Strike licenses will expire, and the Earth may turn to dust, your AWS lab environment will live forever.
Although the OD course comes with Cobalt Strike, students are free to install whichever C2 framework they're most comfortable with. Students will receive an additional Ubuntu workstation in their lab environment to install whatever additional tooling they feel is necessary.
Course Outline:
Day 1
-
PE File Format for Shellcode Storage
-
Windows API Primer
-
Introduction to Process Injection and Loaders
-
Process Injection
-
CRT Injection
-
Early Bird
-
Process Hollowing
-
MockingJay
-
-
Calling Windows APIs with Direct and Indirect System Calls
-
New API Primitives and ROP for Clean Call Stacks
-
Encrypting Windows API Calls via XOR
-
Cobalt Strike C2 Deep Dive (Malleable C2 Profiles and BOFs)
-
Hiding Imports via Dynamic Resolution / PEB Walk
-
Defeating Sandbox Detection
-
Advanced Process Injection Techniques
-
Caro-Kann (ETW callback evasion in user mode)
-
TP_TIMER Insertion (Injecting via thread pool timer queues)
-
Module Stomping (Hiding malicious content in loaded modules)
-
-
Return Address Patching & Stack Spoofing
-
Synthetic Frames to conceal malicious call stacks
-
Day 2
-
DLL Proxying for Persistence
-
DInvoke and AMSI Bypass
-
ClickOnce for Initial Access
-
AppDomain Injection for EDR Bypass
-
Writing Your Custom Reflective Loader
-
Introduction to Windows Kernel
-
Lab: Configuring Kernel Debugging
-
EDR Kernel Telemetry Sources
-
Callbacks & Object Notifications
-
Event Tracing for Windows (ETW)
-
File System Minifilters
-
Network Filters
-
-
Analyzing Kernel Telemetry
-
Attacking Kernel-Level Telemetry
-
Weaponizing Vulnerable Drivers
-
Interacting with & Exploiting Vulnerable Drivers
-
Blinding EDR Telemetry with Vulnerable Drivers
-
Final Challenge
After taking this course, students should expect to have the following:
-
A much deeper understanding of Windows internals and how to use Windows APIs to achieve their malware development goals
-
A framework for understanding and evading EDR's trigger points during static and dynamic analysis
-
The hands-on skills needed to craft EDR bypasses using hyper-current techniques like ClickOnce, and using clean call stacks
Difficulty Level:
Intermediate/Advanced – a background in basic security, programming and Windows Internals would be useful.
Suggested Prerequisites:
N/A
What Students Should Bring:
Students must have an active AWS admin account with programmatic access.
Students must have Terraform installed on their workstation (a laptop with an additional monitor if possible).
Trainer(s) Bio:
Greg Hatcher served seven years as a green beret in the United States Army’s 5th Special Forces Group. During that time, Greg went on multiple combat deployments, working on small teams in austere locations to serve America’s best interests. After Greg transitioned from the military in 2017, he devoted himself to developing a deep understanding of networking and then pivoted quickly to offensive cyber security. He has taught at the NSA and led red teams while contracting for CISA. He has led training at Wild West Hackin’ Fest and virtually on the AntiSyphon platform. Greg has spoken at GrrCON and is an active member of the West Michigan Technology Council. He enjoys spending time with his family, lifting heavy things, and running long distances.
Jake Mayhew is an experienced cybersecurity professional with a particular emphasis on offensive security, especially internal & assumed breach penetration tests. In addition to several years in consulting performing penetration tests & offensive security engagements for clients in a wide range of industries, he has also served on internal red teams and currently leads the red team at UPMC.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]