Kevin Clark & Rey Bango - Windows Payload Development: EDR Evasion and Initial Access Tradecraft - DCTLV2025

Name of Training: Windows Payload Development: EDR Evasion and Initial Access Tradecraft
Trainer(s): Kevin Clark & Rey “Privesc” Bango
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,000

Course Description: 

This training is a hands-on, immersive course designed to teach participants the art of crafting evasive Windows payloads while navigating and bypassing modern Endpoint Detection and Response (EDR) systems. Through a blend of theory and practical exercises, attendees will gain a deep understanding of payload development, focusing on techniques that enhance stealth, modularity, and effectiveness in offensive operations.

Key topics include payload formats, memory-resident execution, process injection, and advanced evasion strategies. Participants will explore the use of living off the land binaries (LOLBins), design modular implants with secure communication, and develop packers to obfuscate payloads and evade detection. By the end of the course, students will possess the knowledge and skills to craft realistic initial access vectors and deploy sophisticated payloads capable of evading modern defensive controls.

Students Will Be Provided With: 

• Lifetime Access to Course Material, plus 1-month Lab Access

• Exclusive Course Swag

• Certificate of Completion

Course Outline: 

• Payload Basics

• Payload types

• Capability payloads

• C2 payloads

• Payload formats

• EXE

• DLL

• Shellcode

• DotNET (managed)

• Defensive Controls

• EDR and telemetry

• Static signatures

• ETW and AMSI

• API Hooks

• AI/ML classifications

• Behavioral

• Blue Team analysts and hunt methods

• Static signature checks

• Network data

• Outbound connections (beacons)

• Internal connections (operations)

• Sandboxes

• Decompilers

• Intro to memory resident payloads

• Process Injection

• Local

• Remote

• Memory management

• Memory allocation

• Memory copying

• Memory permissions

• Memory execution

• Other useful Win32 APIs

• Implant design

• Communication

• Synchronous vs asynchronous

• Packet structure

• Transports

• Encryption

• C2 modularity (reflective loading)

• Shellcode

• DLLs

• BOFs

• DotNET assemblies

• LOLBins

• Application Whitelisting Concepts

• Network IoCs

• Windows binaries

• PowerShell

• JScript

• Gadget2JScript

• Office macros

• MSBuild

• RegAsm, RegSvcs, InstallUtil

• AppDomain hijacking

• 3rd party binaries

• Python

• Java

• Packer design

• What is a packer?

• Reflective loaders (again)

• Compression

• Encryption

• Environmental keying

• Entropy

• Original file name

• Compile timestamps

• Code signing

• Session prepping (bypasses)

• Input and Output types

Difficulty Level:

Intermediate

Required Experience or Skills:

• Basic understanding of Windows fundamentals.

• Basic programming knowledge.

• Willingness to learn advanced concepts in a fast-paced environment.

Suggested Prerequisites:

1. Microsoft Documentation on Win32 APIs

1. Focus on memory management APIs (e.g., VirtualAlloc, WriteProcessMemory, VirtualProtect).

2. Win32 API Basics

2. Windows Sysinternals Suite

1. Tools like Process Monitor and Process Explorer to observe process injection and payload behavior.

2. Sysinternals

3. Experience with tools like Visual Studio or MinGW installed for compiling simple payloads.

What Students Should Bring: 

• Laptop with 8GB of RAM

• Modern Web Browser (Chrome, Firefox, etc.)

Trainer(s) Bio:

Kevin Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security, with a diverse background in software development, penetration testing, and offensive security operations. Kevin specializes in initial access techniques and Active Directory exploitation. He has contributed to open-source projects such as PowerShell Empire and developed custom security toolkits, including Badrats and Ek47. A skilled trainer and speaker, Kevin has delivered talks and conducted training sessions all over the country at cybersecurity conferences, including Black Hat and DEF CON, and authors a cybersecurity blog at https://henpeebin.com/kevin/blog. 

Rey "Privesc" Bango is a Principal Cloud Advocate at Microsoft and a Security Consultant specializing in red teaming at BC Security. At Microsoft, he focuses on empowering organizations to leverage transformative technologies such as Artificial Intelligence and Machine Learning, prioritizing trust, security, and responsible use. He is an experienced trainer and speaker, presenting and teaching at cybersecurity conferences, including Black Hat and DEF CON. His work continues to bridge the gap between cutting-edge technological advancements and the critical need for secure, ethical implementation in today's world.

Registration Terms and Conditions: 

Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after July 8, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.