About The Training

This intensive three-day course teaches defenders and red-teamers the offensive tradecraft needed to understand, simulate, and harden against modern initial-access operations. Delivered as one day on advanced malware concepts followed by, two days focused on phishing and deception infrastructure the program balances conceptual foundations, detection-focused analysis, and isolated lab demonstrations - providing operational playbooks or reproducible attack code.

Participants will learn why sophisticated adversaries choose particular vectors, how those vectors interact with enterprise telemetry. The curriculum emphasizes observable artifacts, defense evasion, and safe, reproducible lab demonstrations that illuminate attacker intent and defender signals.

Intermediate ;Advanced

Session 1 — "Opening: Landscape & Goals"

• Welcome, scope and objectives for the day
• Legal & ethical ground rules;lab setup overview
• High-level threat framing: why advanced execution and deployment techniques matter to red teams and research

Session 1 — "Windows Internals Run-Through"

• Conceptual walkthrough of Windows Internals to build a small base for advanced malware concepts

Session 2 — "Shellcode Execution Techniques: Concepts & Demonstration"

• Conceptual walkthrough of two execution primitives:
• Early Bird / APC-style concepts — what the primitive accomplishes and why it’s used (high level)
• Fiber / SysFiber-style concepts — architectural rationale and attacker objectives (high level)
• Comparative discussion: tradeoffs, typical attacker goals, and observable behavior at a systems-architecture level
• Live Demo: staged isolated-lab visualization showing *behavioral effect* (with exploit code, step-by-step). Focus: runtime state changes and timeline visualization.

Session 3 — "Mark of the Web (MOTW): Theory & Archive Handling"

• What MOTW is and how Windows/clients interpret file origin metadata (history and purpose)
• Why origin metadata matters for classification and handling of delivered content (conceptual risks)
• Discussion of archives (password-protected containers) as an operational consideration — high-level implications for inspection pipelines and analyst workflow
• Demo (overview):  demo showing how an archive is presented to a system and how origin MOTW is not preserved/propagated in a sanitized lab.

Session 4 — "ClickOnce: Deployment Mechanism & Abuse Surface"

• ClickOnce explained: intended use cases, manifest model, publisher metadata — conceptual anatomy
• How to evaluate vulnerable a ClickOnce artifact at a high level (what to look for in manifests and metadata)
• How to backdoor a legitimate ClickOnce to achieve initial access
• Hosting considerations (legitimate deployment practices and operational hygiene)
• Walkthrough: review of a vulnerable ClickOnce manifest and discussion of red-flags in a demonstration environment — no modification/backdooring instructions provided.

Session 5 — "BYOVD: Showcase Demo“

• Introduction to the concept (what BYOVD-style tooling aims to demonstrate at a conceptual level)
• Main Event — Live Demo (isolated lab): BYOVD attack on real-world EDR to showcase attack surface. The demo is intended to illustrate system effects and telemetry/artifacts no operational instructions or reproducible code will be shown.
• Short debrief: key observations from the demo and audience Q&A about the attack surface

Closing Remarks & Resources

• Summary of key conceptual takeaways
• Curated list of further reading (papers, official docs, academic resources) — non-actionable references only
• Final Q&A and conference housekeeping

Day 2: Foundation to Infrastructure Mastery

Session 1: "Digital Deception Foundations"

• Phishing evolution landscape
• Attack methodology overview
• Modern threat actor techniques
• Workshop objectives and lab setup

Session 2: "Domain Hunting & Reputation Engineering"

• Strategic domain acquisition techniques
• Look-alike domain generation methods
• Domain categorization and reputation building
• Live Demo: Domain purchasing and DNS configuration
• Expired domain hunting strategies

Session 3: "Evilginx Foundations & IOC Elimination"

• Evilginx architecture deep-dive
• Reverse proxy mechanics explained
• Hands-on: Basic installation and setup
• IOC removal techniques and source code modifications

Session 4: "Infrastructure Hardening & Evasion Mastery"

• Evilginx infrastructure deployment
• Cloudflare integration and HTML obfuscation
• Traffic filtering and bot detection
• Workshop: Complete infrastructure setup with evasion layers
• SSL certificate automation and management

Session 5: "Microsoft Fortress Analysis & Bypass Techniques"

• Microsoft anti-phishing mechanisms dissection
• Office 365 security circumvention techniques
• Live Analysis: Microsoft login flow with Burp Suite
• Authentication flow mapping and weakness identification
   

Day 3: Advanced Techniques to APT Arsenal

Session 6: "Custom Phishlet Engineering & Anti-Detection"

• Advanced phishlet creation methodology
• Custom rule development and filter implementation
• Hands-on: Building Microsoft 365 phishlet from scratch
• JavaScript injection and DOM manipulation
• Session token extraction techniques

Session 7: "Granular Control & Advanced Phishlet Features"

• Sub-filter mastery and content modification
• Force POST implementation and credential capture
• Multi-step authentication handling
• Workshop: Enhanced phishlet with advanced evasion features
• Cookie manipulation and session hijacking optimization

Session 8: "Frameless BITB & Integration Mastery"

• Deceptive site error bypass methods
• Browser-in-the-Browser evolution analysis
• Frameless BITB implementation techniques
• Live Demo: BITB setup and testing
• Workshop: Evilginx + Frameless BITB integration

Session 9: "APT Arsenal Showcase & Traffic Analysis"

• APT Toolkit Deep Dive:
• DadSec PhaaS platform analysis
• Tycoon 2FA latest capabilities
• Rockstar 2FA evolution
• Live Demonstrations: Toolkit functionality and features
• Burp Suite Analysis: Traffic pattern examination and IOC identification
• Advanced evasion techniques comparison
• Q&A and Wrap-up

1) Laptop
2) Domain - Can get for free from Github student
3) Cloudflare Account - Free Tier
4) VPS Machine - AWS/Azure Free Tier (Student Account)
5) Visual Studio 2019
6) VirtualBox/VM Ware - Windows VM provided by trainers

(Trainers will share Training Materials (customized VM) & Lab Setup Details 10 days prior to the training date.)

1) Participant to have watched Payatu EDR Evasion webinar - https://youtu.be/CY1DHmQoxtM?si=4t8JdIXrReFS-QO8

2) Some experience in C Programming

• Red Team Operators — emulation, TTP refinement, and realistic engagement planning.
• Adversary Emulation / Purple Teamers — build realistic scenarios and improve detection by replaying attacker behaviors.
• Penetration Testers (Senior/Advanced) — expand delivery and persistence techniques knowledge beyond standard phishing.
• OpSec & Infrastructure Engineers for Offensive Ops — domain/reputation management, hosting, and resilience for safe lab infrastructure.
• Tool Developers / Exploit Engineers — conceptual malware execution primitives and integration with delivery pipelines (conceptual, non-reproducible).

• Live, hands-on demos of phishing and deception infrastructure (isolated labs) focusing on operator tradeoffs.
• Practical insights to build resilient offensive infrastructure (domain/reputation, hosting, certificate automation) with strong operational security.
• Deep, detection-aware analysis of execution primitives and runtime artifacts so you can craft realistic, telemetry-rich engagements.
• Deliverables and templates (sanitized samples, phishlet structure, checklists) to immediately improve red-team campaign realism and measurement.

• Windows VM for malware development - with the appropriate source code
• Evilginx source - IOC Removed, feature rich
• Frameless BITB Source Code

• N Day or 0 Day of any commercial / open-source software
• Request to create any custom bypasses / evasion software
• Theoretical content