Windows Evasion Course
Course Overview
Welcome to the Windows Evasion Course! This self-paced course is designed to give you hands-on expertise in bypassing modern Windows security controls, equipping you with the tools and techniques used in advanced adversary simulation and red teaming.
Whether you're a red team operator, security researcher, or aspiring penetration tester, this course provides practical knowledge for evading defensive solutions like Microsoft Defender, AMSI, and EDRs in real-world environments. The course covers topics such as:
- Core Windows internals: processes, threads, and the Win32 API. AMSI bypass and emulation techniques.
- PowerShell and .NET payload obfuscation.
- Microsoft Defender evasion strategies.
- Endpoint Detection and Response (EDR) fundamentals.
- API hooking and Event Tracing for Windows (ETW) evasion.
- Executing stealthy payloads and performing low-noise operations like DCSync.
- Real-world labs using Elastic EDR to simulate and evade detection.
Combining in-depth technical training with hands-on labs, this course ensures you build a strong foundation in Windows Evasion, preparing you for more advanced red team engagements and adversary emulation work.
Prerequisites
- A basic understanding of Windows and Linux operating systems.
- Familiarity with Active Directory, penetration testing, and core security concepts.
- Experience using the command line and PowerShell
Course Curriculum
Windows Evasion Course
68 Learning Materials
Module 1: Introduction
Introduction
Course Agenda
About Windows Evasion Bootcamp
Module 2: Lab Setup
Introduction
Lab Machines
Setting up the Development Environment
Setting up Windows Test Machine and Networking
Lab Resources
Module 3: AVs and EDRs
Fundamentals
Windows Defender
Anti Malware Scanning Interface
Module 4: Programming Basics
Programming Primers
Win32 API
Processes and Threads
Kill Another Process
Kill Notepad.exe
Emulating AMSI – Associated Win32 API Calls and linking amsi.lib
Emulating AMSI – Writing Code
Emulating AMSI – Testing and Debugging
Emulating AMSI – EICAR
Module 5: PowerShell and Dotnet
Dotnet
PowerShell
Constrained Language Mode
AppLocker
LOLBas and MSBuild
dnSpy
Fileless Execution
Module 6: Payload Obfuscation
Introduction
Yara
Overcoming Yara
Invisibility Cloak
ConfuserEx
Invoke-Obfuscation
Pipelines
Module 7: Bypassing Windows Defender
OverView
Checking Progress
SafetyKatz
Cloud Delivered Protection and In-Memory Execution
Invoke-Mimikatz
Module 8: Endpoint Detection and Response
Introduction
API Hooking - Theory
API Hooking – Assembly Primer
API Hooking Practical – Understanding the Code
API Hooking Practical – Debugging (x86)
API Hooking Practical – Assignments
Event Tracing for Windows
ETW Bypass
Module 9: Setting up EDR Labs
Elastic Defend
Sophos
Module 10: How is EDR Evasion Carried out?
How is EDR Evasion Carried out?
Module 11: Playing around with Elastic EDR
Refining Old Methodology (Dotnet Assemblies)
Exploring Elastic Rules
Trying to masquerade lsass and Bifurcating Attacks.
Further Improvements – Powershell and Dotnet.
DCSync Refresher
DCSync as a Domain Admin
DCSync – New Computer Account
DCSync – Memory Forensics on the DC
DCSync – Calculating and using Hashes
OPSec Safety
Golden Ticket Attack
White Noise
Module 12: Wrapping Up
How is EDR Evasion carried out ?
Firewall Rules
Keeping up with the Defenders
CWEP Exam
Module 13: Course Resources
Windows Evasion Course PPT
Lab Resources
Training Instructor
Siddharth Johri
Security Consultant
Siddharth Johri is a cybersecurity professional skilled in Network Pentesting, AD Security, and Red Teaming, with a focus on uncovering vulnerabilities while evading detection and defenses.
Key Takeaways
2. Development of home lab to practice evasion techniques in a safe environment.
3. Private Discord community for support, discussion, and networking with peers and instructors.
4. One attempt at the Certified Windows Evasion Practitioner Exam (CWEP) included.
5. Develop stealthy execution strategies for evading modern endpoint detection solutions.
Get Certified (CWEP)
Master the fundamentals of evading modern Windows defenses with the Certified Windows Evasion Practitioner (CWEP) certification - a self-paced, hands-on program designed to build your foundation in stealth tactics and bypass techniques. You’ll learn core concepts like Win32 API usage and AMSI emulation before progressing to PowerShell and .NET obfuscation, Defender evasion, and stealth payload execution. The course also covers endpoint defense mechanisms, including EDR internals, API hooking, and ETW evasion. Through practical labs using Elastic EDR, you’ll gain real-world experience performing low-noise operations like DCSync and blending activity into live environments. Earning the CWEP certification proves your ability to bypass modern security controls and prepares you for advanced adversary simulation and red teaming roles.
FAQs
While prior Malware Development experience will be advantageous, this course does not require a malware development pre-requisite. However, basic knowledge about cybersecurity and attacking Windows and Active Directory Infrastructure is assumed.
You will gain hands-on experience with Elastic EDR, PowerShell, .NET, AMSI, and Windows APIs. Labs are designed to simulate real-world environments and use open-source EDR tools for detection and evasion.
All participants will have access to course materials and recorded sessions for lifetime.
Yes, participants who pass the exam will receive a CWEP certificate, validating their newfound skills in Windows evasion techniques and red teaming.
Ready to Master the Art of Pentesting?
Affordable Price
Unlock your potential with affordable upskilling! Our unbeatable course prices are your chance to level up without breaking the bank.
Lifetime Access
Acquire lifetime access to our resources when you buy our courses. Gain knowledge today and unlock a lifetime of learning.
Certificate of Completion
Upon completing our course, you'll receive a certificate of completion to showcase your new skills. Add it to your resume or LinkedIn profile.
Hands-On Experience
Get hands-on experience with real-world scenarios and challenges, giving you practical skills that you can apply immediately in your career.
Expert Instructors
Learn from industry experts with years of experience in pentesting, who are passionate about sharing their knowledge and helping you succeed.
Flexible Learning
Whether you're a beginner or an experienced professional, our courses are designed to meet you where you are and help you reach your goals.
Get in Touch
Have a question, need assistance, or want to collaborate? We’re here to help!
Whether you're looking for cutting-edge cybersecurity solutions or expert training or want to learn more about our services, contact us today.
By clicking on Continue, I accept the Terms & Conditions,
Privacy Policy & Refund Policy