SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SEC670: Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control
SEC670Offensive Operations
- 6 Days (Instructor-Led)
- 46 Hours (Self-Paced)
Course created by:
Jonathan Reiter
Course created by:Jonathan Reiter
- 46 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 27 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Sharpen elite professional security skills forging stealthy Windows implants, customized shellcode, and command and control frameworks that evade contemporary defenses.
Featured Quote
As someone working in government contracting, I feel like this course has singularly provided me with new skills that I would not have otherwise gained. And - notably - without being remotely boring. Nothing is busy work, none of the material is of the 'check the box' nature - it's all valuable and has real-world application. I think if I could only recommend one SANS course to an aspiring CNO developer, it would be this one.
Course Overview
SEC670 equips cybersecurity professionals to engineer purpose-built offensive tools for Windows environments. The industry faces a critical talent deficit in this specialized domain, as traditional academic institutions fail to address the nuanced requirements for modern tool development. Students engage in intensive hands-on lab experiences, creating custom-compiled programs that navigate contemporary defenses. Hands-on exercises introduce techniques employed by sophisticated threat actors, strengthening students’ expertise in leveraging Windows APIs, process injection, and persistence mechanisms. Through strategic application of C++ programming, analysts develop the capacity to craft tailored implants, manipulate shellcode, and establish covert command channels—skills that fundamentally elevate organizational security posture.
What You'll Learn
- Craft stealthy custom offensive tools for Windows
- Implement advanced capabilities leveraging Win32 APIs
- Leverage Visual Studio project settings to generate shellcode
- Understand EDR user mode hooks and various techniques to restore them
- Customize communication protocols to be compatible with several C2 frameworks
Business Takeaways
- Enhance defense validation through custom tool development
- Reduce security blind spots via custom tools tailored to your organizational needs
- Identify evasion techniques exploited by sophisticated actors
- Strengthen security team capabilities against advanced threats
- Support detection engineering with adversary tradecraft insights
- Validate security controls with authentic attack techniques
- Bridge the technical skills gap in offensive security teams
Meet Your Author
Jonathan Reiter
Certified InstructorJonathan is an officer in the Maryland Air National Guard serving as a cyberspace capabilities developer. With expertise in Windows implant development and kernel research, he brings practical defensive and offensive cybersecurity experience to SANS.
Read more about Jonathan ReiterCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC670: Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control.
Section 1Windows Tool Development
Section one introduces Windows Internals and programming fundamentals for offensive tool development. Students address key differences between Linux and Windows, Windows data types, calling conventions, and core Windows API programming techniques.
Topics covered
- Offensive Tool Development
- Development Environment Setup
- Windows vs. *Nix Development
- Windows Data Types
- Calling Conventions
Labs
- Detecting Process Injection
- Exploring Windows Boot Sequence
- Building Hello World DLL
- Identifying Calling Conventions
- Understanding SALv2
Section 2Getting to Know your Target
Section two explores programmatic reconnaissance techniques for comprehensive target environment mapping, covering system information gathering, process enumeration, filesystem exploration, and network intelligence collection.
Topics covered
- OS Information Collection
- Service Pack/Patch Tracking
- Process Enumeration
- Software Inventory
- User/Network Mapping
Labs
- OS Information Gathering
- Process Enumeration
- Directory Exploration
- User Information Retrieval
Section 3Operational Actions
Section three focuses on post-access techniques including process injection, PE header parsing, thread manipulation, and privilege escalation methodologies for advanced system interaction.
Topics covered
- PE Format Understanding
- Custom Win32 API Creation
- Thread Internals
- Process Injection Methods
- Privilege Escalation Tools
Labs
- PE Header Parsing
- DLL Injection
- Process Injection Techniques
- Token Stealing
- Service Creation
Section 4Persistence: Die Another Day
Section four explores multiple persistence techniques to maintain system access through reboots and unexpected disruptions using various Windows system mechanisms.
Topics covered
- In-memory Execution
- Binary Patching
- Registry Persistence
- Service Manipulation
- Port Monitors
Labs
- Service-based Persistence
- Port Monitor Persistence
- Image File Execution Persistence
Section 5Enhancing Your Implant: Shellcode, Evasion, and C2
Section five equips students with advanced techniques for shellcode execution, antivirus evasion, and command-and-control communication, enabling sophisticated offensive tool development.
Topics covered
- Shellcode Generation
- AV Bypass Techniques
- Process Hiding
- Hook Manipulation
- Command-and-Control Communication
Labs
- Local/Remote Shellcode Execution
- Process Hiding
- Function Hook Handling
- Payload Injection
Section 6Capture the Flag
Section six is an immersive Capture the Flag challenge requiring students to apply learned skills in complex, real-world scenario simulations, testing custom tool development abilities.
Topics covered
- Target Reconnaissance
- AV Bypass
- Privilege Escalation
- Persistence Mechanisms
- System Hooking
Things You Need To Know
Relevant Job Roles
Red Teamer
Offensive OperationsIn this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
OnDemand Bundle
When purchasing a live, instructor-led course, add 4 months of online access. View price in the info icons below.
SANS Skills Quest by NetWars Core Edition
Add 6 months of hands-on skills practice. Add to your cart when purchasing your course.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by first-name.2536455 last-name.2536455Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by first-name.2536455 last-name.2536455Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by first-name.2536455 last-name.2536455Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Instructed by first-name.2536455 last-name.2536455Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price$8,780 USDEnrollment options - Location & instructor
Orlando, FL, US & Virtual (live)
Instructed by first-name.2536455 last-name.2536455Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by first-name.16598475 last-name.16598475Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Dallas, TX, US & Virtual (live)
Instructed by first-name.2536455 last-name.2536455Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 8 of 9
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources