Windows Security Developer Bootcamp


Introduction

The Windows Security Developer Training program addresses the skills gap between the undergraduate computer science curriculum and the developer requirements in the information security industry. It is ideally suited for the pool of fresh hires who must ramp up quickly and become productive as a computer network operations (CNO) developer.

This is a comprehensive training program comprising 10 live, instructor-led, security-focused courses that provide a jump-start into the world of offensive and defensive security software development for the Windows platform. Topics in the training courses have been chosen based on their applicability to security, malware, rootkits, red teaming, and blue teaming.

These courses are not about running tools such as Metasploit, CobaltStrike, PowerShell Empire, etc.; instead, they provide a deeper understanding of how things work under the hood through extensive hands-on labs, preparing students to develop offensive and defensive tools on their own.

Unique Features

Designed for maximum engagement. Training courses are a mix of theory, instructor-led demos, code walk-throughs, and lab exercises; students are challenged further by daily homework assignments.

Hands-on labs focus. With at least 50% of class time dedicated to hands-on labs, students get to apply everything they have learned.

Taught by practitioners in the field. The same designated instructor teaches the entire training program, ensuring continuity and minimizing overlap. The course material is created by the same instructor who delivers the training.

Security-focused training. All training courses focus on security aspects. They have been created specifically for information security practitioners.

Latest technology. All hands-on lab exercises are performed on the latest version of Windows 10 64-bit and Visual Studio. Course content is updated at least once a year to reflect platform changes.

Prerequisites

Students are expected to have a computer science background.

Knowledge of C/C++ programming and a good understanding of concepts such as pointers, structures, unions, bit-fields, arrays, linked lists, etc.

Basic understanding of operating system constructs such as process, thread, virtual memory, file system, inter-process communication, and synchronization.

Course List

Windows Basics: Students get a broad-based, security-focused overview of the Windows platform. The key goals are to help students understand Windows OS concepts, Windows features, and Windows components, and to learn to use the tools that are available to dig into the OS.

Windows Reversing and Debugging: Students learn reverse engineering using WinDBG. Emphasis is placed on figuring out high-level language constructs by examining x64 assembly. Students learn how to reverse engineer Windows internal components through static and dynamic analysis. Most of the concepts taught in this course are also applicable to reverse-engineering malware and rootkits.

Windows Internal Architecture: Students learn about the behind-the-scenes functionality of Windows pertaining to user mode, i.e., applications and services. Learning about Windows user mode components often requires digging into the kernel, where the bulk of the OS functionality is implemented. Students use WinDBG as a user mode and kernel mode debugger to peer into components and data structures of the system.

Windows System Software Development: Students apply their knowledge of C/C++ to code, build, test, and debug Windows 64-bit console applications. Students learn about Visual Studio, the Windows SDK, Win32 APIs, MSDN documentation, common Win32 coding patterns, and debugging Win32 API failures. The focus of this course is on offensive security-related tasks as opposed to building GUI applications on Windows. After completing this course, students should feel comfortable performing user mode security-related coding tasks on Windows.

Windows Malware Techniques: Students learn how to perform post-exploitation tasks on Windows and implement user mode implants. Students learn about techniques used in key execution stages of PE file-based implants, along with the forensic artifacts and noisiness of those techniques. Students use dynamic malware analysis tools such as Process Monitor, Process Explorer, SysMon, Autoruns, etc. to observe the run-time behavior of the implants they build.

Windows Red-Team Techniques: Students learn post-exploitation techniques used by modern fileless malware at every stage of its execution: initial access, system enumeration, persistence, privilege escalation, defense evasion, etc. Students implement various techniques in PowerShell, observe their noisiness level in Windows event and SysMon logs, and learn how to bypass them.

Windows Kernel Internals: Students learn about the behind-the-scenes functionality of Windows pertaining to kernel mode. Students learn about kernel components, data structures, and algorithms; the usage of WinDBG as a kernel mode debugger; kernel debugger extension commands; and interpreting the output of these commands and correlating it to the state and health of the system.

Windows Kernel Software Driver Development: Students get a jump-start into Windows kernel mode software development. Students learn about the kernel development environment, the kernel programming model, kernel APIs, coding conventions, best practices, common pitfalls, and analyzing crashes (BSODs).

Windows Kernel Filter Driver Development: Students learn about intercepting various system-level activities by implementing filter drivers. These same filtering mechanisms are also used by AV and EDR products, so students also learn about the visibility these products have into the system and their limitations. Upon completion of this course, students will be able to implement kernel drivers to intercept, modify, and veto critical system-wide operations.

Windows Kernel Rootkit Techniques: Students learn how to abuse kernel APIs and leverage undocumented features to subvert the kernel. Students learn how to bypass kernel security mitigations, exploit third-party kernel drivers, and minimize the forensic footprint of the kernel rootkits they develop. Students also use publicly available debugger extensions and anti-rootkit tools to understand the forensic footprint of these techniques.

Logistics

All courses are live instructor-led and can be offered onsite or online.

Each course is about 20 hours of instruction and hands-on labs. The total instruction time for all 10 courses is around 200 hours.

The entire Bootcamp is delivered over 5 weeks. Courses can be delivered back to back or with a few weeks' gap in between, depending on the students' schedules, holidays, and instructor availability.

The daily schedule for online deliveries is flexible. We will do what works best for the students.

We strongly recommend restricting the class size to 15 students so that each student can be given individual attention.

The same set of students must go through the entire program to maintain learning continuity.

The course schedule for the 5-week program is as follows:

Week 1: Windows Basics, Reversing and Debugging
Week 2: Windows Internals and System Software Development
Week 3: Windows Malware and Red-Team Techniques
Week 4: Kernel Internals and Software Driver Development
Week 5: Kernel Filter Driver Development and Rootkit Techniques