HITBLab: Tradecraft Development: Growing Implants in Memory – Live Edition [HITB2021SIN]



1 days

Delivery Method




Seats Available



1 days

Delivery Method





DATE: 26 August 2021

TIME: 20:00 to 22:00 SGT/GMT+8


Threat actors build their tradecraft for each campaign, they need to select the right tactics, techniques. Most of the time they use open source or commercial, but publicly available tools. They even re-purpose or pack existing malware acquired from other threat actors. The reason behind of this decision is tool development takes time, and if the known/current tools already work well, they don’t need upgrades either. However, the adversary simulation specialists need to operate in safer environments, therefore, they’re not allowed to use malicious tradecraft or unknown tools in general.

Tradecraft development is an essential skill for an adversary simulation specialist as it needs custom C2 protocols, implants, safer but realistic Mitre Att&ck TTPs, and finally cutting-edge evasions for the modern security controls including EDRs and Cyber Analytics. In this workshop, we’ll walk through reasons and ways of Tradecraft development, talk about where to start, and to go, finding example source codes, walking through the source code of existing C2s, implants, and draft tools. We’ll also discuss about weaponization techniques such as offensive pipelines, modern evasions techniques and tool integrations. During the exercises, we’ll prefer C# for programming, but you can replicate what you learn in various languages after this workshop (e.g. Python, Go, Rust).

During the workshop, the participants will be able to develop their own implants, C2s, evasions and more using examples and active tools such as Petaq Purple Team C2 and Malware, TA505+ Adversary Simulation Pack and Tehsat Malware Traffic Generator.


  • Introduction to Tradecraft Development

    · Adversaries and Various Tradecraft Examples · Basics for Microsoft .Net Framework and C# · Writing sample codes, compiling it and getting familiar with Visual Studio · Non-traditional ways to compile or execute .NET Framework code · Merging and repurposing the existing PoC implementations

  • Building a C2 and Implant

    · Building Various Communication Protocols and Services · Building the Implant and Integrating to C2 · Implementing Essential Features to Operate · Building Mitre Att&ck Examples and Automation

  • Implementing WinAPI, Evasions and Unmanage Code Executions

    · P/Invoke and WinAPI · Shellcode/DLL Injection Techniques · Anti-Virus and EDR Evasions · ETW Bypasses · D/Invoke, Syscalls and Beyond

Why You Should Take This Course

Red Team members and Penetration Testers would get the benefits of developing new offensive capabilities and learning cutting-edge techniques. Through the techniques learned in this workshop, participants can develop their own custom implementations for the exercises to safely operate in an engagement.

Blue and Purple team members, such as Security Operations, Threat Hunting, Threat Intelligence and Incident Response team members, would also learn these new techniques and their associated IOCs. During the workshop, the defence techniques and their weaknesses will be discussed through demonstrations. It also gives the participants an opportunity of implementing Mitre Att&ck tests safely with automation through custom tool development.

Who Should Attend


Key Learning Objectives

  • Prerequisite Knowledge

    • The participants should have a brief understanding of the adversary simulation concepts.
    • In addition, essential programming skills would make the exercises easier for the participants. Without programming skills, it’s still possible to learn new techniques with understanding/watching the demonstrations and exercises, but not advised.

    Hardware / Software Requirements

    To participate with the exercises, it’s suggested to bring a laptop running a Windows 10 operating system (or a Virtual Machine) with .NET Framework 4+ and Visual Studio Community Edition installed.

    Your Instructor

    No data was found