Certified Evasion Techniques Professional review
July 25, 2025
Note

Most of the certification deals with the operation of the Windows kernel. It is therefore necessary to have high-integrity (administrative) access on the target in order to load a driver and communicate with it. Privilege escalation is not part of the course; the main goal is to bypass security controls.

Why should you take the CETP?

In the ever-evolving landscape of cybersecurity, the need for practical skills in bypassing sophisticated security measures like Endpoint Detection and Response (EDR), antivirus (AV), and other security controls has never been greater. The Certified Evasion Techniques Professional (CETP) stands out as a valuable training pathway for professionals seeking to deepen their expertise in evasion techniques, kernel development, and driver reversing.

The CETP course offers participants comprehensive, hands-on experience with real-world security scenarios, equipping them to handle the dynamic nature of cybersecurity threats. Compared to similar offerings such as Maldev Academy, CETP distinguishes itself by diving significantly deeper into the intricacies of Windows architecture and kernel-level operations. Its extensive and meticulously crafted lab environment simulates realistic enterprise-level security configurations, providing an added depth of technical proficiency and enabling learners to practice sophisticated attack and defense strategies.

What is the certification about?

The CETP course dives deeply into several critical security areas, particularly the Windows operating system's internals and evasion tactics that, most of the time, rely on Bring Your Own Vulnerable Driver (BYOVD) attacks. Key topics include:

  • Windows Internals: Participants explore essential Windows components like processes, threads, tokens, virtual memory, and PE file structures, gaining in-depth knowledge about the intricacies of Windows architecture.

  • Kernel Development: The course emphasizes kernel-level evasion methods, teaching students to manipulate kernel data structures such as _EPROCESS, bypass protections such as Credential Guard or Protected Process Light (PPL) on LSASS, and use tools like WinDbg effectively for kernel debugging.

  • Static Detection Bypass: Techniques such as Obfuscator-LLVM (OLLVM), local process hollowing, and CLR loading with AMSI patching are covered in depth, preparing learners to evade static malware analysis tools effectively.

  • Advanced Evasion Methods: Participants are introduced to tactics such as attacking kernel callbacks, blocking EDR network telemetry, bypassing Attack Surface Reduction (ASR) rules, and employing anti-analysis techniques.

Throughout the course, students are provided with a wide array of resources including detailed slides, comprehensive lab manuals, walk-through videos, and diagrams. Tools and scripts used throughout the labs are available, ensuring that participants can replicate and experiment independently.

Exam

The exam is a comprehensive 48-hour hands-on penetration testing experience with an additional hour to compensate for initial lab setup time. The environment consists of five target servers distributed across a domain with varying configurations and applications, accessed through a provided VM via RDP. The primary objective is to achieve OS command execution on all target servers while evading defensive measures including EDR solutions operating in block mode, with success indicated when tools and attacks are no longer blocked.

Additionally, candidates must retrieve a final flag from the domain controller located at a specific file path. The assessment requires submitting a high-quality detailed report within 48 hours of lab expiry, ideally allocating 24 hours for hands-on work and 12 hours for documentation. The report must include comprehensive walkthroughs with screenshots, detailed explanations of evasion techniques, tool usage justifications, and demonstrate both methodology and attacker mindset, with higher scores given to reports citing open-source resources and research. Here is a useful project to help you write the whole report quickly:

No automated tools are pre-installed on the exam VM, requiring candidates to upload only necessary tools via RDP, and the environment includes monitoring mechanisms to detect unfair means, with violations resulting in disqualification and a six-month cooldown period.

The assessment targeted a simulated enterprise environment consisting of multiple Windows servers with varying security configurations, ranging from systems with robust protections to those with critical security gaps. The primary objective was to achieve operating system command execution across all target hosts while evading endpoint detection and response (EDR) solutions and other defensive measures.

Methodology and Attack Chain

I encountered a hardened Windows environment. The infrastructure featured an active Endpoint Detection and Response (EDR) solution operating in block mode, an anti-malware engine with real-time protection, and Virtualization-Based Security (VBS) with Hypervisor-Protected Code Integrity (HVCI) enabled on several systems. Critical processes were safeguarded by Protected Process Light (PPL) mechanisms, while Windows Defender Application Control (WDAC) enforced strict code integrity policies. The environment also implemented Driver Signature Enforcement (DSE) and featured Local Security Authority Subsystem Service (LSASS) protection through RunAsPPL configurations. This modern security stack represented the current state of the art in Windows enterprise hardening, making the successful compromise particularly significant, as it demonstrates vulnerabilities that persist even in well-configured, contemporary environments with multiple overlapping security controls.

My approach combined enumeration, file looting, exploitation, and post-exploitation activities. Initial enumeration involved comprehensive discovery of active security processes and system protections using both custom and publicly available tools. I discovered varying security postures across different hosts, with some implementing advanced protections while others had critical gaps in their defensive architecture.
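As an added example, not code from the CETP course or from the author's exam tooling, here is a read-only PowerShell survey of the controls listed above (VBS/HVCI, Credential Guard, WDAC enforcement, LSASS RunAsPPL, Secure Boot and test signing, Defender real-time and tamper protection, ASR rules in block mode, running agent processes and attached minifilters), meant to be run from an elevated session on a target before choosing an evasion path. The agent process names and the exact build string are assumptions for illustration: the process list is a small subset, not a complete vendor catalogue.

```powershell
# Added example (not from the CETP course or the post's author). Read-only:
# it queries state and changes nothing. Run from an elevated PowerShell
# session; fltmc, bcdedit and Confirm-SecureBootUEFI need administrator rights.

function Get-DefensivePosture {
    [CmdletBinding()]
    param()

    # Exact build (major build + UBR) decides which kernel offsets apply.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

    # VBS / HVCI / Credential Guard / WDAC from the Win32_DeviceGuard class.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    # SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI.
    # *PolicyEnforcementStatus:          0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning = $dg.VirtualizationBasedSecurityStatus -eq 2
    $hvci       = $vbsRunning -and ($dg.SecurityServicesRunning -contains 2)
    $credGuard  = $vbsRunning -and ($dg.SecurityServicesRunning -contains 1)

    # LSASS as a protected process: RunAsPPL = 1, or 2 with UEFI lock on newer builds.
    $lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = ([int]$lsa.RunAsPPL) -ge 1

    # Secure Boot (throws on legacy BIOS) and test-signing mode from the BCD store.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }
    $bcd         = & bcdedit.exe /enum '{current}' 2>$null
    $testSigning = [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })

    # Defender status and ASR rule actions (0 = off, 1 = block, 2 = audit, 6 = warn).
    $mp = $null; $pref = $null
    try { $mp   = Get-MpComputerStatus -ErrorAction Stop } catch { }
    try { $pref = Get-MpPreference     -ErrorAction Stop } catch { }
    $asrBlock = 0
    if ($pref -and $pref.AttackSurfaceReductionRules_Actions) {
        $asrBlock = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    }

    # Illustrative subset of agent process names (assumption, not a full vendor list).
    $knownAgents = @('MsMpEng', 'MsSense', 'SenseIR', 'CSFalconService', 'SentinelAgent')
    $agents = Get-Process |
        Where-Object { $knownAgents -contains $_.ProcessName } |
        Select-Object -ExpandProperty ProcessName -Unique

    # Attached file-system minifilters; first column of `fltmc filters` after the two header lines.
    $filters = @(& fltmc.exe filters 2>$null |
        Select-Object -Skip 2 |
        ForEach-Object { ($_ -split '\s+')[0] } |
        Where-Object { $_ })

    [pscustomobject]@{
        Build               = $build
        VbsRunning          = $vbsRunning
        Hvci                = $hvci
        CredentialGuard     = $credGuard
        WdacKernelEnforce   = $dg.CodeIntegrityPolicyEnforcementStatus          # 2 = enforced
        WdacUserEnforce     = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus  # 2 = enforced
        LsassRunAsPPL       = $runAsPpl
        SecureBoot          = $secureBoot
        TestSigning         = $testSigning
        DefenderRealTime    = $(if ($mp) { $mp.RealTimeProtectionEnabled } else { $null })
        TamperProtection    = $(if ($mp) { $mp.IsTamperProtected } else { $null })
        AsrRulesInBlockMode = $asrBlock
        EdrProcesses        = @($agents)
        Minifilters         = $filters
    }
}

Get-DefensivePosture | Format-List
```

The combination of fields is what matters for the decisions the course teaches: HVCI running means an unsigned or patched driver will not load at all, so a BYOVD chain needs a signed driver that is not on the block list; WDAC enforced in user mode constrains which loaders can run; RunAsPPL set without a kernel primitive means LSASS is out of reach; and the minifilter altitudes tell you which vendor is watching file I/O before you drop anything to disk.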

My core exploitation technique centered around kernel-level attack methodologies that leveraged legitimate but vulnerable components to bypass security mechanisms. By exploiting these trusted components, I gained elevated kernel privileges necessary to disable endpoint protections and extract sensitive credentials from protected processes.

Real world considerations

Real-world applicability is a significant strength of the CETP training, particularly because security tools, controls, and operating systems are continuously evolving. The course explicitly acknowledges that while its projects are compatible with a given Windows 10 build, compatibility with other builds of Windows 10 or with Windows 11 isn't guaranteed. Exploit development demands careful attention to a machine's specific build number, since kernel structure layouts and offsets vary between builds, an essential detail underscored by resources such as the Vergilius Project kernel structure database.

The real value of this course lies in its strategic preparation, enabling participants to grasp how different security components interact within Windows. Equipped with this understanding, professionals can adapt their approach for any OS version, efficiently modifying and tailoring existing codebases. This adaptability ensures compatibility with diverse target systems, providing the capability to install, customize, or bypass defenses as necessary. By strategically selecting and integrating concepts from the course, learners are better prepared to navigate and succeed in the fast-paced, high-stakes world of cybersecurity evasion and defense.

The evasion series is directly inspired by Saad's work on the CETP content; thank you again.