CyberCode Academy

Course 30 - Practical Malware Development - Beginner Level | Episode 1: C# Offensive Operations: Recon, Persistence, and File Acquisition

In this lesson, you’ll learn about: defensive perspectives on common red-team techniques.

1. System Enumeration (Detection & Hardening)

  • What attackers typically try to collect:
    • OS version, hostname, IP address
    • Current user and privilege level
  • Why it matters:
    • Helps attackers tailor exploits and escalate privileges
  • Defensive measures:
    • Monitor for processes that run several discovery commands (whoami, systeminfo, ipconfig, net) in quick succession, especially under an unusual parent process
    • Use Endpoint Detection & Response (EDR) to flag reconnaissance patterns
    • Apply least privilege to limit accessible system details
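The "burst of discovery commands" pattern above is easy to turn into a rule. The following is an added example, not code from the episode or from CyberCode Academy: it groups Sysmon-style process-creation events by parent process and alerts when one parent launches three or more distinct enumeration tools inside a two-minute window. The event records, the host name, the Temp-resident implant path and the thresholds are all constructed for the example; the field names (Image, ParentImage, ParentProcessId, UtcTime, Computer) follow Sysmon's Event ID 1 schema.

```python
"""Detect a burst of host-discovery commands under one parent process.

Added example for this episode (not CyberCode Academy code). The records below are
constructed to resemble Sysmon Event ID 1 (ProcessCreate) after export to JSON;
field names follow Sysmon's (UtcTime, Image, ParentImage, ParentProcessId, Computer).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Built-in tools attackers commonly chain for OS, user and network enumeration.
DISCOVERY_TOOLS = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "hostname.exe",
                   "net.exe", "net1.exe", "nltest.exe", "tasklist.exe", "qwinsta.exe"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def tool_name(event):
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.basename(event["Image"]).lower()


def find_discovery_bursts(events, window=timedelta(minutes=2), min_tools=3):
    """Return one alert per (host, parent pid) that launched >= min_tools distinct
    discovery tools within `window`. A sliding window over the sorted child events
    catches a burst anywhere in the timeline, not only at its start."""
    children = defaultdict(list)
    for e in events:
        if tool_name(e) in DISCOVERY_TOOLS:
            children[(e["Computer"], e["ParentProcessId"])].append(e)

    alerts = []
    for (host, ppid), evs in children.items():
        evs.sort(key=lambda e: parse_time(e["UtcTime"]))
        for i, first in enumerate(evs):
            t0 = parse_time(first["UtcTime"])
            in_window = [e for e in evs[i:] if parse_time(e["UtcTime"]) - t0 <= window]
            tools = sorted({tool_name(e) for e in in_window})
            if len(tools) >= min_tools:
                alerts.append({"host": host, "parent_pid": ppid,
                               "parent_image": first["ParentImage"],
                               "tools": tools, "first_seen": first["UtcTime"]})
                break  # one alert per parent is enough for triage
    return alerts


def make_event(utc, image, cmd, parent_image, ppid, host="WS01"):
    return {"EventID": 1, "UtcTime": utc, "Computer": host, "Image": image,
            "CommandLine": cmd, "ParentImage": parent_image, "ParentProcessId": ppid}


# Constructed sample: an implant in %TEMP% enumerates the host within 40 seconds,
# while an administrator's cmd.exe runs a single ipconfig (benign).
IMPLANT = r"C:\Users\alice\AppData\Local\Temp\svc.exe"
SAMPLE_EVENTS = [
    make_event("2024-05-01 10:00:01.000", r"C:\Windows\System32\whoami.exe", "whoami /all", IMPLANT, 4321),
    make_event("2024-05-01 10:00:12.000", r"C:\Windows\System32\systeminfo.exe", "systeminfo", IMPLANT, 4321),
    make_event("2024-05-01 10:00:25.000", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", IMPLANT, 4321),
    make_event("2024-05-01 10:00:40.000", r"C:\Windows\System32\net.exe", "net localgroup administrators", IMPLANT, 4321),
    make_event("2024-05-01 10:05:00.000", r"C:\Windows\System32\ipconfig.exe", "ipconfig", r"C:\Windows\System32\cmd.exe", 9001),
]

if __name__ == "__main__":
    for a in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['parent_image']} (pid {a['parent_pid']}) ran "
              f"{', '.join(a['tools'])} starting {a['first_seen']}")
```

Keying on the parent process is what separates an implant from a help-desk script: a single ipconfig from cmd.exe is noise, four different discovery tools from one Temp-resident binary is not. Tune `min_tools` and `window` against your own baseline before alerting on it.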
2. Persistence Mechanisms (Prevention & Monitoring)
  • Common persistence targets:
    • Startup folders
    • Registry Run keys
    • Scheduled tasks or services
  • Why it matters:
    • Allows threats to survive reboots and maintain access
  • Defensive measures:
    • Monitor changes to autorun registry keys
    • Use tools like:
      • Windows Event Logs
      • Sysmon (Event IDs 12 and 13 for registry key and value changes, Event ID 11 for files dropped into Startup folders)
    • Enforce:
      • Application allowlisting
      • Regular startup audits
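The three persistence targets listed above map onto three Sysmon event types, so one small rule set covers them. The following is an added example, not code from the episode or from CyberCode Academy: it classifies Sysmon-style events as autorun registry writes (Event ID 13), Startup-folder drops (Event ID 11), or scheduled-task and service creation (Event ID 1 with schtasks.exe or sc.exe). The sample events, user SID and file paths are constructed; the field names (TargetObject, Details, TargetFilename, Image, CommandLine) follow Sysmon's schema.

```python
"""Flag autorun persistence in Sysmon-style events.

Added example for this episode (not CyberCode Academy code). Records are constructed
to resemble Sysmon events after JSON export: Event ID 13 (RegistryEvent, value set),
Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate); field names follow Sysmon's.
"""
import ntpath

# Registry paths where setting a value means "run this at logon or boot".
# "\currentversion\run" also matches RunOnce and RunServices.
AUTORUN_KEY_MARKERS = ("\\currentversion\\run", "\\winlogon\\userinit", "\\winlogon\\shell")
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"


def classify(event):
    """Return the persistence technique an event indicates, or None."""
    eid = event["EventID"]
    if eid == 13:
        target = event["TargetObject"].lower()
        if any(m in target for m in AUTORUN_KEY_MARKERS):
            return "registry_autorun"
    elif eid == 11:
        if STARTUP_FOLDER_MARKER in event["TargetFilename"].lower():
            return "startup_folder"
    elif eid == 1:
        image = ntpath.basename(event["Image"]).lower()
        args = event["CommandLine"].lower().split()
        if image == "schtasks.exe" and "/create" in args:
            return "scheduled_task"
        if image == "sc.exe" and "create" in args:
            return "service_create"
    return None


def find_persistence(events):
    alerts = []
    for e in events:
        technique = classify(e)
        if technique:
            alerts.append({"technique": technique, "time": e["UtcTime"], "actor": e["Image"],
                           "target": e.get("TargetObject") or e.get("TargetFilename") or e.get("CommandLine"),
                           "details": e.get("Details", "")})
    return alerts


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
IMPLANT = r"C:\Users\alice\AppData\Local\Temp\svc.exe"
# Constructed sample: one implant installs itself three ways, followed by benign noise
# (an installer writing its Uninstall entry, a plain cmd.exe). The SID is made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01 10:01:00.000", "EventType": "SetValue", "Image": IMPLANT,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": IMPLANT},
    {"EventID": 11, "UtcTime": "2024-05-01 10:01:05.000", "Image": IMPLANT,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:01:10.000", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc onlogon /tn Updater /tr "' + IMPLANT + '"'},
    {"EventID": 13, "UtcTime": "2024-05-01 10:02:00.000", "EventType": "SetValue",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName",
     "Details": "Example App"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:30.000", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for a in find_persistence(SAMPLE_EVENTS):
        print(f"{a['time']} {a['technique']:18} by {a['actor']} -> {a['target']}")
```

The Uninstall key write is the kind of legitimate `CurrentVersion` activity that a sloppy substring match on `CurrentVersion` alone would catch; anchoring on `\Run`, `Userinit` and `Shell` keeps the rule specific. In production you would additionally baseline which images are allowed to write these keys (installers, group-policy clients) rather than alerting on every hit.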
3. Command Execution & Remote Control (Threat Detection)
  • Typical attacker behavior:
    • Receiving commands from external servers
    • Executing instructions dynamically
  • Defensive measures:
    • Detect unusual outbound connections (C2 patterns)
    • Inspect traffic for:
      • Beaconing behavior: repeated connections to one destination at a fixed or lightly jittered interval
      • Connections to unknown domains or destinations with no business purpose
    • Use network segmentation and egress filtering
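Beaconing is detectable because an implant's check-ins are far more regular than human-driven traffic. The following is an added example, not code from the episode or from CyberCode Academy: it groups Sysmon-style network-connection events by process and destination and scores each group by the coefficient of variation (standard deviation divided by mean) of the gaps between connections. The events, process paths and thresholds are constructed; the destination addresses are from the RFC 5737 documentation ranges; the field names (Image, DestinationIp, DestinationPort, UtcTime) follow Sysmon's Event ID 3 schema.

```python
"""Score outbound connections for beaconing (regular intervals to one destination).

Added example for this episode (not CyberCode Academy code). Records are constructed
to resemble Sysmon Event ID 3 (NetworkConnect) after JSON export; field names follow
Sysmon's. Destination IPs come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def beacon_candidates(events, min_connections=8, max_jitter=0.25):
    """Group connections by (host, image, destination) and compute the coefficient of
    variation (stdev / mean) of the gaps between them. Real C2 adds sleep jitter on
    purpose, so max_jitter is the tuning knob: 0.25 tolerates roughly +/-25% jitter."""
    groups = defaultdict(list)
    for e in events:
        key = (e["Computer"], e["Image"], e["DestinationIp"], e["DestinationPort"])
        groups[key].append(parse_time(e["UtcTime"]))

    findings = []
    for (host, image, ip, port), times in groups.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append({"host": host, "image": image, "destination": f"{ip}:{port}",
                             "connections": len(times), "mean_interval_s": round(mean, 1),
                             "jitter": round(cv, 3)})
    return findings


def make_conns(base, offsets, image, ip, port, host="WS01"):
    """Build constructed NetworkConnect records at the given second offsets from base."""
    return [{"EventID": 3, "Computer": host, "Image": image,
             "DestinationIp": ip, "DestinationPort": port,
             "UtcTime": (base + timedelta(seconds=o)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]}
            for o in offsets]


BASE = datetime(2024, 5, 1, 10, 0, 0)
# Implant: 60 s sleep with a few seconds of jitter, 12 check-ins over 11 minutes.
BEACON = make_conns(BASE, [0, 60, 121, 179, 240, 302, 358, 420, 481, 539, 600, 661],
                    r"C:\Users\alice\AppData\Local\Temp\svc.exe", "203.0.113.10", 443)
# Browser: bursty, human-driven traffic to one web server (enough samples, no rhythm).
BROWSING = make_conns(BASE, [0, 3, 48, 50, 350, 357, 447, 452, 900, 903],
                      r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.7", 443)
SAMPLE_EVENTS = BEACON + BROWSING

if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_EVENTS):
        print(f"{f['image']} -> {f['destination']}: {f['connections']} connections, "
              f"mean {f['mean_interval_s']} s, jitter {f['jitter']}")
```

The browser group has enough connections to be evaluated but its gaps (3 s, 45 s, 300 s, ...) give a coefficient of variation above 1, so it is rejected; the implant's gaps cluster around 60 s and score about 0.03. Long sleep intervals (hours) need a longer observation window than this sample, which is why egress filtering and an approved-destination list complement the statistical check rather than replace it.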
4. Remote File Downloading (Risk Mitigation)
  • Why attackers use it:
    • To deliver additional payloads or tools dynamically
  • Defensive measures:
    • Restrict outbound traffic to approved domains only
    • Monitor:
      • Unexpected file downloads
      • Execution from temporary directories
    • Use antivirus / EDR to scan downloaded content in real time
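"Unexpected file downloads" and "execution from temporary directories" can be joined into one correlation: a file that arrived from the Internet and was launched minutes later. The following is an added example, not code from the episode or from CyberCode Academy: it reads Sysmon-style events, records files that received an Internet-zone Zone.Identifier stream (Event ID 15, which Sysmon emits when a named stream such as the browser's mark-of-the-web is written), and alerts when a later process creation (Event ID 1) runs that file within a window, or runs anything from a Temp directory. The sample events, paths and host URL are constructed; the field names (TargetFilename, Contents, Image, UtcTime) follow Sysmon's schema.

```python
"""Correlate mark-of-the-web downloads with later execution; flag runs from temp dirs.

Added example for this episode (not CyberCode Academy code). Records are constructed
to resemble Sysmon events after JSON export: Event ID 15 (FileCreateStreamHash, fired
when a browser writes the Zone.Identifier stream to a downloaded file) and Event ID 1
(ProcessCreate); field names follow Sysmon's.
"""
from datetime import datetime, timedelta

TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
ZONE_SUFFIX = ":zone.identifier"


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_internet_download(event):
    """ZoneId=3 in the Zone.Identifier stream marks a file from the Internet zone."""
    return (event["EventID"] == 15
            and event["TargetFilename"].lower().endswith(ZONE_SUFFIX)
            and "zoneid=3" in event.get("Contents", "").lower())


def correlate(events, window=timedelta(minutes=10)):
    """Walk events in time order; return alerts for downloaded-then-executed files
    (within `window`) and for any execution out of a temp directory."""
    downloads = {}  # lowercased file path -> the download event
    alerts = []
    for e in sorted(events, key=lambda ev: parse_time(ev["UtcTime"])):
        if is_internet_download(e):
            path = e["TargetFilename"][:-len(ZONE_SUFFIX)]
            downloads[path.lower()] = e
        elif e["EventID"] == 1:
            image = e["Image"].lower()
            origin = downloads.get(image)
            if origin and parse_time(e["UtcTime"]) - parse_time(origin["UtcTime"]) <= window:
                alerts.append({"rule": "downloaded_then_executed", "image": e["Image"],
                               "source": origin.get("Contents", ""), "time": e["UtcTime"]})
            elif any(m in image for m in TEMP_DIR_MARKERS):
                alerts.append({"rule": "exec_from_temp", "image": e["Image"], "time": e["UtcTime"]})
    return alerts


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
# Constructed sample: an executable is downloaded and run 45 s later, an implant runs
# from %TEMP%, a downloaded PDF is never executed, and notepad.exe is ordinary noise.
SAMPLE_EVENTS = [
    {"EventID": 15, "UtcTime": "2024-05-01 10:00:00.000", "Image": FIREFOX,
     "TargetFilename": r"C:\Users\alice\Downloads\update.exe:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://203.0.113.10/update.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:45.000",
     "Image": r"C:\Users\alice\Downloads\update.exe", "CommandLine": "update.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:00.000",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "CommandLine": "svc.exe"},
    {"EventID": 15, "UtcTime": "2024-05-01 10:03:00.000", "Image": FIREFOX,
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:04:00.000",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['time']} {a['rule']:25} {a['image']}")
```

Shrinking the window to 30 seconds drops the first alert (update.exe ran 45 s after download) while the Temp execution still fires, which is the behaviour you want: the temp-directory rule is a standalone signal, the download correlation adds context and the source URL. Files that are unpacked from an archive or copied with tools that strip the Zone.Identifier stream will not carry the mark, so treat its absence as a gap, not as proof of a local origin.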
Key Takeaways
  • These techniques (enumeration, persistence, remote control, payload download) are core attacker behaviors
  • Defenders should focus on:
    • Visibility (logs, monitoring, EDR)
    • Restriction (least privilege, network controls)
    • Detection (behavioral analytics, anomaly detection)


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy