CyberCode Academy episodes:

• January 09, 2026Course 17 - Computer Network Security Protocols And Techniques | Episode 5: Digital Trust and Integrity: Hash Functions and Certification

  In this lesson, you’ll learn about:
  

  • How data integrity is ensured using cryptographic hash functions
  • How MD5 and SHA-1 generate fixed-length message digests
  • Why encryption alone does not guarantee identity
  • How Certification Authorities (CAs) authenticate identities and prevent impersonation

  Introduction This lesson explains how secure digital communication relies on two critical pillars beyond encryption: integrity verification and identity authentication. It focuses on the role of hash functions in detecting data tampering and the role of Certification Authorities in establishing trust between communicating parties. 1. Data Integrity with Hash Functions Hash functions transform data of any size into a fixed-length output, known as a message digest. Even a one-bit change in the original message results in a completely different hash value. Key Properties of Hash Functions
  

  • Fixed-size output regardless of input size
  • One-way (computationally infeasible to reverse)
  • Highly sensitive to input changes
  • Efficient to compute

  MD5 (Message Digest 5)
  

  • Produces a 128-bit hash value
  • Processes data through multiple internal transformation rounds
  • Designed to make it infeasible to reconstruct the original message from the digest
  • Useful historically for integrity checks, though no longer considered secure against collisions

  SHA-1 (Secure Hash Algorithm 1)
  

  • Produces a 160-bit hash value
  • Standardized by NIST
  • Divides input into 512-bit blocks
  • Each block is processed sequentially
  • The output of one round becomes part of the input to the next
  • More robust than MD5, but now considered cryptographically weak for modern security needs

  Why Hash Functions Matter
  

  • Detect unauthorized changes to data
  • Ensure files and messages arrive unaltered
  • Used in digital signatures, password storage, and integrity verification

  2. Identity Authentication with Certification Authorities (CAs) Encryption protects confidentiality, but it does not prove who sent the message. Without authentication, attackers can impersonate legitimate users. The Problem: Impersonation An attacker can:
  

  • Claim to be someone else
  • Send their own public key while pretending it belongs to a trusted entity
  • Trick the recipient into trusting malicious communication

  The Solution: Certification Authorities Certification Authorities are trusted third parties that verify identities and bind them to cryptographic keys. What a CA Does
  

  • Verifies the identity of an individual or organization
  • Binds that identity to a public key
  • Issues a digital certificate
  • Signs the certificate using the CA’s private key

  How Certificates Are Used
  

  • The recipient verifies the certificate using the CA’s public key
  • The sender’s authentic public key is extracted from the certificate
  • This ensures:
    • The message truly came from the claimed sender
    • The message was not altered in transit

  How Integrity and Authentication Work Together
  

  • Hash functions detect message modification
  • Digital certificates confirm sender identity
  • Combined, they prevent:
    • Tampering
    • Spoofing
    • Man-in-the-Middle attacks

  Key Takeaways
  

  • Hash functions ensure data integrity, not identity
  • MD5 and SHA-1 produce fixed-length digests from variable-length input
  • Encryption alone cannot prevent impersonation
  • Certification Authorities establish trust by binding identities to public keys
  • Secure communication requires integrity + authentication + encryption

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 08, 2026Course 17 - Computer Network Security Protocols And Techniques | Episode 4: Asymmetric Cryptography: RSA, Diffie-Hellman

  In this lesson, you’ll learn about:
  

  • What asymmetric (public key) cryptography is and why it is needed
  • How the RSA algorithm works and where it is used in practice
  • How Diffie-Hellman enables secure key exchange over public networks
  • Why asymmetric cryptography is vulnerable without authentication

  Introduction This lesson provides an in-depth explanation of asymmetric key cryptography, focusing on RSA and Diffie-Hellman. These algorithms solve a fundamental problem in network security: how to communicate securely over an insecure channel, such as the internet, without sharing secrets in advance. Asymmetric Cryptography Overview Asymmetric cryptography uses two mathematically related keys:
  

  • Public key: Shared with everyone
  • Private key: Kept secret by the owner

  What is encrypted with one key can only be decrypted with the other. This model enables secure communication, authentication, and key exchange at scale. 1. RSA (Rivest–Shamir–Adleman) RSA is a general-purpose asymmetric encryption algorithm based on the computational difficulty of factoring very large numbers. Key Generation
  

  • Two large prime numbers are selected: P and Q
  • These are multiplied to produce n = P × Q
  • A public key is created: (n, e)
  • A private key is created: (n, d)
  • Knowing n does not make it feasible to derive d without factoring n

  Encryption and Decryption
  

  • The sender converts the message into a number M
  • Encryption is performed using the public key:
    • C = M^e mod n
  • The receiver decrypts using the private key:
    • M = C^d mod n

  Only the private key holder can reverse the operation. Practical Use of RSA
  

  • RSA operations are slow and computationally expensive
  • It is not used to encrypt large data
  • Instead, RSA is commonly used to:
    • Securely exchange a symmetric session key
    • Authenticate servers and users
  • The exchanged symmetric key is then used with fast algorithms like AES

  2. Diffie-Hellman Key Exchange Diffie-Hellman is not an encryption algorithm; it is a key exchange protocol. Purpose
  

  • Allows two parties to generate a shared symmetric key
  • No prior secret is required
  • The shared key is never transmitted over the network

  How It Works
  

  • Two public values are agreed upon:
    • A large prime number P
    • A generator G
  • Each party chooses a private value:
    • Alice chooses X
    • Bob chooses Y
  • Public values are exchanged:
    • Alice sends G^X mod P
    • Bob sends G^Y mod P
  • Both compute the same shared secret:
    • G^(XY) mod P

  Even though all exchanged values are public, the shared secret remains secure. Key Properties
  

  • Secure against passive eavesdropping
  • Enables perfect forward secrecy when used correctly
  • Widely used in secure protocols such as TLS

  3. Man-in-the-Middle (MITM) Vulnerability Both RSA and Diffie-Hellman are mathematically secure, but they are vulnerable at the protocol level if identities are not verified. The Attack
  

  • An attacker intercepts the key exchange
  • Establishes one secret key with Alice
  • Establishes a different secret key with Bob
  • Relays messages between both sides while decrypting and re-encrypting them

  Both parties believe they are communicating securely, but the attacker sees everything. The Solution
  

  • Authentication is mandatory
  • Identity verification must occur before or during key exchange
  • Common solutions include:
    • Digital certificates
    • Trusted certificate authorities
    • Signed public keys

  Without authentication, encryption alone does not guarantee security. Key Takeaways
  

  • Asymmetric cryptography solves the secure key distribution problem
  • RSA relies on the difficulty of factoring large numbers
  • RSA is mainly used for key exchange and authentication, not bulk data encryption
  • Diffie-Hellman enables secure key exchange without sharing secrets
  • Both systems are vulnerable to MITM attacks without authentication
  • Secure systems always combine encryption + authentication

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 07, 2026Course 17 - Computer Network Security Protocols And Techniques | Episode 3: Modern Ciphers: Structure, Standards (DES/AES)

  In this lesson, you’ll learn about:
  

  • How modern cryptography differs from classical ciphers
  • The building blocks of bit-oriented encryption
  • How DES, 3DES, and AES work at a high level
  • Why block cipher modes of operation are necessary

  Introduction This lesson provides a structured overview of modern cryptographic techniques, focusing on how today’s encryption systems operate at the bit level, how complex standards like DES and AES are constructed, and how modes of operation securely apply block ciphers to real-world data. Foundational Concepts of Modern Ciphers Modern cryptography is bit-oriented, meaning it works directly on bits rather than characters. This allows encryption of all digital data types, including text, audio, images, and video. Basic Cipher Components Complex modern ciphers are built by combining several simple operations:
  

  • XOR (Exclusive OR) Cipher
    • Performs a bitwise XOR between data and a key
    • Simple but essential for mixing key material with data
  • Rotation Cipher
    • Rotates bits left or right with wraparound
    • Helps spread bit influence across the data
  • Substitution Ciphers (S-Boxes)
    • Replace input bits with output bits using lookup tables
    • Variants include:
      • Equal size substitution (n = m)
      • Expansion (n < m)
      • Compression (n > m)
  • Transposition / Permutation Ciphers (P-Boxes or T-Boxes)
    • Reorder bits based on fixed permutation patterns
    • Can preserve size or perform expansion/reduction
    • Increase diffusion by spreading bit changes

  Round Cipher Structure Most modern block ciphers use a round-based design:
  

  • Encryption is performed over multiple rounds
  • Each round applies substitution, permutation, and XOR
  • Each round uses a different subkey derived from a master key
  • Security increases with the number and complexity of rounds

  Key Encryption Standards Data Encryption Standard (DES)
  

  • Early U.S. encryption standard
  • Operates on 64-bit blocks
  • Uses a 56-bit key (stored as 64 bits)
  • Consists of 16 rounds

  DES Round Function Each round includes:
  

  • Splitting input into two 32-bit halves
  • Expansion P-box: 32 → 48 bits
  • XOR with a 48-bit round key
  • S-boxes: 48 → 32 bits
  • Straight permutation
  • Feistel structure swaps halves each round

  Triple DES (3DES)
  

  • Designed to improve DES security
  • Applies DES three times in an Encrypt–Decrypt–Encrypt sequence
  • Key options:
    • Two-key version: 112-bit security
    • Three-key version: 168-bit security
  • More secure than DES, but slower and largely deprecated

  Advanced Encryption Standard (AES)
  

  • Current global encryption standard
  • Replaced DES and 3DES
  • Operates on 128-bit blocks
  • Supports three key sizes:
    • 128-bit
    • 192-bit
    • 256-bit
  • More rounds are used as key size increases
  • Designed for high security and high performance

  Modes of Operation for Block Ciphers Block ciphers encrypt fixed-size blocks, but real data streams require modes of operation to handle multiple blocks securely. 1. Electronic Code Book (ECB)
  

  • Each block encrypted independently
  • Identical plaintext blocks → identical ciphertext blocks
  • Leaks patterns and is insecure
  • Not recommended for real-world use

  2. Cipher Block Chaining (CBC)
  

  • Each plaintext block is XORed with the previous ciphertext
  • Eliminates repeated ciphertext patterns
  • Requires an Initialization Vector (IV)
  • Suffers from error propagation across blocks

  3. Cipher Feedback (CFB)
  

  • Converts block cipher into a stream-like cipher
  • Supports encrypting smaller data units (R bits)
  • Uses a shift register with feedback from ciphertext
  • Error propagation affects subsequent blocks

  4. Output Feedback (OFB)
  

  • Similar to CFB but feeds back encrypted output instead of ciphertext
  • Encryption stream is independent of ciphertext
  • No error propagation
  • Requires careful IV synchronization

  Initialization Vector (IV)
  

  • Required for CBC, CFB, and OFB modes
  • Ensures uniqueness of the first encryption block
  • Must be agreed upon by sender and receiver
  • Prevents pattern reuse across messages

  Key Takeaways
  

  • Modern encryption operates at the bit level
  • Strong ciphers are built from simple operations combined over many rounds
  • DES introduced round-based block encryption but is no longer secure
  • 3DES improved security but is inefficient
  • AES is the modern standard due to strength and performance
  • Modes of operation are essential for securely encrypting large or streaming data
  • ECB is insecure, while CBC, CFB, and OFB address pattern leakage in different ways

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 06, 2026Course 17 - Computer Network Security Protocols And Techniques | Episode 2: Traditional Ciphers: Substitution and Transposition Methods

  In this lesson, you’ll learn about:
  

  • What traditional (classical) ciphers are and why they were used
  • The two main categories of traditional encryption techniques
  • How substitution ciphers hide information
  • How transposition ciphers obscure messages by rearranging characters

  Introduction This lesson introduces traditional ciphers, also known as classical encryption algorithms. These methods were developed long before modern digital communication and cryptography. They protect information by substituting characters or reordering them, making the original message unreadable to unintended recipients. Although insecure by modern standards, traditional ciphers are important for understanding the foundations of cryptography and how encryption concepts evolved. Main Categories of Traditional Ciphers Traditional ciphers are generally divided into two primary categories: 1. Substitution Ciphers Substitution ciphers work by replacing one character or symbol with another according to a defined rule or key. Monoalphabetic Ciphers
  

  • Each plaintext character is always replaced by the same ciphertext character.
  • The substitution does not change based on the character’s position.
  • Example:
    • A → D
    • 3 → 7
  • This creates a one-to-one mapping between plaintext and ciphertext characters.

  Caesar Cipher (Shift Cipher)
  

  • One of the simplest and most well-known monoalphabetic ciphers.
  • Commonly uses only uppercase alphabetic characters.
  • Encryption shifts each character forward by a fixed number (the key).
    • Example: with a key of 5
      • A → F
  • When the shift passes Z, it wraps around to the beginning of the alphabet.
  • Decryption reverses the process by shifting characters backward using the same key.

  Polyalphabetic Ciphers
  

  • The substitution depends on the character’s position in the message.
  • A single plaintext character may be replaced by different ciphertext characters at different positions.
  • This creates a one-to-many relationship, making patterns harder to detect.
  • Typically implemented by:
    • Dividing plaintext into groups
    • Applying a sequence of keys cyclically across the characters

  2. Transposition Ciphers Transposition ciphers do not replace characters.
  Instead, they rearrange (permute) the existing characters according to a key. Key Characteristics
  

  • The original characters remain unchanged
  • Only their positions are altered
  • The encryption process typically involves:
    • Removing spaces from the plaintext
    • Dividing the message into blocks based on a key
    • Reordering characters within each block
    • Adding padding characters if a block is incomplete

  Decryption
  

  • The receiver uses the same key
  • The permutation process is reversed
  • The original plaintext is reconstructed

  Key Takeaways
  

  • Traditional ciphers are the foundation of modern cryptography
  • Substitution ciphers hide messages by replacing characters
  • Transposition ciphers hide messages by rearranging characters
  • Monoalphabetic ciphers are simple but vulnerable to analysis
  • Polyalphabetic ciphers improve security by reducing patterns
  • Understanding classical ciphers helps explain why modern encryption is necessary

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 05, 2026Course 17 - Computer Network Security Protocols And Techniques | Episode 1: Computer Network Security: Foundations, Core Aspects

  In this lesson, you’ll learn about:
  

  • The fundamental goals of computer network security
  • The four core security properties used to protect network communications
  • The classic security model involving Alice, Bob, and Eve
  • Common threat behaviors observed in insecure communication channels

  Introduction This lesson introduces the foundations of computer network security by explaining its core objectives and the main actors involved in secure and insecure communications. To simplify complex security concepts, a widely used abstract model is employed, featuring Alice, Bob, and Eve. This model helps students understand how legitimate communication works, how it can be attacked, and why security mechanisms are necessary. Core Aspects of Network Security Computer network security focuses on protecting information as it is exchanged between interconnected systems. It is built upon four fundamental aspects: 1. Confidentiality Confidentiality ensures that information remains private.
  

  • If a sender encrypts a message, only the intended recipient should be able to decrypt and read it.
  • Unauthorized parties should gain no meaningful information, even if they intercept the data.

  2. Authentication Authentication verifies the identities of communicating parties.
  

  • Both the sender and receiver must confirm who they are communicating with.
  • This prevents attackers from pretending to be trusted users or systems.

  3. Message Integrity (Message Authentication) Message integrity ensures that transmitted data has not been altered.
  

  • The receiver must be able to detect any modification immediately.
  • This protects against tampering, insertion, or deletion of data during transmission.

  4. Access and Availability Availability ensures that network services remain usable.
  

  • Legitimate users must be able to access systems and services when needed.
  • Security mechanisms should protect against disruptions that prevent normal operation.

  The Security Actors: Alice, Bob, and Eve To explain security threats clearly, network security often uses three symbolic characters: Alice and Bob
  

  • Represent legitimate and trusted entities.
  • They may be real users, applications, network devices, or servers.
  • Their goal is to communicate securely and reliably.

  Examples include:
  

  • A user accessing an online banking service
  • Two routers exchanging routing information
  • A client communicating with a web server

  Eve
  

  • Represents the adversary or intruder.
  • Eve is not a specific person, but a model for any malicious entity attempting to interfere with communication.

  Common Attacks Performed by Eve Eve can attempt several types of attacks on the communication channel between Alice and Bob: Interception and Eavesdropping
  

  • Eve listens to the communication to obtain confidential information.
  • This violates confidentiality.

  Message Manipulation
  

  • Eve intercepts messages and modifies their contents.
  • She may delete messages or inject new, fake ones.
  • This breaks message integrity.

  Man-in-the-Middle (Hijacking)
  

  • Eve positions herself between Alice and Bob.
  • All communication passes through Eve without their knowledge.
  • Eve can read, modify, or redirect messages freely.

  Impersonation and Spoofing
  

  • Eve pretends to be Alice when communicating with Bob.
  • Bob believes the messages originate from Alice, even though they do not.
  • This undermines authentication.

  Denial of Service (DoS) Attacks
  

  • Eve overwhelms Bob with excessive requests.
  • Often combined with spoofing techniques.
  • Bob becomes unable to respond to legitimate requests from Alice.
  • This violates availability.

  Key Educational Takeaways
  

  • Network security exists to protect confidentiality, integrity, authentication, and availability
  • Legitimate communication must be protected from interception and manipulation
  • Attackers exploit weaknesses in trust, identity, and visibility
  • The Alice–Bob–Eve model provides a simple but powerful way to analyze security threats
  • Understanding attacker behavior is essential for designing effective defenses

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 04, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 7: The Art of Evasion: Detecting and Bypassing Security with Sysmon

  In this lesson, you’ll learn about:
  

  • The adversarial relationship between red teams and blue teams
  • Core evasion philosophies used during red team engagements
  • How host-based monitoring tools like Sysmon detect attacker behavior
  • Common indicators defenders rely on to identify malicious activity
  • Why understanding detection tools is essential for both attackers and defenders

  Overview This lesson explores the cybersecurity “cat and mouse game” between red teamers and blue teamers. It focuses on how attackers attempt to remain stealthy, while defenders deploy monitoring tools to detect abnormal behavior. The episode moves from evasion theory to a conceptual examination of Sysmon, a widely used Windows system monitoring utility, demonstrating how detection works—and how sophisticated attackers attempt to bypass it during authorized security assessments. The goal is not exploitation, but understanding limitations, detection gaps, and defensive improvements. 1. The Red Team Mindset: Evasion and Blending In A red teamer’s objective during an engagement is not chaos, but persistence without detection. Once detected, access is often lost, limiting the value of the assessment. Environmental Awareness Effective operators must understand:
  

  • What security controls are present
  • How those controls collect data
  • What behaviors are considered “normal” in the environment

  Evasion decisions are based on this awareness, not randomness. Primary Evasion Strategies 1. Disabling Defenses
  

  • A direct but noisy approach
  • Immediately disrupts security visibility
  • Often triggers alerts and manual investigation

  Risk: While effective short-term, it almost guarantees defender awareness. 2. Blending In
  

  • Mimicking legitimate user or system behavior
  • Using common protocols and expected execution patterns
  • Aligning malicious activity with typical system workflows

  Strength: Reduces behavioral anomalies that monitoring tools flag. 3. Targeting Unwatched Areas
  

  • Identifying security blind spots
  • Leveraging exclusions or limited logging scopes
  • Operating where visibility is weakest

  Reality: No monitoring solution observes everything equally. 2. The Blue Team Perspective: Detection with Sysmon What Sysmon Does Sysmon is a host-based monitoring tool that provides deep visibility into system activity, including:
  

  • Process creation events
  • Parent-child process relationships
  • Network connections
  • Registry modifications

  It does not block attacks—it records evidence. Common Indicators Defenders Look For During the demonstration, Sysmon reveals attacker behavior through patterns such as:
  

  • Unusual executables placed in sensitive system directories
  • Randomized file names that do not match known software
  • Suspicious process chains, where core system processes launch unexpected children
  • Outbound network activity from processes that normally should not communicate externally

  Detection relies less on a single event and more on correlation. 3. Counter-Evasion: Understanding the Limits of Monitoring Advanced red teamers study defensive tools not to destroy them, but to understand their coverage. Why This Matters Security tools:
  

  • Operate based on configuration
  • Have exclusions for performance and noise reduction
  • Can be misconfigured or incomplete

  By understanding what is logged versus what is ignored, operators can predict detection likelihood. Key Defensive Lesson Even when a monitoring tool appears active:
  

  • Logging may be incomplete
  • Visibility may be conditional
  • Drivers and data sources may be disabled independently

  This reinforces why defenders must:
  

  • Verify data integrity
  • Monitor monitoring tools themselves
  • Avoid assuming visibility equals coverage

  4. The Real Battle: Creativity and Understanding Neither red teams nor blue teams rely solely on tools.
  

  • Red teams rely on understanding system behavior
  • Blue teams rely on pattern recognition and context
  • Tools amplify skill—but do not replace it

  The effectiveness of both sides depends on:
  

  • Knowledge of operating systems
  • Awareness of tooling limitations
  • The ability to think beyond default assumptions

  Educational Analogy: Understanding Evasion Imagine a red teamer as a burglar testing a secured building:
  

  • Disabling defenses is cutting the power—effective, but instantly suspicious
  • Blending in is wearing staff clothing and acting normal
  • Using blind spots is entering where cameras don’t fully cover

  Security failures aren’t always due to broken locks—but to unwatched angles. Key Ethical Takeaways
  

  • Evasion techniques exist to test detection, not to evade accountability
  • Monitoring tools are powerful but not omniscient
  • Detection is about behavior, not signatures alone
  • Understanding attacker evasion improves defensive design
  • Ethical training focuses on awareness, validation, and improvement

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 03, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 6: Windows Persistence Strategies: Registry, Scheduled Tasks, Services, WMI

  In this lesson, you’ll learn about:
  

  • The purpose of persistence in red team operations
  • Common local Windows persistence mechanisms and how they function
  • Event-driven persistence using WMI
  • The difference between host-level and domain-level persistence
  • Why Kerberos Golden Tickets represent a critical enterprise risk

  Overview This lesson provides a comprehensive technical explanation of Windows persistence strategies, focusing on how attackers maintain long-term access after an initial compromise. Persistence is a post-exploitation objective that ensures access survives:
  

  • System reboots
  • User logouts
  • Password changes
  • Partial remediation efforts

  All techniques discussed are framed within authorized red team engagements, defensive awareness training, and detection engineering contexts. 1. Local System Persistence Techniques Local persistence mechanisms ensure continued execution of malicious code on a single compromised host. 1.1 Registry Run Keys Concept Windows supports registry keys that automatically launch applications when users log in. How It Works
  

  • A startup entry is added to a global registry location
  • The payload executes whenever any user logs in
  • The method survives reboots and user changes

  Why It’s Effective
  

  • Simple and reliable
  • Commonly abused by malware
  • Often overlooked during basic incident response

  Defensive Insight Security teams should monitor:
  

  • Startup registry locations
  • Unsigned or unusual binaries referenced by run keys

  1.2 Scheduled Tasks Concept Scheduled Tasks allow programs to execute automatically based on time or system conditions. How It Works
  

  • A background task is created to run repeatedly
  • Execution can be time-based or event-based
  • The task operates independently of user interaction

  Why It’s Effective
  

  • Blends in with legitimate administrative activity
  • Can execute frequently to re-establish access
  • Flexible timing and execution context

  Defensive Insight Blue teams should audit:
  

  • Newly created or modified tasks
  • Tasks executing from unusual directories

  1.3 Windows Services (SCM) Concept Windows services start automatically when the system boots and typically run with elevated privileges. How It Works
  

  • A service is configured to launch at startup
  • Execution occurs before user login
  • Often runs with SYSTEM-level permissions

  Why It’s Effective
  

  • Highly persistent
  • Very powerful privilege context
  • Survives reboots consistently

  Defensive Insight Detection should focus on:
  

  • New or modified services
  • Services running unsigned or unexpected executables

  1.4 WMI Event Subscriptions (Advanced Persistence) Concept Windows Management Instrumentation (WMI) supports event-driven automation, which can be abused for stealthy persistence. Architecture WMI persistence consists of three logical components:
  

  1. Event Filter – Watches for a specific system condition
  2. Consumer – Defines the action to perform
  3. Binding – Connects the event to the action

  Why It’s Effective
  

  • No visible startup entries
  • No scheduled tasks or services
  • Triggers only when specific events occur

  Defensive Insight This is one of the hardest techniques to detect. Monitoring requires:
  

  • WMI repository inspection
  • Event subscription auditing
  • Behavioral correlation

  2. Domain-Level Persistence: Golden Tickets Concept Golden Tickets exploit Kerberos authentication to provide permanent domain-wide access. How It Works (High-Level)
  

  • The Kerberos service account secret is compromised
  • A forged authentication ticket is created
  • The ticket grants Domain Admin privileges to any chosen identity

  Why This Is Critical
  

  • Access persists even if:
    • Passwords are reset
    • Accounts are disabled
    • Administrators are removed
  • The attacker can generate new valid credentials at will

  Impact This technique effectively gives an attacker:
  

  • Unlimited access to the domain
  • Full control over users, systems, and policies
  • A near-undetectable persistence mechanism if not monitored

  Defensive Insight Mitigation requires:
  

  • Rotating Kerberos service secrets
  • Monitoring authentication anomalies
  • Implementing strong domain hygiene and detection tooling

  Host vs Domain Persistence ComparisonPersistence TypeScopeRisk LevelRegistry / TasksSingle HostMediumServicesSingle HostHighWMI SubscriptionsSingle HostHigh (Stealthy)Golden TicketsEntire DomainCritical
  
  Why Persistence Matters in Red Teaming Persistence is not about destruction—it’s about testing resilience. Professional red teams use persistence to:
  

  • Measure detection and response maturity
  • Test cleanup effectiveness
  • Identify gaps in monitoring
  • Improve blue team readiness

  Every persistence mechanism must also include a clean removal path. Conceptual Analogy Think of persistence as hiding spare access keys:
  

  • Registry & Services → A key hidden where you check every day
  • Scheduled Tasks → A door that unlocks automatically on a timer
  • WMI Subscriptions → A smart sensor that opens the door only under specific conditions
  • Golden Tickets → Access to the locksmith’s master system that can mint new keys on demand

  Some keys affect one door. Others open the entire city. Key Educational Takeaways
  

  • Persistence is a post-exploitation objective, not an exploit
  • Simpler methods are more common, advanced methods are stealthier
  • Domain-level persistence is exponentially more dangerous
  • Detection is possible—but requires deep visibility
  • Ethical red team operations prioritize documentation and cleanup

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 02, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 5: Windows Lateral Movement: Manual Execution via WMIC, Scheduled Tasks

  In this lesson, you’ll learn about:
  

  • The purpose of manual lateral movement in red team operations
  • Why native Windows utilities are critical for stealth and reliability
  • Three core lateral movement methodologies used in authorized engagements
  • Privilege context differences between execution methods
  • How these techniques relate to common automated tools

  Overview This lesson delivers a technical deep dive into manual lateral movement within Windows domain environments. Lateral movement refers to the ability to pivot from one compromised system to another after obtaining elevated credentials—most commonly domain administrative access. Rather than relying on automated frameworks, this episode emphasizes manual techniques using native Windows functionality, which are:
  

  • Less noisy
  • More flexible
  • Harder to detect when used responsibly in controlled testing

  All techniques discussed assume explicit authorization, proper scoping, and a professional red team context. 1. Lateral Movement Using WMIC Concept WMIC (Windows Management Instrumentation Command) allows administrators to remotely interact with systems using the Windows Management Infrastructure. Methodology
  

  • The attacker targets a remote host by explicitly specifying it
  • Remote interaction is used to:
    • Validate access
    • Confirm file placement
    • Trigger execution of an existing payload

  Key Characteristics
  

  • Requires administrative privileges on the target
  • Execution occurs under the credential context of the initiating user
  • Commonly used for:
    • Quick pivots
    • Testing administrative access
    • Lightweight remote execution

  Operational Insight This method is simple and effective but does not automatically grant SYSTEM-level access. The resulting execution inherits the privileges of the domain admin account used. 2. Lateral Movement Using Scheduled Tasks Concept Windows Scheduled Tasks provide a powerful mechanism to execute actions on remote systems at defined times or conditions. Methodology
  

  • A payload is staged on the target system
  • A task is created remotely with:
    • A one-time execution
    • Immediate triggering behavior
    • Execution configured under a high-privilege account

  Key Characteristics
  

  • Can execute under NT AUTHORITY\SYSTEM
  • Allows privilege escalation beyond domain admin
  • The “run once” approach prevents repeated execution

  Operational Insight This technique is widely used in red team engagements because it:
  

  • Mimics legitimate administrative behavior
  • Blends into system management activity
  • Provides strong control over execution timing

  3. Lateral Movement Using Service Control Manager (SCM) Concept The Service Control Manager manages Windows services, which inherently run with elevated privileges. Methodology
  

  • A specially designed service-compatible executable is required
  • The payload is registered as a new service on the target
  • Starting the service triggers execution automatically

  Key Characteristics
  

  • Executes as SYSTEM by default
  • Explains the mechanics behind tools like PsExec
  • Requires careful payload preparation due to service constraints

  Operational Insight Because services are tightly integrated with Windows internals, this method is:
  

  • Extremely powerful
  • Highly privileged
  • More detectable if not carefully managed

  Professional red teamers use this method sparingly and responsibly. Privilege Context ComparisonMethodPrivilege LevelKey Use CaseWMICDomain AdminFast pivot, low complexityScheduled TasksSYSTEMPrivilege escalation, persistenceSCMSYSTEMService-based execution, tool emulation
  
  Why Manual Lateral Movement Matters Automated tools abstract these techniques, but defenders detect tools—not concepts. Understanding manual execution:
  

  • Improves adaptability
  • Enables stealthier operations
  • Allows red teamers to troubleshoot automated failures
  • Strengthens blue team detection engineering

  Conceptual Analogy Imagine having the master key to a secured facility:
  

  • WMIC is like using the internal intercom to instruct a specific room to start a task
  • Scheduled Tasks is like setting a high-priority automated instruction that executes instantly
  • SCM is like installing new maintenance equipment that always runs with full facility authority

  Each method achieves access—but with different levels of control and visibility. Key Educational Takeaways
  

  • Lateral movement depends on credentials, not exploits
  • Native Windows tools are powerful and flexible
  • Privilege context matters more than execution success
  • Manual techniques explain how automated tools work
  • Professional engagements require precision, restraint, and cleanup

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 01, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 4: Windows Post-Exploitation: Remote File Management and System Control

  In this lesson, you’ll learn about:
  

  • The role of post-exploitation in red team operations
  • Why redundancy is critical for operational reliability
  • Multiple ethical techniques for file handling, execution, and process control
  • Methods for controlled system impact and disruption
  • The importance of cleanup and reversibility in professional engagements

  Overview This lesson provides a technical demonstration of post-exploitation techniques used by red team professionals after initial access has been achieved. The focus is not on gaining access, but on maintaining control, executing actions reliably, and manipulating system behavior in a controlled and reversible manner. A central theme of this episode is redundancy. Professional red teamers must know multiple ways to perform the same task, ensuring mission success even if certain tools, permissions, or frameworks are unavailable. All techniques are presented in an ethical, authorized testing context, aligned with real-world red team operations and the MITRE ATT&CK framework. 1. File Transfer and Management Post-exploitation frequently requires moving tools, logs, or evidence between systems. Automated File Handling
  

  • Command and Control (C2) frameworks often provide built-in file operations such as:
    • Uploading payloads
    • Downloading collected data
    • Copying files across directories or systems

  These features simplify operations but should never be relied on exclusively. Manual File Transfer (Fallback Method)
  

  • When automated tools are unavailable, red teamers can rely on:
    • Temporary SMB shares hosted on their own system
    • Native Windows file copy functionality

  This approach reinforces the principle of tool independence, ensuring operations can continue using built-in system capabilities. 2. Local and Remote Process Termination Managing running processes is essential for:
  

  • Removing artifacts
  • Releasing locked files
  • Stopping unstable or suspicious processes
  • Cleaning up after execution

  Process Identification
  

  • Enumerating running processes to identify:
    • Process names
    • Associated Process IDs (PIDs)
    • Execution context

  Termination Techniques
  

  • Local process termination using native Windows utilities
  • Remote process termination against authorized targets
  • Alternative approaches using Windows management interfaces

  Redundancy ensures that if one method fails, another can be used to achieve the same goal. 3. Execution Methods Execution techniques allow red teamers to:
  

  • Launch payloads
  • Run administrative actions
  • Establish persistence
  • Test detection and response mechanisms

  Service-Based Execution
  

  • Creating and starting services remotely
  • Services often execute with elevated privileges
  • Commonly used to test privilege escalation and detection logic

  Scheduled Task Execution
  

  • Creating tasks that:
    • Run immediately
    • Execute on startup
    • Trigger at defined intervals
  • Often used for:
    • Persistence testing
    • Delayed execution scenarios

  Remote Process Creation
  

  • Leveraging system management interfaces to:
    • Execute files silently
    • Avoid interactive sessions
    • Test endpoint monitoring visibility

  4. System Impact: Shutdown, Reboot, and Logoff This section aligns closely with MITRE ATT&CK – Impact techniques, demonstrating how system availability can be influenced during authorized engagements. Standard System Control
  

  • Rebooting systems
  • Shutting down machines
  • Logging users off locally or remotely

  These actions are used to:
  

  • Test incident response workflows
  • Observe detection mechanisms
  • Evaluate business continuity controls

  Advanced Automation
  

  • Scripted actions to:
    • Force logoffs
    • Trigger shutdowns
    • Execute repeated system events

  Such techniques demonstrate how attackers could disrupt availability—but in red teaming, they are used only in controlled, pre-approved scenarios. Professional Responsibility and Cleanup A critical takeaway emphasized throughout this lesson is responsibility.
  

  • Every disruptive action must have:
    • A clear purpose
    • An approved scope
    • A documented rollback plan
  • Red teamers must always:
    • Remove persistence mechanisms
    • Restore system stability
    • Leave the environment as they found it

  Failure to clean up can cause real harm, which is unacceptable in professional security testing. Conceptual Analogy Think of post-exploitation as using the remote control of a smart building:
  

  • File transfer is like moving furniture between rooms
  • Killing a process is like turning off an appliance that’s in the way
  • Scheduled tasks are like programming lights or alarms
  • Reboots are equivalent to cutting power to test backup systems

  The goal is observation and validation, not destruction. Key Educational Takeaways
  

  • Post-exploitation is about control, not chaos
  • Redundancy ensures operational resilience
  • Native system tools are as important as advanced frameworks
  • Disruption must always be reversible
  • Cleanup is a professional obligation, not an option

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 31, 2025Course 16 - Red Team Ethical Hacking Beginner Course | Episode 3: Essential Windows Domain and Host Enumeration

  In this lesson, you’ll learn about:
  

  • The purpose and importance of network enumeration in red teaming
  • Windows Domain Enumeration techniques for situational awareness
  • Host Enumeration methods for analyzing a specific target system
  • How user sessions, services, and processes influence attack paths
  • Why continuous enumeration is critical in dynamic enterprise networks

  Overview This lesson provides a comprehensive guide to essential red team enumeration techniques used to gather intelligence within a Windows enterprise environment. Enumeration is a critical phase of any red team operation, as it allows security professionals to understand the structure, users, systems, and behavior of a network without relying on exploits. The lesson is divided into two main areas:
  

  1. Domain Enumeration – gathering network-wide intelligence
  2. Host Enumeration – collecting detailed information from a specific system

  Domain Enumeration Domain enumeration focuses on identifying high-level Active Directory information that helps red teamers understand how the environment is structured and where valuable targets exist. Identifying Domain Information
  

  • Discovering the current domain name (e.g., fun.com)
  • Identifying the Domain Controller (DC) and its IP address
  • Confirming domain role ownership and authentication authority

  Domain Policy and Infrastructure
  

  • Retrieving domain policies to understand:
    • Password requirements
    • Lockout thresholds
    • Security enforcement levels
  • Enumerating domain-joined computer hostnames

  User Session Enumeration One of the most critical objectives of domain enumeration is identifying logged-in users, since credentials and tokens may reside in memory. Techniques demonstrated include:
  

  • Listing users logged into all domain computers
  • Identifying privileged accounts logged into sensitive systems (e.g., administrators on the domain controller)
  • Detecting regular users logged into workstations
  • Narrowing enumeration to a specific target host to identify active sessions

  This information is highly time-sensitive, as logged-in users can change frequently. Host Enumeration Host enumeration focuses on gathering deep, system-level intelligence from a specific target machine once access has been obtained. Basic System Information
  

  • Hostname
  • Operating system version (e.g., Windows 10 Enterprise)
  • System architecture (x64 / x86)
  • Domain membership
  • Installed hotfixes and patch levels

  Current User Intelligence
  

  • Logged-in username
  • User Security Identifier (SID)
    • Important for advanced techniques such as ticket-based attacks
  • Group memberships
  • Assigned user privileges

  Local Privilege Analysis
  

  • Enumerating members of the local administrators group
  • Identifying misconfigurations or excessive privileges

  Service and Process Enumeration Understanding what is running on a system reveals potential attack surfaces and persistence opportunities. Services
  

  • Listing running services
  • Identifying startup services
  • Analyzing service state and startup mode
  • Detecting services running with elevated privileges

  Ports and Processes
  

  • Enumerating open and listening ports
  • Identifying processes bound to specific ports
  • Mapping processes to:
    • Process IDs
    • Executable names
    • Full file system paths

  This helps determine whether a service is custom, outdated, or potentially vulnerable. Application and File System Enumeration Installed Applications
  

  • Listing installed software (e.g., packet analyzers like Wireshark)
  • Identifying tools that may indicate:
    • Developer systems
    • Admin workstations
    • Security monitoring presence

  File System Analysis
  

  • Recursively searching the file system for files containing specific text
  • Locating files by name (e.g., flags or configuration files)
  • Identifying hidden files and directories

  These techniques help uncover credentials, scripts, backups, or sensitive data. Why Enumeration Is Critical
  

  • Network environments are dynamic
  • Logged-in users change constantly
  • Services may restart or move
  • New systems may appear or disappear

  Because of this, enumeration is not a one-time activity—it must be continuous throughout a red team operation. Key Educational Takeaways
  

  • Enumeration builds context, not exploits
  • Logged-in users often matter more than vulnerabilities
  • Privileges and services define real attack paths
  • Native system tools provide powerful visibility
  • Effective red teaming depends on accurate, up-to-date intelligence

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---