CyberCode Academy episodes:

• January 05, 2026Course 17 - Computer Network Security Protocols And Techniques | Episode 1: Computer Network Security: Foundations, Core Aspects

  In this lesson, you’ll learn about:
  

  • The fundamental goals of computer network security
  • The four core security properties used to protect network communications
  • The classic security model involving Alice, Bob, and Eve
  • Common threat behaviors observed in insecure communication channels

  Introduction This lesson introduces the foundations of computer network security by explaining its core objectives and the main actors involved in secure and insecure communications. To simplify complex security concepts, a widely used abstract model is employed, featuring Alice, Bob, and Eve. This model helps students understand how legitimate communication works, how it can be attacked, and why security mechanisms are necessary. Core Aspects of Network Security Computer network security focuses on protecting information as it is exchanged between interconnected systems. It is built upon four fundamental aspects: 1. Confidentiality Confidentiality ensures that information remains private.
  

  • If a sender encrypts a message, only the intended recipient should be able to decrypt and read it.
  • Unauthorized parties should gain no meaningful information, even if they intercept the data.

  2. Authentication Authentication verifies the identities of communicating parties.
  

  • Both the sender and receiver must confirm who they are communicating with.
  • This prevents attackers from pretending to be trusted users or systems.

  3. Message Integrity (Message Authentication) Message integrity ensures that transmitted data has not been altered.
  

  • The receiver must be able to detect any modification immediately.
  • This protects against tampering, insertion, or deletion of data during transmission.

  4. Access and Availability Availability ensures that network services remain usable.
  

  • Legitimate users must be able to access systems and services when needed.
  • Security mechanisms should protect against disruptions that prevent normal operation.

  The Security Actors: Alice, Bob, and Eve To explain security threats clearly, network security often uses three symbolic characters: Alice and Bob
  

  • Represent legitimate and trusted entities.
  • They may be real users, applications, network devices, or servers.
  • Their goal is to communicate securely and reliably.

  Examples include:
  

  • A user accessing an online banking service
  • Two routers exchanging routing information
  • A client communicating with a web server

  Eve
  

  • Represents the adversary or intruder.
  • Eve is not a specific person, but a model for any malicious entity attempting to interfere with communication.

  Common Attacks Performed by Eve Eve can attempt several types of attacks on the communication channel between Alice and Bob: Interception and Eavesdropping
  

  • Eve listens to the communication to obtain confidential information.
  • This violates confidentiality.

  Message Manipulation
  

  • Eve intercepts messages and modifies their contents.
  • She may delete messages or inject new, fake ones.
  • This breaks message integrity.

  Man-in-the-Middle (Hijacking)
  

  • Eve positions herself between Alice and Bob.
  • All communication passes through Eve without their knowledge.
  • Eve can read, modify, or redirect messages freely.

  Impersonation and Spoofing
  

  • Eve pretends to be Alice when communicating with Bob.
  • Bob believes the messages originate from Alice, even though they do not.
  • This undermines authentication.

  Denial of Service (DoS) Attacks
  

  • Eve overwhelms Bob with excessive requests.
  • Often combined with spoofing techniques.
  • Bob becomes unable to respond to legitimate requests from Alice.
  • This violates availability.

  Key Educational Takeaways
  

  • Network security exists to protect confidentiality, integrity, authentication, and availability
  • Legitimate communication must be protected from interception and manipulation
  • Attackers exploit weaknesses in trust, identity, and visibility
  • The Alice–Bob–Eve model provides a simple but powerful way to analyze security threats
  • Understanding attacker behavior is essential for designing effective defenses

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 04, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 7: The Art of Evasion: Detecting and Bypassing Security with Sysmon

  In this lesson, you’ll learn about:
  

  • The adversarial relationship between red teams and blue teams
  • Core evasion philosophies used during red team engagements
  • How host-based monitoring tools like Sysmon detect attacker behavior
  • Common indicators defenders rely on to identify malicious activity
  • Why understanding detection tools is essential for both attackers and defenders

  Overview This lesson explores the cybersecurity “cat and mouse game” between red teamers and blue teamers. It focuses on how attackers attempt to remain stealthy, while defenders deploy monitoring tools to detect abnormal behavior. The episode moves from evasion theory to a conceptual examination of Sysmon, a widely used Windows system monitoring utility, demonstrating how detection works—and how sophisticated attackers attempt to bypass it during authorized security assessments. The goal is not exploitation, but understanding limitations, detection gaps, and defensive improvements. 1. The Red Team Mindset: Evasion and Blending In A red teamer’s objective during an engagement is not chaos, but persistence without detection. Once detected, access is often lost, limiting the value of the assessment. Environmental Awareness Effective operators must understand:
  

  • What security controls are present
  • How those controls collect data
  • What behaviors are considered “normal” in the environment

  Evasion decisions are based on this awareness, not randomness. Primary Evasion Strategies 1. Disabling Defenses
  

  • A direct but noisy approach
  • Immediately disrupts security visibility
  • Often triggers alerts and manual investigation

  Risk: While effective short-term, it almost guarantees defender awareness. 2. Blending In
  

  • Mimicking legitimate user or system behavior
  • Using common protocols and expected execution patterns
  • Aligning malicious activity with typical system workflows

  Strength: Reduces behavioral anomalies that monitoring tools flag. 3. Targeting Unwatched Areas
  

  • Identifying security blind spots
  • Leveraging exclusions or limited logging scopes
  • Operating where visibility is weakest

  Reality: No monitoring solution observes everything equally. 2. The Blue Team Perspective: Detection with Sysmon What Sysmon Does Sysmon is a host-based monitoring tool that provides deep visibility into system activity, including:
  

  • Process creation events
  • Parent-child process relationships
  • Network connections
  • Registry modifications

  It does not block attacks—it records evidence. Common Indicators Defenders Look For During the demonstration, Sysmon reveals attacker behavior through patterns such as:
  

  • Unusual executables placed in sensitive system directories
  • Randomized file names that do not match known software
  • Suspicious process chains, where core system processes launch unexpected children
  • Outbound network activity from processes that normally should not communicate externally

  Detection relies less on a single event and more on correlation. 3. Counter-Evasion: Understanding the Limits of Monitoring Advanced red teamers study defensive tools not to destroy them, but to understand their coverage. Why This Matters Security tools:
  

  • Operate based on configuration
  • Have exclusions for performance and noise reduction
  • Can be misconfigured or incomplete

  By understanding what is logged versus what is ignored, operators can predict detection likelihood. Key Defensive Lesson Even when a monitoring tool appears active:
  

  • Logging may be incomplete
  • Visibility may be conditional
  • Drivers and data sources may be disabled independently

  This reinforces why defenders must:
  

  • Verify data integrity
  • Monitor monitoring tools themselves
  • Avoid assuming visibility equals coverage

  4. The Real Battle: Creativity and Understanding Neither red teams nor blue teams rely solely on tools.
  

  • Red teams rely on understanding system behavior
  • Blue teams rely on pattern recognition and context
  • Tools amplify skill—but do not replace it

  The effectiveness of both sides depends on:
  

  • Knowledge of operating systems
  • Awareness of tooling limitations
  • The ability to think beyond default assumptions

  Educational Analogy: Understanding Evasion Imagine a red teamer as a burglar testing a secured building:
  

  • Disabling defenses is cutting the power—effective, but instantly suspicious
  • Blending in is wearing staff clothing and acting normal
  • Using blind spots is entering where cameras don’t fully cover

  Security failures aren’t always due to broken locks—but to unwatched angles. Key Ethical Takeaways
  

  • Evasion techniques exist to test detection, not to evade accountability
  • Monitoring tools are powerful but not omniscient
  • Detection is about behavior, not signatures alone
  • Understanding attacker evasion improves defensive design
  • Ethical training focuses on awareness, validation, and improvement

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 03, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 6: Windows Persistence Strategies: Registry, Scheduled Tasks, Services, WMI

  In this lesson, you’ll learn about:
  

  • The purpose of persistence in red team operations
  • Common local Windows persistence mechanisms and how they function
  • Event-driven persistence using WMI
  • The difference between host-level and domain-level persistence
  • Why Kerberos Golden Tickets represent a critical enterprise risk

  Overview This lesson provides a comprehensive technical explanation of Windows persistence strategies, focusing on how attackers maintain long-term access after an initial compromise. Persistence is a post-exploitation objective that ensures access survives:
  

  • System reboots
  • User logouts
  • Password changes
  • Partial remediation efforts

  All techniques discussed are framed within authorized red team engagements, defensive awareness training, and detection engineering contexts. 1. Local System Persistence Techniques Local persistence mechanisms ensure continued execution of malicious code on a single compromised host. 1.1 Registry Run Keys Concept Windows supports registry keys that automatically launch applications when users log in. How It Works
  

  • A startup entry is added to a global registry location
  • The payload executes whenever any user logs in
  • The method survives reboots and user changes

  Why It’s Effective
  

  • Simple and reliable
  • Commonly abused by malware
  • Often overlooked during basic incident response

  Defensive Insight Security teams should monitor:
  

  • Startup registry locations
  • Unsigned or unusual binaries referenced by run keys

  1.2 Scheduled Tasks Concept Scheduled Tasks allow programs to execute automatically based on time or system conditions. How It Works
  

  • A background task is created to run repeatedly
  • Execution can be time-based or event-based
  • The task operates independently of user interaction

  Why It’s Effective
  

  • Blends in with legitimate administrative activity
  • Can execute frequently to re-establish access
  • Flexible timing and execution context

  Defensive Insight Blue teams should audit:
  

  • Newly created or modified tasks
  • Tasks executing from unusual directories

  1.3 Windows Services (SCM) Concept Windows services start automatically when the system boots and typically run with elevated privileges. How It Works
  

  • A service is configured to launch at startup
  • Execution occurs before user login
  • Often runs with SYSTEM-level permissions

  Why It’s Effective
  

  • Highly persistent
  • Very powerful privilege context
  • Survives reboots consistently

  Defensive Insight Detection should focus on:
  

  • New or modified services
  • Services running unsigned or unexpected executables

  1.4 WMI Event Subscriptions (Advanced Persistence) Concept Windows Management Instrumentation (WMI) supports event-driven automation, which can be abused for stealthy persistence. Architecture WMI persistence consists of three logical components:
  

  1. Event Filter – Watches for a specific system condition
  2. Consumer – Defines the action to perform
  3. Binding – Connects the event to the action

  Why It’s Effective
  

  • No visible startup entries
  • No scheduled tasks or services
  • Triggers only when specific events occur

  Defensive Insight This is one of the hardest techniques to detect. Monitoring requires:
  

  • WMI repository inspection
  • Event subscription auditing
  • Behavioral correlation

  2. Domain-Level Persistence: Golden Tickets Concept Golden Tickets exploit Kerberos authentication to provide permanent domain-wide access. How It Works (High-Level)
  

  • The Kerberos service account secret is compromised
  • A forged authentication ticket is created
  • The ticket grants Domain Admin privileges to any chosen identity

  Why This Is Critical
  

  • Access persists even if:
    • Passwords are reset
    • Accounts are disabled
    • Administrators are removed
  • The attacker can generate new valid credentials at will

  Impact This technique effectively gives an attacker:
  

  • Unlimited access to the domain
  • Full control over users, systems, and policies
  • A near-undetectable persistence mechanism if not monitored

  Defensive Insight Mitigation requires:
  

  • Rotating Kerberos service secrets
  • Monitoring authentication anomalies
  • Implementing strong domain hygiene and detection tooling

  Host vs Domain Persistence ComparisonPersistence TypeScopeRisk LevelRegistry / TasksSingle HostMediumServicesSingle HostHighWMI SubscriptionsSingle HostHigh (Stealthy)Golden TicketsEntire DomainCritical
  
  Why Persistence Matters in Red Teaming Persistence is not about destruction—it’s about testing resilience. Professional red teams use persistence to:
  

  • Measure detection and response maturity
  • Test cleanup effectiveness
  • Identify gaps in monitoring
  • Improve blue team readiness

  Every persistence mechanism must also include a clean removal path. Conceptual Analogy Think of persistence as hiding spare access keys:
  

  • Registry & Services → A key hidden where you check every day
  • Scheduled Tasks → A door that unlocks automatically on a timer
  • WMI Subscriptions → A smart sensor that opens the door only under specific conditions
  • Golden Tickets → Access to the locksmith’s master system that can mint new keys on demand

  Some keys affect one door. Others open the entire city. Key Educational Takeaways
  

  • Persistence is a post-exploitation objective, not an exploit
  • Simpler methods are more common, advanced methods are stealthier
  • Domain-level persistence is exponentially more dangerous
  • Detection is possible—but requires deep visibility
  • Ethical red team operations prioritize documentation and cleanup

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 02, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 5: Windows Lateral Movement: Manual Execution via WMIC, Scheduled Tasks

  In this lesson, you’ll learn about:
  

  • The purpose of manual lateral movement in red team operations
  • Why native Windows utilities are critical for stealth and reliability
  • Three core lateral movement methodologies used in authorized engagements
  • Privilege context differences between execution methods
  • How these techniques relate to common automated tools

  Overview This lesson delivers a technical deep dive into manual lateral movement within Windows domain environments. Lateral movement refers to the ability to pivot from one compromised system to another after obtaining elevated credentials—most commonly domain administrative access. Rather than relying on automated frameworks, this episode emphasizes manual techniques using native Windows functionality, which are:
  

  • Less noisy
  • More flexible
  • Harder to detect when used responsibly in controlled testing

  All techniques discussed assume explicit authorization, proper scoping, and a professional red team context. 1. Lateral Movement Using WMIC Concept WMIC (Windows Management Instrumentation Command) allows administrators to remotely interact with systems using the Windows Management Infrastructure. Methodology
  

  • The attacker targets a remote host by explicitly specifying it
  • Remote interaction is used to:
    • Validate access
    • Confirm file placement
    • Trigger execution of an existing payload

  Key Characteristics
  

  • Requires administrative privileges on the target
  • Execution occurs under the credential context of the initiating user
  • Commonly used for:
    • Quick pivots
    • Testing administrative access
    • Lightweight remote execution

  Operational Insight This method is simple and effective but does not automatically grant SYSTEM-level access. The resulting execution inherits the privileges of the domain admin account used. 2. Lateral Movement Using Scheduled Tasks Concept Windows Scheduled Tasks provide a powerful mechanism to execute actions on remote systems at defined times or conditions. Methodology
  

  • A payload is staged on the target system
  • A task is created remotely with:
    • A one-time execution
    • Immediate triggering behavior
    • Execution configured under a high-privilege account

  Key Characteristics
  

  • Can execute under NT AUTHORITY\SYSTEM
  • Allows privilege escalation beyond domain admin
  • The “run once” approach prevents repeated execution

  Operational Insight This technique is widely used in red team engagements because it:
  

  • Mimics legitimate administrative behavior
  • Blends into system management activity
  • Provides strong control over execution timing

  3. Lateral Movement Using Service Control Manager (SCM) Concept The Service Control Manager manages Windows services, which inherently run with elevated privileges. Methodology
  

  • A specially designed service-compatible executable is required
  • The payload is registered as a new service on the target
  • Starting the service triggers execution automatically

  Key Characteristics
  

  • Executes as SYSTEM by default
  • Explains the mechanics behind tools like PsExec
  • Requires careful payload preparation due to service constraints

  Operational Insight Because services are tightly integrated with Windows internals, this method is:
  

  • Extremely powerful
  • Highly privileged
  • More detectable if not carefully managed

  Professional red teamers use this method sparingly and responsibly. Privilege Context ComparisonMethodPrivilege LevelKey Use CaseWMICDomain AdminFast pivot, low complexityScheduled TasksSYSTEMPrivilege escalation, persistenceSCMSYSTEMService-based execution, tool emulation
  
  Why Manual Lateral Movement Matters Automated tools abstract these techniques, but defenders detect tools—not concepts. Understanding manual execution:
  

  • Improves adaptability
  • Enables stealthier operations
  • Allows red teamers to troubleshoot automated failures
  • Strengthens blue team detection engineering

  Conceptual Analogy Imagine having the master key to a secured facility:
  

  • WMIC is like using the internal intercom to instruct a specific room to start a task
  • Scheduled Tasks is like setting a high-priority automated instruction that executes instantly
  • SCM is like installing new maintenance equipment that always runs with full facility authority

  Each method achieves access—but with different levels of control and visibility. Key Educational Takeaways
  

  • Lateral movement depends on credentials, not exploits
  • Native Windows tools are powerful and flexible
  • Privilege context matters more than execution success
  • Manual techniques explain how automated tools work
  • Professional engagements require precision, restraint, and cleanup

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 01, 2026Course 16 - Red Team Ethical Hacking Beginner Course | Episode 4: Windows Post-Exploitation: Remote File Management and System Control

  In this lesson, you’ll learn about:
  

  • The role of post-exploitation in red team operations
  • Why redundancy is critical for operational reliability
  • Multiple ethical techniques for file handling, execution, and process control
  • Methods for controlled system impact and disruption
  • The importance of cleanup and reversibility in professional engagements

  Overview This lesson provides a technical demonstration of post-exploitation techniques used by red team professionals after initial access has been achieved. The focus is not on gaining access, but on maintaining control, executing actions reliably, and manipulating system behavior in a controlled and reversible manner. A central theme of this episode is redundancy. Professional red teamers must know multiple ways to perform the same task, ensuring mission success even if certain tools, permissions, or frameworks are unavailable. All techniques are presented in an ethical, authorized testing context, aligned with real-world red team operations and the MITRE ATT&CK framework. 1. File Transfer and Management Post-exploitation frequently requires moving tools, logs, or evidence between systems. Automated File Handling
  

  • Command and Control (C2) frameworks often provide built-in file operations such as:
    • Uploading payloads
    • Downloading collected data
    • Copying files across directories or systems

  These features simplify operations but should never be relied on exclusively. Manual File Transfer (Fallback Method)
  

  • When automated tools are unavailable, red teamers can rely on:
    • Temporary SMB shares hosted on their own system
    • Native Windows file copy functionality

  This approach reinforces the principle of tool independence, ensuring operations can continue using built-in system capabilities. 2. Local and Remote Process Termination Managing running processes is essential for:
  

  • Removing artifacts
  • Releasing locked files
  • Stopping unstable or suspicious processes
  • Cleaning up after execution

  Process Identification
  

  • Enumerating running processes to identify:
    • Process names
    • Associated Process IDs (PIDs)
    • Execution context

  Termination Techniques
  

  • Local process termination using native Windows utilities
  • Remote process termination against authorized targets
  • Alternative approaches using Windows management interfaces

  Redundancy ensures that if one method fails, another can be used to achieve the same goal. 3. Execution Methods Execution techniques allow red teamers to:
  

  • Launch payloads
  • Run administrative actions
  • Establish persistence
  • Test detection and response mechanisms

  Service-Based Execution
  

  • Creating and starting services remotely
  • Services often execute with elevated privileges
  • Commonly used to test privilege escalation and detection logic

  Scheduled Task Execution
  

  • Creating tasks that:
    • Run immediately
    • Execute on startup
    • Trigger at defined intervals
  • Often used for:
    • Persistence testing
    • Delayed execution scenarios

  Remote Process Creation
  

  • Leveraging system management interfaces to:
    • Execute files silently
    • Avoid interactive sessions
    • Test endpoint monitoring visibility

  4. System Impact: Shutdown, Reboot, and Logoff This section aligns closely with MITRE ATT&CK – Impact techniques, demonstrating how system availability can be influenced during authorized engagements. Standard System Control
  

  • Rebooting systems
  • Shutting down machines
  • Logging users off locally or remotely

  These actions are used to:
  

  • Test incident response workflows
  • Observe detection mechanisms
  • Evaluate business continuity controls

  Advanced Automation
  

  • Scripted actions to:
    • Force logoffs
    • Trigger shutdowns
    • Execute repeated system events

  Such techniques demonstrate how attackers could disrupt availability—but in red teaming, they are used only in controlled, pre-approved scenarios. Professional Responsibility and Cleanup A critical takeaway emphasized throughout this lesson is responsibility.
  

  • Every disruptive action must have:
    • A clear purpose
    • An approved scope
    • A documented rollback plan
  • Red teamers must always:
    • Remove persistence mechanisms
    • Restore system stability
    • Leave the environment as they found it

  Failure to clean up can cause real harm, which is unacceptable in professional security testing. Conceptual Analogy Think of post-exploitation as using the remote control of a smart building:
  

  • File transfer is like moving furniture between rooms
  • Killing a process is like turning off an appliance that’s in the way
  • Scheduled tasks are like programming lights or alarms
  • Reboots are equivalent to cutting power to test backup systems

  The goal is observation and validation, not destruction. Key Educational Takeaways
  

  • Post-exploitation is about control, not chaos
  • Redundancy ensures operational resilience
  • Native system tools are as important as advanced frameworks
  • Disruption must always be reversible
  • Cleanup is a professional obligation, not an option

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 31, 2025Course 16 - Red Team Ethical Hacking Beginner Course | Episode 3: Essential Windows Domain and Host Enumeration

  In this lesson, you’ll learn about:
  

  • The purpose and importance of network enumeration in red teaming
  • Windows Domain Enumeration techniques for situational awareness
  • Host Enumeration methods for analyzing a specific target system
  • How user sessions, services, and processes influence attack paths
  • Why continuous enumeration is critical in dynamic enterprise networks

  Overview This lesson provides a comprehensive guide to essential red team enumeration techniques used to gather intelligence within a Windows enterprise environment. Enumeration is a critical phase of any red team operation, as it allows security professionals to understand the structure, users, systems, and behavior of a network without relying on exploits. The lesson is divided into two main areas:
  

  1. Domain Enumeration – gathering network-wide intelligence
  2. Host Enumeration – collecting detailed information from a specific system

  Domain Enumeration Domain enumeration focuses on identifying high-level Active Directory information that helps red teamers understand how the environment is structured and where valuable targets exist. Identifying Domain Information
  

  • Discovering the current domain name (e.g., fun.com)
  • Identifying the Domain Controller (DC) and its IP address
  • Confirming domain role ownership and authentication authority

  Domain Policy and Infrastructure
  

  • Retrieving domain policies to understand:
    • Password requirements
    • Lockout thresholds
    • Security enforcement levels
  • Enumerating domain-joined computer hostnames

  User Session Enumeration One of the most critical objectives of domain enumeration is identifying logged-in users, since credentials and tokens may reside in memory. Techniques demonstrated include:
  

  • Listing users logged into all domain computers
  • Identifying privileged accounts logged into sensitive systems (e.g., administrators on the domain controller)
  • Detecting regular users logged into workstations
  • Narrowing enumeration to a specific target host to identify active sessions

  This information is highly time-sensitive, as logged-in users can change frequently. Host Enumeration Host enumeration focuses on gathering deep, system-level intelligence from a specific target machine once access has been obtained. Basic System Information
  

  • Hostname
  • Operating system version (e.g., Windows 10 Enterprise)
  • System architecture (x64 / x86)
  • Domain membership
  • Installed hotfixes and patch levels

  Current User Intelligence
  

  • Logged-in username
  • User Security Identifier (SID)
    • Important for advanced techniques such as ticket-based attacks
  • Group memberships
  • Assigned user privileges

  Local Privilege Analysis
  

  • Enumerating members of the local administrators group
  • Identifying misconfigurations or excessive privileges

  Service and Process Enumeration Understanding what is running on a system reveals potential attack surfaces and persistence opportunities. Services
  

  • Listing running services
  • Identifying startup services
  • Analyzing service state and startup mode
  • Detecting services running with elevated privileges

  Ports and Processes
  

  • Enumerating open and listening ports
  • Identifying processes bound to specific ports
  • Mapping processes to:
    • Process IDs
    • Executable names
    • Full file system paths

  This helps determine whether a service is custom, outdated, or potentially vulnerable. Application and File System Enumeration Installed Applications
  

  • Listing installed software (e.g., packet analyzers like Wireshark)
  • Identifying tools that may indicate:
    • Developer systems
    • Admin workstations
    • Security monitoring presence

  File System Analysis
  

  • Recursively searching the file system for files containing specific text
  • Locating files by name (e.g., flags or configuration files)
  • Identifying hidden files and directories

  These techniques help uncover credentials, scripts, backups, or sensitive data. Why Enumeration Is Critical
  

  • Network environments are dynamic
  • Logged-in users change constantly
  • Services may restart or move
  • New systems may appear or disappear

  Because of this, enumeration is not a one-time activity—it must be continuous throughout a red team operation. Key Educational Takeaways
  

  • Enumeration builds context, not exploits
  • Logged-in users often matter more than vulnerabilities
  • Privileges and services define real attack paths
  • Native system tools provide powerful visibility
  • Effective red teaming depends on accurate, up-to-date intelligence

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 30, 2025Course 16 - Red Team Ethical Hacking Beginner Course | Episode 2: Essential Command Line Administration: Linux, Windows, Account Management

  In this lesson, you’ll learn about:
  

  • Essential Linux command-line administration basics
  • Core Windows command-line networking and system commands
  • How to navigate, inspect, and manage files on both platforms
  • Practical Windows domain user and group management
  • Why command-line proficiency is critical for security professionals

  Overview This lesson provides a foundational overview of essential command-line administration techniques used in both Linux and Windows environments. These skills are fundamental for cybersecurity professionals, system administrators, and red team members, as many security operations rely on native command-line utilities rather than graphical interfaces. The lesson concludes with Windows domain account management, an important topic for understanding enterprise environments. Linux Administration Commands The first segment introduces commonly used Linux commands within Kali Linux, focusing on basic system interaction and networking awareness. File System and Directory Management
  

  • Navigating directories using cd
  • Listing directory contents using ls
  • Creating directories using mkdir
  • Creating files and writing content using echo
  • Viewing file contents using cat
  • Removing files using rm
  • Recursively listing directory contents using ls -r

  Networking and Interface Management
  

  • Viewing network interface information using:
    • ifconfig
    • ip a (modern replacement)
  • Viewing routing information using:
    • ip r
    • netstat -rn
  • Restarting networking services using:
    • service networking restart
  • Manually disabling and enabling interfaces using:
    • ifconfig eth0 down
    • ifconfig eth0 up

  Help and Documentation
  

  • Using the --help flag to view command options
  • Using the man command to read full manual pages and understand command parameters

  This section emphasizes learning how to explore command capabilities independently, a critical skill in real-world environments. Windows Administration Commands The second segment focuses on Windows command-line administration, helping students become comfortable working with Windows systems without relying on graphical tools. System and Network Information
  

  • hostname – displays the computer name
  • ping – checks network connectivity using ICMP packets
    • Demonstrated with the loopback address
    • Using -n to limit the number of packets
  • ipconfig /all – displays detailed network configuration
  • nslookup – resolves domain names to IP addresses
  • netstat -nao – shows active connections, listening ports, and process IDs
  • route print – displays the routing table
  • arp -a – shows IP-to-MAC address mappings

  File and Directory Management
  

  • Listing directory contents using dir
  • Navigating directories using cd
  • Creating files using echo
  • Viewing file contents using type

  Command Help and Error Handling
  

  • Using /? to display command usage and parameters
  • Using net help message to translate Windows error codes into readable messages

  This section highlights how attackers and defenders alike rely heavily on native Windows tools. Windows Domain Account Management The final segment introduces command-line management of users and groups in a Windows domain, a crucial concept in enterprise security environments. User and Group Enumeration
  

  • net user /domain
    • Checks user status
    • Identifies whether the account is active
    • Confirms group memberships (e.g., domain admin)
  • net users /domain
    • Lists all domain users
  • net group /domain
    • Lists all domain groups
  • net group /domain
    • Displays users belonging to a specific group

  Managing Domain Privileges
  

  • Adding a user to domain administrators:
    • net group domain admins /add /domain
  • Removing a user from domain administrators:
    • Using the /delete parameter
  • Activating a disabled domain account:
    • net user /active:yes /domain

  These commands demonstrate how domain permissions are controlled and why privileged access must be carefully protected. WMIC as an Alternative
  

  • wmic group list brief
  • wmic user account list brief

  WMIC provides a concise way to list users and groups and is often used for quick reconnaissance and administration. Key Educational Takeaways
  

  • Command-line tools exist on every system and are powerful by design
  • Many security operations depend on native utilities rather than exploits
  • Understanding system administration improves both offensive and defensive skills
  • Domain environments require careful privilege management
  • Strong visibility and auditing are essential to prevent misuse

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 29, 2025Course 16 - Red Team Ethical Hacking Beginner Course | Episode 1: Introduction to Red Teaming: Concepts, Tools, and Tactics

  In this lesson, you’ll learn about:
  

  • The purpose and mindset of red teaming in cybersecurity
  • The difference between red teams and blue teams
  • How the MITRE ATT&CK framework structures real-world attacks
  • Core Windows command-line environments used in security operations
  • The role of Command and Control (C2) frameworks in post-exploitation
  • Widely used red team and post-exploitation analysis tools
  • The concept behind payload handling and controlled demonstrations

  Introduction to Red Teaming This lesson provides a comprehensive introduction to red teaming, an adversarial security discipline where professionals simulate real-world attackers to evaluate and strengthen an organization’s defenses. Red teaming goes beyond simple vulnerability scanning and focuses on realistic attack scenarios, long-term access, and stealth. Red teaming is conducted ethically and legally within defined scopes to help organizations understand how attackers think, move, and persist inside networks. Red Team vs. Blue Team
  

  • Red Team
    • Simulates real attackers
    • Attempts to bypass defenses
    • Identifies weaknesses in people, processes, and technology
    • Requires creativity, research skills, and deep technical knowledge
  • Blue Team
    • Defends the organization
    • Monitors logs (firewalls, IDS, IPS, systems, networks)
    • Detects suspicious activity
    • Responds to and mitigates attacks

  The interaction between red and blue teams improves overall security posture through continuous testing and feedback. MITRE ATT&CK Framework The MITRE ATT&CK framework is a globally recognized knowledge base documenting adversary behavior based on real-world incidents. Key characteristics:
  

  • Organized into tactics (the attacker’s goal)
  • Techniques explain how goals are achieved
  • Procedures describe real attacks observed in the wild
  • Structured into 12 tactical columns, covering the full attack lifecycle

  Security teams use ATT&CK to:
  

  • Understand attacker behavior
  • Map defenses to known techniques
  • Improve detection and response strategies

  Essential Windows Command-Line Environments Red teamers and defenders must understand native Windows tools because attackers often abuse legitimate utilities. Command Prompt (CMD)
  

  • Traditional Windows command-line interpreter
  • Used for file management, networking, and basic administration
  • Supports batch scripting

  PowerShell
  

  • Advanced command-line and scripting environment
  • Uses powerful commandlets
  • Enables automation and deep system management
  • Supports aliases (e.g., ls) for ease of use

  WMIC (Windows Management Instrumentation Command Line)
  

  • Interface for interacting with WMI
  • Can query system information
  • Manage processes and configurations
  • Works locally or remotely

  Scheduled Tasks
  

  • Used to automate execution of programs or scripts
  • Can run tasks at specific times or events
  • Often abused for persistence

  Service Control Manager (SCM)
  

  • Managed via SC.exe
  • Controls Windows services
  • Can create, modify, start, and stop services
  • High-risk if abused due to elevated privileges

  Command and Control (C2) Frameworks C2 frameworks allow attackers—and red teamers in controlled exercises—to manage compromised systems remotely after initial access. Capabilities typically include:
  

  • Executing commands remotely
  • Data exfiltration
  • Keylogging and screen capture
  • Lateral movement automation

  Commonly referenced frameworks:
  

  • Cobalt Strike (commercial, widely used)
  • Covenant (free, .NET-based)
  • Empire (PowerShell-based, no longer maintained)

  Red teamers often modify default C2 behaviors to evade detection and avoid signature-based defenses such as IDS and IPS. Advanced Red Team and Post-Exploitation Tools PowerSploit
  

  • Collection of PowerShell modules
  • Covers enumeration, privilege escalation, persistence, and evasion
  • Includes tools like PowerUp

  PowerView
  

  • Focuses on Active Directory reconnaissance
  • Gathers information about users, groups, trusts, and permissions
  • Helps build situational awareness in domain environments

  BloodHound
  

  • Visualizes Active Directory relationships
  • Uses a graph database (Neo4j)
  • Identifies privilege escalation paths
  • Shows how a standard user could reach domain admin access

  Mimikatz
  

  • Known for credential extraction
  • Can retrieve password hashes and credentials from memory
  • Demonstrates weaknesses in credential handling
  • Emphasizes the importance of modern defensive controls

  Impacket
  

  • Python-based toolkit for network protocol interaction
  • Supports authentication attacks and remote execution techniques
  • Useful for understanding how Windows authentication can be abused

  Metasploit Payload Handling (Conceptual Demonstration) The episode concludes with a controlled demonstration explaining how red teamers:
  

  • Configure listeners
  • Generate payloads for testing purposes
  • Establish sessions on target systems within legal scopes

  This section is intended to help students understand post-exploitation workflows, not to encourage misuse. Emphasis is placed on lab environments and authorization. Key Ethical and Defensive Takeaways
  

  • Red teaming exists to improve security, not harm systems
  • Many attacks abuse legitimate system tools rather than exploits
  • Understanding attacker techniques strengthens defense strategies
  • Frameworks like MITRE ATT&CK bridge offense and defense
  • Visibility, logging, and behavior-based detection are critical

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 28, 2025Course 15 - Write an Android Trojan from scratch | Episode 4: Implementing an Android Reverse Shell using Java Native APIs (without Netcat)

  In this lesson, you’ll learn about:
  

  • How Android malware can achieve remote control without external binaries
  • The security risks of native Java networking and execution APIs
  • Behavioral patterns of reverse-connection Trojans on mobile devices
  • Why “living off the land” techniques are effective for malware
  • How defenders detect Java-based reverse shells on Android
  • Practical security lessons for Android developers and analysts

  Overview: Reverse Shells Using Native Android APIs (Defensive Perspective) This lesson examines, from a malware analysis and defensive standpoint, how an Android Trojan can establish a reverse remote shell using only built-in Java and Android APIs, without embedding third-party tools. By avoiding external binaries, this technique significantly increases stealth and bypasses many signature-based detection mechanisms, making it an important case study for mobile security professionals. Stage 1: Outbound Connection Establishment Instead of exposing a service on the victim device, the malicious app initiates an outbound network connection to a remote system controlled by the attacker. Security implications:
  

  • Outbound connections are typically permitted by firewalls
  • No inbound ports need to be opened on the victim
  • The attack works even behind NAT or restricted networks

  Defensive indicators:
  

  • Persistent outbound socket connections from non-networking apps
  • Immediate network activity upon application launch
  • Hard-coded remote endpoints inside the application

  Stage 2: Command Channel Over Standard I/O Streams Once connected, malware often sets up a command-and-response channel using standard input/output abstractions. From an attacker’s perspective:
  

  • Commands are received as plain text
  • Output is sent back over the same connection
  • No specialized protocols are required

  From a defender’s perspective:
  

  • Long-lived bidirectional socket sessions are suspicious
  • Repeated small text-based data exchanges resemble C2 behavior
  • Mobile apps rarely need interactive command channels

  Stage 3: Abusing Runtime Command Execution The core risk demonstrated in this episode is the abuse of runtime execution APIs to run system-level commands. Key security insight:
  

  • These APIs are legitimate and widely available
  • They are intended for controlled system interactions
  • Malware repurposes them for arbitrary command execution

  Detection considerations:
  

  • Runtime execution combined with network input is a major red flag
  • Command execution triggered by remote input indicates full compromise
  • Sandboxing limits damage, but data exposure remains severe

  Stage 4: Output Capture and Exfiltration After execution, malware captures the command output and transmits it back to the remote controller. Why this is dangerous:
  

  • Allows reconnaissance of the device
  • Enables data harvesting
  • Confirms execution success to the attacker

  Defensive signals:
  

  • Reading process output programmatically
  • Immediate transmission of collected data
  • Tight execution → capture → send loops

  Why This Technique Is Especially Dangerous This approach demonstrates a “living off the land” strategy:
  

  • No third-party binaries
  • No exploits required
  • Only standard APIs are used

  As a result:
  

  • Signature-based antivirus tools struggle
  • Detection relies on behavioral analysis
  • Permissions and runtime behavior become critical

  Defensive Takeaways
  

  • Native APIs can be as dangerous as exploits when misused
  • Network + runtime execution = high-risk behavior
  • Reverse connections are preferred for stealth and reliability
  • Permissions alone are not enough — behavior matters
  • Endpoint monitoring and runtime analysis are essential

  Secure Development Lessons For Android developers:
  

  • Avoid runtime command execution unless absolutely necessary
  • Validate and restrict all network-driven input
  • Follow the principle of least privilege
  • Monitor for unexpected outbound connections

  For security teams:
  

  • Correlate execution, threading, and networking behaviors
  • Inspect long-lived socket connections
  • Flag apps that mix remote input with command execution

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 27, 2025Course 15 - Write an Android Trojan from scratch | Episode 3: Building a Reverse Connection Trojan: Programmatic Netcat Execution

  In this lesson, you’ll learn about:
  

  • How Android malware finalizes execution workflows (conceptually)
  • Why file permissions are a critical security control on Android
  • How malicious apps abuse legitimate Java APIs for command execution
  • The importance of threading and permissions in Android security
  • Network-based indicators of reverse-connection malware
  • How defenders detect and stop reverse-shell behavior on mobile devices

  Overview: Finalizing a Reverse-Connection Trojan (Defensive Perspective) This lesson analyzes, from a defensive and analytical standpoint, the final stage commonly seen in Android Trojans that aim to establish remote control over an infected device. The focus is on understanding what happens, why it works, and how it can be detected and prevented. At this stage, the malicious application has already embedded and relocated an external executable into its private storage. The remaining steps revolve around preparing, executing, and network-enabling that component. Stage 1: File Permission Abuse Android enforces strict execution rules for files stored within an application’s sandbox. From an attacker’s perspective:
  

  • A file copied into private storage is not executable by default
  • Execution requires changing file permission attributes
  • This is often done using legitimate system APIs intended for benign use

  From a defender’s perspective:
  

  • Programmatic permission changes on binary files are a strong malware indicator
  • Legitimate apps rarely modify executable permissions at runtime
  • Security tools monitor these behaviors closely

  This stage highlights how attackers abuse allowed system functionality, rather than exploiting a vulnerability. Stage 2: Execution via Java Runtime Interfaces Instead of exploiting the system directly, many Android Trojans rely on:
  

  • Built-in Java runtime execution mechanisms
  • Command invocation from within the app process
  • Background execution to avoid UI freezes or user suspicion

  Defensive insight:
  

  • Runtime command execution from mobile apps is uncommon in legitimate software
  • When combined with binary execution, it significantly increases risk scoring
  • Thread-based execution can help malware evade basic behavioral analysis

  Stage 3: Reverse Network Connections Rather than waiting for an incoming connection, modern mobile malware prefers reverse connections, where the infected device initiates outbound communication. Why this is effective:
  

  • Outbound connections are often allowed by firewalls
  • The attacker does not need to know the victim’s network details
  • The connection can be automated and silent

  For defenders:
  

  • Unexpected outbound connections from user apps are highly suspicious
  • Persistent or immediate connections after app launch are red flags
  • Endpoint detection tools correlate execution + network activity

  The Role of Android Permissions Android’s permission model is a critical defensive layer. Key takeaway:
  

  • Even malicious code cannot access the network without explicit permission
  • Malware frequently fails until required permissions are granted
  • Reviewing requested permissions is one of the simplest detection methods

  From a security standpoint:
  

  • Apps requesting network access without clear justification deserve scrutiny
  • Permission abuse is a primary indicator in mobile malware analysis

  Why This Stage Is Critical for Detection The final execution phase is where:
  

  • Malicious intent becomes observable
  • Network indicators appear
  • Behavioral detection becomes effective

  Security teams monitor for:
  

  • Executable permission changes
  • Runtime command execution
  • Background threads performing network activity
  • Shell-like behavior patterns
  • Immediate post-install execution

  Key Defensive Takeaways
  

  • Android malware often completes execution without exploiting vulnerabilities
  • Permission misuse is central to mobile Trojan success
  • Reverse connections are preferred for reliability and stealth
  • Runtime execution APIs are frequently abused
  • Network monitoring is essential for mobile threat detection

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---