Live Workshop: Attack and Defense: Remote Thread Injection and Detection (Recorded)

Author

Uriel Kosayev
Uriel Kosayev is a cybersecurity researcher and red teamer who lives on both the offensive and defensive fronts. He is the author of the “Antivirus Bypass Techniques” book and an expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response.

We hope your studies are going well! We’re excited to share the recorded workshop on Remote Thread Injection and EDR-based detection that took place on January 14. In this session, Uriel and Pavel from TrainSec walked through both the attacker perspective (injecting malicious code into a running process) and the defender perspective (writing a kernel driver to detect remote thread creation).


Why This Matters for Your Studies

Understanding both the offensive and defensive sides of code injection is crucial in cybersecurity roles. By watching this workshop:

  • You’ll see hands-on examples of how malware developers hide code in legitimate processes.
  • You’ll learn how defenders write kernel-level drivers to catch these attacks in real time.
  • You’ll add practical knowledge to your TrainSec coursework, strengthening your skills in malware research, reverse engineering, and EDR design.

Workshop Recordings

Below, you will find the two-part video recordings. We’ve split them for easy viewing. Feel free to watch them at your own pace.

Part 1

Part 2


Workshop Highlights

  1. Remote Thread Injection Basics
    • Demonstration of injecting a simple “Hello World” shellcode into Notepad using CreateRemoteThread.
    • Explanation of how attackers allocate memory and write malicious content into a running process.
  2. Practical Coding Examples
    • Uriel showed step-by-step code in Visual Studio.
    • He walked through API calls like OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
  3. EDR (Endpoint Detection & Response) Perspective
    • Pavel demonstrated how a kernel driver can detect new remote threads.
    • Showed how EDRs hook into process and thread creation events at the kernel level.
    • Highlighted the difference between a genuine remote thread and the first thread of a newly created process.
  4. Live Debugging
    • Used Process Explorer, IDA, and DebugView to see how injected code executes and how a kernel driver logs suspicious behavior.
  5. Q&A and Tips
    • Emphasis on understanding Windows internals, system calls, and the importance of strong foundations in C/C++.
    • Encouragement to “learn by doing” through real coding and experimentation.
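The distinction Pavel highlighted in item 3, as an added example that is not the workshop's driver code: a user-mode C model of the verdict a kernel thread-creation callback would return for a local thread, the first thread of a freshly created process, and a thread created from another process. It assumes the two notification routines named in the header comment and uses constructed PIDs; in a real driver the callback runs in the creating process's context, so `creator_pid` would come from PsGetCurrentProcessId().

```c
/* Added example, not the workshop's own driver: a user-mode model of the verdict
 * a thread-creation callback makes. In a real driver the events arrive through
 * PsSetCreateProcessNotifyRoutineEx / PsSetCreateThreadNotifyRoutine and the
 * creator PID is PsGetCurrentProcessId(); here every event is constructed. */
#include <stdio.h>
#define MAX_TRACKED 64
typedef enum { VERDICT_LOCAL, VERDICT_INITIAL_THREAD, VERDICT_REMOTE } Verdict;

/* New processes whose first thread has not been seen yet. */
static unsigned long g_awaiting_first[MAX_TRACKED];
static size_t g_awaiting_count;

/* Process-create notification: remember the PID until its first thread appears. */
void on_process_create(unsigned long pid)
{
    if (g_awaiting_count < MAX_TRACKED)
        g_awaiting_first[g_awaiting_count++] = pid;
}

/* Returns 1 (and forgets the PID) if this is the first thread of a tracked process. */
static int consume_first_thread(unsigned long pid)
{
    for (size_t i = 0; i < g_awaiting_count; i++)
        if (g_awaiting_first[i] == pid) {
            g_awaiting_first[i] = g_awaiting_first[--g_awaiting_count];
            return 1;
        }
    return 0;
}

/* Thread-create notification. creator_pid: the process in whose context the
 * callback runs; target_pid: the process the new thread belongs to. */
Verdict on_thread_create(unsigned long creator_pid, unsigned long target_pid)
{
    if (creator_pid == target_pid)
        return VERDICT_LOCAL;          /* CreateThread inside its own process */
    if (consume_first_thread(target_pid))
        return VERDICT_INITIAL_THREAD; /* parent starting the child's first thread */
    return VERDICT_REMOTE;             /* a thread created from another process */
}

int main(void)
{
    /* Constructed sequence: 1000 launches 2000, 2000 spawns a worker, 3000 creates a thread in 2000. */
    on_process_create(2000);
    printf("%d\n", on_thread_create(1000, 2000));
    printf("%d\n", on_thread_create(2000, 2000));
    printf("%d\n", on_thread_create(3000, 2000));
    return 0;
}
```

Only the first cross-process thread of a tracked new process is treated as benign; every later thread created into it from elsewhere is reported as remote, which is the signal the driver in the workshop logs to DebugView.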

If you have any questions or want to dive deeper into the code, feel free to post in the TrainSec community forums or reach out to us. We love hearing your thoughts and helping you apply these insights in your projects!

This material is also taught in our Windows Security Researcher learning path.

