Live Workshop: Attack and Defense: Remote Thread Injection and Detection (Recorded)


Author

Uriel Kosayev
Uriel Kosayev is a cybersecurity researcher, reverse engineer, and author of MAoS and Antivirus Bypass Techniques. He’s led real-world red team ops, malware investigations, and incident response cases. As the founder of TrainSec Academy, he teaches professionals to think like attackers and defend with precision. His training is practical, focused, and based on real threats, not theory.

We hope your studies are going well! We’re excited to share the recorded workshop on Remote Thread Injection and EDR-based detection that took place on January 14. In this session, Uriel and Pavel from TrainSec walked through both the attacker perspective (injecting malicious code into a running process) and the defender perspective (writing a kernel driver to detect remote thread creation).


Why This Matters for Your Studies

Understanding both the offensive and defensive sides of code injection is crucial in cybersecurity roles. By watching this workshop:

  • You’ll see hands-on examples of how malware developers hide code in legitimate processes.
  • You’ll learn how defenders write kernel-level drivers to catch these attacks in real time.
  • You’ll add practical knowledge to your TrainSec coursework, strengthening your skills in malware research, reverse engineering, and EDR design.

Workshop Recordings

Below, you will find the two-part video recordings. We’ve split them for easy viewing. Feel free to watch them at your own pace.

Part 1

Part 2


Workshop Highlights

  1. Remote Thread Injection Basics
    • Demonstration of injecting a simple “Hello World” shellcode into Notepad using CreateRemoteThread.
    • Explanation of how attackers allocate memory and write malicious content into a running process.
  2. Practical Coding Examples
    • Uriel showed step-by-step code in Visual Studio.
    • He walked through API calls like OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
  3. EDR (Endpoint Detection & Response) Perspective
    • Pavel demonstrated how a kernel driver can detect new remote threads.
    • Showed how EDRs hook into process and thread creation events at the kernel level.
    • Highlighted the difference between a genuine remote thread and the first thread of a newly created process.
  4. Live Debugging
    • Used Process Explorer, IDA, and DebugView to see how injected code executes and how a kernel driver logs suspicious behavior.
  5. Q&A and Tips
    • Emphasis on understanding Windows internals, system calls, and the importance of strong foundations in C/C++.
    • Encouragement to “learn by doing” through real coding and experimentation.
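The distinction in highlight 3 is the core of the kernel-side detection: a thread-creation callback sees which process owns the new thread and, from the calling context, which process created it; a mismatch is a remote thread, except that the very first thread of a freshly created process is legitimately started by its parent. The following C program is an added example (not the workshop's or TrainSec's code) that models that decision in user mode so it can be run offline. The event struct, the process table and all PIDs are constructed; PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutineEx and PsGetCurrentProcessId are the real kernel APIs a driver would obtain this data from, but the code below does not call them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of what a thread-creation callback learns. A real driver
 * registered with PsSetCreateThreadNotifyRoutine receives (ProcessId, ThreadId,
 * Create) and reads the creator with PsGetCurrentProcessId(), because the
 * callback runs in the context of the thread that asked for the new thread. */
typedef struct {
    uint32_t creator_pid;  /* process in whose context the thread was created */
    uint32_t target_pid;   /* process that owns the new thread */
    uint32_t thread_id;
} thread_event_t;

typedef enum {
    LOCAL_THREAD,                 /* creator == owner: ordinary CreateThread */
    FIRST_THREAD_OF_NEW_PROCESS,  /* parent starting a child's initial thread */
    REMOTE_THREAD                 /* creator != owner and owner already runs */
} verdict_t;

/* Minimal per-process state (constructed). A driver would fill this from
 * PsSetCreateProcessNotifyRoutineEx and clear entries on process exit. */
#define MAX_TRACKED 64
typedef struct { uint32_t pid; uint32_t threads_seen; bool in_use; } proc_entry_t;
typedef struct { proc_entry_t entries[MAX_TRACKED]; } proc_table_t;

static proc_entry_t *table_find(proc_table_t *t, uint32_t pid) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (t->entries[i].in_use && t->entries[i].pid == pid) return &t->entries[i];
    return NULL;
}

static proc_entry_t *table_add(proc_table_t *t, uint32_t pid) {
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (!t->entries[i].in_use) {
            t->entries[i] = (proc_entry_t){ .pid = pid, .threads_seen = 0, .in_use = true };
            return &t->entries[i];
        }
    }
    return NULL;  /* table full */
}

/* Process-exit notification: forget the PID, so a reused PID is not taken for
 * a still-running process (which would flag a new process's first thread). */
void on_process_exit(proc_table_t *t, uint32_t pid) {
    proc_entry_t *p = table_find(t, pid);
    if (p) p->in_use = false;
}

/* The decision made for every thread-creation event. */
verdict_t classify_thread_event(proc_table_t *t, const thread_event_t *ev) {
    proc_entry_t *p = table_find(t, ev->target_pid);
    if (!p) p = table_add(t, ev->target_pid);
    uint32_t prior = p ? p->threads_seen : 1;  /* if untracked, assume it already ran */
    if (p) p->threads_seen++;

    if (ev->creator_pid == ev->target_pid) return LOCAL_THREAD;
    if (prior == 0) return FIRST_THREAD_OF_NEW_PROCESS;
    return REMOTE_THREAD;
}

static const char *verdict_name(verdict_t v) {
    switch (v) {
    case LOCAL_THREAD:                return "local thread";
    case FIRST_THREAD_OF_NEW_PROCESS: return "first thread of new process";
    default:                          return "REMOTE THREAD (suspicious)";
    }
}

/* Constructed sequence: a shell (pid 400) starts notepad (pid 1234), notepad
 * spawns its own worker thread, then an unrelated process (pid 5678) creates a
 * thread inside notepad. Returns how many events were classified as remote. */
int run_constructed_sequence(void) {
    static const thread_event_t events[] = {
        { 400,  1234, 9001 },
        { 1234, 1234, 9002 },
        { 5678, 1234, 9003 },
    };
    proc_table_t table = {0};
    int remote = 0;
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        verdict_t v = classify_thread_event(&table, &events[i]);
        printf("creator=%u target=%u tid=%u -> %s\n", events[i].creator_pid,
               events[i].target_pid, events[i].thread_id, verdict_name(v));
        if (v == REMOTE_THREAD) remote++;
    }
    return remote;
}

int main(void) {
    return run_constructed_sequence() == 1 ? 0 : 1;
}
```

Only the third event is reported, which is the log line the workshop's DebugView session corresponds to. Counting prior threads is the simplest form of the first-thread exclusion; a stricter variant records the parent PID in the process-creation callback and accepts the initial thread only when the creator is that parent, which also closes the gap where an injector races the parent during process start-up.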

If you have any questions or want to dive deeper into the code, feel free to post in the TrainSec community forums or reach out to us. We love hearing your thoughts and helping you apply these insights in your projects!

This material is also taught in our Windows Security Researcher learning path.

Windows Security Researcher Badge

$1408

$1128 or $113 X 10 payments

Windows Security Researcher

Provides the necessary knowledge, understanding, and tools to be a successful Windows OS researcher.

