Course description

PURPLE TEAM LAB OFFICIAL COURSEWARE

"You can't build a real defense until you've walked through a real attack." By Antonio

⚠️ READ THIS FIRST ⚠️

This is real attack emulation—not a simulation. Your safety and legal protection start here.

Before you proceed, you must complete these steps:

  1. Build your isolated lab environment – Two Windows VMs with Host-Only networking. No internet during the lab. Payloads must never touch your real network or ISP.
    Free video available: Watch the step-by-step lab setup tutorial (no login required) to ensure we are all on the same page. Click here to watch: How to Build a Controlled Lab for This Course
    ⚠️ AWARENESS: The AI-Generated Photo Threat (2026)
    We live in an era where AI image generation tools — including Midjourney, Stable Diffusion, DALL-E, and Sora — can produce photorealistic images of lab environments, running virtual machines, and physical setups that are visually indistinguishable from real ones. A participant could submit a convincing fake lab photo without ever setting up a single VM. We take academic integrity seriously. To protect the value of this course, your certificate, and your professional reputation, we have replaced static photo submission with a Multi-Layer Verification Protocol that AI cannot fake.

    ✅ REQUIRED: Multi-Layer Lab Verification Submission
    You must submit ALL of the following to rekcahacademy@gmail.com before course access is granted:
    • ① Timestamped Physical Photo: Take a photo of your physical setup (laptop/PC screen showing both VMs running) with a handwritten note placed visibly in the frame containing: Your full name, Today's date, The text: "REKCAH ACADEMY — Purple Team Lab". Why: Handwritten elements with specific text are extremely difficult for AI image generators to produce accurately.
    • ② VM Manager Interface Screenshot: Take a screenshot of your VirtualBox or VMware application window showing both VMs listed by name with status "Running" visible. Why: This is taken from inside your actual virtualization software — it cannot be externally generated.
    • ③ Host-Only Network Configuration Screenshot: Inside each VM, open Network and Sharing Center → Change Adapter Settings (or run ipconfig /all in CMD) and take a screenshot showing the Host-Only adapter with its assigned IP address (e.g., 192.168.56.x range). Why: This is live system-generated data tied to your actual VM network configuration. It cannot be accurately fabricated.
    • ④ PowerShell/CMD Verification Output Screenshot: Open PowerShell or Command Prompt inside each VM and run: ipconfig /all. Screenshot the full output showing the Host-Only IP address and adapter name on both machines. Why: Live terminal output with system-specific hostname, adapter identifiers, and IP data is forensically verifiable.
    • ⑤ Optional but Strongly Recommended: 15–30 Second Screen Recording: Record a short screen recording (OBS, Xbox Game Bar, or any screen recorder) showing you switching between both running VMs with the VirtualBox/VMware interface visible. Why: A real-time recording demonstrating VM interaction is the highest-confidence verification method and is essentially impossible to fake convincingly with current AI tools.
  2. Sign and return the Participant Acknowledgment Form – Download the Participant Acknowledgment Form (PDF), print it, sign in blue pen, and send a clear photo or scan to rekcahacademy@gmail.com.

Updated Submission Checklist:

✔ Signed Participant Acknowledgment Form (blue ink) — Download here
✔ Timestamped physical photo with handwritten name/date card
✔ VM Manager screenshot showing both VMs in "Running" state
✔ Host-Only network adapter screenshot (from inside each VM)
✔ ipconfig /all CMD/PowerShell output from both VMs
✔ (Optional) 15–30 second screen recording of live VM session
Email all to: rekcahacademy@gmail.com

No course access will be granted until all required items above are verified. This process protects YOU legally, academically, and professionally.

Course Overview: Purple Team Lab File Masquerading and RAT Emulation

PURPLE TEAM: MASTER BOTH WORLDS

Purple Team is the fusion of Red Team (Attack) and Blue Team (Defense). This course delivers both perspectives, empowering you to think like an attacker while building defender-level detection skills.

Red Team

Attack simulation, payload creation, stealth techniques, covert access

Blue Team

Network analysis, process auditing, forensic inspection, threat detection

Purple Team

Both worlds combined: stronger defense through attack understanding

WINDOWS NATIVE: NO KALI LINUX REQUIRED

This course is built entirely on Windows 11 Pro 25H2 using native tools: PowerShell, Python, and custom-built scripts. No Linux virtual machine or Kali Linux needed. All tools used in this course are crafted by the author from the ground up, giving you full control over the attack and defense simulation in a completely controlled lab environment. You learn exactly how the techniques work without relying on third-party tools.

Document Title: RTL-DOC-300-v1.0: Purple Team Lab - File Masquerading, Steganography and Remote Access Trojan RAT Emulation

Author: Antonio June Vevia Jr., Cybersecurity Instructor

Version: 1.0

Platform: Windows 11 Pro 25H2 | PowerShell | Python | Author-Crafted Tools

Classification: PURPLE TEAM TRAINING: ATTACK AND DEFENSE

This is a comprehensive, hands-on training module designed for cybersecurity professionals who want to master one of the most deceptive attack vectors in the modern threat landscape: payload delivery via file masquerading. This course goes beyond theory, providing a structured, lab-based environment where students learn both Red Team attack techniques and Blue Team detection strategies, the essence of Purple Team training.

The course meticulously guides participants through the entire lifecycle of a file masquerading attack, from creating a malicious payload to establishing covert remote access, while simultaneously teaching the forensic detection skills needed to identify and stop such threats. All exercises are performed using Windows 11 Pro 25H2 with PowerShell, Python, and custom tools built by the instructor, giving you complete visibility and control over every step.

What Students Will Gain: Both Red and Blue Skills

RED TEAM Attack Skills

Students will learn to think like an adversary and simulate real-world attacks:

  • Master Payload Masquerading Mechanics: Understand how attackers use file binders, Self-Extracting Archives (SFX), and icon spoofing to disguise malicious executables as harmless files like images.
  • Build Functional Offensive Tools: Create a PowerShell Reverse Shell payload from scratch and compile it into an executable, simulating a real-world Remote Access Trojan (RAT).
  • Execute a Complete Attack Simulation: Follow a step-by-step process to bind a payload to a legitimate image, spoof its file extension and icon, and deliver it via a simulated social engineering scenario.
  • Establish Covert Remote Access: Use the payload to establish a reverse shell connection and leverage Windows administrative shares (C$ share) for silent, remote file system access.

BLUE TEAM Defense Skills

Students will learn to detect, analyze, and respond to active compromises:

  • Network Analysis: Use netstat to identify suspicious established connections on critical ports.
  • Process Auditing: Use Process Hacker and Sysinternals tools to spot anomalous process trees, such as an image viewer spawning PowerShell.
  • Forensic Inspection: Enable file extension display in Windows Explorer to reveal the true nature of masqueraded files.
  • Implement Mandatory Cleanup: Execute proper post-engagement cleanup to remove all payloads and artifacts, a critical real-world skill.
Legal, Ethical & Professional Standards — 2026 Edition

① Clarification on RAT Emulation — Non-Weaponized by Design

All offensive tools created in this course — including the PowerShell Reverse Shell — are non-weaponized, purpose-built training scripts crafted by the instructor from scratch. They are engineered exclusively for operation within the isolated lab environment and do not connect to any external Command & Control (C2) infrastructure, remote server, or internet-facing endpoint. These tools cease to function the moment they leave the controlled lab boundary. This course does not produce production-grade malware. Any misuse outside the lab constitutes a criminal act under applicable law.

② Windows Defender & Antivirus Guidance for Lab Use

Windows 11 Pro 25H2 ships with Microsoft Defender Antivirus and Microsoft Defender for Endpoint (MDE), which will actively detect and quarantine the PowerShell Reverse Shell and SFX payloads used in this lab — even within an isolated VM. This is expected and normal behavior. Participants are guided within the course to temporarily disable Windows Defender on the lab VMs only, for the duration of the exercise. Re-enabling Defender and running a full scan is a mandatory step in the cleanup phase (Phase 6). Never disable antivirus on any production, corporate, or internet-connected machine under any circumstances.

③ Absolute Prohibition on Use Outside the Lab

The techniques taught in this course — including payload creation, reverse shell deployment, file masquerading, and SMB share access — must never be executed on any system, network, or device outside your personally owned, isolated lab environment. This explicitly includes: home routers, ISP-connected networks, corporate or organizational networks, cloud instances, shared hosting environments, and any device belonging to another person or entity. Doing so constitutes a criminal offense under:

  • Oman Cybercrime Law — Royal Decree No. 12/2011 (unauthorized access, malware deployment, remote infiltration)
  • Oman Personal Data Protection Law — Royal Decree No. 6/2022
  • Telecom Regulatory Authority (TRA) of Oman regulations
  • Computer Fraud and Abuse Act — CFAA (USA)
  • Computer Misuse Act 1990 (UK)
  • UAE Federal Cybercrime Law — Federal Decree-Law No. 34 of 2021 (applicable to GCC participants)
  • NCA Cybersecurity Framework (Saudi Arabia) (applicable to KSA participants)

Potential consequences include criminal prosecution, imprisonment, civil liability, professional certification revocation, and a permanent criminal record.

④ Professional Documentation & 2026 Compliance Standards

Participants are trained to document lab findings using a structured report format aligned with ISO/IEC 27001:2022 information security management standards and the MITRE ATT&CK Framework (v15, 2025). The course maps all attack and defense exercises to current ATT&CK technique IDs: T1036 (Masquerading), T1059.001 (PowerShell), T1021.002 (SMB/Admin Shares), and T1566 (Phishing/Delivery). Professional documentation is not optional — it is a mandatory deliverable that transforms your lab exercise into a portfolio-ready artifact valued by SOC teams, penetration testing firms, and cybersecurity hiring managers across the GCC and globally.

Why the Original Document is an Essential Investment

The knowledge you have accessed is a preview. The complete, original document authored by Antonio June Vevia Jr. is a meticulously crafted training asset that provides the full, uninterrupted value of this Purple Team learning experience.

Here is what you will get in the full original document that makes it an indispensable resource:

  • Complete, Step-by-Step Instructions: Full detailed walkthroughs for every phase, including precise commands, configuration screenshots, and exact syntax. No guesswork.
  • High-Fidelity Screenshots and Visual Guides: Critical visuals for WinRAR SFX setup, icon spoofing, netstat detection, and process tree analysis. See exactly what success looks like.
  • A Complete Troubleshooting Guide: Comprehensive table of common issues and precise solutions. Saves hours of frustration.
  • A Formal Assessment Rubric and Test Case Matrix: TC-001 to TC-011 objectives and rubric to gauge your proficiency level. Transforms the lab into a quantifiable skill-building session.
  • All Required Forms and Templates: Participant Acknowledgment Form, Approval and Signatures sections. Practical documentation for real-world authorized testing.
  • In-Depth Legal Framework and Compliance Checklist: Detailed table of applicable laws, Oman-specific legal considerations, and compliance checklist. Learn professional responsibilities.
  • A Certificate of Completion: Formal certificate to validate your skills and dedication to professional development.

Applicable Cyber Laws and Disclaimers

This training is governed by a strict legal and ethical framework. All students must acknowledge and agree to the following:

  • Unauthorized use may violate: Computer Fraud and Abuse Act (CFAA - USA), GDPR (EU), Computer Misuse Act 1990 (UK), Cybercrime Prevention Act (Philippines), and Oman Cybercrime Law.
  • Potential Consequences: Criminal prosecution, imprisonment, civil lawsuits, professional certification revocation, employment termination, and a permanent criminal record.
  • Core Agreements: You will only test against systems you own or have explicit written authorization for. You will delete all payloads and lab artifacts immediately after the exercise. This training does not grant legal immunity.

Oman-Specific Legal Considerations: Participants in Oman must be aware that unauthorized access, malware deployment, and remote access without authorization are criminal offenses under Royal Decree No. 12/2011, punishable by imprisonment and fines. All activities must also comply with the Personal Data Protection Law and Telecom Regulatory Authority (TRA) regulations.

COMPLETE PURPLE TEAM DOCUMENTATION

LAB Manual and Certificate

Available only to students who have completed the course requirements

OMR 35

Original Document with PPT (PDF)

Personalized with your name • Licensed for individual use

OMR 20

Certificate (PDF)

High-quality image • Signed by instructor • Delivered to your Inbox

OMR 50

Bundle: PDF + Certificate

Complete your portfolio with both

The original document is watermarked with your name and licensed for personal use only. Redistribution is prohibited.

Course Preview

EARN YOUR DIGITAL CERTIFICATE

Upon completion of this course and successfully passing all quizzes, you can avail a digital certificate of completion from Rekcah Academy. This certificate validates your Purple Team skills and is perfect for your LinkedIn profile, resume, or professional portfolio.

Certificate Sample

To purchase the original document, contact me directly:

Email: rekcahacademy@gmail.com

I will provide you with the bank transfer details to complete your purchase. After confirmation, you will receive the complete, unabridged document, empowering you to build, simulate, and defend like a true Purple Team professional.

For the certificate: complete the course and quizzes, then contact me to arrange payment and delivery.

Stay curious. Stay ethical. Stay secure.

What will I learn?

  • Understand File Masquerading Mechanics
  • Create a Functional PowerShell Reverse Shell
  • Bind Payloads to Legitimate Files
  • Spoof File Extensions and Icons
  • Establish Covert Remote Access
  • Detect Active Compromises Using Network Analysis
  • Identify Malicious Process Trees
  • Reveal Masqueraded Files Through Forensic Inspection
  • Navigate Cyber Laws and Ethical Boundaries
  • Perform Professional Cleanup and Documentation

Requirements

  • A Computer with Internet Connection
  • Willingness to Learn — No Prior Hacking Knowledge Needed
  • Access to an Online Virtual Lab Platform
  • Basic Computer Skills — Comfort with Mouse and Keyboard
  • A Desire to Understand Both Attack and Defense
  • Optional: Basic knowledge of Python or PowerShell

Frequently asked questions

Upon completion, you will be able to simulate a complete file masquerading attack in a controlled lab environment. You will create a PowerShell Reverse Shell (RAT), bind it to a legitimate image using SFX archives, spoof icons and extensions to disguise the payload, deliver it via social engineering scenarios, and establish covert remote access using Windows administrative shares (C$). Equally important, you will master Blue Team detection techniques — using netstat, Process Hacker, and file extension inspection — to identify and stop such attacks. You will also understand the legal boundaries and be able to document your findings like a professional penetration tester.
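The three Blue Team checks named in that answer (established connections as netstat shows them, an image viewer or other unexpected parent spawning PowerShell, and hidden file extensions) can be gathered into one defender-side triage script. The PowerShell below is an added example for this page, not one of the course's own scripts or tools; the list of expected parent processes and the double-extension pattern are illustrative assumptions to tune against your own lab baseline.

```powershell
# Added defender-side triage example (not the course's own script).
# Assumes: PowerShell 5.1+ on a Windows 11 lab VM, run as Administrator so that
# Get-NetTCPConnection and Win32_Process report every process on the host.
# The parent allowlist and the double-extension pattern below are illustrative
# assumptions, not an authoritative list; tune them to your lab baseline.

$InterpreterNames = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
$AllowedParents   = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'code.exe',
                      'services.exe', 'svchost.exe', 'wininit.exe', 'winlogon.exe', 'windowsterminal.exe')

function Get-SuspiciousInterpreterProcesses {
    # One PID -> process map so each parent lookup is a hash hit, not a second WMI query.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        if ($InterpreterNames -notcontains $p.Name.ToLower()) { continue }

        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }
        $parentPath = if ($parent) { $parent.ExecutablePath } else { $null }
        $reasons    = @()

        # An image viewer, an SFX stub or any other non-shell parent launching an interpreter
        # is the "image viewer spawning PowerShell" pattern the course teaches you to look for.
        if ($AllowedParents -notcontains $parentName) { $reasons += "unexpected parent '$parentName'" }

        # A masqueraded binary usually keeps its decoy extension right before the real .exe.
        if ($parentPath -and $parentPath -match '\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?)\.exe$') {
            $reasons += 'parent image name has a spoofed double extension'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Name        = $p.Name
                Parent      = $parentName
                ParentPath  = $parentPath
                CommandLine = $p.CommandLine
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

function Get-EstablishedConnectionsByProcess {
    # Same data as `netstat -ano` filtered to ESTABLISHED, with the owning process name joined in,
    # so a shell holding an outbound socket stands out without a manual PID lookup.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name  = if ($owner) { "$($owner.ProcessName).exe".ToLower() } else { '<unknown>' }
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Pid     = $_.OwningProcess
            Process = $name
            Flag    = if ($InterpreterNames -contains $name) { 'INTERPRETER-OWNED' } else { '' }
        }
    }
}

function Test-FileExtensionsVisible {
    # Explorer hides known extensions while HideFileExt is 1 (the default), which is exactly
    # what lets "photo.jpg.exe" render as "photo.jpg". Returns $true only when extensions show.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($value -eq 0)
}

# Triage run: suspicious interpreters first, then live connections, then the Explorer setting.
Get-SuspiciousInterpreterProcesses | Format-Table -AutoSize
Get-EstablishedConnectionsByProcess | Sort-Object Flag -Descending | Format-Table -AutoSize
if (-not (Test-FileExtensionsVisible)) {
    Write-Warning "Known file extensions are hidden in Explorer. Set HideFileExt to 0 under $key and restart explorer.exe to reveal masqueraded names."
}
```

Run it on the victim VM during the execution and remote-access phases and again after cleanup: the first run should show the interpreter process and its established connection, and the post-cleanup run should return nothing. The allowlist is deliberately short so that a Photos or WinRAR SFX parent shows up; on a real estate you would build it from a clean baseline of the same image rather than from guesswork.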

This is 100% hands-on. The entire course is built around a structured lab exercise with six distinct phases: payload creation, masquerading (binder), delivery, execution, remote access, and cleanup. You will work directly with PowerShell, WinRAR/7-Zip SFX, Netcat, and Sysinternals tools. The original document provides precise commands, configuration screenshots, and a test case matrix (TC-001 to TC-011) to validate every step. You don’t just read about attacks — you execute them in an isolated lab environment.

The free preview gives you an outline. The original document delivers the complete, unabridged training asset. It includes: Step-by-step instructions with no gaps — every command, every click. High-fidelity screenshots showing exactly what each phase should look like (SFX settings, icon spoofing, netstat output, process trees). A full troubleshooting matrix with solutions to common issues (reverse shell not connecting, antivirus interference, extension still hidden). Formal assessment tools: test case matrix, assessment rubric, and professional forms (Participant Acknowledgment, Approval & Signatures). In-depth legal framework: detailed tables of applicable cyber laws by jurisdiction, plus Oman-specific compliance notes. A certificate of completion template included within the document. In short, the original document transforms a basic lab into a professional-grade training experience.

Yes, the course is legal when used correctly. All techniques are taught exclusively for educational purposes and authorized penetration testing within controlled lab environments. The course places a heavy emphasis on ethics and legal compliance. You will learn about the Computer Fraud and Abuse Act (CFAA), GDPR, Oman Cybercrime Law (Royal Decree No. 12/2011), and other regulations. The original document includes a compliance checklist and a signed participant acknowledgment form to ensure you understand your obligations. Unauthorized use outside the lab is illegal, and the course makes that explicitly clear.

Absolutely. Oman has strict cybercrime legislation under Royal Decree No. 12/2011, which criminalizes unauthorized access, malware deployment, and remote system infiltration. The Personal Data Protection Law (Royal Decree No. 6/2022) also imposes strict rules on data handling. The original document includes a dedicated section on Oman-specific legal considerations, ensuring you understand the local legal landscape before conducting any lab exercises. All activities must comply with Telecom Regulatory Authority (TRA) guidelines and be performed only on authorized, lab-owned systems.

You do not need to be an expert, but basic familiarity with Windows, the command line, and fundamental networking concepts is helpful. The course is designed for cybersecurity professionals, Lawyers, Police officers in cybercrime department, students, and ethical hackers who want to specialize in endpoint security, SOC operations, or red teaming. The step-by-step instructions in the original document are written clearly enough that a motivated learner with foundational IT knowledge can follow along successfully. All required tools (PowerShell, WinRAR, Netcat, Process Hacker) are explained and configured within the lab.

You will need: Two Windows 11 Pro machines (or virtual machines) in an isolated lab network. PowerShell 5.1+ (built into Windows). WinRAR or 7-Zip (for SFX archive creation). Netcat (nc.exe) — provided in the lab resources. Process Hacker or Sysinternals Suite (for detection exercises). A text editor (VS Code recommended). The original document lists full hardware/software requirements, installation commands, and configuration steps to get your lab environment ready. Everything is standard and easily sourced.

The course aligns directly with MITRE ATT&CK tactics and techniques, including:

  • T1036 — Masquerading (file extension and icon spoofing)
  • T1059.001 — PowerShell (reverse shell execution)
  • T1021.002 — SMB/Windows Admin Shares (lateral movement)
  • T1566 — Phishing (delivery via social engineering)

By understanding these techniques, you gain insight into how advanced persistent threats (APTs) and real-world adversaries operate. The Blue Team detection sections teach you how to spot these very techniques in your own environment.

The original document is available at a limited-time 50% discount. Original Price: OMR 35. For that amount, you receive:

  • The complete RTL-DOC-300-v1.0 PDF document (over 20 pages of detailed content, licensed and personalized with your name).
  • All payload scripts, SFX configurations, and command references.
  • Full troubleshooting guide and test case matrix.
  • Professional forms, legal compliance checklist, and certificate of completion template (digital format within the PDF).

Optional Add-On — PDF Certificate: If you would like a high-quality, professionally signed certificate (or a beautifully formatted digital version suitable for framing and display), you can request this for an additional OMR 20. This is a personalized certificate with your name, completion date, and instructor signature — perfect for your portfolio, LinkedIn profile, or office wall. Simply mention that you want the printable certificate when you place your order.

To purchase, contact the author directly:

WhatsApp: 95217614 (text only — no calls)
Email: rekcahacademy@gmail.com

Pricing Options:

  • Original Document (PDF): OMR 10
  • Printable Certificate (physical or high-res digital): OMR 10
  • Bundle: Document + Certificate: OMR 18 (save OMR 2)

After contacting, you will receive bank transfer instructions. Once payment is confirmed, the complete original document (PDF) will be delivered via email or secure file transfer within 12 hours. If you ordered the printable certificate, you will receive either a high-resolution digital certificate ready for printing, or arrangements will be made for a physical signed copy depending on your location and preference. WhatsApp inquiries are welcome — simply send your name, preferred email, and specify whether you want the document only or the bundle with the printable certificate.

Antonio June Veva Jr.

Hi, my name is Antonio June Veva Jr., nickname "June" or "Anthony". I am a Senior IT Instructor and owner of the REKCAH ACADEMY.

Antonio is a passionate educator with expertise in various fields, including Math, Computers, Electronics, and Science. His journey into the world of computers began at the young age of 12, sparking his lifelong fascination with technology.

Antonio's dedication to his craft is evident through his extensive qualifications, which include a range of IT and industrial certifications. He is a certified Technical Education and Skills Development Authority (TESDA) Assessor, demonstrating his commitment to upholding high standards in education. Antonio has also achieved certifications in Assessors Methodology and Trainers Methodology (AM/TM), reflecting his commitment to effective teaching and assessment.

Antonio has over 30 years of experience in computer systems since 1996, specializing in computer networking and security. Throughout his career, Antonio has held teaching positions at reputable institutions in the Philippines. He served as an IT Instructor at Sumulong College of Arts and Sciences (SCAS) and the University of Rizal System (URS), where he shared his knowledge and passion for technology with eager students. Additionally, Antonio was a distinguished instructor at TESDA-CATIAFI, specializing in Computer Hardware Servicing (CHS) and Computer Maintenance (PCM). His proficiency extended to programming, as he also imparted knowledge as a Java Instructor.

Antonio is also a former IT Instructor at CNCTC, one of the leading and renowned IT Upskill & Reskill Hands-On IT Training institutions in the Philippines, known for its 'Hands-On IT Training.' He is also a former IT Instructor, a title registered under the Ministry of Manpower, who worked at the University of Technology and Applied Sciences, formerly known as the Higher College of Technology in Muscat, Oman.

Not only a dedicated educator, Antonio has also held managerial roles in the IT industry. He served as an IT Manager at Governess Guru IT Training in the Philippines, where his leadership and technical expertise played a pivotal role in the organization's success.

Antonio's multifaceted experience, unwavering commitment to education, and deep-rooted passion for technology make him an exceptional instructor and leader in the field. His journey is a testament to the power of lifelong learning and the impact of dedicated educators on the next generation of professionals.

Price: $0

Lectures: 10

Skill level: Advanced

Expiry period: 3 Months
