
StealthOps: Red Team Tradecraft Targeting Enterprise Security Controls


  • secwest.net, Vancouver, Canada

DOJO Details/Logistics

DOJO Duration: 3 Days, March 16 to 18 (Saturday to Monday)

Types of Attendance available:

  • In-Person

Last updated February 19, 2024.

 

Course Abstract:

Introducing a cutting-edge training program crafted to empower penetration testers, red team members, and blue team defenders with the advanced skills needed to combat and outmaneuver apex threat actors. In the rapidly evolving landscape of cybersecurity, where attackers employ sophisticated methods such as in-memory implants, custom coding to bypass antivirus and EDR systems, and bespoke tools for lateral movement, the need for robust defensive strategies has never been more critical.

This course is meticulously designed to bridge the gap between conventional security measures and the advanced tactics utilized by adversaries, offering an in-depth exploration of the techniques and methodologies employed by these threat actors to evade host and network-level security solutions. Through a comprehensive curriculum that emphasizes hands-on experience and real-world scenarios, participants will gain unparalleled insights into enhancing enterprise-grade security postures, ensuring readiness to detect, respond to, and neutralize advanced cyber threats with precision and stealth.

As ransomware attacks escalate, many leading corporations and organizations with critical operations have neglected the optimal placement and configuration of their security controls. This training is designed to elevate the understanding and implementation of Enterprise-Based Security Controls. It delves into the tactics, techniques, procedures, and tools utilized by Threat Groups, shedding light on their clandestine operations and their ability to navigate through security defenses within environments that are both patched and actively monitored. Through this program, participants will gain insights into refining their security strategies to better anticipate and counteract the sophisticated maneuvers of these adversaries.

This comprehensive course is designed to equip participants with an advanced understanding of red team tactics, techniques, and procedures (TTPs), emphasizing the development of effective strategies for penetrating and assessing the security of modern digital environments. The curriculum begins with a deep dive into Red Team Resource Development, covering the intricacies of infrastructure setup using Mythic Command and Control (C2) and leveraging Azure Front Door CDN for Initial Access Security Controls. Students will explore defense evasion techniques such as HTML Smuggling and Right-to-Left Override (RTLO) through practical demonstrations and case studies. The module further elaborates on bypassing initial security controls and introduces students to Advanced Persistent Threat (APT) tactics, including embedding payloads in OneNote, exploiting .NET deserialization for initial access, backdooring Microsoft Installer files (MSIs), and more, each complemented by hands-on exercises to solidify learning.

This course offers an in-depth exploration into the realm of red team operations, focusing on equipping participants with the knowledge and skills necessary to execute sophisticated cyber-attacks and penetration testing strategies. The curriculum is meticulously designed to cover a wide array of topics, beginning with the development of red team infrastructure and the deployment of Mythic Command and Control (C2) systems, along with strategies for initial access security control evasion using techniques such as HTML Smuggling and Right-to-Left Override (RTLO). Participants will engage in hands-on exercises that include embedding payloads in OneNote, exploiting .NET deserialization, backdooring Microsoft Installer files, and more, aimed at mirroring Advanced Persistent Threat (APT) tactics for a practical understanding of how to bypass initial security measures.

As the course unfolds, learners will delve deeper into offensive cybersecurity practices, including the intricacies of APT initial access tradecraft and offensive C# programming, enhanced through comprehensive lab sessions. The emphasis on Windows API essentials showcases how these can be exploited for red team advantage, providing a foundation for executing host, network, and cloud-based attacks. This includes bypassing Anti-Malware Scan Interface (AMSI), Custom Code Signing Levels (CLM), and script block logging, alongside advanced techniques for fileless User Account Control (UAC) bypasses and application whitelisting circumvention. Credential access tactics, exploiting browser vulnerabilities, and leveraging custom tools for data exfiltration are explored in detail. Additionally, the course addresses the manipulation of network trust relationships and cloud-based attack methodologies, culminating in an understanding of telemetry collection, Event Tracing for Windows (ETW), Endpoint Detection and Response (EDR) systems, and evasion techniques through direct system calls and API unhooking, ensuring participants are well-prepared to conduct comprehensive red team operations in a variety of digital environments.

 

Course Agenda:

Module 1: Red Team Resource Development

  • Red Team Infrastructure Development

    • Mythic C2

    • Azure Front Door CDN

  • Initial Access Security Controls

  • Initial Access Defense Evasion Techniques

    • HTML Smuggling

    • RTLO Demonstration

  • Initial Access Case Study

  • Working Initial Access Vectors

  • Bypassing Initial Security Controls

    • HTML Smuggling

  • APT TTPs:

    • Embedding Payloads in OneNote [1 Exercise]

    • .NET Deserialization with Initial Access TTP [1 Exercise]

    • Backdooring MSIs [1 Exercise]

    • LNK TTP with Parent Process De-Chaining [1 Exercise]

    • Leveraging ClickOnce [1 Exercise]

Module 2: Tradecraft Development for Offensive Operations

  • APT29 Initial Access Tradecraft

  • CSharp Essentials [4 Hands-on Labs]

  • Offensive C# Tradecraft [3 Hands-on Labs]

  • Windows API Essentials

  • Utilizing Windows API for Red Team Profit [3 Hands-on Labs]

Module 3: Host, Network & Cloud Based Attacks

  • Host Based:

    • AMSI, CLM, Script Block Logging, ASR Rules Bypasses [1 Lab Each]

    • Fileless UAC Bypass [1 Lab]

    • Application Whitelisting: AppLocker, WDAC

    • Credential Access

      • Browser based:

        • Chrome & Firefox [1 Lab Each]

      • Windows based:

        • PSReadLine Module

        • Custom C# Dumper

        • Bonus Access to private credential dumper tool

  • Network Based:

    • 5 Ways of abusing Cross-Forest Trust

      • Foreign Security Principals (FSPs)

      • Trust Keys Abuse

      • Over-Permissible Certificate Template

      • Privileged Access Management (PAM)

      • Kerberoasting

  • Cloud Based:

    • Primary Refresh Tokens (PRT) Abuse

    • Password Hash Sync (PHS) Abuse

    • Golden SAML Attack

    • OAuth Device Code

    • On-Premise to Cloud Lateral Movement Case Study

Module 4 (Contd.)

  • Introduction to Telemetry Collection

  • ETW & EDR Basics

  • ETW Patching [1 Lab]

  • AMSI + ETW Patching [1 Lab]

  • General Evasion Areas [4 Exercises]

    • Native APIs

    • Unhooking by Patching

    • DLL Unhooking

    • Direct Syscalls

*Candidates get full 30-day lab access with write-ups and technical support after the training.

 

Course Learning Objectives:

  • Address the rising threat of ransomware attacks by understanding the oversight in security controls, placement, and configuration among top-tier and critical businesses.

  • Enhance the visibility and effectiveness of Enterprise-Based Security Controls within your organization.

  • Explore the tactics, techniques, procedures, and tools employed by Threat Groups, including their methods for stealth operations and circumventing security mechanisms in patched and monitored environments.

  • Gain advanced skills in enhancing threat visibility at both the host and network level across Windows and Linux environments.

  • Learn the common pitfalls in configuring enterprise security controls and how to avoid them, ensuring a robust defense against potential threats.

 

DOJO Pre-requisites:

  • Comfortable with a command-line environment

  • Fair knowledge of penetration testing methodology

 

Who Should Take This Course?

  • Penetration Testers / Red Teams

  • System Administrators

  • Malware Developers

  • SOC analysts

  • Threat Hunting Teams

  • Anyone interested in strengthening their offensive and detection capabilities

 

What Students Should Bring?

  • System with at least 16 GB RAM and VMware Workstation installed

  • Attacker Linux box (Parrot) with Internet connectivity

  • Updated web browser

(The team will share a customized StealthOps VM one week before the training date.)

 

About the Instructor: Yash Bharadwaj

Yash Bharadwaj is Co-Founder & CTO at CyberWarFare Labs, with over 5.5 years of experience as a technologist. He is highly attentive to finding, learning and discovering new TTPs used during offensive engagements. His areas of interest include building red / blue team infrastructure, security control internals, and pwning on-premise and multi-cloud infrastructure. Previously he has delivered hands-on red / blue / purple team trainings, talks and workshops at Nullcon, X33fCon, NorthSec, BSides chapters (US & Asia Pacific), OWASP Indonesia, CISO Platform, YASCON and other private trainings. You can reach out to him on Twitter @flopyash.
