DOJO Details/Logistics
DOJO Duration: 3 Days, March 16 to 18 (Saturday to Monday)
Types of Attendance available:
In-Person
Last updated February 19, 2024.
Course Abstract:
Introducing a cutting-edge training program crafted to empower penetration testers, red team members, and blue team defenders with the advanced skills needed to combat and outmaneuver apex threat actors. In the rapidly evolving landscape of cybersecurity, where attackers employ sophisticated methods such as in-memory implants, custom coding to bypass antivirus and EDR systems, and bespoke tools for lateral movement, the need for robust defensive strategies has never been more critical.
This course is meticulously designed to bridge the gap between conventional security measures and the advanced tactics utilized by adversaries, offering an in-depth exploration of the techniques and methodologies employed by these threat actors to evade host and network-level security solutions. Through a comprehensive curriculum that emphasizes hands-on experience and real-world scenarios, participants will gain unparalleled insights into enhancing enterprise-grade security postures, ensuring readiness to detect, respond to, and neutralize advanced cyber threats with precision and stealth.
As ransomware attacks escalate, many leading corporations and organizations with critical operations have neglected the optimal placement and configuration of their security controls. This training is designed to elevate the understanding and implementation of Enterprise-Based Security Controls. It delves into the tactics, techniques, procedures, and tools utilized by Threat Groups, shedding light on their clandestine operations and their ability to navigate through security defenses within environments that are both patched and actively monitored. Through this program, participants will gain insights into refining their security strategies to better anticipate and counteract the sophisticated maneuvers of these adversaries.
This comprehensive course is designed to equip participants with an advanced understanding of red team tactics, techniques, and procedures (TTPs), emphasizing the development of effective strategies for penetrating and assessing the security of modern digital environments. The curriculum begins with a deep dive into Red Team Resource Development, covering the intricacies of infrastructure setup using Mythic Command and Control (C2) and leveraging Azure Front Door CDN for Initial Access Security Controls. Students will explore defense evasion techniques such as HTML Smuggling and Right-to-Left Override (RTLO) through practical demonstrations and case studies. The module further elaborates on bypassing initial security controls and introduces students to Advanced Persistent Threat (APT) tactics, including embedding payloads in OneNote, exploiting .NET deserialization for initial access, backdooring Microsoft Installer files (MSIs), and more, each complemented by hands-on exercises to solidify learning.
This course offers an in-depth exploration into the realm of red team operations, focusing on equipping participants with the knowledge and skills necessary to execute sophisticated cyber-attacks and penetration testing strategies. The curriculum is meticulously designed to cover a wide array of topics, beginning with the development of red team infrastructure and the deployment of Mythic Command and Control (C2) systems, along with strategies for initial access security control evasion using techniques such as HTML Smuggling and Right-to-Left Override (RTLO). Participants will engage in hands-on exercises that include embedding payloads in OneNote, exploiting .NET deserialization, backdooring Microsoft Installer files, and more, aimed at mirroring Advanced Persistent Threat (APT) tactics for a practical understanding of how to bypass initial security measures.
As the course unfolds, learners will delve deeper into offensive cybersecurity practices, including the intricacies of APT initial access tradecraft and offensive C# programming, enhanced through comprehensive lab sessions. The emphasis on Windows API essentials showcases how these can be exploited for red team advantage, providing a foundation for executing host, network, and cloud-based attacks. This includes bypassing Anti-Malware Scan Interface (AMSI), Custom Code Signing Levels (CLM), and script block logging, alongside advanced techniques for fileless User Account Control (UAC) bypasses and application whitelisting circumvention. Credential access tactics, exploiting browser vulnerabilities, and leveraging custom tools for data exfiltration are explored in detail. Additionally, the course addresses the manipulation of network trust relationships and cloud-based attack methodologies, culminating in an understanding of telemetry collection, Event Tracing for Windows (ETW), Endpoint Detection and Response (EDR) systems, and evasion techniques through direct system calls and API unhooking, ensuring participants are well-prepared to conduct comprehensive red team operations in a variety of digital environments.
Course Agenda:
Module 1: Red Team Resource Development
Red Team Infrastructure Development
Mythic C2
Azure Front Door CDN
Initial Access Security Controls
Initial Access Defense Evasion Techniques
HTML Smuggling
RTLO Demonstration
Initial Access Case Study
Working Initial Access Vectors
Bypassing Initial Security Controls
HTML Smuggling
APT TTPs:
Embedding Payloads in OneNote [1 Exercise]
.NET Deserialization with Initial Access TTP [1 Exercise]
Backdooring MSIs [1 Exercise]
LNK TTP with Parent Process De-Chaining [1 Exercise]
Leveraging ClickOnce [1 Exercise]
Module 2: Tradecraft Development for Offensive Operations
APT29 Initial Access Tradecraft
CSharp Essentials [4 Hands-on Labs]
Offensive C# Trade-Craft [3 Hands-on Labs]
Windows API Essentials
Utilizing Windows API for Red Team Profit [3 Hands-on Labs]
Module 3: Host, Network & Cloud Based Attacks
Host Based:
AMSI, CLM, Script Block Logging, ASR Rules Bypasses [1 Lab Each]
Fileless UAC Bypass [1 Lab]
Application Whitelisting: AppLocker, WDAC
Credential Access
Browser based:
Chrome & Firefox [1 Lab Each]
Windows based:
PSReadLine Module
Custom C# Dumper
Bonus: access to a private credential dumper tool
Network Based:
5 Ways of abusing Cross-Forest Trust
Foreign Security Principals (FSPs)
Trust Keys Abuse
Over-Permissible Certificate Template
Privileged Access Management (PAM)
Kerberoasting
Cloud Based:
Primary Refresh Token (PRT) Abuse
Password Hash Sync (PHS) Abuse
Golden SAML Attack
OAuth Device Code
On-Premise to Cloud Lateral Movement Case Study
Module 4 (Contd.)
Introduction to Telemetry Collection
ETW & EDR Basics
ETW Patching [1 Lab]
AMSI + ETW Patching [1 Lab]
General Evasion Areas [4 Exercises]
Native APIs
Unhooking by Patching
DLL Unhooking
Direct Syscalls
*Candidates get full 30-day lab access with write-ups after the training, including technical support.
Course Learning Objectives:
Address the rising threat of ransomware attacks by understanding the oversight in security controls, placement, and configuration among top-tier and critical businesses.
Enhance the visibility and effectiveness of Enterprise-Based Security Controls within your organization.
Explore the tactics, techniques, procedures, and tools employed by Threat Groups, including their methods for stealth operations and circumventing security mechanisms in patched and monitored environments.
Gain advanced skills in enhancing threat visibility at both the host and network level across Windows and Linux environments.
Learn the common pitfalls in configuring enterprise security controls and how to avoid them, ensuring a robust defense against potential threats.
DOJO Prerequisites:
Comfortable with a command-line environment
Fair knowledge of Penetration Testing Methodology
Who Should Take This Course?
Penetration Testers / Red Teams
System Administrators
Malware Developers
SOC analysts
Threat Hunting Team
Last but not least, anyone interested in strengthening their offensive and detection capabilities
What Should Students Bring?
A system with at least 16 GB RAM and VMware Workstation installed
Attacker Linux box [Parrot] with internet connectivity
Updated Web Browser
(Team will share Customized StealthOps VM 1 week before the training date)
About the Instructor: Yash Bharadwaj
Yash Bharadwaj is Co-Founder & CTO at CyberWarFare Labs, with over 5.5 years of experience as a technologist. He is highly attentive to finding, learning and discovering new TTPs used during offensive engagements. His areas of interest include building red / blue team infrastructure, security control internals, and pwning on-premise & multi-cloud infrastructure. Previously he has delivered hands-on red / blue / purple team trainings, talks and workshops at Nullcon, X33fCon, NorthSec, BSIDES Chapters (US & Asia Pacific), OWASP Indonesia, CISO Platform, YASCON and other private trainings. You can reach him on Twitter @flopyash.