3-DAY TRAINING 3 – In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition]

DURATION: 3 DAYS

CAPACITY: 20 pax

SEATS AVAILABLE: CLASS CANCELLED


EUR2599 (early bird)

EUR3199 (normal)

Early bird registration rate ends on the 31st of January


Overview

The In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition] training class has been designed to present students with modern and emerging TTPs used in the network exfiltration and lateral movement phases. Highly technical content and a purely hands-on, practical approach guarantee that applying the transferred knowledge and tactics in real production environments will be easy, smooth and repeatable.

Through hands-on labs only, this training will give you a bigger picture of what you really need to care about when first building, or later improving, your Security Operations Center environment, your Red and Blue team skills, your SIEM / data analytics deployments, your DLP / IDS / IPS installations or your anomaly detection network security solutions.

Using the provided set of tools, students will work one by one through well-prepared lateral movement, exfiltration, pivoting and tunneling use cases to generate the genuine network symptoms of modern adversary behavior.

In addition, we will deep-dive into the individual network protocols, services and post-exploitation techniques commonly in use and discuss their detection points.

The workshop should significantly strengthen your skills in the field of adversary simulation and advanced threat detection.

Who Should Attend

  • Red and Blue team members
  • SOC Analysts and SIEM Engineers
  • Security / Data Analysts
  • Pentesters and Risk Auditors
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • AI / Machine Learning Security Developers
  • Chief Security Officers and IT Security Directors

Key Learning Objectives

  • Simulate real adversaries in the network by using dedicated Open Source projects and techniques, including LDAP as hidden storage, AD as C2, DCSync / DCShadow, Pass-the-Hash / Pass-the-Ticket, remote credential dumping, registering a protocol handler remotely and many more.
  • Bypass Linux and Windows local security restrictions and command-line argument detections by using obfuscation and Living Off The Land Binaries And Scripts.
  • Generate and run different encrypted types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding and C2 proxying, change transport on the fly and find out what the network traffic artifacts of such actions are.
  • Manually generate suspicious network events from Python, e.g. establish a C2 connection using QUIC, HTTP/2, NTP and more.
  • Simulate DNS DGA traffic, run DNS tunnels and remote shells, exfiltrate and hide data transfers using DNS-over-HTTPS, deliver a payload over AXFR or pwn the local Docker API over DNS Rebinding.
  • Set up optimal implant jitter and connection time-outs, and learn how to blend your C2 channel into normal traffic.
  • Use different HTTP techniques, headers and methods for stealing data in combination with web application injection techniques (OOB), and walk through the world of web shells.
  • Run, detect and understand different TLS/SSL-based anomalies and exfiltration methods, and hide behind a chosen JA3 hash.
  • Create a remote thread and deliver compressed, encrypted, in-memory offensive PowerShell scripts during the post-exploitation stage to leak data and bypass AV / EDR / AMSI.
  • Clone, armor and phish popular websites and use them as a covert channel.
  • Create a CDN domain fronting setup, punch holes in NAT and run WAF filtering rules for C2 payload traffic.
  • Build a large-file ICMP packet-dripping covert channel and monitor ICMP traffic.
  • Bypass and pivot at scale by running internal HTTPS, WMI, WebSockets, named pipes, WinRM and P2P covert channels.
  • Use popular cloud-based services for C2 communication and data stealing, e.g. Pastebin, Twitter, AWS, Dropbox, Google Drive.
  • Run verification actions for IT security products and providers during PoC / PoV.
  • Discuss how Suricata IDS / Zeek IDS / NetFlow / Sysmon / osquery and Sigma rules can help you detect and correlate suspicious events.
  • And a combination of many more. I guarantee that your overall Linux, Windows and “feeling the network security” skills will also increase significantly.

In terms of IDS/IPS/Data Leakage Protection, and for a better understanding of the current state of your network security posture, the training experience will help you understand risks and identify network security blind spots and unexpected, uncovered areas by simulating the network behavior of a real offensive cyber adversary. Become confident that your SOC / network security really works!

Prerequisite Knowledge

  • An intermediate level of command-line syntax experience using Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Hardware / Software Requirements

  • At least 30GB of free disk space
  • At least 8GB of RAM
  • Students should have the latest VirtualBox installed on their machine
  • Full Admin access on your laptop

Agenda Day 1, 2 & 3

1. Introduction:

  • Introduction to Adversary Simulations and Open Source Attack Emulation projects:

    • Atomic Red Team

    • RTA

    • APT simulator

    • Dumpster Fire

    • Firebolt

    • Flightsim

    • BYOB

    • Metta

    • Infection Monkey

    • Caldera

    • and more

2. Modern RAT implementations and popular APT/C2 malware communication design – a review of the latest APT campaigns mapped to the MITRE ATT&CK Framework and Sigma rules.

3. Not just the basics of TCP/UDP bind and reverse shells:

  • Meterpreter + Veil Framework + Shellter + Sharpshooter + Empire:

    • Generating staged / stageless exotic payloads

    • Powershell & cmd.exe obfuscation

    • Auditing and bypassing firewalls

    • Routing, relaying, pivoting & port forwarding

    • and more

  • CLI / LOLBAS tips & tricks:

    • netcat / nc / cryptocat / telnet / socat / curl / wget / xxd / rsync

    • /dev/tcp & /dev/udp

    • installutil / regsvr32 / regsvcs / regasm / print / msbuild

    • PHP / Perl / Python / Ruby / JSP / ASP / LUA / awk shellz

    • and more

  • TCP/UDP raw socket tunnels

  • Establish your own C2 communication channels by using:

    • Covenant

    • Koadic

    • PoshC2

    • Apfell

    • Faction C2

    • C3

    • and more

4. Covert channels and C2 techniques:

  • ICMP

  • DNS:

    • CDN theory, domain fronting and domain reputation

    • Fast-flux domains

    • Dictionary and random characters DGA

    • DNS proxy, DNS over HTTPS, DNS over TLS

    • Payload delivery over AXFR

    • DNS Rebinding and other DNS anomalies

  • HTTP/S & web application exploitation techniques combo:

    • HTTP methods / headers / cookies / redirects / error codes

    • Chunked Transfer Encoding

    • Website cloning and armoring

    • WebDAV and Websockets C2

    • Certificate exfiltration & TLS/SSL anomalies

    • *Injections + exfiltration → OOB

    • Webshell as SOCKS proxy

    • QUIC / HTTP2

    • HTTP anomalies

5. Lateral movement and Offensive Frameworks:

  • AD as C2 / LDAP as hidden storage

  • DCShadow / DCsync

  • Golden / Silver Ticket

  • Kerberoasting

  • NTLM relaying and redirects

  • UNC paths

  • RDP tunneling

  • Credential dumping at scale

  • WMI / WinRM / PS-remote

  • Storage protocols: FTP / TFTP / SMB / NFS / iSCSI

  • Forward / Reverse / SOCKS Proxy

  • SSH tunneling / SFTP / SCP

  • VPN / TOR / Open Proxy

  • POP3 / SMTP / IMAP

  • + chaining of above and many more.

6. Cloud-based exfiltration techniques and C2 channels:

  • Slack as C2

  • SSH over Google Drive

  • Pastebin as C2

7. FW / WAF protection for your C2 infrastructure

8. Signature-based event analytics, rule bypassing & malicious network traffic generation:

  • Suricata ET / VRT rules vs attacker → the syntax of the rules

  • Bro IDS log “features” for deep low-level network baselining and “weird” findings

  • Threat Intelligence feeds, lists and 3rd party APIs:

    • IP reputation lists

    • Malware / Phishing feeds

    • C2 / Open Proxy lists / TOR exit-nodes

    • Censys / VT / Passive Total / Shodan

9. Summary → recommended defensive/protection tactics, tools, and commercial platforms:

  • TTP, Kill chain & Defense and Offense in depth.

  • The importance of:

    • Network traffic baseline profiling

    • Memory forensics

    • Important data sources and log correlation

    • Open Source Security Projects for SOC environment

Location: Training Rooms

Date: April 20, 2020

Time: 9:00 am - 6:00 pm

Leszek Mis