Early bird registration rate ends on the 31st of January
The In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition] training class has been designed to present students modern and emerging TTPs available for network exfiltration and lateral movement phases. Highly technical content and only a hands-on practical approach guarantees that the usage of this transferred knowledge & tactics in real production environments will be easy, smooth and repeatable.
Through hands-on labs only, this training will deliver you a bigger picture of what you really need to care about when thinking initially or improving lately your Security Operation Center environment, Red and Blue team skills, your SIEM / data analytics deployments, your DLP / IDS / IPS installations or anomaly detection network security solutions.
Using an available set of tools, the student will play one by one with well prepared lateral movement, exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of modern adversary behavior.
Next to that, we will deep dive into the individual network protocols, services, and post exploitation techniques commonly in use and discuss the detection points.
The workshop should perfectly power up your skills in the field of adversary simulations and advanced threat detection.
In terms of IDS/IPS/Data Leakage Protection and for better understanding the current status of your network security posture, the training experience will help you understand risks, identify network security blind spots and unexpected, uncovered spaces by simulating a real, offensive cyber adversary network behavior. Become confident that your SOC/network security really works!
1. Introduction:
Introduction to Adversary Simulations and Open Source Attack Emulation projects:
Atomic Red Team
RTA
APT simulator
Dumpster Fire
Firebolt
Flightsim
BYOB
Metta
Infection Monkey
Caldera
and more
2. Modern RATโs implementation and popular APT/C2 malware communication design – the review of the latest APT campaigns mapped to MITRE ATT&CK Framework and Sigma rules.
3. Not just the basics of TCP/UDP bind and reverse shells:
Meterpreter + Veil Framework + Shellter + Sharpshooter + Empire:
Generating staged / stageless exotic payloads
Powershell & cmd.exe obfuscation
Auditing and bypassing firewalls
Routing, relaying, pivoting & port forwarding
and more
CLI / LOLBAS tips & tricks:
netcat / nc / cryptocat / telnet / socat / curl / wget / xxd / rsync
/dev/tcp & /dev/udp
installutil / regsvr32 / regsvcs / regasm / print / msbuild / installutil
PHP / Perl / Python / Ruby / JSP / ASP / LUA / awk shellz
and more
Establish your own C2 communication channels by using:
Covenant
Koadic
PoshC2
Apfell
Faction C2
C3
and more
4. Covert channels and C2 techniques:
ICMP
DNS:
CDN theory, domain fronting and domain reputation
Fast-flux domains
Dictionary and random characters DGA
DNS proxy, DNS over HTTPS, DNS over TLS
Payload delivery over AXFR
DNS Rebinding and other DNS anomalies
HTTP/S & web application exploitation techniques combo:
HTTP methods / headers / cookies / redirects / error codes
Chunked Transfer Encoding
Website cloning and armoring
WebDAV and Websockets C2
Certificate exfiltration & TLS/SSL anomalies
*Injections + exfiltration โ OOB
Webshell as SOCKS proxy
QUIC / HTTP2
HTTP anomalies
5. Lateral movement and Offensive Frameworks:
AD as C2 / LDAP as hidden storage
DCShadow / DCsync
Golden / Silver Ticket
Kerberoasting
NTLM relaying and redirects
UNC paths
RDP tunneling
Credential dumping at scale
WMI / WinRM / PS-remote
Storage protocols: FTP / TFTP / SMB / NFS / iSCSI
Forward / Reverse / SOCKS Proxy
SSH tunneling / SFTP / SCP
VPN / TOR / Open Proxy
POP3 / SMTP / IMAP
+ chaining of above and many more.
6. Cloud-based exfiltration techniques and C2 channels:
Slack as C2
SSH over Google Drive
Pastebin as C2
7. FW / WAF protection for your C2 infrastructure
8. Signature-based event analytics, rule bypassing & malicious network traffic generation:
Suricata ET / VRT rules vs attacker โ the syntax of the rules
Bro IDS log โfeaturesโ for deep low-level network baselining and โweirdโย findings
Threat Intelligence feeds, lists and 3rd party APIs:
IP reputation lists
Malware / Phishing feeds
C2 / Open Proxy lists / TOR exit-nodes
Censys / VT / Passive Total / Shodan
9. Summary โ recommended defensive/protection tactics, tools, and commercial platforms:
TTP, Kill chain & Defense and Offense in depth.
The importance of:
Network traffic baseline profiling
Memory forensics
Important data sources and log correlation
Open Source Security Projects for SOC environment