Threat actors build their tradecraft for each campaign, they need to select the right tactics, techniques. Most of the time they use open source or commercial, but publicly available tools. They even re-purpose or pack existing malware acquired from other threat actors. The reason behind of this decision is tool development takes time, and if the known/current tools already work well, they don’t need upgrades either. However, the adversary simulation specialists need to operate in safer environments, therefore, they’re not allowed to use malicious tradecraft or unknown tools in general.
Tradecraft development is an essential skill for an adversary simulation specialist as it needs custom C2 protocols, implants, safer but realistic Mitre Att&ck TTPs, and finally cutting-edge evasions for the modern security controls including EDRs and Cyber Analytics. In this workshop, we’ll walk through reasons and ways of Tradecraft development, talk about where to start, and to go, finding example source codes, walking through the source code of existing C2s, implants, and draft tools. We’ll also discuss about weaponization techniques such as offensive pipelines, modern evasions techniques and tool integrations. During the exercises, we’ll prefer C# for programming, but you can replicate what you learn in various languages after this workshop (e.g. Python, Go, Rust).
During the workshop, the participants will be able to develop their own implants, C2s, evasions and more using examples and active tools such as Petaq Purple Team C2 and Malware, TA505+ Adversary Simulation Pack and Tehsat Malware Traffic Generator.
Red Team members and Penetration Testers would get the benefits of developing new offensive capabilities and learning cutting-edge techniques. Through the techniques learned in this workshop, participants can develop their own custom implementations for the exercises to safely operate in an engagement.
Blue and Purple team members, such as Security Operations, Threat Hunting, Threat Intelligence and Incident Response team members, would also learn these new techniques and their associated IOCs. During the workshop, the defence techniques and their weaknesses will be discussed through demonstrations. It also gives the participants an opportunity of implementing Mitre Att&ck tests safely with automation through custom tool development.
The participants should have a brief understanding of the adversary simulation concepts.
In addition, essential programming skills would make the exercises easier for the participants. Without programming skills, it’s still possible to learn new techniques with understanding/watching the demonstrations and exercises, but not advised.
To participate with the exercises, it’s suggested to bring a laptop running a Windows 10 operating system (or a Virtual Machine) with .NET Framework 4+ and Visual Studio Community Edition installed.
Introduction to Tradecraft Development
Building a C2 and Implant
Implementing WinAPI, Evasions and Unmanage Code Executions