Early bird registration rate ends on the 28th of February
The In & Out – Network Data Exfiltration Techniques [RED-edition] training class has been designed to present students the modern and emerging tools and techniques available for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. Highly technical content and only a hands-on practical approach guarantees that the usage of this transferred knowledge & technologies in real production environments will be easy, smooth and repeatable.
As for the introduction we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seeing in the wild and map the findings directly to ATT&CK Framework, kill chain methodology and defense/offense in depth strategy. We will also learn through the importance of network baselining, memory forensics, automated malware analysis solutions and finally the real threat simulation tactics that are the key important aspects of this training.
Next, we will deep dive into the individual network protocols, services and post exploitation techniques commonly in use by adversaries in corporate networks and discuss the security detection features. Using available set of tools, the student will play one by one with well prepared exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of modern attacker behavior.
● Red and Blue team members
● Security / Data Analytics
● CIRT / Incident Response Specialists
● Network Security Engineers
● SOC members and SIEM Engineers
● AI / Machine Learning Developers
● Chief Security Officers and IT Security Directors
Through hands-on lab exfiltration, this training delivers you a bigger picture of what you really need to care about when thinking initially or improving lately your SOC environment or Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or Machine-Learning and anomaly detection security solutions.
All the above training description is based on pure hands-on laboratory where student will run every single action or chained scenarios on his own in the dedicated virtual-lab network. This class will focus on x86/x64 architecture, IPv4/IPv6 networks and target Linux and Windows environments.
In terms of IDS/IPS/Data Leakage Protection and for better understanding the current status of your network security posture, the training experience will help you understand risks, identify network security blind spots and unexpected, uncovered spaces by simulating a real, offensive cyber adversary network behavior. Become confident that your SOC / network security really works!
I guarantee, that your overall Linux, Windows and “feeling the network security” skills will also increase significantly.
● An intermediate level of command line syntax experience using Linux and Windows
● Fundament knowledge of TCP/IP network protocols
● Penetration testing experience performing enumeration, exploiting, and lateral
movement is beneficial, but not required
● Basic programming skills is a plus, but not essential
● At least 20GB of free disk space
● At least 8GB of RAM
● Students should have the latest Virtualbox installed on their machine
● Full Admin access on your laptop
a. ATT&CK Framework.
b. TTP, Kill chain & Defense and Offense in depth.
c. The importance of:
– Network traffic baseline profiling
– Memory forensics
– Real threat simulations != penetration tests
– Data sources and log correlation
2. Modern RAT’s implementation and popular APT/C2 malware communication design – real use cases based on the malware Zoo:
a. The review of the latest APT campaigns
b. Multi-Staging and Network Link chaining
c. Data Hiding / obfuscation
d. Transfer / protocol customization
e. Timing channels / scheduled jobs / packet dripping
3. TCP/UDP bind and reverse shells:
a. Meterpreter + Veil Framework + Shellter + Sharpshooter:
– Generating staged / stageless exotic payloads
– Powershell & cmd.exe obfuscation
– Auditing and bypassing firewallsiv.
– Routing, relaying, pivoting & port forwarding
b. CLI tips & tricks:
– netcat / nc / cryptocat / telnet / socat / curl / wget / xxd / rsync
– /dev/tcp & /dev/udp
– installutil / regsvr32 / regsvcs / regasm / print / msbuild / installutil
– PHP / Perl / Python / Ruby / JSP / ASP / LUA / awk shellz
c. TCP/UDP raw socket tunnels.
d. Generate your own network shellcode & analyze the Exploit-db Shellcode Archive.
4. General bypassing, exfiltration, tunneling, pivoting, proxying and C2 techniques:
– Authoritative vs recursive
– CDN theory & domain fronting
– Fast-flux domains
– Dictionary and random characters DGA
– DNS proxy, DNS over HTTPS, DNS over TLS
– DNS Rebinding and other DNS anomalies
c. HTTP/S & web application exploitation techniques combo:
– HTTP methods / headers / cookies / redirects / error codes
– Chunked Transfer Encoding
– Website cloning and armoring
– WebDAV and Websockets C2
– Certificate exfiltration & TLS/SSL anomalies
– *Injections + exfiltration → OOB
– HTTP anomalies
d. AD / LDAP / RDP covert channels and Offensive Powershell Frameworks:
– Golden / Silver Ticket / Kerberoasting
– NTLM relaying and redirects
– UNC paths
e. Storage protocols: FTP / TFTP / SMB / NFS / iSCSI
f. WMI / WinRM / PS-remote
g. Forward / Reverse / SOCKS Proxy
h. SSH / SFTP / SCP
i. VPN / TOR / Open Proxy
j. POP3 / SMTP / IMAP
l. P2P / Torrent
m. + chaining of aboves and many more.
5. Cloud-based exfiltration techniques and C2 channels.
6. Just a Browser Exfiltration:
a. Local network scanning and hidden network enumeration through XSS
b. Audio / video exfil
7. Hoping from air-gapped networks → how to create your own Bad USB using RPI.
8. Signature-based event analytics, rule bypassing & malicious network traffic generation:
a. Suricata ET / VRT rules vs attacker → the syntax of the rules
b. Bro IDS log “features” for deep low-level network baselining and “weird” findings
c. Threat Intelligence feeds, lists and 3rd party APIs:
– IP reputation lists
– Malware / Phishing feeds
– C2 / Open Proxy lists / TOR exit-nodes
– Censys / VT / Passive Total / Shodan
9. Adversary simulation detection tests and automated platforms based on MITRE’s ATT&CK:
a. Atomic Red Team
b. APT simulator
c. Dumpster Fire
i. and many more
10. Summary → recommended defensive/protection tactics, tools and commercial platforms.