The In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition] training class has been designed to present students modern and emerging TTPs available for network exfiltration and lateral movement phases. Highly technical content and only a hands-on practical approach guarantees that the usage of this transferred knowledge & tactics in real production environments will be easy, smooth and repeatable.
Through hands-on labs only, this training will deliver you a bigger picture of what you really need to care about when thinking initially or improving lately your Security Operation Center environment, Red and Blue team skills, your SIEM / data analytics deployments, your DLP / IDS / IPS installations or anomaly detection network security solutions.
Using an available set of tools, the student will play one by one with well prepared lateral movement, exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of modern adversary behavior.
Next to that, we will deep dive into the individual network protocols, services, and post exploitation techniques commonly in use and discuss the detection points.
The workshop should perfectly power up your skills in the field of adversary simulations and advanced threat detection.
In terms of IDS/IPS/Data Leakage Protection and for better understanding the current status of your network security posture, the training experience will help you understand risks, identify network security blind spots and unexpected, uncovered spaces by simulating a real, offensive cyber adversary network behavior. Become confident that your SOC/network security really works!
PurpleLABS provides analytical interfaces for all relevant data sources from individual systems and network services available in the virtual infrastructure (sysmon, windows events, fw, bro, suricata, osquery, auth, powershell, waf, proxy, audit, and more). Saying that you will get a chance for doing *bonus* detection and hunting steps against all the offensive labs we have available during the training. The coolest thing is after the training you will get an additional 14-days of access to PurpleLabs! Just take a look: https://www.defensive-security.com/purplelabs/
Introduction to Adversary Simulations and Open Source Attack Emulation projects:
Atomic Red Team
2. Modern RAT’s implementation and popular APT/C2 malware communication design – the review of the latest APT campaigns mapped to MITRE ATT&CK Framework and Sigma rules.
3. Not just the basics of TCP/UDP bind and reverse shells:
Meterpreter + Veil Framework + Shellter + Sharpshooter + Empire:
Generating staged / stageless exotic payloads
Powershell & cmd.exe obfuscation
Auditing and bypassing firewalls
Routing, relaying, pivoting & port forwarding
CLI / LOLBAS tips & tricks:
netcat / nc / cryptocat / telnet / socat / curl / wget / xxd / rsync
/dev/tcp & /dev/udp
installutil / regsvr32 / regsvcs / regasm / print / msbuild / installutil
PHP / Perl / Python / Ruby / JSP / ASP / LUA / awk shellz
Establish your own C2 communication channels by using:
4. Covert channels and C2 techniques:
CDN theory, domain fronting and domain reputation
Dictionary and random characters DGA
DNS proxy, DNS over HTTPS, DNS over TLS
Payload delivery over AXFR
DNS Rebinding and other DNS anomalies
HTTP/S & web application exploitation techniques combo:
HTTP methods / headers / cookies / redirects / error codes
Chunked Transfer Encoding
Website cloning and armoring
WebDAV and Websockets C2
Certificate exfiltration & TLS/SSL anomalies
*Injections + exfiltration → OOB
Webshell as SOCKS proxy
QUIC / HTTP2
5. Lateral movement and Offensive Frameworks:
AD as C2 / LDAP as hidden storage
DCShadow / DCsync
Golden / Silver Ticket
NTLM relaying and redirects
Credential dumping at scale
WMI / WinRM / PS-remote
Storage protocols: FTP / TFTP / SMB / NFS / iSCSI
Forward / Reverse / SOCKS Proxy
SSH tunneling / SFTP / SCP
VPN / TOR / Open Proxy
POP3 / SMTP / IMAP
+ chaining of above and many more.
6. Cloud-based exfiltration techniques and C2 channels:
Slack as C2
SSH over Google Drive
Pastebin as C2
7. FW / WAF protection for your C2 infrastructure
8. Signature-based event analytics, rule bypassing & malicious network traffic generation:
Suricata ET / VRT rules vs attacker → the syntax of the rules
Bro IDS log “features” for deep low-level network baselining and “weird” findings
Threat Intelligence feeds, lists and 3rd party APIs:
IP reputation lists
Malware / Phishing feeds
C2 / Open Proxy lists / TOR exit-nodes
Censys / VT / Passive Total / Shodan
9. Summary → recommended defensive/protection tactics, tools, and commercial platforms:
TTP, Kill chain & Defense and Offense in depth.
The importance of:
Network traffic baseline profiling
Important data sources and log correlation
Open Source Security Projects for SOC environment