3-DAY TRAINING 7 – In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition]



CAPACITY: 15 pax




This training is based on PurpleLABS, a dedicated virtual infrastructure for detecting and analysing attacker behaviour in terms of the techniques, tactics, procedures and offensive tools used. After the training, each attendee gets an additional 14 days of PurpleLABS access to keep playing and learning!

The In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition] training class has been designed to present students with modern and emerging TTPs used in the network exfiltration and lateral movement phases. Highly technical content and a purely hands-on, practical approach ensure that applying the transferred knowledge and tactics in real production environments will be easy, smooth and repeatable.

Through hands-on labs only, this training gives you the bigger picture of what you really need to care about when first designing, or later improving, your Security Operations Center environment, your Red and Blue team skills, your SIEM / data analytics deployments, your DLP / IDS / IPS installations or your network anomaly detection solutions.

Using the provided set of tools, the student works one by one through well-prepared lateral movement, exfiltration, pivoting and tunneling use cases to generate the true network symptoms of modern adversary behavior.

Alongside that, we will deep dive into the individual network protocols, services and post-exploitation techniques commonly in use, and discuss the detection points for each.

The workshop will significantly sharpen your skills in the field of adversary simulation and advanced threat detection.

Who Should Attend

  • Red and Blue team members
  • SOC Analysts and SIEM Engineers
  • Security / Data Analysts
  • Pentesters and Risk Auditors
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • AI / Machine Learning Security Developers
  • Chief Security Officers and IT Security Directors

Key Learning Objectives

  • Simulate real adversaries in the network using dedicated Open Source projects and techniques, including LDAP as hidden storage, AD as C2, DCSync / DCShadow, Pass-the-Hash / Pass-the-Ticket, remote credential dumping, registering a protocol handler remotely and many more.
  • Bypass Linux and Windows local security restrictions and command-line argument detections using obfuscation and Living Off The Land Binaries And Scripts
  • Generate and run different encrypted types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding and C2 proxying, change transport on the fly, and find out what network traffic artifacts such actions leave behind.
  • Manually generate suspicious network events from Python, e.g. establish a C2 connection over QUIC, HTTP/2, NTP and more.
  • Simulate DNS DGA traffic, run DNS tunnels and remote shells, exfiltrate and hide data transfers using DNS-over-HTTPS, deliver a payload over AXFR, or pwn the local Docker API via DNS rebinding
  • Set up implant jitter and connection time-outs, and learn how to blend your C2 channel into normal traffic
  • Use different HTTP techniques, headers and methods for stealing data in combination with web application injection techniques (OOB), and walk through the world of web shells
  • Run, detect and understand different TLS/SSL-based anomalies and exfiltration methods, and hide behind a chosen JA3 hash
  • Create a remote thread and deliver compressed, encrypted, in-memory offensive PowerShell scripts during the post-exploitation stage for leaking data and bypassing AV / EDR / AMSI
  • Clone, armor and phish popular websites and use them as a covert channel
  • Create a CDN domain fronting setup, punch holes in the NAT and run WAF filtering rules for C2 payload traffic
  • Build a covert channel that drips a large file out over ICMP, and monitor ICMP traffic
  • Bypass and pivot at scale by running internal HTTPS, WMI, WebSocket, named pipe, WinRM and P2P covert channels
  • Use popular cloud-based services for C2 communication and data stealing, e.g. Pastebin, Twitter, AWS, Dropbox, Google Drive.
  • Run verification actions for IT security products and providers during a PoC / PoV
  • Discuss how Suricata IDS / Zeek IDS / NetFlow / Sysmon / osquery and Sigma rules can help you detect and correlate suspicious events
  • And a combination of many more. I guarantee that your overall Linux, Windows and “feeling the network security” skills will also increase significantly.
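As an added example that is not part of the course material, the snippet below simulates the two DGA flavours the objectives mention (random-character and dictionary-based) and pairs them with one classic detection point: a per-label entropy and vowel-ratio score applied to DNS query names. The seed word list, TLDs, thresholds and the log lines are constructed assumptions, not data from the labs.

```python
"""Added example, not course material: minimal DGA simulation and a first
detection point. Seed words, TLDs, thresholds and the sample log are assumptions."""
import hashlib
import math
from collections import Counter
from datetime import date

# Assumed seed word list; real dictionary DGAs ship hundreds of words.
WORDS = ["cloud", "secure", "update", "mail", "portal", "login", "data", "sync"]


def _byte_stream(seed: str, n: int) -> bytes:
    """Deterministic pseudo-random bytes from a seed (chained SHA-256)."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def random_char_dga(day: date, count: int, tld: str = "xyz") -> list:
    """Random-character DGA: date-seeded labels of 12 lowercase letters."""
    names = []
    for i in range(count):
        stream = _byte_stream(f"{day.isoformat()}:rnd:{i}", 12)
        label = "".join(chr(ord("a") + b % 26) for b in stream)
        names.append(f"{label}.{tld}")
    return names


def dictionary_dga(day: date, count: int, tld: str = "net") -> list:
    """Dictionary DGA: two seed words glued together, date-seeded."""
    names = []
    for i in range(count):
        a, b = _byte_stream(f"{day.isoformat()}:dict:{i}", 2)
        names.append(f"{WORDS[a % len(WORDS)]}{WORDS[b % len(WORDS)]}.{tld}")
    return names


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(fqdn: str) -> dict:
    """Score the second-level label. High entropy plus few vowels is the
    textbook symptom of a random-character DGA; a dictionary DGA passes this
    check and needs other signals (NXDOMAIN ratio, never-seen-before SLDs)."""
    labels = fqdn.rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    entropy = shannon_entropy(sld)
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return {
        "sld": sld,
        "entropy": round(entropy, 2),
        "vowel_ratio": round(vowel_ratio, 2),
        "suspicious": len(sld) >= 10 and entropy > 3.0 and vowel_ratio < 0.3,
    }


def flag_queries(log_lines: list) -> list:
    """Return the query names in 'src query' lines that the score flags; in the
    lab this would read Zeek dns.log or Suricata eve.json instead."""
    flagged = []
    for line in log_lines:
        _, query = line.split()
        if dga_score(query)["suspicious"]:
            flagged.append(query)
    return flagged


# Constructed sample log (not real traffic): one random-character DGA lookup
# among ordinary names, plus a dictionary-style name that blends in.
SAMPLE_DNS_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.securelogin.net",
    "10.0.0.7 qzxkvjwplmrt.xyz",
    "10.0.0.7 update.microsoft.com",
]

if __name__ == "__main__":
    today = date(2020, 7, 20)
    print("random-char:", random_char_dga(today, 3))
    print("dictionary: ", dictionary_dga(today, 3))
    print("flagged:    ", flag_queries(SAMPLE_DNS_LOG))
```

Run it and note which of the two generators the entropy check catches: only the random-character names. The pronounceable `securelogin.net`-style output is the whole point of dictionary DGAs, and is why the DNS labs look at NXDOMAIN rates and domain age as well.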

In terms of IDS/IPS/Data Leakage Protection, and for a better understanding of the current status of your network security posture, the training will help you understand risks and identify network security blind spots and unexpected, uncovered spaces by simulating the real network behavior of an offensive cyber adversary. Become confident that your SOC and network security really work!

Prerequisite Knowledge

  • Intermediate command-line experience on Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploitation and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Virtual Lab Infrastructure

This training is based on PurpleLABS, a dedicated virtual infrastructure for detecting and analysing attacker behaviour in terms of the techniques, tactics, procedures and offensive tools used. The environment has been set up to support the constant improvement of threat hunting competences and to track current trends in offensive actions (red teaming) versus the detection phases (blue teaming).
PurpleLABS provides analytical interfaces for all relevant data sources from the individual systems and network services available in the virtual infrastructure (Sysmon, Windows events, firewall, Bro/Zeek, Suricata, osquery, auth, PowerShell, WAF, proxy, audit and more). That means you will also get a chance to do *bonus* detection and hunting steps against every offensive lab we run during the training. The coolest thing: after the training you get an additional 14 days of access to PurpleLABS! Just take a look: https://www.defensive-security.com/purplelabs/

Hardware / Software Requirements

  • VPN client installed according to the VPN Setup instructions
  • Slack account (an invite to the dedicated training channel will be sent)
  • Stable internet connection
  • Recommended:
    • Zoom client installed
    • HD camera, to have 1:1 access to the instructor and the rest of the participants. Even virtually, let's feel like we were in the classroom together.
  • Comment: this training is based on the dedicated PurpleLABS cloud infrastructure, so there are no special requirements for the student's desktop. No more initial setup issues, just a pure training experience!

Agenda Day 1, 2 & 3

1. Introduction:

  • Introduction to Adversary Simulations and Open Source Attack Emulation projects:

    • Atomic Red Team

    • RTA

    • APT simulator

    • Dumpster Fire

    • Firebolt

    • Flightsim

    • BYOB

    • Metta

    • Infection Monkey

    • Caldera

    • and more

2. Modern RAT implementations and popular APT/C2 malware communication design: a review of the latest APT campaigns mapped to the MITRE ATT&CK framework and Sigma rules.
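The beaconing behaviour at the heart of most C2 communication designs, as an added example that is not course material: the implant side of a sleep-plus-jitter schedule next to the defender side, a beacon-regularity score over per-pair connection times (median inter-arrival and its median absolute deviation, similar in spirit to what tools such as RITA compute). Hosts, intervals, thresholds and the connection log are constructed assumptions.

```python
"""Added example, not course material: implant jitter vs. a beacon hunt.
Hosts, sleep values, thresholds and the constructed log are assumptions."""
import random
import statistics
from collections import defaultdict


def beacon_schedule(start: float, count: int, sleep_s: float,
                    jitter_pct: float, seed: int = 1) -> list:
    """Implant side: check-in times. Each sleep is sleep_s +/- jitter_pct %,
    drawn uniformly; the seed makes a lab run reproducible."""
    rng = random.Random(seed)
    t, times = float(start), []
    span = sleep_s * jitter_pct / 100.0
    for _ in range(count):
        times.append(t)
        t += sleep_s + rng.uniform(-span, span)
    return times


def beacon_score(timestamps: list) -> dict:
    """Defender side: median inter-arrival time and its median absolute
    deviation. regularity is 1.0 for a fixed sleep and falls as jitter grows."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if not deltas:
        return {"connections": len(ts), "median": 0.0, "mad": 0.0, "regularity": 0.0}
    med = statistics.median(deltas)
    mad = statistics.median(abs(d - med) for d in deltas)
    regularity = max(0.0, 1.0 - mad / med) if med > 0 else 0.0
    return {"connections": len(ts), "median": med, "mad": mad,
            "regularity": round(regularity, 3)}


def hunt_beacons(conn_lines: list, min_conns: int = 20,
                 min_regularity: float = 0.8) -> list:
    """Group 'ts src dst' lines by (src, dst) and return pairs whose timing
    looks like a beacon. Both thresholds are assumptions: an implant with
    enough jitter drops below min_regularity, which is why connection count
    and session duration have to be correlated with the timing score."""
    per_pair = defaultdict(list)
    for line in conn_lines:
        ts, src, dst = line.split()
        per_pair[(src, dst)].append(float(ts))
    hits = []
    for pair, times in per_pair.items():
        score = beacon_score(times)
        if score["connections"] >= min_conns and score["regularity"] >= min_regularity:
            hits.append((pair, score))
    return hits


def constructed_conn_log() -> list:
    """Constructed Zeek-conn-like lines (not real traffic): an implant calling
    home every 60 s with 0 % jitter, a second one with 50 % jitter, and a
    user's handful of visits to a web server."""
    lines = []
    for t in beacon_schedule(0, 40, 60, 0):
        lines.append(f"{t:.1f} 10.0.0.7 203.0.113.10")
    for t in beacon_schedule(0, 40, 60, 50, seed=7):
        lines.append(f"{t:.1f} 10.0.0.8 203.0.113.11")
    for t in (5, 9, 300, 1800, 1805):
        lines.append(f"{t:.1f} 10.0.0.5 198.51.100.20")
    return lines


if __name__ == "__main__":
    for pair, score in hunt_beacons(constructed_conn_log()):
        print(pair, score)
    for pair_times in constructed_conn_log():
        pass
    print(beacon_score(beacon_schedule(0, 40, 60, 50, seed=7)))
```

With 0 % jitter the score is exactly 1.0 and the pair is flagged. With ±50 % jitter the inter-arrival times are spread uniformly over 30–90 s, so the median absolute deviation lands near a quarter of the sleep and the score near 0.75, under the assumed 0.8 threshold: that is the "blending in" the objectives describe, and the reason a hunt cannot rest on regularity alone.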

3. Not just the basics of TCP/UDP bind and reverse shells:

  • Meterpreter + Veil Framework + Shellter + Sharpshooter + Empire:

    • Generating staged / stageless exotic payloads

    • PowerShell & cmd.exe obfuscation

    • Auditing and bypassing firewalls

    • Routing, relaying, pivoting & port forwarding

    • and more

  • CLI / LOLBAS tips & tricks:

    • netcat / nc / cryptocat / telnet / socat / curl / wget / xxd / rsync

    • /dev/tcp & /dev/udp

    • installutil / regsvr32 / regsvcs / regasm / print / msbuild

    • PHP / Perl / Python / Ruby / JSP / ASP / Lua / awk shells

    • and more

  • TCP/UDP raw socket tunnels.
  • Establish your own C2 communication channels by using:

    • Covenant

    • Koadic

    • PoshC2

    • Apfell

    • Faction C2

    • C3

    • and more

4. Covert channels and C2 techniques:

  • ICMP

  • DNS:

    • CDN theory, domain fronting and domain reputation

    • Fast-flux domains

    • Dictionary-based and random-character DGAs

    • DNS proxy, DNS over HTTPS, DNS over TLS

    • Payload delivery over AXFR

    • DNS Rebinding and other DNS anomalies

  • HTTP/S & web application exploitation techniques combo:

    • HTTP methods / headers / cookies / redirects / error codes

    • Chunked Transfer Encoding

    • Website cloning and armoring

    • WebDAV and Websockets C2

    • Certificate exfiltration & TLS/SSL anomalies

    • *Injections + exfiltration → OOB

    • Webshell as SOCKS proxy

    • QUIC / HTTP2

    • HTTP anomalies
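The ICMP covert channel from the start of this section, as an added example that is not course material: the sender-side packet building and receiver-side reassembly for dripping a file out in ping-sized echo requests, plus the one observation a monitor can make on such a stream. It builds the ICMP layer as bytes only; putting them on the wire needs a raw socket and root and is deliberately left out. The channel identifier, chunk size and file content are constructed assumptions.

```python
"""Added example, not course material: ICMP echo 'packet dripping' channel
built as bytes only. Identifier, chunk size and sample file are assumptions."""
import struct

ICMP_ECHO_REQUEST = 8
CHUNK = 56  # bytes per packet, the default Linux ping payload size


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> tuple:
    """Return (ident, seq, payload); a valid packet checksums to zero."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum or truncated packet")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != ICMP_ECHO_REQUEST or code != 0:
        raise ValueError("not an echo request")
    return ident, seq, packet[8:]


def drip_file(data: bytes, ident: int, chunk: int = CHUNK) -> list:
    """Sender side. seq 0 is a prologue (total length, chunk count); seq i >= 1
    carries chunk i-1, so one transfer is limited to 65535 chunks. The
    identifier ties all packets of one transfer together."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    packets = [build_echo(ident, 0, struct.pack("!II", len(data), len(chunks)))]
    for i, piece in enumerate(chunks, start=1):
        packets.append(build_echo(ident, i, piece))
    return packets


def reassemble(packets: list, ident: int):
    """Receiver side: tolerate reordering, duplicates and corrupted packets;
    return the file once every announced chunk has arrived, else None."""
    pieces, expected = {}, None
    for pkt in packets:
        try:
            pid, seq, payload = parse_echo(pkt)
        except ValueError:
            continue  # mangled on the way, drop it
        if pid != ident:
            continue
        if seq == 0 and len(payload) >= 8:
            expected = struct.unpack("!II", payload[:8])
        elif seq > 0:
            pieces[seq] = payload
    if expected is None:
        return None
    total_len, count = expected
    if any(i not in pieces for i in range(1, count + 1)):
        return None
    return b"".join(pieces[i] for i in range(1, count + 1))[:total_len]


def payload_varies(packets: list) -> bool:
    """Monitor side: ordinary ping repeats the same filler bytes in every echo
    (only the leading timestamp changes); a dripping channel does not."""
    tails = {parse_echo(p)[2][16:] for p in packets}
    return len(tails) > 1


# Constructed inputs (not captured traffic): a 512-byte 'file' and a run of
# ping-like echoes with an 8-byte timestamp followed by fixed filler.
SAMPLE_FILE = bytes(range(256)) * 2
PING_LIKE = [build_echo(1, s, struct.pack("!Q", 1000 + s) + bytes(range(0x10, 0x40)))
             for s in range(1, 6)]

if __name__ == "__main__":
    pkts = drip_file(SAMPLE_FILE, 0x1337)
    print(len(pkts), "packets;", "intact:", reassemble(pkts, 0x1337) == SAMPLE_FILE)
    print("dripping stream varies:", payload_varies(pkts),
          "| ping stream varies:", payload_varies(PING_LIKE))
```

The monitoring side is intentionally simple: on a host that should only ever ping, a run of echo requests whose bodies differ from one packet to the next, sharing one identifier and climbing sequence numbers, is the symptom to alert on, and Zeek's or Suricata's ICMP logs carry exactly those fields.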

5. Lateral movement and Offensive Frameworks:

  • AD as C2 / LDAP as hidden storage

  • DCShadow / DCsync

  • Golden / Silver Ticket

  • Kerberoasting

  • NTLM relaying and redirects

  • UNC paths

  • RDP tunneling

  • Credential dumping at scale

  • WMI / WinRM / PS-remote

  • Storage protocols: FTP / TFTP / SMB / NFS / iSCSI

  • Forward / Reverse / SOCKS Proxy

  • SSH tunneling / SFTP / SCP

  • VPN / TOR / Open Proxy

  • POP3 / SMTP / IMAP

  • + chaining of above and many more.

6. Cloud-based exfiltration techniques and C2 channels:

  • Slack as C2

  • SSH over Google Drive

  • Pastebin as C2

7. FW / WAF protection for your C2 infrastructure

8. Signature-based event analytics, rule bypassing & malicious network traffic generation:

  • Suricata ET / VRT rules vs attacker → the syntax of the rules

  • Bro IDS log “features” for deep low-level network baselining and “weird” findings

  • Threat Intelligence feeds, lists and 3rd party APIs:

    • IP reputation lists

    • Malware / Phishing feeds

    • C2 / Open Proxy lists / TOR exit-nodes

    • Censys / VT / Passive Total / Shodan

9. Summary → recommended defensive/protection tactics, tools, and commercial platforms:

  • TTP, Kill chain & Defense and Offense in depth.

  • The importance of:

    • Network traffic baseline profiling

    • Memory forensics

    • Important data sources and log correlation

    • Open Source Security Projects for SOC environment

Location: Training Rooms
Date: July 20, 2020
Time: 9:00 am - 6:00 pm
Leszek Miś