Practical Red Teaming: Weaponization & Adversary Simulation

ATTEND IN-PERSON: Onsite in Phuket

DATE: 21-24 August 2023

TIME: 09:00 to 17:00 ICT/GMT+7

Advanced Red Teaming: Weaponization & Adversary Simulation is a hands-on offensive training that focuses on helping organizations battle against ever-growing targeted attacks and ransomware attacks by simulating their adversaries and putting your defenses and your blue team at test to improve the organization security posture

This training focuses on developing cyber weapons that can evade AV detection, EDR logs, and forensics traces like how advanced targeted attacks do, and provide you with insights on how to improve your organization’s overall detections and security posture.

The training provides practical guidance & attendees should walk away with the following skills:

• How to simulate a real APT Attack given its TTPs.
• How to build your own malware to test their defenses (or clients’ defenses) against completely new malware.
• How to build your own Red Team infrastructure in AWS and secure it from being detected or blocked by the company’s security team.
• How to learn not just the techniques and how to use them, but how each technique works internally and how you can develop your own version of it.

Agenda

DAY 1

APT Attacks & Red Team Infrastructure on AWS
• What is an APT Attack?
• What are the Attack Stages? And what’s MITTRE ATTACK?
• APT attack lifecycle
• Examples of real-world APT attacks
• Deep dive into the attackers’ tactics, techniques, and procedures (TTPs) Using Threat Intelligence
• Understand the attackers’ malware arsenal
• Setting Up Your Infrastructure in the cloud
• Setting up your account in AWS & Terraform
• Build your network and Caldera VM in the cloud
• Create Redirectors to obfuscate your C&C IP

Phishing & Social Engineering Mastery
• Create a Phishing Platform using GoPhish & EmailGun
• Create Your Phishing Pages using EvilGinx 2
• Build Your Phishing plan using OSINT
• Build your phishing emails templates
• Bypass 2-Factor Authentication using EvilGinx 2

Initial Access: Get your foot into the organization network
• Spearphishing with a malicious document
• Spearphishing with link
• Spearphishing using social media
• Advanced Execution Techniques: LNK Files
• Advanced Execution Techniques: COM Objects
• Write your first spear-phishing attack with a malicious document (Hands-on)

DAY 2:

Write Your First HTTP Malware
• Build a Vulnerable organization in AWS
• Connect to Caldera C2 using HTTP
• Implement Base64 encoding in your malware
• Implement JSON parsing in your malware
• Send victim machine information to your C&C
• Receive and execute commands from Caldera
• Automate command execution across multiple victims
• Test your malware in your vulnerable AWS Lab

Malware Plugin Framework Implementation
• Add a framework for plugins with additional features
• Add a keylogger plugin to log keystrokes and steal credentials.
• Add commands for Caldera to download the keylogger logs

Maintaining Persistence In-Depth (Advanced Techniques)
• Maintain Persistence in the victim machine
• Advanced Persistence methods
• Disguise the malware inside a legitimate process (Malware-as-a-DLL)
• Persistence through DLL Injection

Privilege Escalation Techniques
• UAC bypass techniques
• Advanced UAC bypass techniques: Abusing Application Shimming
• Abuse services for privilege escalation
• Escalate to SYSTEM account.

DAY 3:

Malware Obfuscation: Bypass File Signature Scanning
• Strings Encryption
• Advanced Encryption Techniques
• Dynamic API Loading
• Hidden In Plain Sight: Malware Steganography

Network Obfuscation: Bypass IDS, IPS, NDR, and Machine learning-based tools
• Network Data Encryption
• Hidden In Plain Sight 01: HTML Smuggling
• Hidden In Plain Sight 02: Steganography
• HTTPS Communication
• Using legitimate websites for communications
• DNS Flux and DNS over HTTPS
• Other Protocols & Channels (ICMP, DNS)

Bypass EDRs & Behavioral-Based Detection
• Process Injection & DLL Injection
• Sysmon & EDR Bypass Techniques
• Unhook EDR APIs
• Invisible Process Injection Without Alerting EDRs
• AppLocker And Application Whitelisting bypass Techniques
• Signed your malware with a trusted Certificate

DAY 4:

Impersonating Users: Credential Theft & Token Impersonalization
• Credential Theft using lsass memory dump
• Bypass lsass protection
• Token Impersonation & Logon Types Overview
• Token Impersonation implementation in your malware
• Steal Remote Desktop Sessions
• Lateral movement using caldera and your agent

Hack the Domain Controller Through Lateral Movements
• Using WMIC & Powershell to gather users and network information
• Understand domain account permissions and access level
• NTLM Attacks: Pass The Hash
• Kerberos Attacks: Pass The Ticket
• Kerberos Attacks: Overpass The Hash
• Silver & Golden Tickets
• Lateral movement using Scheduled tasks
• Lateral movement using Remote COM Objects
• Lateral movement using WMIC & Powershell Remoting