Threat actors build their tradecraft for each campaign, they need to select the right tactics, techniques. Most of the time they use open source or commercial, but publicly available tools. They even re-purpose or pack existing malware acquired from other threat actors. The reason behind of this decision is tool development takes time, and if the known/current tools already work well, they don’t need upgrades either. However, the adversary simulation specialists need to operate in safer environments, therefore, they’re not allowed to use malicious tradecraft or unknown tools in general.
Tradecraft development is an essential skill for an adversary simulation specialist as it needs custom C2 protocols, implants, safer but realistic Mitre Att&ck TTPs, and finally cutting-edge evasions for the modern security controls including EDRs and Cyber Analytics. In this workshop, we’ll walk through reasons and ways of Tradecraft development, talk about where to start, and to go, finding example source codes, walking through the source code of existing C2s, implants, and draft tools. We’ll also discuss about weaponization techniques such as offensive pipelines, modern evasions techniques and tool integrations. During the exercises, we’ll prefer C# for programming, but you can replicate what you learn in various languages after this workshop (e.g. Python, Go, Rust).
During the workshop, the participants will be able to develop their own implants, C2s, evasions and more using examples and active tools such as Petaq Purple Team C2 and Malware, TA505+ Adversary Simulation Pack and Tehsat Malware Traffic Generator.
· Adversaries and Various Tradecraft Examples · Basics for Microsoft .Net Framework and C# · Writing sample codes, compiling it and getting familiar with Visual Studio · Non-traditional ways to compile or execute .NET Framework code · Merging and repurposing the existing PoC implementations
· Building Various Communication Protocols and Services · Building the Implant and Integrating to C2 · Implementing Essential Features to Operate · Building Mitre Att&ck Examples and Automation
· P/Invoke and WinAPI · Shellcode/DLL Injection Techniques · Anti-Virus and EDR Evasions · ETW Bypasses · D/Invoke, Syscalls and Beyond
Red Team members and Penetration Testers would get the benefits of developing new offensive capabilities and learning cutting-edge techniques. Through the techniques learned in this workshop, participants can develop their own custom implementations for the exercises to safely operate in an engagement.
Blue and Purple team members, such as Security Operations, Threat Hunting, Threat Intelligence and Incident Response team members, would also learn these new techniques and their associated IOCs. During the workshop, the defence techniques and their weaknesses will be discussed through demonstrations. It also gives the participants an opportunity of implementing Mitre Att&ck tests safely with automation through custom tool development.