Practical Red Teaming: Weaponization & Adversary Simulation

$4,299.00

Duration

4 days

Delivery Method

in-person

Level

intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite in Phuket

DATE: 21-24 August 2023

TIME: 09:00 to 17:00 ICT/GMT+7

Date    Day        Time                   Duration
21 Aug  Monday     09:00-17:00 ICT/GMT+7  8 Hours
22 Aug  Tuesday    09:00-17:00 ICT/GMT+7  8 Hours
23 Aug  Wednesday  09:00-17:00 ICT/GMT+7  8 Hours
24 Aug  Thursday   09:00-17:00 ICT/GMT+7  8 Hours

Advanced Red Teaming: Weaponization & Adversary Simulation is a hands-on offensive training that helps organizations battle ever-growing targeted attacks and ransomware attacks by simulating their adversaries and putting your defenses and your blue team to the test, in order to improve the organization's security posture.

This training focuses on developing cyber weapons that evade AV detection, EDR logs, and forensic traces in the way advanced targeted attacks do, and provides insights into how to improve your organization's overall detection capability and security posture.

The training provides practical guidance, and attendees should walk away with the following skills:

• How to simulate a real APT attack given its TTPs.
• How to build your own malware to test your organization's defenses (or clients' defenses) against completely new malware.
• How to build your own Red Team infrastructure in AWS and secure it from being detected or blocked by the company's security team.
• Not just the techniques and how to use them, but how each technique works internally and how you can develop your own version of it.

 

Agenda

DAY 1:

APT Attacks & Red Team Infrastructure on AWS
• What is an APT Attack?
• What are the attack stages? And what is MITRE ATT&CK?
• APT attack lifecycle
• Examples of real-world APT attacks
• Deep dive into the attackers’ tactics, techniques, and procedures (TTPs) Using Threat Intelligence
• Understand the attackers’ malware arsenal
• Setting Up Your Infrastructure in the cloud
• Setting up your account in AWS & Terraform
• Build your network and Caldera VM in the cloud
• Create Redirectors to obfuscate your C&C IP

Phishing & Social Engineering Mastery
• Create a Phishing Platform using GoPhish & EmailGun
• Create Your Phishing Pages using EvilGinx 2
• Build Your Phishing plan using OSINT
• Build your phishing emails templates
• Bypass 2-Factor Authentication using EvilGinx 2

Initial Access: Get your foot into the organization network
• Spearphishing with a malicious document
• Spearphishing with link
• Spearphishing using social media
• Advanced Execution Techniques: LNK Files
• Advanced Execution Techniques: COM Objects
• Write your first spear-phishing attack with a malicious document (Hands-on)

 

DAY 2:

Write Your First HTTP Malware
• Build a Vulnerable organization in AWS
• Connect to Caldera C2 using HTTP
• Implement Base64 encoding in your malware
• Implement JSON parsing in your malware
• Send victim machine information to your C&C
• Receive and execute commands from Caldera
• Automate command execution across multiple victims
• Test your malware in your vulnerable AWS Lab

Malware Plugin Framework Implementation
• Add a framework for plugins with additional features
• Add a keylogger plugin to log keystrokes and steal credentials.
• Add commands for Caldera to download the keylogger logs

Maintaining Persistence In-Depth (Advanced Techniques)
• Maintain Persistence in the victim machine
• Advanced Persistence methods
• Disguise the malware inside a legitimate process (Malware-as-a-DLL)
• Persistence through DLL Injection

Privilege Escalation Techniques
• UAC bypass techniques
• Advanced UAC bypass techniques: Abusing Application Shimming
• Abuse services for privilege escalation
• Escalate to SYSTEM account.

 

DAY 3:

Malware Obfuscation: Bypass File Signature Scanning
• Strings Encryption
• Advanced Encryption Techniques
• Dynamic API Loading
• Hidden In Plain Sight: Malware Steganography

Network Obfuscation: Bypass IDS, IPS, NDR, and Machine learning-based tools
• Network Data Encryption
• Hidden In Plain Sight 01: HTML Smuggling
• Hidden In Plain Sight 02: Steganography
• HTTPS Communication
• Using legitimate websites for communications
• DNS Flux and DNS over HTTPS
• Other Protocols & Channels (ICMP, DNS)

Bypass EDRs & Behavioral-Based Detection
• Process Injection & DLL Injection
• Sysmon & EDR Bypass Techniques
• Unhook EDR APIs
• Invisible Process Injection Without Alerting EDRs
• AppLocker And Application Whitelisting bypass Techniques
• Sign your malware with a trusted certificate

 

DAY 4:

Impersonating Users: Credential Theft & Token Impersonation
• Credential Theft using lsass memory dump
• Bypass lsass protection
• Token Impersonation & Logon Types Overview
• Token Impersonation implementation in your malware
• Steal Remote Desktop Sessions
• Lateral movement using Caldera and your agent

Hack the Domain Controller Through Lateral Movements
• Using WMIC & PowerShell to gather user and network information
• Understand domain account permissions and access level
• NTLM Attacks: Pass The Hash
• Kerberos Attacks: Pass The Ticket
• Kerberos Attacks: Overpass The Hash
• Silver & Golden Tickets
• Lateral movement using Scheduled tasks
• Lateral movement using Remote COM Objects
• Lateral movement using WMIC & PowerShell Remoting

Who Should Attend

• Cyber Security Professionals
• Penetration Testers
• Purple Teamers & Threat Hunters
• Incident Handlers
• SOC Analysts

Key Learning Objectives

• Simulate a real APT attack given its TTPs and build their own malware to test their defenses (or clients' defenses) against completely new malware.
• Build their own Red Team infrastructure and secure it from being detected or blocked by the company's security team.
• Learn not just the techniques and how to use them, but how each technique works internally and how they can develop their own version of it.

Prerequisite Knowledge

• Good IT administration background, mainly in Windows (Linux is preferred)
• Good cybersecurity background
• Good programming skills in C++

Hardware / Software Requirements

• Laptop with a minimum of 8GB RAM and 80GB free hard disk space
• VirtualBox or VMware installed with a clean Windows VM for development. (If Windows is your main OS you can use it for development and testing, but this is not recommended.)
• Visual Studio Community Edition and VS Code installed on the development VM
• AWS account (the free tier is used; attendees might need to buy a domain to practice phishing, which is optional)
• Delegates must have full administrator access to the Windows operating system installed inside the VMware Workstation/Fusion VM.

Your Instructor

Amr Thabet is a malware researcher and an incident handler with over 10 years of experience. He has worked at Fortune 500 companies including Symantec, Tenable, and others.

He is the founder of MalTrak and the author of "Mastering Malware Analysis", published by Packt Publishing.

Amr is a speaker and a trainer at some of the top security conferences around the world, including Black Hat, DEF CON, Hack In Paris and the VB Conference. He was also featured in the Christian Science Monitor for his work on Stuxnet.

His mission is to help security professionals around the world build their expertise in malware analysis, threat hunting and red teaming and, most importantly, protect their organization's infrastructure from targeted attacks, ransomware attacks, and APT attacks.