Date | Day | Time | Duration |
21 Aug | Monday | 0900-17:00 ICT/GMT+7 | 8 Hours |
22 Aug | Tuesday | 0900-17:00 ICT/GMT+7 | 8 Hours |
23 Aug | Wednesday | 0900-17:00 ICT/GMT+7 | 8 Hours |
24 Aug | Thursday | 0900-17:00 ICT/GMT+7 | 8 Hours |
This training focuses on developing cyber weapons that can evade AV detection, EDR logs, and forensics traces like how advanced targeted attacks do, and provide you with insights on how to improve your organization’s overall detections and security posture.
The training provides practical guidance & attendees should walk away with the following skills:
• How to simulate a real APT Attack given its TTPs.
• How to build your own malware to test their defenses (or clients’ defenses) against completely new malware.
• How to build your own Red Team infrastructure in AWS and secure it from being detected or blocked by the company’s security team.
• How to learn not just the techniques and how to use them, but how each technique works internally and how you can develop your own version of it.
APT Attacks & Red Team Infrastructure on AWS
• What is an APT Attack?
• What are the Attack Stages? And what’s MITTRE ATTACK?
• APT attack lifecycle
• Examples of real-world APT attacks
• Deep dive into the attackers’ tactics, techniques, and procedures (TTPs) Using Threat Intelligence
• Understand the attackers’ malware arsenal
• Setting Up Your Infrastructure in the cloud
• Setting up your account in AWS & Terraform
• Build your network and Caldera VM in the cloud
• Create Redirectors to obfuscate your C&C IP
Phishing & Social Engineering Mastery
• Create a Phishing Platform using GoPhish & EmailGun
• Create Your Phishing Pages using EvilGinx 2
• Build Your Phishing plan using OSINT
• Build your phishing emails templates
• Bypass 2-Factor Authentication using EvilGinx 2
Initial Access: Get your foot into the organization network
• Spearphishing with a malicious document
• Spearphishing with link
• Spearphishing using social media
• Advanced Execution Techniques: LNK Files
• Advanced Execution Techniques: COM Objects
• Write your first spear-phishing attack with a malicious document (Hands-on)
Write Your First HTTP Malware
• Build a Vulnerable organization in AWS
• Connect to Caldera C2 using HTTP
• Implement Base64 encoding in your malware
• Implement JSON parsing in your malware
• Send victim machine information to your C&C
• Receive and execute commands from Caldera
• Automate command execution across multiple victims
• Test your malware in your vulnerable AWS Lab
Malware Plugin Framework Implementation
• Add a framework for plugins with additional features
• Add a keylogger plugin to log keystrokes and steal credentials.
• Add commands for Caldera to download the keylogger logs
Maintaining Persistence In-Depth (Advanced Techniques)
• Maintain Persistence in the victim machine
• Advanced Persistence methods
• Disguise the malware inside a legitimate process (Malware-as-a-DLL)
• Persistence through DLL Injection
Privilege Escalation Techniques
• UAC bypass techniques
• Advanced UAC bypass techniques: Abusing Application Shimming
• Abuse services for privilege escalation
• Escalate to SYSTEM account.
Malware Obfuscation: Bypass File Signature Scanning
• Strings Encryption
• Advanced Encryption Techniques
• Dynamic API Loading
• Hidden In Plain Sight: Malware Steganography
Network Obfuscation: Bypass IDS, IPS, NDR, and Machine learning-based tools
• Network Data Encryption
• Hidden In Plain Sight 01: HTML Smuggling
• Hidden In Plain Sight 02: Steganography
• HTTPS Communication
• Using legitimate websites for communications
• DNS Flux and DNS over HTTPS
• Other Protocols & Channels (ICMP, DNS)
Bypass EDRs & Behavioral-Based Detection
• Process Injection & DLL Injection
• Sysmon & EDR Bypass Techniques
• Unhook EDR APIs
• Invisible Process Injection Without Alerting EDRs
• AppLocker And Application Whitelisting bypass Techniques
• Signed your malware with a trusted Certificate
Impersonating Users: Credential Theft & Token Impersonalization
• Credential Theft using lsass memory dump
• Bypass lsass protection
• Token Impersonation & Logon Types Overview
• Token Impersonation implementation in your malware
• Steal Remote Desktop Sessions
• Lateral movement using caldera and your agent
Hack the Domain Controller Through Lateral Movements
• Using WMIC & Powershell to gather users and network information
• Understand domain account permissions and access level
• NTLM Attacks: Pass The Hash
• Kerberos Attacks: Pass The Ticket
• Kerberos Attacks: Overpass The Hash
• Silver & Golden Tickets
• Lateral movement using Scheduled tasks
• Lateral movement using Remote COM Objects
• Lateral movement using WMIC & Powershell Remoting
Amr Thabet is a malware researcher and an incident handler with over 10 years of experience, he worked in some of the Fortune 500 companies including Symantec, Tenable, and others.
He is the founder of MalTrak and the author of “Mastering Malware Analysis” published by Packt Publishing.
Amr is a speaker and a trainer at some of the top security conferences all around the world, including Blackhat, DEFCON, Hack In Paris and VB Conference. He was also featured in Christian Science Monitor for his work on Stuxnet.
His mission is to help security professionals all around the world to build their expertise in malware analysis, threat hunting, red teaming. and most importantly, protect their organization’s infrastructure from targeted attacks, ransomware attacks, and APT attacks.