Register for the class

Course Abstract

The training is divided in five sections: Initial foothold, Gaining access, Offensive Coding, internal reconnaissance and lateral movement. The training will cover each section in depth by providing technical evidence of how each technique works. Red team exercises are performed to assess responsiveness and detection capability. As a red teamer, it is important to understand what each tool and commands we use is doing behind the curtain to be able to provide proper guidance. The training will help you understand the tool and technique being used during a red team, develop your own toolset, adapt existing tools when needed, provide guidance on where to look for new techniques or potential evasion tricks and finally an overview of the popular technique used to perform red team exercise.

Expect to perform code review, network analysis, code behavior analysis and write code to improve your red team capabilities.

Outline

The course is divided in 5 sections:

Initial foothold

This module includes the following topics:

• Reconnaissance:
  • Identifying external assets
  • Identifying technologies used internally
  • Identifying sensitive information publicly exposed
  • Identifying vectors for attacks and phishing
• Phishing:
  • Choose your payload
  • Evasion and tricks
  • Context and pretext
  • FInding new execution vectors
  • R&D approach
• Compromising the external perimeter:
  • Choosing a valuable asset
  • Is it worth it?
  • Detecting the detection in place
  • Password spraying
• Compromising the client Azure tenant:
  • Entra ID: enumeration et reconnaissance
  • Extended scope
  • Graph API

Payload Crafting

This module includes the following topics:

• EDR Bypass:
  • Unhooking APIs in usermode
  • Direct syscall
  • Simple stage 0
  • AMSI & ETW & ETW Ti
  • Trusted Installer abuse
  • Dealing with kernel callback
  • Kernel exploit to defeat EDR
  • C# obfuscation idea

Gaining access

This module includes the following topics:

• Identifying the pattern that should be used to avoid detection:
  • Fingerprinter EDR / AV solution
  • Adapting your toolset
  • Evasion tricks
• Writing custom payloads:
  • Which language?
  • Why using a technique versus another one:
  • Unmanaged Powershell
  • Unmanaged .NET
  • Raw command execution
• Building your infrastructure:
  • Abusing of cloud services
  • What a good profile look like
  • Guardrails
  • Redirector
  • Cobalt Strike Artifacts Kit
  • Consideration will building your own C2

Internal reconnaissance

This module includes the following topics:

• Identifying valuable users and assets
• How to scan for assets and users
• Stealth technique that can be used for enumeration:
  • LDAP
  • Public toolset
  • RPC
  • Hunting AD misconfiguration
  • SDDL and permission abuse
• Identifying targets that may help achieving your predefined goals:
  • Identifying computers
  • Identifying services
  • Identify users and software
  • Bypassing LDAP detection and using Lsar* APIs
• Vulnerable system that can be used:
  • Citrix escape
  • Java Deserialization issue
• Default credentials:
  • Printer with AD credentials
  • Management portal such as Jenkins, Tomcat and more
• Defeating MFA internally:
  • RSA pin backdoor
  • Browser pivot
  • Reusing an already established connection
• First step when you gain access:
  • Reconnaissance on the target
  • Monitoring
  • What to run
• New Vulnerabilities:
• PetitPotam & ADCS case
• Abusing misconfiguration
• The power of RPC

Lateral Movement

This module includes the following topics:

• Capturing credentials:
  • NetBIOS
  • MITM
  • Kerberoasting
  • GPP
  • Exposed shares
  • Password spraying
  • Browser is the new LSASS
• How to perform lateral movement:
  • WMI
  • WMI The stealth way
  • DCOM
  • SMB / DCERPC / SVCCTL
• Customizing toolset to avoid detection:
  • Application whitelisting
  • EDR / AV
  • Understanding the underlying concept used by impacket suite
  • Cobalt Strike sleepmask problem
  • Cobalt Strike Artifact Kit overview
• Technique to perform lateral movement:
  • Pass the hash
  • Kerberos ticket
  • Password reuse
  • Relaying credentials and hashes
• Domain Trusts
• Domain hoping
• Moving to systems that don’t have Internet access
• Tunneling:
  • Running tool locally
  • SOCKS proxy
  • Tunneling to a Windows system
  • Tunneling to a Linux system
  • SSH Tunneling
• Domain hoping
• Moving to systems that don’t have Internet access
• Building your lab:
  • Playing with RPC
  • Auditing Active Directory
  • Playing with Windows features
• Reporting:
  • What to report
  • How to report
  • Structure of your report

Register for the class