StealthOps : Red Team Tradecraft Targeting Enterprise Security Controls

Trainer Name: Manish Gupta , Yash Bharadwaj
Title: StealthOps : Red Team Tradecraft Targeting Enterprise Security Controls
Duration: 3 Days
Dates: Sept. 6, 2022 To Sept. 8, 2022

TRAINING OBJECTIVES

Most enterprises deal with misconfigured security controls in their infrastructure. It is well known that attackers have evaded, circumvented, and even abused these controls with the intention to gain access to critical assets. The training is designed for red teams, penetration testers, system administrators, and Blue Team members to understand different tactics, techniques, and attacks used by adversaries. The major portion includes identifying misconfigurations in controls, developing offensive trade-craft & then stealthily evading it following the latest attack vectors.

Candidates will gain enough knowledge of the enterprise-grade security controls and how they can be evaded in Host, Network, and Cloud synced devices. The class will go through various security controls, writing custom scripts in C#, abusing windows internals/features and monitoring solutions, writing custom bypasses for evading host, network, and cloud security (EDR) controls and bypassing cross-forest restrictions in Active Directory Environment, etc. Training is focused on Windows & Linux platforms in order to better refine detection in an enterprise.

Training level: Intermediate; Basic

TRAINING PREVIEW:

Apex Threat Actors having advanced capabilities like leveraging in-memory implants, writing custom codes to evade AVs & EDR, moving laterally with custom made Tools, evading host and network-level security solutions for stealthiness, etc are constantly consolidating their attack techniques (and Tactics) against Defensive Teams. To strengthen enterprise-grade security, the training is designed for penetration testers, system administrators, and Blue Team members to understand different tactics, techniques, and attacks used by adversaries.

TRAINING OUTLINE:

Day 1 (Introduction to Enterprise Security Controls)

• Anti-Virus
• End-Point Detection and Response (EDR)
• End-Point Defender Features (AMSI, CLM, UAC, Applocker, WDAC, WDAG, WDEG (ASR), Sandbox)
• Directory-Level Controls (JEA, JIT, PAW, PAM, Credential Guard, Remote Credential Guard, GPO, LAPS, Constrained Delegation, Resource-Based Constrained Delegation, etc)
• Linux Environment (AppArmor, SELinux)
• EDR, XDR Demonstration

Day 2 (Offensive C# Tradecraft, Windows API & Bypasses)

• CSharp Essentials
• CSharp Beginner [10 Hands-on Labs]
• Offensive C# Trade-Craft [6 Hands-on Labs]
• Windows API Essentials
• Utilizing Windows API for Red Team Profit [9 Hands-on Lab]
• AMSI, CLM, Script Block Logging, ASR Rules, UAC Bypass
• Application Whitelisting: Applocker, WDAC

Day 3 (Abusing / Evading Security Controls - Feature Abuse)

• Abusing Windows Features (PowerShell, LOLBAS, Sandbox, WSL)
• Constrained Delegation & Resource-based constrained delegation
• SCCM & SCOM Abuse
• GPO Abuse
• Bypassing Credential Guard
• Credential Access in Windows & Linux
• Cross Forest Abuse Scenarios [5 Different Techniques]
• Bypassing Enterprise Endpoint Detection & Response Solutions in Real-Time

WHAT TO BRING?

• A system with at least 8GB RAM has Virtualization support.
• VMware Workstation / Fusion installed with 40 GB storage capacity
• Updated Open VPN Client
• Updated Web Browser

TRAINING PREREQUISITES:

• Comfortable with command line environment - PWSH, Terminal
• Fair knowledge of Penetration Testing Methodology

WHO SHOULD ATTEND?

• Penetration Testers / Red Teams
• System Administrators
• Malware Developers
• SOC analysts
• Threat Hunting Team
• Last but not the least, anyone who is interested in strengthening their offensive and detection capabilities

WHAT ATTENDEES WILL GET?

Course material including commands, slides, and enterprise lab walk-through, 30 days of full lab access with technical support during and after the training class.

WHAT TO EXPECT?

• Understanding misconfigurations in Host-Level, Network-level Security Controls, and their active evasion/bypass
• Fair scripting Knowledge of C# & Windows API
• The training helps in enhancing the visibility of Enterprise Based Security Controls in the organization.
• Candidates will get enhanced threat visibility capabilities in both Host & Network-level on Windows, and Linux environments.
• Candidates will get to know how NOT to configure enterprise security controls
• The additional 30 days of lab access after class provides candidates to enhance skills at their own pace which comes with technical support.

WHAT NOT TO EXPECT?

• Be a Malware Developer Professional
• Any 0-Day Technique
• Inclusion of Cloud Security Controls

About Trainer

Manish Gupta is the Director of CyberWarFare Labs and has 6.5+ years of expertise in offensive Information Security. Where he specializes in Red Teaming Activities in enterprise Environments. His research interest includes Real World Cyber Attack Simulation and Advanced Persistent Threat (APT). Previously he has presented his research at reputed conferences like Blackhat USA, DEFCON, Nullcon, c0c0n, BSIDES Chapters, X33fcon, NorthSec & other corporate training, etc.

Yash Bharadwaj Co-Founder & Technical Architect at CyberWarFare Labs with over 5.5 Years of Experience as a Technologist. Highly attentive towards finding, learning, and discovering new TTPs used during offensive engagements. His area of interest includes building Red / Blue team infrastructure, evading AVs & EDRs, Pwning On-Prem infrastructure & Multi-cloud attacks. Previously he has delivered hands-on red/blue/purple team training/talks/workshops at Nullcon, X33fCon, c0c0n, NorthSec, BSIDES Chapters, OWASP, CISO Platform, and YASCON. You can reach out to him on Twitter @flopyash