Charles Hamilton - Red Team Training (on-site & remote)

May 14 & 15, 2024

Course Abstract

The training is divided into five sections: Initial foothold, Gaining access, Offensive Coding, Internal reconnaissance and Lateral movement. The training covers each section in depth by providing technical evidence of how each technique works. Red team exercises are performed to assess responsiveness and detection capability. As a red teamer, it is important to understand what each tool and command we use is doing behind the curtain in order to provide proper guidance. The training will help you understand the tools and techniques used during a red team, develop your own toolset, adapt existing tools when needed, learn where to look for new techniques or potential evasion tricks, and finally get an overview of the popular techniques used to perform red team exercises.

Expect to perform code review, network analysis, code behavior analysis and write code to improve your red team capabilities.

Outline

The course is divided into 5 sections:

Initial foothold

This module includes the following topics:

  • Reconnaissance:
    • Identifying external assets
    • Identifying technologies used internally
    • Identifying sensitive information publicly exposed
    • Identifying vectors for attacks and phishing
  • Phishing:
    • Choose your payload
    • Evasion and tricks
    • Context and pretext
    • Finding new execution vectors
    • R&D approach
  • Compromising the external perimeter:
    • Choosing a valuable asset
    • Is it worth it?
    • Detecting the detection in place
    • Password spraying
  • Compromising the client Azure tenant:
    • Entra ID: enumeration and reconnaissance
    • Extended scope
    • Graph API

Payload Crafting

This module includes the following topics:

  • EDR Bypass:
    • Unhooking APIs in usermode
    • Direct syscall
    • Simple stage 0
    • AMSI & ETW & ETW Ti
    • Trusted Installer abuse
    • Dealing with kernel callback
    • Kernel exploit to defeat EDR
    • C# obfuscation idea

Gaining access

This module includes the following topics:

  • Identifying the pattern that should be used to avoid detection:
    • Fingerprinting the EDR / AV solution
    • Adapting your toolset
    • Evasion tricks
  • Writing custom payloads:
    • Which language?
    • Why use one technique rather than another:
    • Unmanaged Powershell
    • Unmanaged .NET
    • Raw command execution
  • Building your infrastructure:
    • Abusing cloud services
    • What a good profile looks like
    • Guardrails
    • Redirector
    • Cobalt Strike Artifacts Kit
    • Considerations in building your own C2

Internal reconnaissance

This module includes the following topics:

  • Identifying valuable users and assets
  • How to scan for assets and users
  • Stealth techniques that can be used for enumeration:
    • LDAP
    • Public toolset
    • RPC
    • Hunting AD misconfiguration
    • SDDL and permission abuse
  • Identifying targets that may help achieve your predefined goals:
    • Identifying computers
    • Identifying services
    • Identifying users and software
    • Bypassing LDAP detection and using Lsar* APIs
  • Vulnerable systems that can be used:
    • Citrix escape
    • Java Deserialization issue
  • Default credentials:
    • Printer with AD credentials
    • Management portal such as Jenkins, Tomcat and more
  • Defeating MFA internally:
    • RSA pin backdoor
    • Browser pivot
    • Reusing an already established connection
  • First steps when you gain access:
    • Reconnaissance on the target
    • Monitoring
    • What to run
  • New Vulnerabilities:
    • PetitPotam & ADCS case
    • Abusing misconfiguration
    • The power of RPC

Lateral Movement

This module includes the following topics:

  • Capturing credentials:
    • NetBIOS
    • MITM
    • Kerberoasting
    • GPP
    • Exposed shares
    • Password spraying
    • Browser is the new LSASS
  • How to perform lateral movement:
    • WMI
    • WMI The stealth way
    • DCOM
    • SMB / DCERPC / SVCCTL
  • Customizing toolset to avoid detection:
    • Application whitelisting
    • EDR / AV
    • Understanding the underlying concept used by impacket suite
    • Cobalt Strike sleepmask problem
    • Cobalt Strike Artifact Kit overview
  • Techniques to perform lateral movement:
    • Pass the hash
    • Kerberos ticket
    • Password reuse
    • Relaying credentials and hashes
  • Domain Trusts
  • Domain hopping
  • Moving to systems that don’t have Internet access
  • Tunneling:
    • Running tools locally
    • SOCKS proxy
    • Tunneling to a Windows system
    • Tunneling to a Linux system
    • SSH tunneling
  • Building your lab:
    • Playing with RPC
    • Auditing Active Directory
    • Playing with Windows features

Who Should Attend

This course is designed to improve your red teaming capabilities. Anyone interested in understanding how the red team toolset works, and in improving stealthiness by understanding the core concepts behind the most used techniques, should attend this training. No prior red team experience is required. The concepts and tricks presented during the training can also be applied to traditional testing engagements.

What You Need

  • A Windows machine
  • A Linux machine (Ubuntu preferred)

Both environments can be virtualized.

Bio

Charles F. Hamilton (Mr.Un1k0d3r), Director, KPMG Canada

Charles Hamilton is a Red Teamer with more than ten years of experience delivering offensive testing services for various government clients and commercial verticals. In recent years, Charles has focused on covert Red Team operations against complex and secured environments. These operations have allowed him to hone his craft at quietly navigating a client's network without detection. Since 2014, he has been the founder and operator of the RingZer0 Team website, a platform focused on teaching hacking fundamentals. The RingZer0 community currently has more than 40,000 members worldwide. Charles is also a prolific toolsmith and speaker in the Infosec industry under the handle Mr.Un1k0d3r.