Advanced Red Team Operations

  • Dates: May 10, 11 and 12 2025
  • Difficulty: Nose bleed
  • Session Format: On-Site

Description

  • Cobalt Strike Setup: Learn to set up and configure Cobalt Strike or Havoc as your C2 server, simulating a real-world red team operation.
  • Building and Managing Redirectors: Use cloud-based services like AWS Lambda, Azure CDN, and GCP CDN to manage redirectors and evade detection.
  • Cloud-Based C2 Techniques: Deploy cloud infrastructure using Terraform to manage C2 channels and execute sophisticated attacks.
  • Operational Tactics: Learn advanced tactics, from vulnerability identification to privilege escalation, and gain administrative domain control.
  • Simulated Attack Path: Engage in a simulated attack against the stigs-corp.local network, gaining domain admin and testing against next-generation EDR.

Key Learning Objectives

The main objective of the ARTO course is for students to obtain a working knowledge of conducting large-scale red team operations in mature environments where multiple defensive solutions are in play. Students will deploy their own redirectors in GCP, AWS, and Azure and deploy their dedicated Cobalt Strike team server, all while learning how to avoid the pitfalls of poor OPSEC.

Who Should Attend?

This course is intended for the following audience: seasoned penetration testers who are attempting to break into red teaming, junior red team operators who are seeking advanced skills to enhance their offensive skills, and cloud architects/defenders who are interested in mastering how C2 frameworks work when AWS, GCP, and Azure are used to mask C2 traffic.

Prerequisite Knowledge

This is an advanced level course – a background in current red teaming techniques, C2 framework usage, post-exploitation, and deploying attack infrastructure in the cloud would be useful, but not required.

Hardware Requirements

Students are required to have an admin account in AWS with programmatic access (keys) for deploying the Terraform script. Students that are interested in exploring the Azure and GCP portions of the course will also need to have admin accounts in those CSPs. WKL recommends that students have a laptop with at least 16GB of RAM.

Bio

John Stigerwalt, White Knight Labs

John has worked as a blue teamer, vCISO, developer, senior penetration tester, and red team lead. John served as the F-Secure red team lead for the western hemisphere. He has led long-term red team engagements in highly complex Fortune 500 companies. He has worked together with Microsoft to increase kernel security for the Windows operating system. He has led training at BlackHat, DerbyCon, and Wild West Hackin’ Fest. He is the author of WKL’s Advanced Red Team Operations course (ARTO). John has the following certifications: OSCP, OSCE, CRTP (Certified Red Team Professional), CRTE (Certified Red Team Expert), and SLAE (Assembly Language and Shellcoding). John is known as one of the most talented offensive cyber security experts in the world and can do whatever is asked of him on a computer.

Robert Pimente, White Knight Labs

Coming soon.
