Red Team Training

Description

The course is divided in 5 sections:

1. Initial foothold

This module includes the following topics:

• Reconnaissance:
• Identifying external assets
• Identifying technologies used internally
• Identifying sensitive information publicly exposed
• Identifying vectors for attacks and phishing
• Phishing:
• Choose your payload
• Evasion and tricks
• Context and pretext
• Finding new execution vectors
• R&D approach
• Compromising the external perimeter:
• Choosing a valuable asset
• Is it worth it?
• Detecting the detection in place
• Password spraying
• Compromising the client Azure tenant:
• Entra ID: enumeration et reconnaissance
• Extended scope
• Graph API

2. Payload Crafting

This module includes the following topics:

• EDR Bypass:
• Unhooking APIs in usermode
• Direct syscall
• Simple stage 0
• AMSI & ETW & ETW Ti
• Trusted Installer abuse
• Dealing with kernel callback
• Kernel exploit to defeat EDR
• C# obfuscation idea

3. Gaining access

This module includes the following topics:

• Identifying the pattern that should be used to avoid detection:
• Fingerprinter EDR / AV solution
• Adapting your toolset
• Evasion tricks
• Writing custom payloads:
• Which language?
• Why using a technique versus another one:
• Unmanaged Powershell
• Unmanaged .NET
• Raw command execution
• Building your infrastructure:
• Abusing of cloud services
• What a good profile look like
• Guardrails
• Redirector
• Cobalt Strike Artifacts Kit
• Consideration will building your own C2

4. Internal reconnaissance

This module includes the following topics:

• Identifying valuable users and assets
• How to scan for assets and users
• Stealth technique that can be used for enumeration:
• LDAP
• Public toolset
• RPC
• Hunting AD misconfiguration
• SDDL and permission abuse
• Identifying targets that may help achieving your predefined goals:
• Identifying computers
• Identifying services
• Identify users and software
• Bypassing LDAP detection and using Lsar* APIs
• Vulnerable system that can be used:
• Citrix escape
• Java Deserialization issue
• Default credentials:
• Printer with AD credentials
• Management portal such as Jenkins, Tomcat and more
• Defeating MFA internally:
• RSA pin backdoor
• Browser pivot
• Reusing an already established connection
• First step when you gain access:
• Reconnaissance on the target
• Monitoring
• What to run
• New Vulnerabilities:
• PetitPotam & ADCS case
• Abusing misconfiguration
• The power of RPC

5. Lateral Movement

This module includes the following topics:

• Capturing credentials:
• NetBIOS
• MITM
• Kerberoasting
• GPP
• Exposed shares
• Password spraying
• Browser is the new LSASS
• How to perform lateral movement:
• WMI
• WMI The stealth way
• DCOM
• SMB / DCERPC / SVCCTL
• Customizing toolset to avoid detection:
• Application whitelisting
• EDR / AV
• Understanding the underlying concept used by impacket suite
• Cobalt Strike sleepmask problem
• Cobalt Strike Artifact Kit overview
• Technique to perform lateral movement:
• Pass the hash
• Kerberos ticket
• Password reuse
• Relaying credentials and hashes
• Domain Trusts
• Domain hoping
• Moving to systems that don’t have Internet access
• Tunneling:
• Running tool locally
• SOCKS proxy
• Tunneling to a Windows system
• Tunneling to a Linux system
• SSH Tunneling
• Domain hoping
• Moving to systems that don’t have Internet access
• Building your lab:
• Playing with RPC
• Auditing Active Directory
• Playing with Windows features
• Reporting:
• What to report
• How to report
• Structure of your report

Key Learning Objectives

Understanding the concept of red teaming and how the toolset works. This training focuses on knowledge sharing.

Who Should Attend?

Red teamers looking to sharpen their skills. Blue teamers interested in learning how offensive teams operate and improving their ability to detect red team activities. Testers interested in transitioning into a red team role.

Prerequisite Knowledge

basic Windows, Linux and coding skills.

Hardware Requirements

virtualisation capability and a laptop

Bio