Adversary Tactics: Red Team Ops

May 12, 13, 14, and 15

Course Abstract

As organizations scramble for a way to keep from becoming the next breach headline, they’ve begun looking for ways to simulate the sophisticated attackers they now face. Organizations that have started to adopt an “assume breach” mentality understand that it’s not a matter of if they’re compromised by these advanced adversaries, but when. The best way to test modern environments against these more advanced threats is with a Red Team that leverages the same tactics, techniques and procedures (TTPs) as the adversaries themselves. If you want to learn how to perform Red Team operations, sharpen your technical skillset, or understand how to defend against modern adversary tradecraft, Adversary Tactics: Red Team Ops is the course for you.

This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems, modern defenses, and active network defenders responding to Red Team activities. We will cover all phases of a Red Team engagement in depth: advanced attack infrastructure setup and maintenance, user profiling and phishing, host enumeration and “safety checks”, advanced lateral movement, sophisticated Active Directory domain enumeration and escalation, persistence (userland, elevated, and domain flavors), advanced Kerberos attacks, data mining, and exfiltration.

A focus will be on “offense-in-depth”, i.e. the ability to rapidly adapt to defensive mitigations and responses with a variety of offensive tactics and techniques. To drive this concept home, students will go up against live incident responders that will actively hunt for and block malicious activity in the environment. The responders will provide real-time feedback to students to demonstrate what artifacts attackers can leave behind, and how students can adapt their tradecraft to minimize their footprint. Come learn to use some of the most well-known offensive tools from the authors themselves, including co-creators and developers of PowerView, PowerShell Empire, PowerSploit, PowerUp, and BloodHound.

Outline

Day 1:

  • Red Team philosophy/overview
  • Engagement management
  • Covert infrastructure deep dive - setup, protection, maintenance
  • Initial external reconnaissance and OSINT
  • “Offense-in-depth”
  • Evading network detections and active incident responders (“hunting”)

Day 2:

  • Initial access
  • Host triage and offensive “safety checks”
  • Detection and evasion of host-based defenses
  • Maintaining your foothold (short- vs. long-term and userland vs. elevated persistence strategies)
  • Privilege escalation methods through abuse of misconfigurations

Day 3:

  • User and network resource mining
  • Credential abuse
  • Active Directory enumeration and abuse - intelligence gathering, domain escalation, covert persistence, and BloodHound
  • Kerberos attacks in depth
  • Pivoting through the target network

Day 4:

  • Providing value to client
  • Blue team training objectives
  • Data movement and external exfiltration
  • Complete lab debrief

Who Should Attend

This course is not for beginners and includes a team-based, on-keyboard execution of a simulated red team engagement in a complex network scenario. Participants should be comfortable with penetration testing concepts and tools, Active Directory, and attacking Microsoft Windows environments.

What to Bring

A laptop with the ability to connect to the internet. The course VMs/lab environment will be cloud-hosted and accessible through a browser.

Bio

Ryan Cobb, Operator and Red Teamer, SpecterOps

Ryan Cobb is an operator and red teamer at SpecterOps, who specializes in building offensive security toolsets. Ryan has contributed to several open source security projects, such as Empire and Invoke-Obfuscation, and is the author of PSAmsi, SharpSploit, and Covenant. Ryan has presented at several security conferences, including: DerbyCon, BSides Austin, and BSides DFW. Ryan maintains a blog at cobbr.io where he shares research and development projects.

Brian Reitz, Threat Hunter and Operator, SpecterOps

Brian is a threat hunter and operator for SpecterOps with several years of experience performing penetration tests, red team engagements, and adversary hunting. Brian has led and provided expert assistance for dozens of technical security assessments for large private-sector clients and government agencies. He has performed multiple long-term adversary detection and continuous monitoring assessments, combining commercial and open source tools to provide extensive visibility into enterprise networks.

Calvin Hedler, Red Team Operator, SpecterOps

Calvin is a red team operator with SpecterOps, and has several years of experience with red team operations and penetration testing. With SpecterOps, Calvin delivers training courses, performs red team engagements, and assists with tool development, specializing in Aggressor Script. He has also spoken on penetration testing and red teaming at several conferences, including BSides Detroit, GrrCON, and A2Y.asm. Before joining SpecterOps, Calvin performed penetration testing and red team engagements for smaller organizations across the United States.

Lee Christensen, Red Team Operator, SpecterOps

Lee is a senior red team operator, threat hunter, and capability engineer for SpecterOps. Lee has performed red team and hunt engagements against Fortune 500 companies for several years, and has trained on offensive/defensive tactics at events throughout the world. Lee enjoys building tools to support red team and hunt operations. Lee is the author of several offensive tools and techniques, including UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets), and KeeThief.