Charles Hamilton - Red Team Training

This training is sold out.

May 25th and 26th

Course Abstract

The training is divided into four sections: initial foothold, gaining access, internal reconnaissance and lateral movement. Each section is covered in depth, with technical evidence of how each technique works. Red team exercises are performed to assess an organization's responsiveness and detection capability, so as a red teamer it is important to understand what each tool and command we use does behind the curtain in order to provide proper guidance. The training will help you understand the tools and techniques used during a red team, develop your own toolset, adapt existing tools when needed, and know where to look for new techniques or potential evasion tricks; it closes with an overview of the techniques most commonly used to perform red team exercises.

Expect to perform code review, network analysis and code behavior analysis, and to write code to improve your red team capabilities.

Outline

The course is divided into four sections:

Initial foothold

This module includes the following topics:

  • Reconnaissance:
    • Identifying external assets
    • Identifying technologies used internally
    • Identifying sensitive information publicly exposed
    • Identifying vectors for attacks and phishing
  • Phishing:
    • Choose your payload
    • Evasion and tricks
    • Context and pretext
  • Compromising the external perimeter:
    • Choosing a valuable asset
    • Is it worth it?
    • Detecting the detection in place
    • Password spraying

Gaining access

This module includes the following topics:

  • Identifying the patterns that should be used to avoid detection:
    • Fingerprinting the EDR / AV solution
    • Adapting your toolset
    • Evasion tricks
  • Writing custom payloads:
    • Which language?
    • Why use one technique rather than another:
      • Unmanaged PowerShell
      • Raw command execution

Internal reconnaissance

This module includes the following topics:

  • Identifying valuable users and assets
  • How to scan for assets and users
  • Stealth techniques that can be used for enumeration:
    • LDAP
    • Public toolset
    • RPC
  • Identifying targets that may help achieve your predefined goals:
    • Identifying computers
    • Identifying services
    • Identifying users and software
  • Vulnerable systems that can be used:
    • Citrix escape
    • Java deserialization issues
  • Default credentials:
    • Printers configured with AD credentials
    • Management portal such as Jenkins, Tomcat and more
  • Defeating MFA internally:
    • RSA PIN backdoor
    • Browser pivot
    • Reusing an already established connection
  • First steps when you gain access:
    • Reconnaissance on the target
    • Monitoring
    • What to run

Lateral movement

This module includes the following topics:

  • Capturing credentials:
    • NetBIOS
    • MITM
    • Kerberoasting
    • GPP
    • Exposed shares
    • Password spraying
  • How to perform lateral movement:
    • WMI
    • DCOM
    • SMB / DCERPC / SVCCTL
  • Customizing toolset to avoid detection:
    • Application whitelisting
    • EDR / AV
  • Techniques used to perform lateral movement:
    • Pass the hash
    • Kerberos tickets
    • Password reuse
    • Relaying credentials and hashes
  • Domain Trusts
  • Domain hopping
  • Moving to systems that don’t have Internet access
  • Tunneling:
    • Running tools locally
    • SOCKS proxy
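As an added illustration of the "behind the curtain" point made in the abstract, and of the Internal reconnaissance topics above (stealth enumeration over LDAP, identifying valuable users) together with the Kerberoasting bullet under Lateral movement, the following PowerShell is an example written for this page; it is not part of the course material or of the author's toolset. It performs the enumeration step that Kerberoasting tools run underneath: a single LDAP query for enabled user accounts that carry a servicePrincipalName, issued with nothing more than System.DirectoryServices on a domain-joined host. It assumes the session runs as any authenticated domain user; the attribute list and page size are choices made here, not values taken from the course.

```powershell
# Added example (not part of the course material): the raw LDAP query that
# "find kerberoastable accounts" tooling issues, done with System.DirectoryServices
# only, so no public toolset has to touch disk. Assumes a domain-joined Windows
# host and a session running as any authenticated domain user.

# Resolve the default naming context of the current domain through RootDSE.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.PageSize   = 500   # paged results avoid the default 1000-object server limit

# User objects that have an SPN, are not krbtgt, and are enabled
# (userAccountControl bit 0x2 = ACCOUNTDISABLE must not be set).
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(servicePrincipalName=*)(!samAccountName=krbtgt)' +
                   '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Ask only for the attributes we need; smaller responses, less to sift through.
'samAccountName', 'servicePrincipalName', 'pwdLastSet', 'memberOf' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    [pscustomobject]@{
        Account    = [string]$p['samaccountname'][0]
        SPNs       = ($p['serviceprincipalname'] -join ';')
        # pwdLastSet is a Windows FILETIME; old values point at weak, long-lived passwords
        PwdLastSet = [DateTime]::FromFileTime([int64]$p['pwdlastset'][0])
        Groups     = ($p['memberof'] -join ';')
    }
}
```

Seeing the filter in the clear shows which part of the tool is visible to defenders (one paged LDAP search for servicePrincipalName=* from a workstation) and which part is not, which is exactly the knowledge the course asks you to bring when adapting a toolset. The subsequent TGS requests that complete a Kerberoasting attack are a separate, separately detectable step and are not shown here.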

Who Should Attend

This course is designed to improve your red teaming capabilities. Anyone interested in understanding how the red team toolset works, and in improving stealthiness by understanding the core concepts behind the most commonly used techniques, should attend this training. No prior red team experience is required. The concepts and tricks presented during the training can also be applied to traditional penetration testing engagements.

What You Need

  • A Windows machine
  • A Linux machine (Ubuntu preferred)

Both environments can be virtualized.

Bio

Charles Hamilton

Charles Hamilton is a Red Teamer who holds the OSCE, OSCP and SLAE64 certifications. He has more than ten years of experience delivering offensive testing services to various government clients and commercial verticals. In recent years, Charles has focused on covert Red Team operations against complex and secured environments. These operations have allowed him to hone his craft at quietly navigating a client's network without detection. Since 2014, he has been the founder and operator of the RingZer0 Team website, a platform focused on teaching hacking fundamentals. The RingZer0 community currently has more than 36,000 members worldwide. Charles is also a prolific toolsmith and speaker in the InfoSec industry under the handle Mr.Un1k0d3r. Some of Charles Hamilton's tradecraft can be found in his GitHub repository (see below).
