Red Teaming - The Advanced User-Land Techniques

Red Teaming "The Advanced User-Land Techniques" teaches user-land exploitation techniques designed to evade advanced enterprise security products and to make incident detection and response as difficult as possible. Students practise Red Teaming against a network of hundreds of machines spanning multiple VLANs, defended by endpoint detection and response (EDR) tooling and defence-in-depth.

Among the many topics covered are:
  • Complete malware platform covering web, mobile, endpoint and network
  • Rapid deployment of command control infrastructure in the cloud
  • Data exfiltration techniques for segmented enterprise networks
  • Operational security and tripwires to detect security investigations
  • Anti-forensics and anti-threat-hunting concepts and techniques
  • Total enterprise network compromise including SCADA and ERP

Theory makes up 40% of the course and practical exercises the remaining 60%. The last day of the course is a practical Red Team exercise in which students put the skills they have learnt into practice.

Course Outcome
This course teaches attack techniques similar to those used by threat actors such as APT28, Project Sauron and DUBNIUM to compromise networks.

If you are a penetration tester, the knowledge imparted in this course will help you deliver long-term Red Team campaigns that simulate persistent attackers equipped with advanced user-land exploitation toolsets. If you work in incident detection and response, this course will show you how adversaries defeat many enterprise security solutions and give you insights into what can be done to stop them. Throughout the course, we show students the forensic artefacts their activity generates on the network, which an incident response team could use to detect them.

Intended Audience
Penetration testers, incident responders, security analysts, security engineers and heads of information security with a strong technical background are all welcome to attend this course.

Instructor(s)
This course is taught by experienced Mossé Security instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services across a multitude of industries, often requiring complex and multi-faceted approaches. Each instructor combines corporate experience with proven skill in presenting and teaching to groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers, whose manner of teaching conveys their passion for computer security to every one of our students.

Course Outline:

Module 1: Windows Memory Internals
  • Allocation
  • Paging
  • Permissions
  • Mapping
  • Flow of CreateProcess
  • Portable Executable format
  • PEB and TEB memory structures
  • Key Windows APIs
  • Learning C for Windows internals programming

Module 2: Memory Manipulation techniques
  • Modifying the PEB and TEB
  • DLL injection
  • DLL search order hijacking
  • DLL side loading
  • Process hollowing
  • PowerShell memory-only techniques
  • Building Skeleton Keys
  • Attacking password managers

Module 4: Command & Control
  • Cloud command and control infrastructure
  • C&C via FTP, HTTP/S, SMTP, POP and DNS
  • C&C via popular websites and social media
  • Data exfiltration via removable media
  • Data compression
  • Data encryption
  • Proxy chains

Module 5: Operational Security
  • Hardening C&C infrastructure
  • Obfuscating binaries and shellcode
  • Adding decoys to mislead security analysts
  • Installing tripwires to detect security investigations

Module 6: Proxy Implants
  • Port forwarding with native Windows utilities
  • Building custom proxy protocols to evade detection
  • Encrypting data in transit and securing the implants

Module 7: Defence Evasion
  • Abusing InstallUtil
  • Detecting execution in virtual machines
  • Bypassing application whitelisting
  • Writing your own password dumper
  • Building a remote plugin engine
  • Defeating digital forensic techniques

Module 8: Attacking The Enterprise
  • Accessing financial databases
  • Accessing HR portals
  • Accessing SCADA networks
  • Accessing critical files servers
  • Bypassing network segmentation
  • Getting around 2-factor authentication

Module 9: Attacking Smartphones
  • Building smartphone malware
  • Recording the camera
  • Recording the microphone
  • Stealing pictures
  • Stealing the contact list
  • Collect text messages

Module 10: Red Team Exercise
The last day of the course is a practical Red Team exercise in which students put the skills they have learnt into practice, against a network of hundreds of machines spanning multiple VLANs and defended by endpoint detection and response (EDR) tooling and defence-in-depth.

Fees
  • Ticket: $5,000.00 AUD including GST.

Enrolment
23-27 April 2018, Melbourne, AU
Terms and Conditions
  • Payment is made either by booking online via Eventbrite or by contacting us for an invoice.
  • Payment is required at the time of booking.
  • Cancellations received 14 days or less prior to the course commencement date are not eligible for a refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed one reschedule per class. Transfers received between 15 and 28 days prior to course commencement will be charged a $300 (incl. GST) administrative fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, no refund or reschedule will be given and payment is forfeited.
  • Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.

Requirements

Knowledge Requirements
We recommend that students have mastered the concepts and techniques covered in the previous level of the Red Team course series before attending this course.

Software Requirements
Bring a laptop running Windows, Linux or macOS with an OpenVPN client installed (Tunnelblick on macOS) to connect to our training lab in the cloud.

Bring Your Hacking Toolset
For the Red Team exercise on day 5 of the course, we invite you to bring your own hacking tools and put them to the test against a hardened enterprise network defended by our instructor(s).