Red Teaming - The Fundamentals

Red Teaming: The Fundamentals

Mossé Cyber Security Institute teaches a unique approach to penetration testing based on simulating the attack techniques and strategies of real attackers against organisations’ networks for defence purposes.

Red Teaming – The Fundamentals is a basic yet potent introductory course to Red Teaming. Our instructors teach the fundamental knowledge and skills that novice Red Teamers require to deliver cyber-attack simulations. No prior knowledge of computer hacking is assumed. Detailed step-by-step instructions are provided for students to learn how to attack Windows networks using some of the same techniques that real attackers use.

Our teaching approach in our Red Teaming course involves imparting the fundamental concepts and strategies that underlie every attack campaign. Through our approach and method, we thus ensure that our students gain a profound understanding of how to attack any computer network without being limited to relying on premade hacking toolsets. We should also note that toolsets such as Kali or Metasploit are rarely, if ever, employed by real attackers. The adversaries do their own security research and build their own tools. After taking this course you may also be able to build your own tools.

Theoretical knowledge makes up 40% of the class, and the other 60% consists of practical exercises. At the end of the course, a Red Team exercise is conducted that can be reproduced at your workplace.

Course Outcome
You will learn strategies and tactics to reproduce real-world attack campaigns against enterprise networks for defence purposes. Below are some of the tactics and strategic learnings you can expect from this course:
  • Key Windows internals knowledge for offensive missions
  • Writing your own malware in any programming language
  • Stealing credentials over the network, from RAM and from disk
  • Traversing the network and compromising multiple endpoints
  • Surviving computer reboots and remaining undetected
  • Deploying long-term espionage tools on the endpoints

If you work on the defensive side of cyber security, this course teaches you the most common attack techniques that are employed by adversaries to compromise Windows networks. Companies that can fine-tune their security defences to prevent, detect and respond to the techniques imparted in this course will be in an extremely good position to defend their critical IT assets against modern-day attackers.

Intended Audience
Newcomers to the IT security industry, penetration testers, Red Teamers, incident responders, malware analysts, security engineers, and forensics analysts.

Instructor(s)
This course is taught by Mossé Security’s experienced instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services for a multitude of industries, involving complex and multi-faceted engagements. Our instructors each possess the right balance of corporate experience and are skilled at presenting and teaching to groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching easily conveys their passion for computer security to every one of our students.

Course Outline:

Module 1: Introduction
  • What is a Red Team Operation?
  • Obtaining the skills to do Red Teaming
  • Designing a Red Team Operation
  • Executing a Red Team Operation
  • Anticipating and managing attack simulation risks
  • Designing a business process for Red Teaming
  • Preparing a Red Team Playbook

Module 2: Windows Internals
  • User-land vs. kernel-land
  • Processes, threads, services and drivers
  • The registry
  • The file system
  • Event logs
  • Users and groups
  • Access tokens
  • Scheduled tasks
  • Active Directory
  • Windows Management Instrumentation
  • Networking
  • Command execution and scripting

Module 3: Windows Defences
  • Secure Boot
  • Protected processes
  • Secure Kernel Mode
  • Virtual Trust Levels
  • PatchGuard
  • Enterprise Data Protection
  • Data leakage prevention
  • Application whitelisting
  • Antivirus software
  • Host-based security monitoring

Module 4: Tactics, Techniques and Procedures
  • Introduction to the Kill Chain model
  • Reviewing real-life APT groups:
    • Animal Farm (France)
    • APT28 (Russia)
    • Equation Group (USA)
    • Project Sauron (Unknown)

Module 5: Programming back-to-basics
  • Installing Go
  • Control Structures
  • Functions
  • Data
  • Initialisation
  • Methods
  • Packages
  • Networking
  • Go commands

Module 6: Endpoint Malware
  • Writing a reverse shell
  • Persisting on the remote machine
  • Uploading and downloading files
  • Encrypting network traffic

Module 7: Web Malware
  • Building rapid web shells in PHP, .NET and Java
  • Obfuscation and anti-virus evasion
  • Anti-forensics techniques for web shells

Module 8: Spear Phishing
  • Drafting spear-phishing emails
  • Microsoft Office Macros
  • HTML Applications
  • Memory corruption vulnerabilities
  • Shortcuts

Module 9: Privilege Escalation
  • Bypass UAC
  • Insecure permissions
  • Abusing the Scheduler
  • Passwords in the SYSVOL folder
  • Password guessing

Module 10: Persistence
  • Accessibility Features
  • Windows credentials
  • Logon scripts
  • Modifying existing services
  • Path interception
  • Scheduled tasks
  • Shortcut modification
  • WMI providers
  • Startup folders
  • Registry-based malware

Module 11: Internal Discovery
  • Windows Registry
  • Active Directory
  • Windows Management Instrumentation
  • Clipboard data
  • Email collection
  • Screen capture
  • Local network analysis
  • Network sniffing
  • Keylogging

Module 12: Lateral Movement
  • Logon scripts
  • Pass the hash
  • Pass the ticket
  • Remote Desktop Protocol
  • Windows Remote Management
  • Remote Windows services
  • Remote file copy
  • The Scheduler
  • Taint shared content

Module 13: Red Team exercise
  • Defining the goals and objectives
  • Setting your team
  • Defining your TTPs
  • Preparing your malware
  • Executing the mission
  • Reporting on the outcome

Enrol

Fees
  • Ticket: $5,000.00 AUD including GST.

Enrolment
27 Nov - 01 Dec 2017, Melbourne, AU
Terms and Conditions
  • Payment methods are either booking online via Event Brite or contacting us for an invoice.
  • Payment is required at the time of booking.
  • Cancellations received within 14 days of the course commencement date are not eligible for a refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed 1 reschedule per class. Transfers received between 15 and 28 days prior to course commencement will be charged a $300 (incl GST) administrative fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, there will be no refund or reschedule given. Payment is forfeited. Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.

Requirements

Recommended Study
To get the most out of this class, we recommend that you refresh your programming skills by doing the exercises in the "Tour of Go": https://tour.golang.org/list
If you get a chance, we also recommend that you read about the Windows components listed under Module 2 “Windows Internals”. Although those components will be covered in detail during the course, studying them beforehand will make it a lot easier for you to understand every other module in the class.

Software Requirement
Bring a laptop running a Windows or UNIX operating system with the OpenVPN or Tunnelblick client installed to connect to our training lab in the cloud.

Testimonial

This has been one of the best courses I have ever attended, and that comes from somebody that runs their own cyber security firm.
- Joe Negem, Director, QILA