£2,732.99

Adversary Simulation and Red Team Tactics

Event Information


Refund Policy

Refunds up to 30 days before event

Eventbrite's fee is nonrefundable.

Event description

Summary:
This intense course covers the skills required to conduct a simulation of a sophisticated adversary, including the latest tradecraft and offensive tactics. During the training you will gain insight into planning and conducting a red team operation, including all the steps required to perform efficient open-source intelligence, design and automate the deployment of operational infrastructure, gain initial access, and perform post-exploitation and lateral movement. You will learn how to bypass defensive controls including anti-virus, EDR, AMSI and application whitelisting, leaving you equipped to target even the most mature environments.

Topics covered include:

  • Designing and deploying advanced red team infrastructure

  • Creating advanced payloads with PPID spoofing, process injection, execution cradles, COM staging, AMSI bypasses, blockdlls and ACG

  • Userland and administrative persistence techniques

  • Host triage and privilege escalation techniques

  • Active Directory: exploiting Kerberos, group policy, SQL Server, LAPS and DCSync

Details:

Red teams are continually sharpening their tradecraft to evade ever-evolving defensive countermeasures. This challenging 3-day training course provides an in-depth opportunity to learn the latest in advanced tradecraft from seasoned red team operators, from the comfort of your own cloud-based lab environment, in the browser! This course is not just about learning how to run tools; students will learn how the tools work under the hood as well as how to develop and customise their own, an essential skill for any red teamer.

Our advanced and fast-paced course provides attendees with all the necessary skills to conduct a simulation of a sophisticated adversary. We deep dive into the latest tradecraft and offensive techniques required to target mature environments with modern defences, up-to-date operating systems and finely-honed blue teams. You will learn how to write your own advanced initial access payloads, equipped with strategies to bypass modern EDP/EDR solutions, including PPID spoofing, argument confusion, blocking of third-party DLLs, AMSI bypasses and how to remove userland hooks.

During this intense course you will be equipped with the necessary knowledge provided by recognised industry red team experts to plan, manage and perform an advanced red team operation.

These steps include the essential knowledge to perform efficient and targeted open-source intelligence, design and automate the deployment of operational infrastructure, gain initial access to a target using sophisticated payloads with defensive evasion techniques, perform host triage, persistence and privilege escalation, and move laterally whilst exploiting common Active Directory misconfigurations.

At the end of the training, students will walk away equipped to target even the most mature environments and brimming with knowledge about the indicators they didn't know their tools were emitting, but the blue team did!

Topics covered during the training include:

Day 1:
- Introduction to red team operations
We will detail how to plan a red team operation, absorb threat intelligence and adapt your methodology accordingly for the TTPs of the adversary you need to simulate.

- Active and passive reconnaissance
This module will cover how to find out all the essential actionable intelligence about your target and use it to better inform your initial access payloads.

- Infrastructure design concepts
In this module we will deep-dive into how to build effective and efficient red team infrastructure with automation, as well as important topics such as redirectors, reputation/categorisation and domain fronting.

- Cobalt Strike and malleable profiles
Knowing how to get the best out of your implant can be the difference between flying under the radar and banging on the blue team's door; in this module we will show you how to configure and use Cobalt Strike such that it becomes a needle in the blue team's very big haystack of a Windows estate.

- Initial access techniques
Getting a foothold is often one of the most complex components of a red team engagement. In this module we will explain the basics of creating initial access payloads using execution cradles, Office exploits, Windows Script Host, HTML applications, shortcuts and more.

- Defensive evasion
While your PowerShell one-liner macro probably worked wonders in 2014, in a modern and mature environment it just won't make the cut! In this module we will up your game and learn how to create advanced payloads using AMSI bypasses, application whitelisting bypasses, VBA stomping, HTML smuggling, keying, PPID spoofing, argument confusion, execution decoupling, blockdlls and ACG.

Day 2:

- Process Injection
You'll start the day with a deep-dive into process injection techniques, learning how to slide under the radar of the latest and greatest EDR solutions. We'll cover the CreateRemoteThread, ALPC, early bird and SetThreadContext techniques, examining the pros and cons of each.

- Custom Tooling
Next you'll put everything you have learned so far into practice and develop your own custom tools to bypass anti-virus and EDR defences. You'll start by building a custom loader that performs process injection and PPID spoofing and evades common EDR and anti-virus defences.

- Host triage
You've got your foothold, what's next? This module will cover off some of the opsec steps you can take to avoid burning your precious foothold including detecting EDR and defensive solutions which may dictate tradecraft, and triaging the host to understand what you can recover to advance the operation.

- Persistence
Effective persistence is an art form and we will teach you how to paint the Mona Lisa, covering both userland and administrative privilege techniques that can fly under the blue team's radar.

- Privilege escalation
This module deep dives into common privilege escalation techniques, including OS exploitation and misconfigurations, as well as learning how UAC works and how to find your own UAC bypasses.

Day 3:

- Pivoting and lateral movement
In an EDR world, operating over a pivot is one of the most effective strategies for avoiding detection. This module will outline common techniques for lateral movement using DCOM, WMI, PsExec and WinRM, how to perform them both on-host and over your pivot, and the opsec trade-offs of each.

- Exploiting Active Directory
Active Directory is the beast that underpins most organisations, and understanding how to exploit it is vital for many red team operations. In this module we will cover the internals of Active Directory. As with the rest of the course, you won't be running exploits here, so leave Metasploit and MS17-010 at home! Instead you will learn the internals and weaknesses of Kerberos, access controls, group policy, constrained and unconstrained delegation, LAPS, SQL Server and more.

The course follows a theory, demonstration, lab and review model. The theory for each topic is first outlined, including instructor-driven on-screen demonstrations to show the internals of the techniques. Students are then given the freedom to implement the techniques in their lab using their own C2 channel, as if it were a real red team operation. A full lab guide walkthrough is also provided to keep everyone on track. Finally, the lab solutions are reviewed with Q&A to ensure full knowledge transfer takes place. Each module lasts approximately one hour thirty minutes, with around one hour of lab time.

About the Lab:
The course lab simulates an end-to-end sophisticated cyber-attack against the Iron Bank of Braavos. Before kicking off the lab, you will review the threat intelligence report (courtesy of MITRE) on the adversary we intend to simulate: the Cobalt Group. After absorbing the TTPs used by this group, you will kick off the lab journey by performing reconnaissance against the bank to identify potential entry points. You will then proceed to deploy your red team infrastructure and conduct a spear-phishing campaign using advanced initial access techniques to obtain a foothold on the bank's internal network. You will then learn to escalate privileges, move laterally and exploit Active Directory weaknesses to achieve your "beyond domain admin" objectives. Our lab uses the latest Windows OS, with anti-virus, AMSI and custom EDP solutions; if you think your PowerShell one-liner macros will cut it, think again!

Each student receives access to their own dedicated multi-tiered Active Directory environment hosted in the cloud. The lab is accessed through the web browser, providing full interactive use through a Kali image with Cobalt Strike.

Learning Objectives:
Red teams are continually sharpening their tradecraft to evade ever-evolving defensive countermeasures. This challenging 3-day training course provides an in-depth opportunity to learn the latest in advanced tradecraft from seasoned red team operators.

During the course, you will learn how to plan and execute a sophisticated red team operation against a mature organisation, evading defensive countermeasures along the way. We will cover the full life cycle of a red team operation from reconnaissance, efficient infrastructure deployment, techniques for gaining initial access, performing post-exploitation, establishing persistence and moving laterally.

The training course is heavily focused on the use and extension of Cobalt Strike; during the course students will have access to a licensed copy of the implant and will learn how to extend it using features such as the resource kit.

Following the training students will be equipped to:

  • Perform in-depth open-source intelligence gathering,

  • Automate efficient infrastructure deployment,

  • Build sophisticated payloads for gaining initial access,

  • Evade security controls such as anti-virus, AMSI and application whitelisting,

  • Perform post-exploitation tasks such as host and network reconnaissance,

  • Pivot to n-tiered networks using SOCKS,

  • Establish persistence,

  • Perform Active Directory attacks such as Kerberoasting and AS-REP roasting, abuse unconstrained delegation and exploit insecure ACLs,

  • Move laterally across a Windows estate.

Student Requirements:

Students will require a laptop with administrator rights and WiFi. Each student will receive their own dedicated lab environment for the course which can be accessed using a web browser.

Target Audience:

This course is aimed at experienced penetration testers looking to gain entry into the red team world, as well as seasoned red teamers looking to advance or sharpen their tradecraft.

What's Included:

  • Three days training

  • Beverages and snacks during breaks

  • Daily lunch

Accommodation:

The training will take place at MDSec's office, located at 32a Park Green, Macclesfield, Cheshire. Several hotels are located in local proximity, including:

  • https://www.travelodge.co.uk/hotels/412/Macclesfield-Central-hotel

  • https://www.tripadvisor.co.uk/Hotel_Review-g191278-d14199208-Reviews-Sleep_Eat_Repeat-Macclesfield_Cheshire_England.html

What Our Students Say:

"Upgrade your arsenal, step up the game" - Tiago Sintra

"If you don't know where to start, this is the place." - Anonymous

"A wealth of useful red team information based on experience, provided by top class industry experts. I highly recommend this course." - Charlie Clark

"Fantastic course. Up to date, relevant and delivered in an easy to understand fashion. Excellent value and extremely informative" - Ian Lyte

"Zero to Hero? Not quite. But it's a great opener to understanding RedTeam principles and feels like the missing course for getting started with Cobalt Strike." - Adam

"The training was amazing, and I would highly recommend it to anyone wanting to work in the red team field, and those already working in the field" - Anonymous

"A great learning experience, lots of technical skills learnt and some great tips on mindset for approaching RT engagements." - Anonymous

"An essential follow up to an OSCP to adapt your knowledge to a red-team role" - Jamie Grive

FAQs

How can I contact the organizer with any questions?

For further information or to pose any questions, please contact MDSec at contact@mdsec.co.uk.

Tickets can also be purchased directly with an invoice by contacting MDSec directly.

What's the refund policy?

Full refunds will be provided up to 30 days before the course start date.

PLEASE NOTE, MINIMUM COURSE NUMBERS APPLY - A FULL REFUND WILL BE PROVIDED IN THE EVENT THAT THE COURSE DOES NOT PROCEED
