Trainer Name: Manish Gupta, Yash Bharadwaj

Title: StealthOps : Red Team Tradecraft Targeting Enterprise Security Controls

Duration: 3 Days

Dates: Sept. 6, 2022 To Sept. 8, 2022

Training Objectives

Most enterprises run misconfigured security controls somewhere in their infrastructure, and attackers routinely evade, circumvent, or outright abuse those controls to reach critical assets. The training is designed for red teams, penetration testers, system administrators, and Blue Team members who want to understand the tactics, techniques, and attacks adversaries use. The major portion covers identifying misconfigurations in controls, developing offensive tradecraft, and then stealthily evading those controls using current attack vectors.

Candidates will gain a working knowledge of enterprise-grade security controls and how they can be evaded on hosts, on the network, and on cloud-synced devices. The class walks through the various controls, writes custom scripts in C#, abuses Windows internals/features and monitoring solutions, writes custom bypasses for host, network, and cloud security (EDR) controls, and bypasses cross-forest restrictions in an Active Directory environment. The training focuses on Windows and Linux platforms so that attendees can better refine detection in their enterprise.

Training level: Basic to Intermediate

Training Preview

Apex threat actors with advanced capabilities, such as leveraging in-memory implants, writing custom code to evade AVs and EDRs, moving laterally with custom-made tools, and evading host- and network-level security solutions to stay stealthy, are constantly refining their tactics and techniques against defensive teams. To strengthen enterprise-grade security, the training is designed for penetration testers, system administrators, and Blue Team members who want to understand the tactics, techniques, and attacks adversaries use.

Training Outline

Day 1 (Introduction to Enterprise Security Controls)

  • Anti-Virus
  • End-Point Detection and Response (EDR)
  • End-Point Defender Features (AMSI, CLM, UAC, AppLocker, WDAC, WDAG, WDEG (ASR), Sandbox)
  • Directory-Level Controls (JEA, JIT, PAW, PAM, Credential Guard, Remote Credential Guard, GPO, LAPS, Constrained Delegation, Resource-Based Constrained Delegation, etc)
  • Linux Environment (AppArmor, SELinux)
  • EDR, XDR Demonstration
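As an added example, not part of the course material: a read-only PowerShell check that enumerates the state of several of the Day 1 endpoint and directory-level controls on the local Windows host, so an attendee can see how a lab VM (or their own estate) is actually configured before attempting to evade anything. The function name Get-EndpointControlState is the example's own; the registry paths, the Win32_DeviceGuard class and the Defender/AppLocker cmdlets are documented Microsoft locations. An absent key is reported as "not configured by policy", which is not the same as "disabled".

```powershell
# Added example (not from the training material). Run from an elevated
# PowerShell 5.1 / 7 session on Windows; it only reads registry, CIM and policy.
function Get-EndpointControlState {
    function Get-RegValue {
        param([string]$Path, [string]$Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }   # key/value absent = control not configured by policy
    }

    $r = [ordered]@{}

    # Constrained Language Mode: a script-based attacker inherits the language
    # mode of the session they land in.
    $r['LanguageMode'] = $ExecutionContext.SessionState.LanguageMode.ToString()

    # AMSI: each registered provider (subkey CLSID) is invoked for script content.
    $amsi = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
    $r['AmsiProviders'] = @($amsi).Count

    # Script Block Logging (Event ID 4104) is off unless enabled by policy.
    $sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $r['ScriptBlockLogging'] = ($sbl -eq 1)

    # UAC: EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 means silent
    # elevation for administrators, a common misconfiguration.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $r['UAC_EnableLUA']                  = Get-RegValue $sys 'EnableLUA'
    $r['UAC_ConsentPromptBehaviorAdmin'] = Get-RegValue $sys 'ConsentPromptBehaviorAdmin'

    # AppLocker: rule collections in the effective policy and their enforcement
    # mode (empty string = no policy applied at all).
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $r['AppLockerCollections'] = @($pol.AppLockerPolicy.RuleCollection |
            Where-Object { $_.EnforcementMode -ne 'NotConfigured' } |
            ForEach-Object { "$($_.Type)=$($_.EnforcementMode)" }) -join ','
    } catch { $r['AppLockerCollections'] = 'module or policy unavailable' }

    # WDAC and Credential Guard both surface through Win32_DeviceGuard.
    # CodeIntegrityPolicyEnforcementStatus: 0=Off 1=Audit 2=Enforced
    # SecurityServicesRunning: 1=Credential Guard, 2=HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r['WDAC_Enforcement']       = if ($dg) { $dg.CodeIntegrityPolicyEnforcementStatus } else { 'n/a' }
    $r['CredentialGuardRunning'] = [bool]($dg -and (@($dg.SecurityServicesRunning) -contains 1))

    # ASR rules: Get-MpPreference exposes parallel arrays of rule GUIDs and
    # actions (0=Off 1=Block 2=Audit 6=Warn); count how many actually block.
    try {
        $mp   = Get-MpPreference -ErrorAction Stop
        $ids  = @($mp.AttackSurfaceReductionRules_Ids)
        $acts = @($mp.AttackSurfaceReductionRules_Actions)
        $block = 0; $audit = 0
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($acts[$i] -eq 1) { $block++ } elseif ($acts[$i] -eq 2) { $audit++ }
        }
        $r['ASR_RulesBlock'] = $block
        $r['ASR_RulesAudit'] = $audit
    } catch { $r['ASR_RulesBlock'] = 'Defender cmdlets unavailable' }

    # Legacy LAPS: policy flag plus presence of the client-side extension DLL
    # (the CSE being installed without the policy flag is a frequent gap).
    $r['LAPS_PolicyEnabled'] = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled') -eq 1
    $r['LAPS_CSEInstalled']  = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"

    [pscustomobject]$r
}

Get-EndpointControlState | Format-List
```

Compare the output against what the policy says should be in place: a FullLanguage session on a host that is supposed to be in Constrained Language Mode, an AppLocker collection in AuditOnly rather than Enabled, or ASR rules counted under audit rather than block are exactly the kind of misconfigurations the Day 1 material is about.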

Day 2 (Offensive C# Tradecraft, Windows API & Bypasses)

  • CSharp Essentials
  • CSharp Beginner [10 Hands-on Labs]
  • Offensive C# Trade-Craft [6 Hands-on Labs]
  • Windows API Essentials
  • Utilizing Windows API for Red Team Profit [9 Hands-on Labs]
  • AMSI, CLM, Script Block Logging, ASR Rules, UAC Bypass
  • Application Whitelisting: AppLocker, WDAC


Day 3 (Abusing / Evading Security Controls - Feature Abuse)

  • Abusing Windows Features (PowerShell, LOLBAS, Sandbox, WSL)
  • Constrained Delegation & Resource-based constrained delegation
  • SCCM & SCOM Abuse
  • GPO Abuse
  • Bypassing Credential Guard
  • Credential Access in Windows & Linux
  • Cross Forest Abuse Scenarios [5 Different Techniques]
  • Bypassing Enterprise Endpoint Detection & Response Solutions in Real-Time

What to Bring?

  • A system with at least 8 GB RAM and virtualization support
  • VMware Workstation / Fusion installed, with 40 GB of free disk space
  • Up-to-date OpenVPN client
  • Up-to-date web browser

Training Prerequisites

  • Comfortable with a command-line environment (PowerShell, Linux terminal)
  • Fair knowledge of penetration testing methodology

Who Should Attend?

  • Penetration Testers / Red Teams
  • System Administrators
  • Malware Developers
  • SOC analysts
  • Threat Hunting Team
  • Last but not least, anyone interested in strengthening their offensive and detection capabilities

What Attendees will get?

Course material including commands, slides, and an enterprise lab walkthrough, plus 30 days of full lab access with technical support during and after the training class.

What to Expect?

  • Understanding misconfigurations in host-level and network-level security controls, and how they are actively evaded/bypassed
  • Fair scripting knowledge of C# and the Windows API
  • Improved visibility into the enterprise security controls deployed in the organization
  • Enhanced threat-visibility capabilities at both host and network level, on Windows and Linux environments
  • Knowing how NOT to configure enterprise security controls
  • 30 days of lab access after class, with technical support, so candidates can sharpen their skills at their own pace

What not to Expect?

  • Becoming a professional malware developer
  • Any 0-day technique
  • Coverage of cloud security controls


About the Trainer

Manish Gupta is Director of CyberWarFare Labs in India, with 6.5+ years of expertise in offensive information security, specializing in offensive security and red teaming in enterprise environments. He is a part-time bug bounty hunter and CTF player. His research interests include real-world cyber attack simulation and advanced persistent threats (APT). He has previously spoken at conferences such as Black Hat USA 19, DEFCON 19, Nullcon 2020, and BSides CT 20, where he showcased his red teaming toolkit "PivotSuite". He is currently developing an open-source offensive security toolkit for red teamers and penetration testers. He will deliver his next offensive/defensive operations cyber security trainings at Nullcon 21 (Sept 21) and in multiple corporate trainings.

Yash Bharadwaj works as a technical architect at CyberWarFare Labs. He is highly attentive to finding, learning, and discovering new TTPs used during offensive engagements. His areas of interest include (but are not limited to) building red/blue team infrastructure, evading AVs and EDRs, pwning Active Directory infrastructure, stealth in enterprise networks, and multi-cloud attacks. He has previously delivered hands-on red team trainings at BSides Ahmedabad, OWASP Seasides 20, BSides Delhi (Red & Blue Team Training), OWASP AppSec Indonesia 20, CISO Platform 20, and YASCON 21, and has trained at international conferences including Nullcon 21 and BSides Connecticut. You can reach him on Twitter at @flopyash.