Red Teaming: The Advanced User-Land Techniques

Our Red Teaming “The Advanced User-Land Techniques” course teaches user-land exploitation techniques specifically designed to evade advanced enterprise security products, as well as make incident detection and response a real nightmare. Students will practice Red Teaming against procedurally generated computer networks, containing multiple VLANs, and which are properly defended by endpoint detection and response, and defence-in-depth.

Some of the key topics covered are:
  • Complete malware platform covering web, mobile, endpoint and network
  • Rapid deployment of command control infrastructure in the cloud
  • Data exfiltration techniques for segmented enterprise networks
  • Operational security and tripwires to detect security investigations
  • Anti-forensics and anti-threat-hunting concepts and techniques
  • Total enterprise network compromise including SCADA and ERP

Theoretical knowledge makes up 40% of the course, and 60% is made up of practical exercises. The last day of the course is a practical Red Team exercise where students will put the skills they have learnt into practice.

Course Outcome
In this course, we teach attack techniques similar to those used by threat actors such as APT28, Project Sauron, or DUBNIUM to compromise networks.

If you are a penetration tester, the knowledge you gain in this course will help you deliver long-term Red Team campaigns that simulate persistent attackers equipped with advanced user-land exploitation toolsets. If you work in incident detection and response, this course will show you how adversaries defeat many enterprise security solutions. It will also give you insight into what can be done to stop them.

Intended Audience
Penetration testers, incident responders, security analysts, security engineers and heads of information security with a strong technical background are all welcome to attend this course.

Instructor(s)
This course is taught by Mossé Security’s experienced instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services across a multitude of industries, involving complex and multi-faceted approaches. Each of our instructors combines solid corporate experience with proven skill in presenting and teaching to groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching easily conveys their passion for computer security to every one of our students.

Course Outline:

Module 1: Advanced Red Team Exercises Design Workshop

We begin the course by teaching structured techniques to invent, propose, and design Red Team Exercises. The students will be equipped with all the knowledge and tools to then draft formal Red Team proposals that can be distributed internally within an organisation, or to external clients, for approval.

These techniques are invaluable to any Red Team manager who wishes to run exercises that go beyond traditional “sophisticated penetration testing” engagements relying solely on the capabilities offered by Metasploit, Empire, or other penetration testing tools. We will cover how to professionally design ransomware attacks and blackmail scenarios, and how to obtain approval to test destructive attacks in a network in order to measure the effectiveness of the security controls meant to support recovery from such scenarios.

Module 2: Windows Processes & Threads Internals
In this module, we dive into how processes and threads are implemented in the Windows operating system. We cover the Windows APIs available to any Red Teamer for performing the following attacks, and how each is carried out:
  • DLL Injection
  • PE Injection
  • Process Replacement
  • Thread Execution Hijacking
  • Shell Tray Injection
  • APC DLL Injection
  • IAT Hooking
  • Inline Hooking
  • Hook Injection
  • “Code Caves”
  • Unlinking

We will also manually review the source code of Meterpreter’s Incognito module and of Mimikatz, so that students learn how dumping passwords from LSASS is done. At the end of this module, the students will have all the theoretical foundations to reimplement Mimikatz, or any advanced persistent threat (APT) user-land technique they wish.

Module 3: Windows Reverse Engineering and Programming

We will devote several hours to teaching the fundamentals of the Windows Debugger (WinDbg) and how to interact with the Windows APIs in C/C++ and Golang. This module is especially important for students who are not programmers or who have not done any serious programming in recent years.

By the end of the module, students should be comfortable with the debugger, with Visual Studio, and should know how to read code, in any language, that interacts with the Windows subsystem.

Module 4: Windows Programming for Offensive Security

On the second day of the course, we will offer the students multiple offensive-security programming exercises in which to put into practice everything they have learnt so far. Students who complete these exercises will prove to themselves that they can develop Windows malware that performs code injection and hooking, backdoors processes with skeleton keys, and dumps passwords from memory.

Module 5: Malware Reverse Engineering for Red Teaming Operations

In this module, the students will receive a crash-course on reverse engineering malware in IDA. Then, they will be tasked with quickly analyzing many different types of malware samples to rapidly extract attacker tradecraft that they can implement within their own Red Team engagements.

This module is often an eye-opener for penetration testers who have historically been limited to the functionality of their favourite toolset: upon completion, they will be able to take any APT toolkit, quickly extract new tradecraft, and use it to their own benefit.

Module 6: Evading the Blue Team

It’s paramount that professional Red Teamers can critically analyse the malware they use in order to anticipate how defenders are likely to detect them. Implementations of functions such as beaconing, password dumping, persistence, privilege escalation, and memory-only execution can all be exposed to the generic detection techniques that modern endpoint detection and response tools cover, as well as to custom detection rules implemented by the Security Operations Centre.

In this module, we will teach you how to identify such vulnerabilities in the tools you use, whether they are open-source or proprietary, and how to fix the weaknesses you’ve discovered.

Module 7: Custom Command & Control (C2) Infrastructure Development
Building resilient, secure, and stealthy command and control (C2) infrastructure is the cornerstone of any Red Team toolset. In this module, we teach a systematic approach to C2 development that includes:
  • Designing custom protocols
  • Designing extendable malware
  • Handling multiple implant connections
  • Encapsulating C2 traffic into legitimate network traffic
  • Data compression and encoding
  • Encrypting sensitive data in transit
  • Beaconing
  • Domain fronting
  • C2 via social media platforms
  • USB exfiltration

Module 8: Operational Security

In this module we review multiple APT campaigns in which defenders and security researchers successfully infiltrated the attackers’ infrastructure and, in many cases, deanonymised the people behind the malware. Using these case studies, we teach the students about the operational security pitfalls they can avoid in their own Red Team Exercises.

Module 9: Proxy Implants Development

In this short module, we teach the students how to program their own proxy implants to pivot into restricted network environments. This is a very common and useful tool that Red Teamers need in order to penetrate sensitive networks such as SCADA and ERP networks.

Module 10: Mobile Malware Development
In this final lecture, we teach the students how to build mobile malware just in case the need ever arises. Specifically, the following techniques are covered:
  • Recording the camera
  • Recording the microphone
  • Stealing pictures
  • Stealing the contact list
  • Collecting text messages

Module 11: Red Team Exercise
The last day of the course is a practical Red Team exercise where students will put the skills they have learnt into practice.

Enrol

Fees
  • Ticket: $5,000.00 AUD including GST.

Enrolment
No open registration programmes scheduled. Contact us to run this learning programme onsite.
Terms and Conditions
  • Payment methods are either booking online via Eventbrite or contacting us for an invoice.
  • Payment is required at the time of booking.
  • Cancellations received 14 days or less prior to the course commencement date are not eligible for a refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed 1 reschedule per class. Transfers received between 15 and 28 days prior to course commencement will be charged a $300 (incl. GST) administrative fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, there will be no refund or reschedule given. Payment is forfeited. Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.

Requirements

Knowledge Requirements
We recommend that students have mastered the concepts and techniques covered in the previous level of the Red Team course series before attending this course.

Software Requirements
Bring a laptop running the Windows or UNIX operating system with the OpenVPN or Tunnelblick client to connect into our training lab in the cloud.

Bring Your Hacking Toolset
For the Red Team exercise on day 5 of the course, we invite you to bring your own hacking tools and put them to the test against a hardened enterprise network protected by our instructor(s).