RED TEAM TRAINING – ADVANCED THREAT ACTOR SIMULATION (ATAS)

Course overview

This course will train your already inquisitive mind to emulate real-world threat actors. It’s fast paced and it’s intense. You will be exposed to an in-depth methodology suitable for operating as a top-tier professional red teamer. You will learn not only advanced tactics, techniques, and procedures (TTPs), but also how to run a successful engagement from start to finish, with a focus on operational security and sound risk management.

Our instructors are world-class red teamers who spend most of their time on multi-month engagements compromising central banks, government, critical national infrastructure, and more.

October 2023

£2,400
  • 2 – 5 October, 2023
  • Live Online (GMT)

What you will learn

The tactics, techniques and procedures taught in this course are constantly updated to keep pace with the latest techniques used by known threat actors in the wild. The latest TTPs used by real-world threat actors will be demonstrated on a practical level. This includes stealthily bypassing the defensive security controls (e.g. common EDR and next-gen AV products) that typically operate within modern enterprise environments, as well as the pitfalls and lessons learned through many engagements and the experience built up across our own red team. The instructors will impart knowledge from the field, including wins, losses, improvements, optimisations and, most importantly, operational security.

The course includes both a theory element and hands-on practical exercises, where the techniques learned can be practised in a lab environment specifically designed to replicate a typical corporate network. While the course focuses heavily on the latest offensive techniques used by a red team, it also covers common defensive techniques deployed by the blue team, such as host-based event logging and monitoring, strict egress filtering, application whitelisting and various other endpoint protections.

You’ll be with our expert red team instructors for four days. This is broken down into three days of teaching, with four structured sessions per day mixed with multiple labs and demos after each session. Below you will find an overview of the course, with some highlights detailed for each session. The final day concludes the training and allows you to put all your accumulated knowledge to the test as we tackle a real-world assault course.

Day 1

Session 1

Introduction / C2 Proxy and Supporting Infrastructure Setup

  • Cyber Kill Chain, Scoping & Pre-Engagement, Legal & Ethics, Reconnaissance & OSINT, Threat Intelligence
  • C2 architecture, Rewrite Rules, Controlling Traffic and User Behaviour & Red Team Monitoring

Session 2

Domain Fronting and Proxy Reputation

  • Purchasing Collateral, Staying Anonymous, Fronting and Domain Reputation
  • Certificates, Phishing, Email Security, Information Leakage and Burners

Session 3

C2 Communications / Implant Configurations

  • C2 Communication, C2 Safety and Operational Security
  • Inner Workings of an Implant, Security Bypasses and Defensive Considerations (AMSI, ETW, hooking, etc.)

Session 4

C2 Frameworks & Introduction to PoshC2

  • Overview of many C2 Frameworks
  • Introduction to PoshC2

Day 2

Session 1

Weaponization

  • Weaponization Handlers, Macro-Embedded Office Documents / Excel 4.0 SLK, OLE (Office 2013 / Office 2016+)
  • Windows Script Host (JS & HTA), ClickOnce / Java Applets, and Document and Application Signing

Session 2

Download Cradles

  • Downloaders, One-Liners and Code Snippets

Session 3

Execution

  • Bypassing Whitelisting, Custom C++/C# Droppers and AMSI/ETW Bypass Techniques

Session 4

Mac OS X Execution & Delivery

  • Phishing, Social Engineering, USB, Network Devices & Physical
  • Delivery Evasion (HTML smuggling), Delivery Tracking and Live Experiences

Day 3

Session 1

Situational Awareness & Persistence

  • Understanding Your Environment, Finding Hidden Defensive Products
  • Laying Persistence, Advanced Persistence & Custom Droppers

Session 2

Privilege Escalation / Active Directory Attacks

  • Host Based Attacks, Elevating Privileges, Network Attacks
  • Active Directory Attacks (Kerberos, Delegation, etc.), ACL Abuse, Common Vulnerabilities

Session 3

Active Directory Trusts / Cloud Tenancy and Lateral Movement

  • Understanding Trusts, Attacking Trusts and Hybrid Cloud Environment
  • Common Lateral Movement Techniques, Stealth and Advanced Methods

Session 4

Database Intrusion / Memory Abuse

  • Attacking Databases, Common Weaknesses and Interacting through C2
  • Stealing Data from Memory and other Commonly Found Memory Artefacts

Assault course

The training lab is built with realistic defensive security controls and countermeasures deployed, which you will need to bypass using your newly acquired skills.

The aim of the assault course is to run a red team engagement with the objective of penetrating the BLOREBANK network, including its defences, via phishing. You will then abuse typical weaknesses, such as those highlighted throughout the course, with the ultimate objective of gaining access to a critical non-domain-joined and segregated database server to retrieve credit card information.

Key objectives

  • Perform a simulated phishing attack against a typical corporate environment with standard defences, such as EDR (Microsoft Defender and Kaspersky), mail filtering and AppLocker restrictions, using the knowledge you have gained through the course to obtain a foothold.
  • Perform situational awareness and lay persistence to secure your initial foothold. Users are simulated and may reboot their workstations from time to time to ensure they have the latest updates.
  • Perform reconnaissance against a multi-domain environment and attempt to enumerate Active Directory and find any vulnerabilities that may exist within the environment, keeping opsec in mind at all times.
  • Attempt privilege escalation on-host and against the environment using your C2 framework of choice and aim to perform multi-layered network pivoting to access multiple targets in a highly monitored network.
  • Enumerate the target objective and attempt to compromise the critical system in scope for the red team. This will include multiple levels of privilege escalation and lateral movement in order to gain access to the objective system.

“The training team provided unprecedented access to lessons from the front line that cannot be extracted from books, blogs and training materials or other courses.”

Dan Stewart, Head of Testing, Quorum Cyber

“Great course content delivered by extremely knowledgeable red teamers. The practical lab was a great environment where newly learned techniques can be applied.”

Sasha Raljic, Principal Security Consultant

“Offers excellent value for penetration testing consultants. It taught real-world effective simulated attack strategies, tools and techniques which I now use to conduct simulated attacks against our clients.”

Kai Stimpson, Principal Security Consultant