Practical Red Teaming: Malware Development & Adversary Simulation

By Amr Thabet

Elevator Pitch

This is a live instructor-led training that focuses on developing cyber weapons that can evade AV detection, EDR logs, and forensics traces like how targeted attacks do, and provide you with insights on how to improve your organization’s overall detections and security posture

Description

Practical Red Teaming: Malware Development & Adversary Simulation is a hands-on offensive training that focuses on helping organizations battle against ever-growing targeted attacks and ransomware attacks by simulating their adversaries and putting your defenses and your blue team at test to improve the organization’s security posture.

This training focuses on developing cyber weapons that can evade AV detection, EDR logs, and forensics traces like how targeted attacks do, and provides you with insights on how to improve your organization’s overall detections and security posture.

This year, we have included a simulated Active Directory environment that we will take control of through a series of hands-on AD lateral movement exercises covering NTLM, kerberos and PKI attacks.

What previous students said about this training: “Outstanding training, worth its weight in gold. Content: Up-to-date and very very impressive. Delivery: Very well delivered, Amr put his heart and soul into it and was very helpful. Great human being. Much appreciated.” by John Johnes

“This is one of the best trainings I’ve attended. I couldn’t be happier with my decision to take this training.” by Adebayo

LEARNING OBJECTIVES:

  • Simulate a real APT Attack given its TTPs.
  • Build your own malware to test their defenses (or clients’ defenses) against completely new malware.
  • Build your own Red Team infrastructure in AWS and secure it from being detected or blocked by the company’s security team.
  • Learn not just the techniques and how to use them, but how each technique works internally and how you can develop your own version of it.

PROGRAM OUTLINE

DAY 1

APT Attacks & Red Team Infrastructure on AWS

  • What is an APT Attack? ​* What are the Attack Stages? And what’s MITTRE ATTACK?
  • APT attack lifecycle ​* Examples of real-world APT attacks
  • Deep dive into the attackers’ tactics, techniques, and procedures (TTPs) Using Threat Intelligence ​* Understand the attackers’ malware arsenal ​* Setting Up Your Infrastructure in the cloud ​* Setting up your account in AWS & Terraform ​* Build your network and Caldera VM in the cloud ​* Create Redirectors to obfuscate your C&C IP

Initial Access: Get your foot into the organization network

  • Spearphishing with a malicious document
  • Spearphishing with link
  • Spearphishing using social media
  • Advanced Execution Techniques: LNK Files ​* Advanced Execution Techniques: COM Objects ​* Write your first spear-phishing attack with a malicious document (Hands-on)
  • LOLBins & Bypassing Applocker

Write Your First HTTP Malware

  • Build a Vulnerable organization in AWS
  • Connect to Caldera C2 using HTTP
  • Implement Base64 encoding in your malware
  • Implement JSON parsing in your malware
  • ​Send victim machine information to your C&C ​* Receive and execute commands from Caldera ​* Automate command execution across multiple victims ​ DAY 2 —— ###Maintaining Persistence In-Depth
  • Maintain Persistence in the victim machine
  • Advanced Persistence methods
  • Disguise the malware inside a legitimate process (Malware as a DLL)
  • Persistence through DLL Injection
  • Privilege Escalation Techniques
  • UAC bypass techniques
  • ​Advanced UAC bypass techniques: Abusing Application Shimming
  • Abuse services for privilege escalation

Defense Evasion: Malware Obfuscation

  • Malicious Documents: VBA Stomping
  • Strings Encryption ​* Dynamic API Loading ​* Hidden In Plain Sight: Malware Steganography
  • Hidden In Plain Sight 01: HTML Smuggling ​* Hidden In Plain Sight 02: Steganography
  • Bypassing EDR through Stealthy Process Injection

Defense Evasion: Network Obfuscation

  • Network Data Encryption​
  • HTTPS Communication ​* Using legitimate websites for communications
  • DNS Flux and DNS over HTTPS
  • Other Protocols & Channels (ICMP, DNS)

DAY 03:

###Impersonating Users: Credential Theft & Token Impersonalization * Credential Theft using lsass memory dump * Bypass lsass protection * Token Impersonation & Logon Types Overview * Token Impersonation implementation in your malware * ​Steal Remote Desktop Sessions

Lateral Movements

  • NTLM Attacks: Pass The Hash
  • ​Kerberos Attacks: Pass The Ticket
  • Kerberos Attacks: Overpass The Hash
  • Kerberos Attacks: Delegations
  • Silver & Golden Tickets
  • AD CS/PKI Attacks: Certificate Theft & Maintaining Persistence
  • AD CS/PKI Attacks: Privilege Escalation Using Certificates
  • AD CS/PKI Attacks: Domain Persistence

AD Attacks Lab Exercise

  • Demonstrating AD attacks through a series of exercises in a simulated AD environment

Who Should Attend

This training is for Security Professionals who want to expand their skills in red teaming, understand how real-world attacks look like and better protect their organizations against APT Attacks, Targeted Ransomware attacks and Fileless attacks This includes:

  • Cyber Security Professionals ​* Penetration Testers
  • Purple Teamers & Threat Hunters
  • Incident Handlers ​* SOC Analysts

Materials Provided:

  • Training Prerequisite & Lab Setup Guide: a step-by-step guide for preparing your machine and your AWS account for the training (we will be using the AWS Free Tier options along the training, there shouldn’t be any extra payments)
  • All the slides and the labs (including the red team infrastructure on the cloud source code)

Delegate Requirements:

  • Good IT administration background in Windows mainly (Linux is preferred)
  • Good cybersecurity background.
  • Good programming skills in C++

DURATION:

3 Days