FortyNorth - Intrusion Operations

May 25th to 28th

Course Abstract

Modern day attackers are relentlessly developing new tradecraft and methodologies that allow them to successfully compromise hardened targets for a variety of motivations. While it may look easy from the outside, there are many latent steps that attackers take to ensure their success. Our job as red teamers is to emulate this attack life cycle in an effort to identify and remedy these vulnerabilities.

Attackers bring unique perspectives, tools, and resources to the table in their efforts to accomplish their goals, requiring organizations to do the same by consistently applying new defensive technologies and procedures to prevent their environment from being breached. When conducting a red team assessment against organizations with mature security programs, you need to ensure you are using the latest tradecraft and techniques to help avoid detection. That’s where we come in!

Step by step, we will take you through the attacker lifecycle and capture best practices that you can follow to protect your foothold within your target. You will start with no information, build a profile on your target, establish a foothold, persist within their environment, bypass modern defenses, and achieve the goals of your test. We will immerse students in an environment based on real-world defenses and require the application of techniques taught throughout the class. You’re going to learn methods to capture information about your target before even gaining access, write custom malware to evade detection, execute the latest application whitelisting bypasses to compromise protected systems, develop strategies for persisting within the target environment, and accomplish the goals of your assessment.

We are pulling back the curtain! The methods we teach are based upon past experience in real-world assessments that FortyNorth Security has used to compromise and maintain access while avoiding detection by the target’s blue team. Upon completion of the class, you will have an arsenal of new techniques that can be utilized to yield highly successful assessments. If attending in a blue team capacity, you will see what tools and techniques modern attackers are using to compromise hardened environments and develop techniques to help protect your organization.

Outline

The course is broken up into thirteen (13) different modules. Each module contains tactics, techniques, and procedures that students are able to use immediately for their assessments and for the course’s featured CTF event. A description of each module and the goals are as follows:

Introduction - The introduction will cover the agenda of the course, so students understand what to expect each day. This will include covering the requirements for the course (and providing students the necessary files, virtual machines, etc. where possible), laying out the agenda for each day of the course, defining what red teaming really is (dispelling misconceptions of its meaning), providing final notes before beginning the class, and discussing the goals and targets of the course’s featured CTF event, which begins the minute the class starts.

Command and Control Configuration - Part 1 - The command and control configuration module will discuss different advanced configuration options that red teams have to help conduct their assessments. Every offensive security tool has strengths and weaknesses, along with different technological requirements. This module will help students choose offensive tools based on the goals of each assessment.

Malleable Profiles - Multiple red team command and control tools have allowed operators to create malleable profiles. Malleable profiles allow red team operators to modify different indicators of compromise used on their assessment to help avoid detection. The malleable profiles module will describe different network, host, and in-memory based indicators that can be modified and the different malleable profile configurations that allow our team to succeed.

Command and Control Configuration - Part 2 - When a red team’s C2 infrastructure is improperly configured, it can quickly lead to a failed assessment. The command and control configuration module will discuss best practices that should be followed by all teams. This section will cover purchasing domains, establishing domain reputation, and domain fronting with high-reputation domains. We’ll discuss using redirectors, both simple “iptables” based redirectors and smart redirectors via mod_rewrite. An important practice when configuring your command and control systems is to establish redundant infrastructure and separate the roles of each C2 server. You’re not going to conduct post-exploitation actions from every server in use, and you’re not going to use the same protocol from each server. We will provide students with strategies for deploying redundant C2 servers and separating functionality to help prevent detection. Finally, we will cover specific functionality of different tools that can be used to fine-tune malware staging strategies, such as Cobalt Strike’s Resource Kit.

Aggressor Scripting - Cobalt Strike allows operators to extend its functionality by exposing a scripting language called Aggressor. Aggressor can be thought of as a force multiplier for red team operations. The Aggressor Scripting module will teach students both basic and advanced usage of Aggressor to help augment the capabilities of their respective red teams. While covering sample Aggressor usage, we will walk through code samples, discuss scenarios where Aggressor scripts could help various red team tasks, and then work with students to help develop new Aggressor scripts to fill the void.

OSINT - Open Source Intelligence Gathering is an important phase of a red team assessment because it allows red teams to capture information about their targets without ever interacting with their target’s systems. When conducting OSINT properly, red teams can tailor social engineering scenarios and malware to operate seamlessly in their target’s environment. The OSINT module will teach students the type of information to target and how to do so without touching the target’s information systems. Students learn to capture domain information, network ranges, hosting providers, DNS records, metadata information about live systems, active service information, employee information, employee e-mails, and more. If performed properly, it’s possible to break into your target’s environment without ever needing active reconnaissance.

Active Recon - During the active recon module we will discuss the detailed information that red teams can gather when they choose to directly interact with the target company/organization’s information systems. When red teams conduct active recon, they have to assume the worst-case scenario, meaning that their actions have been noticed. We’ll discuss strategies on how to conduct active recon knowing that it could be discovered, without burning the overall operation. Additionally, students will learn to minimize their footprint during live host identification, subdomain enumeration, e-mail address validation, and sweeping active web servers for information.

Phishing - The phishing section will be one of the primary sections of the course. Phishing is typically the best opportunity for red teams to gain some sort of access into their target’s environment, but it is simultaneously the best chance for the operation to be detected. The phishing section will begin by discussing how to properly stand up phishing infrastructure, which is separate from the infrastructure used for command and control, including strategies to protect the phishing infrastructure from manual (IR Teams) and automated (AV companies) analysis. The next step includes developing different social engineering scenarios and determining the goal(s) of each scenario (usually either credential harvesting or obtaining access into the target’s environment). Finally, we will spend a considerable amount of time on developing different malware that red teams can use when phishing target employees. We will open up our internal playbook to share the code FortyNorth Security uses to help aid the phishing process.

Application Whitelisting - The application whitelisting module will teach students about the latest application whitelisting techniques that attackers are leveraging in real world attacks. We will explore how companies deploy application whitelisting as well as weaponize modern application whitelisting bypasses to allow students to remain effective in a highly restrictive domain environment. We’ll provide code and show students how to leverage application whitelisting for lateral movement which will extend the stock functionality of most C2 toolsets.

Antivirus Evasion - When attempting to evade antivirus software, red team operators leverage a variety of techniques to avoid detection. In the class, we teach students alternate Windows API calls that can be used to inject into memory and run malware, how to capture ordinal values of API calls that help achieve the same malware execution goals, and techniques for developing custom malware to avoid existing virus signatures. Additionally, this module will discuss previous test cases in which antivirus companies have developed signatures for specific malware only to be defeated by modifications to the original malware code. Finally, we’ll discuss different techniques that operators can use to create highly targeted malware that only runs on the environment targeted by the red team.

EDR Evasion - There are multiple options that attackers can use to bypass different EDR solutions that are available on the market today. This section will highlight how EDRs attempt to identify malicious behavior, how you can try to circumvent detection, and provide links to useful code for performing this task. We will walk through a widely used EDR configuration rule by rule and discuss evasion methods for bypassing any form of detection based on the publicly promoted EDR configuration.

Persistence - The persistence module’s goal is to provide students with more techniques to persist on hosts, and within networks, than will ever be needed on an assessment. This will allow students to choose the specific persistence technique that would work best in their target’s environment. We will teach students how to persist at various permission levels, when to drop custom malware vs. living off the land, how to use “fileless” techniques, and how to target the right systems to persist on.

Initial Access, Recon, and Lateral Movement - The initial steps taken by a red team operator will help shape the actions that the red team takes for the rest of the assessment. We’ll cover how to determine if you’re under investigation, and strategies for maintaining that initial access. The domain reconnaissance section of this module will document domain information that should be captured for offline analysis, including domain computers, user accounts, groups, trust relationships, and more. The next step in performing domain recon includes identifying locally mapped network drives, network shares that are available to users within the target’s internal domain, highly valuable processes that are running on domain systems, and additional information. Finally, the lateral movement section will describe the process we use to analyze the previously gathered information to determine not only where to move laterally within a domain, but also the method that is used to remotely compromise a system. After discussing this process, we will share highly effective methods to remotely compromise systems that might be protected with a wide range of defensive technologies.

Attacking the Cloud - The attacking the cloud section will focus on different cloud assets that teams may encounter during a red team assessment. The section will cover various cloud providers (AWS and Azure) along with different tools and techniques that can be used to identify misconfigurations and exploit them within a cloud environment. We’ll look at persistence techniques within Azure, methods of accessing and compromising their VPN connections, and a novel method of using Azure functionality for C2 that’s not yet been publicly released!

Finalizing the Assessment - The final module of the class will discuss methods to target the goals of a red team assessment. Attackers don’t typically hack companies for the lulz; there is often a much greater motivation behind their actions, which includes specific data that attackers are attempting to acquire. However, red teams need to take real-world consequences into consideration. When data is too sensitive to actually egress from your customer’s boundary, how do you emulate performing this action to demonstrate impact to your customer? This module will show how to do exactly this. Finally, we’ll end with everyone’s favorite topic: customer management techniques.

CTF Review - Upon completion of the class, we will show students the CTF environment that they have been targeting during the entire course. We’ll review how the techniques taught during the course would allow them to avoid detection and bypass defensive controls to achieve the goals of the CTF.

Who Should Attend

This course is designed for attendees who have experience performing red team assessments and want to take their skillset to the next level. You will learn cutting-edge techniques modern attackers are using today and test yourself in an environment that is based on real-world networks and defenses. Everything that students encounter in the class and lab is 100% based on defenses and configurations seen in customer environments. None of this lab is a contrived scenario designed to frustrate students. Every challenge within the lab is based on what we have encountered on assessments.

What You Need

Students will need to bring a laptop with virtualization software installed (preferably VMware). The laptop should have at least 8 GB of RAM, a wireless network adapter, and a wired network adapter. You will also need to be able to use an OpenVPN profile that will be provided to you (so have an OpenVPN client pre-installed on your system).

Bio

Chris Truncer, Co-Founder and Offensive Security Lead, FortyNorth

Christopher Truncer (@ChrisTruncer) is a co-founder and Offensive Security Lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing toolsets. Chris began developing tools that are not only designed for the offensive community, but can also enhance the defensive community's ability to defend their networks.

Matt Grandy, Sr. Offensive Security Engineer, FortyNorth

Matthew Grandy is a senior offensive security engineer with extensive experience leading penetration testing and red team engagements across various industries. He is an Offensive Security Certified Expert (OSCE) as well as an Offensive Security Certified Professional (OSCP) and contributes regularly to the open source community, as he believes very strongly in elevating the security industry as a whole. Most notably, Matthew has contributed to the C# EyeWitness project and created MiddleOut, a C# compression utility. Matthew is also a previous Black Hat and Wild West Hackin' Fest instructor.
