OUR TRAINING

EXPERT LEVEL

OFFENSIVE ADVERSARY
OPERATIONS

  • DURATION 8 Days
  • PRACTICE 95%
  • TRAINEES max 10 ppl
  • LANGUAGE FR
  • CERTIFIED DIATEAM

Offensive Adversary Operations training (OAO) is essential for understanding how to simulate real threats and mimic malicious offensive actors, so that you become the ideal sparring partner for red team vs blue team exercises. This practical training course (95% "hands-on") teaches the principles, tools and techniques involved in offensive operations, and is tailored for professionals who want to immerse themselves in Red Teaming.

LEARNING OBJECTIVES

The Offensive Adversary Operations course is designed to help candidates build the capabilities needed to mimic a modern adversary. It takes you through the different stages of an attacker kill chain. DIATEAM has conducted hundreds of adversary simulation exercises over the years: we leverage that knowledge and experience to give you the know-how to conduct efficient red team operations. This adversarial training covers the foundations of Red Teaming and, by simulating advanced threat actors, gives defensive staff visibility into how an adversary would manoeuvre against them. Students learn the Tactics, Techniques and Procedures (TTPs) used by adversaries to build a complete cyber kill chain. Current, advanced techniques are set up to emulate the adversary across multiple highly realistic labs. The initial intrusion phase gives you access to an Active Directory domain environment lab, where you execute your implant to compromise a host. From there, you perform different types of local and Active Directory enumeration to finally gain full Administrator privileges.

Who Should Attend ?

  • Security professionals looking to further expand their knowledge of Red Team exercises in order to understand how they differ from other types of security tests
  • Penetration testers and Red Team members wanting to train, enhance or challenge their skills on advanced scenarios
  • Blue Team members, defenders, and forensic specialists: the understanding of offensive methodologies, tools, tactics, techniques, and procedures during adversarial exercises will contribute to improving their ability to defend better, smarter and faster
  • Auditors who need to gain deeper technical skills on actual threat vectors and/or meet regulatory requirements

PREREQUISITES

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals provides a solid foundation on which to build Offensive Adversary Operations concepts. Many of the Red Team concepts taught in this course are suitable for anyone in the security community: both technical staff and management personnel will gain a deeper understanding of Red Team exercises and adversary emulation.

SYLLABUS

DAY 1

INFRASTRUCTURE / TRAINING OVERVIEW

  • Command and control
  • Proxy
  • OPSEC Considerations
  • Phishing platform

ENTRY POINT (1/2)

  • Malicious document (APT34 loader)
  • HTML Application (HTA)
  • Microsoft Excel Add-in Files (XLL) / Managed Object Format Files (MOF) / Control Panel Files (CPL)
  • CVE-2021-40444 (Remote code execution vulnerability in MSHTML / ActiveX – Exploit Development)
DAY 2

ENTRY POINT (2/2)

  • Password Spraying (https://attack.mitre.org/techniques/T1110/003/)
  • ProxyLogon (CVE-2021-26855 – Exploit Development Lab)
  • ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 – Exploit Development Lab)
DAY 3

USERLAND PERSISTENCE

  • Registry Run Keys / Startup Folder (https://attack.mitre.org/techniques/T1547/001/)
  • Word Add-ins Persistence (https://attack.mitre.org/techniques/T1137/006/)
  • Component Object Model Hijacking (https://attack.mitre.org/techniques/T1546/015/)
  • DLL Side-Loading (https://attack.mitre.org/techniques/T1574/002/)
  • Screensaver (https://attack.mitre.org/techniques/T1546/002/)
  • Shortcuts (https://attack.mitre.org/techniques/T1547/009/)

ADMINLAND PERSISTENCE (1/2)

  • Modified Services
  • Application Shimming (https://attack.mitre.org/techniques/T1546/011/)
DAY 4

ADMINLAND PERSISTENCE (2/2)

  • AppCert DLLs (https://attack.mitre.org/techniques/T1546/009/)
  • Netsh Helper DLL (https://attack.mitre.org/techniques/T1546/007/)
  • Local Security Authority Subsystem Service (https://attack.mitre.org/techniques/T1547/008/)

LONG TERM COMMAND & CONTROL

  • Outlook VBA Backdoor (Backdoor Development Lab)
  • Exchange Transport Plugin (Backdoor Development Lab)
DAY 5

RECONNAISSANCE

  • Execute Assembly (run .NET assemblies from memory)
  • BloodHound / SharpHound
  • Classical enumeration

ELEVATION/LATERALISATION (1/2)

  • Kerberoasting (https://attack.mitre.org/techniques/T1558/003/)
  • Windows Remote Management aka WinRM
DAY 6

ELEVATION/LATERALISATION (2/2)

DAY 7

ANTIVIRUS & ENDPOINT DETECTION & RESPONSE EVASION (1/2)

  • Understanding AV/EDR
  • .NET code obfuscation with ConfuserEx – Userland
  • Bypassing Windows Defender heuristics – Userland
  • Bypassing Windows Defender behavioural detection – Userland
DAY 8

ANTIVIRUS & ENDPOINT DETECTION & RESPONSE EVASION (2/2)

  • Shutting down Sysmon – AdminLand
  • Unloading a driver – AdminLand
  • Silencing Event Tracing for Windows (ETW) – Userland

KEY TARGETS

Mimic a modern adversary

Conduct Efficient Red Team Operations

CERTIFIED TRAINING

DIATEAM provides a Certificate of Completion for every completed course. The certificate can be verified by contacting training@diateam.net with the enrolment ID printed on the certificate.

CONTACT US