Modern day attackers are relentlessly developing new tradecraft and methodologies that allow them to successfully compromise hardened targets for a variety of motivations. While it may look easy from the outside, there are many latent steps that attackers take to ensure their success. Our job as red teamers is emulate this attack life cycle in an effort to identify and remedy these vulnerabilities.

Attackers bring unique perspectives, tools, and resources to the table in their efforts to accomplish their goals, requiring organizations to do the same by consistently applying new defensive technologies and procedures to prevent their environment from being breached. When conducting a red team assessment against organizations with mature security programs, you need to ensure you are using the latest tradecraft and techniques to help avoid detection. That’s where we come in!

Step by step, we will take you through the attacker lifecycle and capture best practices that you can follow to protect your access. You will start with no information, build a profile on your target, persist within their environment, bypass modern defenses, and achieve the goals of your test. We will immerse students in a new environment and require the application of techniques taught throughout the class. You’re going to learn methods to capture information about your target before even gaining access, writing custom malware to evade detection, use the latest application whitelisting bypasses to survive and compromise protected systems, develop strategies for persisting within the target environment, and accomplishing the goals of your assessment.

We are pulling back the curtain! The methods we teach are based upon past-experience in real world scenarios that FortyNorth Security has used to compromise and maintain access while avoiding detection by the target’s blue team. Upon completion of the class, you will have an arsenal of new techniques that can be utilized to yield highly successful assessments. If attending while in a blue team capacity, you will have the ability to see what tools and techniques modern attackers are using to compromise hardened environments and develop techniques to help protect your organization. All students will have the ability to join the Veil Framework Beta team, if requested, to have access to the latest techniques and code prior to becoming public.

Who Should Take This Course

This course is designed for attendees who have experience performing red team assessments and want to take their skillset to the next level. You will learn cutting-edge techniques modern attackers are using today and test yourself in an environment that is based off real-world networks and defenses.

Student Requirements

Students should be comfortable with general penetration testing and red teaming concepts, operating in a Windows domain environment, and have the ability to gain a general understanding of how a tool works when reviewing the source code.

What Students Should Bring

Students will need a bring a laptop with virtualization technology installed (preferably VMWare). The laptop should have at least 8 gigs of RAM, a wireless network adapter, and wired network adapter.

What Students Will Be Provided With

Students will be provided with class materials and a virtual machine that will be used for the course. Additionally, all students will be included (if they would like) within the Veil Framework’s Beta team. This will give students access to the latest private code which will contain new code and techniques, which will help students generate malware that isn’t detected, that can be used immediately on their assessments. Finally, students are given access to a private repository which contains custom developed code that we use on our red team assessments that help prevent us from getting caught and allow us to successfully break into our customer’s environment.

Trainers

Christopher Truncer (@ChrisTruncer) is a co-founder and Offensive Security Lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing toolsets. Chris began developing tools that are not only designed for the offensive community, but can enhance the defensive community’s ability to defend their network as well.

One of the most critical aspects of any red team assessment is obtaining initial access into your target’s environment. The ability to capture valid credentials or execute code within your target’s environment is the first step toward accomplishing the rest of your assessment goals.

In this course, students will learn a variety of techniques used by attackers to phish companies and then write their own malware in a hands-on environment.

This class will cover a wide range of topics over a two-day period:

• Development Environment Prep – We start by building multiple development environments (within virtual machines) for writing malware. We discuss the different tools, languages, and operating system configurations that our malware developers use when writing code and then set them up in our virtual machines.
• Malware/Campaign Goals – When writing phishing malware, we typically have one of two goals: harvest credentials from our victim or execute arbitrary code on their workstation.

For our intro class, we explore how we can accomplish both goals:

• Credential Harvesting – Harvesting account credentials can be very dependent upon the type of services your target has publicly available. Is there a VPN portal, outlook web access, HR self-service portal, Citrix access? Ultimately, your goal is to entice the user to enter their credentials into a web form that securely saves their information and possibly their multi-factor token. We’ll look at both custom code and existing open source tooling which helps to accomplish this objective.
• Arbitrary Code Execution – Code execution typically will result in a Meterpreter or Cobalt Strike Beacon connecting back to your command and control servers when your attack vector is executed by the targeted employee. To accomplish the code execution objective, we discuss and customize browser-based attacks that attackers use to accomplish this objective.
• Code Execution Deep Dive – After looking at examples of how attackers can leverage web browsers to execute code on their target’s systems, we do a deep-dive into different methods of customizing code execution malware.
• Process Injection Techniques – There are many ways that an attacker can inject code not only into its current process, but also other processes that are running on the targeted system. We discuss the pros and cons of injecting into remote processes and walk through the different API calls that enable these capabilities.
• DotNetToJScript – The tool DotNetToJScript has changed how the industry writes phishing malware. It has extended the functionality of “low capability” browser-compatible languages to match that of fully functional development languages. We walk through how you can use different process injection techniques within a browser-based attack with DotNetToJScript.

At the conclusion of the class, students will have a strong understanding of different techniques used by modern attackers in phishing attacks. Additionally, all students will have learned various methods to extend basic phishing attacks to include process injection techniques that are used to avoid detection.

Note: While this is an introductory class, attendees should have an understanding of basic programming concepts to get the most out of this class. Experience with .NET would be extremely beneficial. This course is geared toward attacking Window’s environments and all malware written during class will be for Window’s targets.