Advanced Red Team Operations


itsMe


Course Description

This is an advanced course that focuses on setting up secure and resilient C2 infrastructure using Azure/AWS, creating custom Cobalt Strike profiles, and hunting for Active Directory Certificate Services misconfigurations in mature enterprise environments. Learn current post-exploitation techniques that White Knight Labs (WKL) has used during real-life engagements to dump credentials, move laterally, escalate to Domain Admin, and capture the client’s crown jewels. We will cover EDR bypass briefly, but AV/EDR bypass will be assumed knowledge for this course.

Although this course is designed to be a deep dive into hunting for ADCS misconfigurations and setting up C2 infrastructure, an apex attacker must also know the indicators of compromise (IOCs) they are creating and the artifacts they are leaving behind. On the second day, students will be led through a real-life red team operation.

Key Takeaways

Students will learn how to configure resilient C2 infrastructure, abuse AD misconfigurations, and bypass AV/EDR. The majority of this course is focused on exploiting Active Directory misconfigurations using hyper-current techniques that WKL has seen in mature networks during red team engagements within the last year.

Who Should Attend?

We recommend this course if you’ve been working in offensive or defensive cyber operations for 1-2 years. Are you a penetration tester or red teamer who wants to hone their AD skills and have more options during engagements? This course is for you.

Prerequisite Knowledge

This is an advanced course. We recommend this course if you’ve already taken WKL’s Offensive Development course and/or have an in-depth understanding of bypassing AV/EDR. Common Active Directory attacks like pass-the-hash, golden/silver ticket, etc., will be assumed knowledge.

Lab Environment

Students will be given a Terraform script to spin up their own lab environment in AWS that consists of the following:

    Windows Sophos Intercept X EDR VM
    Windows Crowdstrike EDR VM
    Ubuntu Cobalt Strike Team Server
    Windows 10 Development Machine
    Kali Linux
    Fully Patched Windows 10 Machine
    Windows Server 2022 (Domain Controller)
    Windows Server 2022 (PKI Server)

Hardware/Software Requirements

Students must have an active AWS admin account with programmatic access.
Students must have an active Azure admin account.

Syllabus

Day 1: Red Team Fundamentals

    Cobalt Strike/Guacamole walkthrough
    Terraform for infrastructure automation
    Redirectors and CDNs
    Custom malleable C2 profile
    Protecting your C2 server (mod_rewrite and ProxyPass)
    Touch-and-go AV/EDR bypasses

Day 2: Red Team Operation Attack Paths

    Advanced payload creation
    Windows lateral movement
        SOCKS proxies
        Service controller
        WMI
        COM/DCOM
    Abusing AD misconfigurations via C2 channels (ADCS)
    Advanced credential dumping techniques
    SQL misconfigurations for lateral movement and code execution
