Red Team Training
Course Synopsis
The training is divided into six sections: initial foothold, payload crafting, gaining access, internal reconnaissance, lateral movement, and lab & reporting. Each section is covered in depth, with technical evidence of how each technique works. Red team exercises are performed throughout to assess responsiveness and detection capability.
As a red teamer, it is important to understand what each tool and command is doing behind the curtain in order to provide proper guidance. Expect to perform code review, network analysis, and behavior analysis, and to write code to improve your red team capabilities.
Module 01
Initial Foothold
Reconnaissance
- Identifying external assets
- Identifying technologies used internally
- Identifying sensitive information publicly exposed
- Identifying vectors for attacks and phishing
Phishing
- Choosing your payload
- Evasion and tricks
- Context and pretext
- Finding new execution vectors
- R&D approach
Compromising the External Perimeter
- Choosing a valuable asset
- Is it worth it?
- Detecting the detection in place
- Password spraying
Compromising the Client Azure Tenant
- Entra ID: enumeration and reconnaissance
- Extended scope
- Graph API
Module 02
Payload Crafting
EDR Bypass
- Unhooking APIs in usermode
- Direct syscall
- Simple stage 0
- AMSI, ETW, and ETW Ti
- TrustedInstaller abuse
- Dealing with kernel callbacks
- Kernel exploit to defeat EDR
- C# obfuscation ideas
Module 03
Gaining Access
Identifying patterns to avoid detection
- Fingerprinting EDR / AV solutions
- Adapting your toolset
- Evasion tricks
Writing custom payloads
- Which language?
- Why use one technique versus another
- Unmanaged PowerShell
- Unmanaged .NET
- Raw command execution
Building your infrastructure
- Abusing cloud services
- What a good profile looks like
- Guardrails
- Redirectors
- Cobalt Strike Artifact Kit
- Considerations when building your own C2
Module 04
Internal Reconnaissance
Identifying valuable users and assets
- How to scan for assets and users
Stealth enumeration techniques
- LDAP
- Public toolsets
- RPC
- Hunting AD misconfigurations
- SDDL and permission abuse
Identifying targets that help achieve your goals
- Identifying computers
- Identifying services
- Identifying users and software
- Bypassing LDAP detection and using Lsar* APIs
Vulnerable systems that can be used
- Citrix escape
- Java deserialization issues
Default credentials
- Printers with AD credentials
- Management portals such as Jenkins, Tomcat, and more
Defeating MFA internally
- RSA PIN backdoor
- Browser pivot
- Reusing an already established connection
First steps when you gain access
- Reconnaissance on the target
- Monitoring
- What to run
New vulnerabilities
- PetitPotam & ADCS case
- Abusing misconfigurations
- The power of RPC
Module 05
Lateral Movement
Capturing credentials
- NetBIOS
- MITM
- Kerberoasting
- GPP
- Exposed shares
- Password spraying
- Browser is the new LSASS
How to perform lateral movement
- WMI
- WMI — the stealth way
- DCOM
- SMB / DCERPC / SVCCTL
Customizing your toolset to avoid detection
- Application whitelisting
- EDR / AV
- Understanding the underlying concepts of the Impacket suite
- Cobalt Strike sleepmask problem
- Cobalt Strike Artifact Kit overview
Lateral movement techniques
- Pass the hash
- Kerberos tickets
- Password reuse
- Relaying credentials and hashes
Crossing boundaries
- Domain trusts
- Domain hopping
- Moving to systems that don't have Internet access
Tunneling
- Running tools locally
- SOCKS proxy
- Tunneling to a Windows system
- Tunneling to a Linux system
- SSH tunneling
Module 06
Lab & Reporting
Building your lab
- Playing with RPC
- Auditing Active Directory
- Playing with Windows features
Reporting
- What to report
- How to report
- Structure of your report