Post Exploitation Adversary Simulations – Network Data Exfiltration Techniques

Course Description

In the introduction we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seen in the wild and map the findings directly to the ATT&CK framework, the kill chain methodology and a defense-in-depth strategy. We will also go briefly (with live examples, of course!) through the importance of network baselining, memory forensics and automated malware analysis systems, and finally through real threat simulation tactics, which are the key aspects of this training.

Next, we will dive deep into the individual network protocols, services and techniques commonly used by adversaries in corporate networks and discuss their characteristic detection features. Using the available set of tools (more than 50 different tools and frameworks; check the Keywords section list below), students will work one by one through well-prepared exfiltration, pivoting and tunneling use cases to generate the true network symptoms of modern attacker behavior.

We will explore in detail how to:

  • run different types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding and proxying, and find the network traffic artifacts of such actions
  • manually generate single malicious packets, e.g. to saturate a DHCP server using Python, flood a network service from C code or start a brute-force attack using hydra or medusa
  • generate your own malicious payloads and raw TCP/UDP custom encrypted traffic channels designed to evade security products
  • simulate DNS DGA traffic, run DNS TXT tunnels and remote shells, exfiltrate data using DNS MX records, and use the same tunneling to get Internet access on a plane or in a hotel for free!
  • clone and armor popular websites for phishing
  • create a domain fronting setup
  • build a covert channel that drips a big file out in ICMP packets, and monitor ICMP traffic
  • use different HTTP headers and methods to steal data, also in combination with web application injection techniques, and walk through the world of webshells
  • detect and understand TLS/SSL-based anomalies and exfiltration methods
  • run PowerShell scripts in the post-exploitation stage to leak data and bypass AV/EDR
  • cheat security platforms by running internal WMI, WebSocket, VoIP or P2P covert channels
  • hide stolen data in binary, WAV or image files, or exfiltrate data from an air-gapped system using hops
  • configure a station to connect to anonymizers like external VPNs, Tor or open proxies, and 'ping' IPs/domains tagged on globally recognized security feeds, rules or phishing lists
  • use popular cloud-based services for C2 communication and data theft, e.g. Pastebin, Twitter, AWS and many more
  • replay malicious PCAP files in terms of network behaviour and analyze malware samples using Cuckoo
  • understand how the syntax of signature-based rules works, how Suricata or Bro IDS can help you detect adversary tactics, and what the differences between these two IDS engines are
  • and a combination of many, many more.

Through hands-on lab exfiltration, this training gives you a bigger picture of what you really need to care about when initially designing, or later improving, your SOC environment or Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or machine-learning and anomaly detection security solutions.

All of the above is based on a purely hands-on laboratory where each student runs every single action or chained scenario on their own in a dedicated virtual lab network. This class focuses on the x86/x64 architecture, IPv4/IPv6 networks and Linux and Windows target environments.

In terms of IDS/IPS/data leakage protection, and for a better understanding of the current state of your network security posture, the training experience will help you understand risks and identify network security blind spots and unexpected, uncovered areas by simulating real, offensive cyber adversary network behavior. Become confident that your network security really works!

Course contents

Introduction:

  • ATT&CK Framework API.
  • TTP, Kill chain & Defense in depth.
  • The importance of:
    • network traffic baseline profiling
    • memory forensics
    • real threat simulations != penetration tests
    • log correlation

Modern RAT implementations and popular APT / C2 malware communication designs – real use cases:

  • The review of the latest APT campaigns
  • Multi-Staging
  • Network Link chaining
  • Hiding
  • Data Obfuscation
  • Transfer/protocol limits
  • Timing channels / scheduled jobs / packet dripping

TCP/UDP bind and reverse shells:

  • Meterpreter + Veil Framework:
    • AV-evading payloads
    • common and exotic ports
    • routing, pivoting & port forwarding
  • CLI tips & tricks:
    • netcat / nc / cryptcat / telnet / socat / curl / wget / xxd / rsync
    • /dev/tcp
    • PTY
    • PHP / Perl / Python / Ruby / Java / ASP shells
  • TCP/UDP raw socket tunnels
  • Generate your own network shellcode & analyze the Exploit-DB shellcode archive

General bypassing, exfiltration, tunneling, pivoting, proxying and C2 techniques:

  • ICMP
  • DNS:
    • Authoritative vs recursive
    • CDN theory & domain fronting
    • Fast-flux domains
    • Dictionary and random characters DGA
    • DNS proxy
    • DNS anomalies
  • HTTP/S & web application exploitation techniques combo:
    • HTTP 404
    • HTTP headers:
      • Etag
      • Cookies
      • User-agent
      • Accept
      • If-None-match
    • GET/POST
    • Website cloning and armoring
    • WebDAV
    • Websockets
    • Certificate exfiltration & TLS/SSL anomalies
    • *Injections + exfiltration
    • HTTP redirects
    • Webshells
    • HTTP anomalies
  • WMI / PS-remote
  • Proxy / Socks
  • SSH / SFTP / SCP
  • LDAP
  • FTP / TFTP
  • SMB / NFS
  • RDP
  • Anonymizers:
    • VPN
    • Tor
    • Open Proxy
  • POP3 / SMTP / IMAP
  • VOIP
  • P2P
  • IRC
  • IPv6
  • + chaining of the above and many more.
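The DNS items above ("Dictionary and random characters DGA", "DNS anomalies") are the point where a simulation and its detection meet. The following is an added example written for this page, not course material: it generates both DGA styles from an assumed seeding scheme (a shared key plus the date plus a counter; real families differ in detail but follow the same idea) and then scores DNS queries with the two per-label features people usually reach for first (Shannon entropy and dictionary coverage) plus the per-client NXDOMAIN ratio. The word list, the family key "family-x" and the DNS log are constructed for the example.

```python
"""Added example: simulate random-character and dictionary DGAs, then show which
features separate them from normal traffic (and which do not)."""
import hashlib
import math
from collections import defaultdict
from datetime import date

# Constructed word list; real dictionary DGAs embed far larger lists.
WORDS = ["cloud", "secure", "update", "mail", "service", "portal", "login",
         "data", "sync", "report", "office", "share", "net", "file", "doc", "app"]
ALPHA = "abcdefghijklmnopqrstuvwxyz"


def _digest(family_key: str, day: date, index: int) -> bytes:
    # Assumed seeding scheme: shared secret + date + counter, so the bot and the
    # operator derive the same daily candidate list without talking to each other.
    return hashlib.sha256(f"{family_key}:{day.isoformat()}:{index}".encode()).digest()


def random_char_dga(family_key: str, day: date, count: int = 5, length: int = 12) -> list[str]:
    """Random-character DGA: labels are pseudo-random letters (high entropy)."""
    return ["".join(ALPHA[b % 26] for b in _digest(family_key, day, i)[:length]) + ".com"
            for i in range(count)]


def dictionary_dga(family_key: str, day: date, count: int = 5) -> list[str]:
    """Dictionary DGA: two dictionary words glued together (looks like a brand name)."""
    out = []
    for i in range(count):
        d = _digest(family_key, day, i)
        out.append(WORDS[d[0] % len(WORDS)] + WORDS[d[1] % len(WORDS)] + ".net")
    return out


def shannon_entropy(s: str) -> float:
    """Bits per character of a label."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def second_level_label(fqdn: str) -> str:
    # Simplification: label left of the last dot; public-suffix handling (co.uk) is out of scope.
    return fqdn.rstrip(".").lower().split(".")[-2]


def dictionary_coverage(label: str) -> float:
    """Fraction of characters covered by greedy longest-prefix matches against WORDS."""
    i, covered = 0, 0
    while i < len(label):
        match = max((w for w in WORDS if label.startswith(w, i)), key=len, default=None)
        if match:
            covered += len(match)
            i += len(match)
        else:
            i += 1
    return covered / len(label) if label else 0.0


def label_features(fqdn: str) -> dict:
    label = second_level_label(fqdn)
    return {"label": label, "length": len(label),
            "entropy": round(shannon_entropy(label), 3),
            "coverage": round(dictionary_coverage(label), 3)}


def flag_clients(dns_log: list[tuple[str, str, str]], min_queries: int = 5,
                 nx_ratio: float = 0.6) -> dict[str, dict]:
    """Per-client NXDOMAIN ratio: a bot walks through many unregistered candidates
    before hitting the one the operator registered, whatever the label style."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "high_entropy": 0})
    for client, qname, rcode in dns_log:
        stats = per_client[client]
        stats["queries"] += 1
        stats["nxdomain"] += rcode == "NXDOMAIN"
        stats["high_entropy"] += shannon_entropy(second_level_label(qname)) > 3.0
    flagged = {}
    for client, s in per_client.items():
        ratio = s["nxdomain"] / s["queries"]
        if s["queries"] >= min_queries and ratio >= nx_ratio:
            flagged[client] = {**s, "nx_ratio": round(ratio, 2)}
    return flagged


def build_sample_log(day: date) -> list[tuple[str, str, str]]:
    # Constructed DNS log: 10.0.0.7 runs a dictionary DGA (only the last candidate
    # resolves), 10.0.0.9 is an ordinary workstation.
    candidates = dictionary_dga("family-x", day, count=8)
    log = [("10.0.0.7", d, "NXDOMAIN") for d in candidates[:-1]]
    log.append(("10.0.0.7", candidates[-1], "NOERROR"))
    for d in ["www.example.com", "mail.example.org", "cdn.example.net",
              "cloudshare.example.com", "login.example.com"]:
        log.append(("10.0.0.9", d, "NOERROR"))
    return log


if __name__ == "__main__":
    today = date(2020, 1, 1)
    for fqdn in random_char_dga("family-x", today, 2) + dictionary_dga("family-x", today, 2):
        print(label_features(fqdn))
    print(flag_clients(build_sample_log(today)))
```

Entropy cleanly separates the random-character labels from real names, but the dictionary DGA labels score like legitimate domains on both entropy and coverage (coverage is 1.0 by construction). That is the caveat worth taking into the lab: per-label features alone are not enough, and the per-client NXDOMAIN ratio and query volume over a baseline window are what actually expose the second family.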

Cloud-based exfiltration and C2 channels:

  • Twitter
  • Pastebin
  • Github
  • Slack
  • Youtube
  • Office 365
  • Gmail / Google Docs
  • AWS / Google Cloud
  • Skype
  • Dropbox
  • Soundcloud
  • Tumblr

Windows & Powershell exfiltration tools:

  • AD / LDAP properties
  • Empire

Just a Browser Exfiltration:

  • audio/video exfil
  • keylogging

Hopping from air-gapped networks.

USB attacks and network exfiltration combo.

The art of data hiding → steganography examples:

  • Binary
  • WAV
  • Image
  • VOIP
  • Routing Protocol
  • Screen
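For the WAV carrier listed above, here is an added example (written for this page, not the course's own tooling) of the classic least-significant-bit embedding in 16-bit PCM audio, with the matching extractor and the per-sample difference that explains why the change is inaudible. The cover tone, the `STG1` marker and the "stolen" secret are all constructed for the example.

```python
"""Added example: LSB steganography in 16-bit PCM WAV audio (embed, extract, measure)."""
import io
import math
import struct
import wave

MAGIC = b"STG1"  # assumed 4-byte marker so the extractor can tell a carrier from a clean file


def make_cover_wav(seconds: float = 1.0, rate: int = 8000, freq: float = 440.0) -> bytes:
    """Constructed cover file: a mono 16-bit sine tone standing in for a real recording."""
    n = int(seconds * rate)
    samples = [int(12000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack(f"<{n}h", *samples))
    return buf.getvalue()


def _read_samples(wav_bytes: bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        frames = w.readframes(w.getnframes())
    if params.sampwidth != 2:
        raise ValueError("only 16-bit PCM is handled here")
    return params, list(struct.unpack(f"<{len(frames) // 2}h", frames))


def _write_samples(params, samples) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()


def capacity_bytes(wav_bytes: bytes) -> int:
    """Payload bytes that fit: one bit per sample, minus marker and length header."""
    _, samples = _read_samples(wav_bytes)
    return len(samples) // 8 - len(MAGIC) - 4


def _bits(data: bytes):
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def embed(wav_bytes: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of consecutive samples with MAGIC || length || payload."""
    params, samples = _read_samples(wav_bytes)
    frame = MAGIC + struct.pack(">I", len(payload)) + payload
    if len(frame) * 8 > len(samples):
        raise ValueError(f"payload too large: capacity is {capacity_bytes(wav_bytes)} bytes")
    for i, bit in enumerate(_bits(frame)):
        samples[i] = (samples[i] & ~1) | bit  # works on negative samples too (two's complement)
    return _write_samples(params, samples)


def _read_bytes(samples, offset: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[offset + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(wav_bytes: bytes) -> bytes:
    _, samples = _read_samples(wav_bytes)
    if _read_bytes(samples, 0, len(MAGIC)) != MAGIC:
        raise ValueError("no embedded payload found")
    length = struct.unpack(">I", _read_bytes(samples, len(MAGIC) * 8, 4))[0]
    start = (len(MAGIC) + 4) * 8
    if start + length * 8 > len(samples):
        raise ValueError("length field exceeds file")
    return _read_bytes(samples, start, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample difference between two files. LSB embedding changes each
    sample by at most 1, about -90 dB relative to full scale, so loudness checks
    and human listeners miss it; only a known-clean copy or LSB-plane statistics
    reveal the carrier."""
    _, sa = _read_samples(a)
    _, sb = _read_samples(b)
    return max(abs(x - y) for x, y in zip(sa, sb))


if __name__ == "__main__":
    cover = make_cover_wav()
    secret = b"user=alice;pass=hunter2\n"  # constructed 'stolen' data
    stego = embed(cover, secret)
    print(len(cover), capacity_bytes(cover), max_sample_delta(cover, stego), extract(stego))
```

The file size, header and sample rate of the carrier do not change, which is why DLP that inspects metadata or size only will pass it; a detector needs the original to diff against or a statistical test on the LSB plane.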

Signature-based event analytics, rule bypassing & malicious network traffic generation:

  • Suricata ET / VRT rules vs the attacker → the syntax rules of the rules
  • Bro IDS log “features” for deep low-level network baselining
  • Threat Intelligence feeds, lists and 3rd party APIs:
    • IP reputation lists
    • Malware feeds
    • Phishing feeds
    • C2 lists
    • Open Proxy lists
    • Tor exit-nodes
    • Censys / VT / Passive Total
    • Shodan
  • Replaying and analysing malicious PCAP files.

Adversary simulation moves, actions, tools & automated platforms:

  • In&Out Simulated Network Exfiltration Platform
  • APT simulator
  • Dumpster Fire
  • Firebolt
  • Flightsim
  • Armoring:
    • Nmap NSE scripts
    • MiTM/Spoofing/TCP flooding
    • Port Knocking
    • Brute force
    • DHCP starvation
    • Info disclosure on SMB/CIFS shares

Summary → recommended defensive/protection tactics, tools and platforms.

Target audience

  • Red and Blue team members
  • Security / Data Analysts
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors

Requirements

  • An intermediate level of command line syntax experience using Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Hardware/Software Requirements

  • At least 20GB of free disk space
  • At least 8GB of RAM
  • Students should have the latest VirtualBox installed on their machine
  • Full Admin access on your laptop

Trainer Biography

Leszek Miś is the Founder of Defensive Security, Principal Trainer & IT Security Architect. Recently he was a VP, Head of Cyber Security in Collective Sense – a Machine Learning Network Security Startup from the U.S. where he was responsible for product security research, strategy, business analysis & technical feature implementation and recommendation. He has over 13 years of experience in the IT security market supporting the world’s largest customers in terms of exfiltration simulations and penetration tests, infrastructure hardening and general Open Source and IT Security consultancy services. In addition, he has 11 years of experience in teaching and transferring deep technical knowledge and his own experience. He has trained 600+ students with the highest rank. He is an IT Security Architect with offensive love and a recognized expert in the enterprise OSS market.

As a speaker, trainer or just a participant he has attended many conferences such as Brucon, OWASP Appsec USA, FloCon, SuriCon, HITB, AlligatorCon, Semafor, Exatel Security Days, Confidence, PLNOG, NGSEC, Open Source Day, SysDay, Confitura, Red Hat Roadshow, OWASP Chapter Poland, ISSA, InfoTrams.

The holder of many recognized certificates:

  • Offensive Security Certified Professional (OSCP)
  • Red Hat Certified Architect (RHCA)
  • Red Hat Certified Security Specialist (RHCSS)
  • CompTIA Security+
  • Splunk Certified Architect