Course Description
Course contents
Introduction:
- MITRE ATT&CK framework and its API.
- TTPs, the kill chain & defense in depth.
- The importance of:
- network traffic baseline profiling
- memory forensics
- real threat simulations != penetration tests
- log correlation
Modern RAT implementations and popular APT & C2 malware communication designs, with real use cases:
- The review of the latest APT campaigns
- Multi-Staging
- Network Link chaining
- Hiding
- Data Obfuscation
- Transfer/protocol limits
- Timing channels / scheduled jobs / packet dripping
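Timing channels, scheduled jobs and packet dripping all leave the same fingerprint in connection logs: a fixed period with small jitter. The following detection-side example is added by the editor for illustration and is not course material. It assumes a cut-down Zeek (Bro) conn.log containing only the ts, id.orig_h, id.resp_h and id.resp_p columns (the real log has many more) and uses constructed log lines built inside the block, one 60-second beacon and one human-looking browsing session from the same client.

```python
import statistics
from collections import defaultdict


def parse_conn_log(text):
    """Group connection timestamps per (client, server, port) flow.

    Assumes a cut-down Zeek (Bro) conn.log with tab-separated columns
    ts, id.orig_h, id.resp_h, id.resp_p; the real log carries many more
    fields, so a production parser should read the #fields header instead.
    """
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split("\t")
        flows[(src, dst, int(dport))].append(float(ts))
    return {flow: sorted(ts) for flow, ts in flows.items()}


def beacon_score(timestamps):
    """Period and jitter of a flow derived from its inter-connection gaps.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that one long outage (laptop closed overnight)
    does not mask an otherwise regular beacon.
    """
    deltas = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(deltas) < 2:
        return None
    period = statistics.median(deltas)
    mad = statistics.median([abs(d - period) for d in deltas])
    return {
        "connections": len(timestamps),
        "period_s": round(period, 2),
        "mad_s": round(mad, 2),
        # MAD relative to the period: near 0 for a scheduled job, large for a human
        "jitter_ratio": round(mad / period, 3) if period else float("inf"),
    }


def find_beacons(flows, min_conns=8, max_jitter=0.1):
    """Flows with enough connections and a jitter ratio under the threshold."""
    found = {}
    for flow, timestamps in flows.items():
        if len(timestamps) < min_conns:
            continue
        score = beacon_score(timestamps)
        if score and score["jitter_ratio"] <= max_jitter:
            found[flow] = score
    return found


def constructed_conn_log():
    """Constructed sample (not real traffic): a 60 s beacon with up to 1.5 s
    of jitter to 203.0.113.10 and an irregular browsing session to
    198.51.100.20, both from client 10.0.0.7."""
    base = 1700000000.0
    beacon_jitter = [0.0, 1.2, -0.8, 0.5, -1.5, 1.0, -0.3, 0.9, -1.1, 0.4]
    browsing_offsets = [0, 3, 45, 47, 200, 201, 202, 900, 905, 1800]
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p"]
    for i, jitter in enumerate(beacon_jitter):
        lines.append("%.3f\t10.0.0.7\t203.0.113.10\t443" % (base + 60 * i + jitter))
    for offset in browsing_offsets:
        lines.append("%.3f\t10.0.0.7\t198.51.100.20\t443" % (base + offset))
    return "\n".join(lines)


SAMPLE_CONN_LOG = constructed_conn_log()

if __name__ == "__main__":
    for flow, score in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(flow, score)
```

The beacon flow scores a jitter ratio of about 0.02 and is reported; the browsing flow scores 0.8 and is not. Treat the 0.1 threshold as a starting point to tune against your own baseline: implants that randomise their sleep interval widely, or that hide inside legitimate application traffic, need the deeper per-protocol baselining the course covers in the Bro/Zeek section.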
TCP/UDP bind and reverse shells:
- Meterpreter + Veil Framework:
- payloads that bypass AV
- common and exotic ports
- routing, pivoting & port forwarding
- CLI tips & tricks:
- netcat / nc / cryptcat / telnet / socat / curl / wget / xxd / rsync
- /dev/tcp
- PTY
- PHP / Perl / Python / Ruby / Java / ASP shells
- TCP/UDP raw socket tunnels
- Generate your own network shellcode & analyze the Exploit-DB Shellcode Archive
General bypassing, exfiltration, tunneling, pivoting, proxying and C2 techniques:
- ICMP
- DNS:
- Authoritative vs recursive
- CDN theory & domain fronting
- Fast-flux domains
- Dictionary-based and random-character DGAs
- DNS proxy
- DNS anomalies
- HTTP/S combined with web application exploitation techniques:
- HTTP 404
- HTTP headers:
- ETag
- Cookies
- User-Agent
- Accept
- If-None-Match
- GET/POST
- Website cloning and armoring
- WebDAV
- WebSockets
- Certificate exfiltration & TLS/SSL anomalies
- Injection attacks of all kinds + exfiltration
- HTTP redirects
- Webshells
- HTTP anomalies
- WMI / PowerShell Remoting
- Proxy / Socks
- SSH / SFTP / SCP
- LDAP
- FTP / TFTP
- SMB / NFS
- RDP
- Anonymizers:
- VPN
- Tor
- Open proxies
- POP3 / SMTP / IMAP
- VoIP
- P2P
- IRC
- IPv6
- Chaining of the above, and many more
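As an added illustration of the DGA and DNS-anomaly items above (editor's example, not course material): scoring the registrable label of each query with Shannon entropy and dictionary coverage separates random-character DGAs from dictionary-based ones, and counting NXDOMAIN answers for such names per client finds hosts walking a generated list in search of a live C2 domain. The word list, the thresholds and the Zeek-style dns.log excerpt are all constructed here; a real deployment would load a full dictionary, a public-suffix list and an allowlist of known-good domains.

```python
import math
from collections import Counter, defaultdict

# Constructed stand-in for a real word list (assumption: a production detector
# loads something like /usr/share/dict/words plus an allowlist of known domains).
WORDS = {"secure", "update", "service", "account", "login", "cloud", "data",
         "network", "mail", "news", "fast", "home", "bank", "file", "share",
         "sync", "web", "app", "api", "cdn"}
MAX_WORD = max(len(w) for w in WORDS)


def registrable_label(domain):
    """Label left of the TLD. Naive on purpose: multi-part public suffixes
    such as co.uk need a public-suffix list in real code."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; about 4.7 for uniformly random lowercase letters."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dictionary_coverage(label):
    """Fraction of the label covered by greedy longest-match dictionary words
    of at least three letters (a dictionary DGA scores close to 1.0)."""
    i, covered, n = 0, 0, len(label)
    while i < n:
        best = 0
        for j in range(min(n, i + MAX_WORD), i + 2, -1):
            if label[i:j] in WORDS:
                best = j - i
                break
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / n if n else 0.0


def features(label):
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "coverage": round(dictionary_coverage(label), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / len(label), 3) if label else 0.0,
    }


def classify(domain):
    """Illustrative thresholds only; tune them against your own DNS baseline."""
    f = features(registrable_label(domain))
    if f["length"] >= 12 and f["coverage"] >= 0.8:
        return "dictionary-dga"
    if f["length"] >= 10 and f["entropy"] >= 3.3 and f["coverage"] < 0.5:
        return "random-dga"
    return "benign-looking"


# Constructed Zeek-style dns.log excerpt (only ts, client, query, rcode_name).
SAMPLE_DNS_LOG = """\
1700000001.10\t10.0.0.5\twww.google.com\tNOERROR
1700000002.30\t10.0.0.5\tmail.secureupdateservice.com\tNOERROR
1700000003.00\t10.0.0.9\txk4f9q2ndla8vp.net\tNXDOMAIN
1700000003.20\t10.0.0.9\tqmzvtpwkrxlsfgh.com\tNXDOMAIN
1700000003.40\t10.0.0.9\tfastcloudnewshome.org\tNXDOMAIN
1700000004.00\t10.0.0.9\tcdn.news.com\tNOERROR
"""


def dga_suspects(log_text, min_hits=2):
    """Clients with at least min_hits NXDOMAIN answers for DGA-looking names:
    a host iterating a generated domain list looks exactly like this."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        _ts, client, query, rcode = line.split("\t")
        verdict = classify(query)
        if verdict != "benign-looking" and rcode == "NXDOMAIN":
            hits[client][verdict] += 1
    return {c: dict(v) for c, v in hits.items() if sum(v.values()) >= min_hits}


if __name__ == "__main__":
    print(dga_suspects(SAMPLE_DNS_LOG))
```

Two caveats a practitioner will hit immediately: a legitimate name such as secureupdateservice.com scores as a dictionary DGA, so the verdict is only useful combined with the NXDOMAIN burst and an allowlist, and scoring the registrable label rather than the full name keeps the hash-like subdomains of CDNs and cloud providers from flooding the results.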
Cloud-based exfiltration and C2 channels:
- Pastebin
- GitHub
- Slack
- YouTube
- Office 365
- Gmail / Google Docs
- AWS / Google Cloud
- Skype
- Dropbox
- SoundCloud
- Tumblr
Windows & PowerShell exfiltration tools:
- AD / LDAP properties
- Empire
Browser-only exfiltration:
- audio/video exfil
- keylogging
Hopping from air-gapped networks.
USB attacks and network exfiltration combo.
The art of data hiding → steganography examples:
- Binary
- WAV
- Image
- VoIP
- Routing Protocol
- Screen
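The WAV item above is the classic least-significant-bit case. The example below is added by the editor and is not course material: it builds a synthetic 16-bit mono carrier in memory with the standard library (so no real recording is needed), hides a length-prefixed payload in the sample LSBs, recovers it, and computes the fraction of flipped LSBs against a known-good copy, which is the kind of baseline comparison a defender can run on files leaving the network.

```python
import io
import math
import struct
import wave


def make_carrier(n_samples=4000, rate=8000, freq=440.0):
    """Constructed carrier: a 16-bit mono PCM sine tone built in memory,
    standing in for a real recording so the example runs offline."""
    samples = [int(12000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(n_samples)]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % n_samples, *samples))
    return buf.getvalue()


def _read_samples(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        frames = w.readframes(params.nframes)
    if params.sampwidth != 2 or params.nchannels != 1:
        raise ValueError("example handles 16-bit mono PCM only")
    return params, list(struct.unpack("<%dh" % params.nframes, frames))


def _write_samples(params, samples):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def embed(wav_bytes, payload):
    """Write a 4-byte big-endian length header plus the payload, one bit per
    sample, into the least significant bit of successive samples."""
    params, samples = _read_samples(wav_bytes)
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - k)) & 1 for byte in framed for k in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload of %d bytes exceeds carrier capacity of %d bytes"
                         % (len(payload), len(samples) // 8 - 4))
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit  # change of at most 1 LSB: inaudible
    return _write_samples(params, samples)


def extract(wav_bytes):
    """Reverse of embed: read the length header, then that many payload bytes."""
    _, samples = _read_samples(wav_bytes)

    def bits_to_bytes(start, count):
        out = bytearray()
        for i in range(start, start + count * 8, 8):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (samples[i + k] & 1)
            out.append(byte)
        return bytes(out)

    length = struct.unpack(">I", bits_to_bytes(0, 4))[0]
    if 32 + length * 8 > len(samples):
        raise ValueError("length header does not fit the carrier: not a stego file or corrupted")
    return bits_to_bytes(32, length)


def lsb_flip_ratio(original_wav, stego_wav):
    """Defender's check against a known-good copy: fraction of samples whose
    LSB differs. Roughly half of the samples used for embedding will differ."""
    _, a = _read_samples(original_wav)
    _, b = _read_samples(stego_wav)
    flipped = sum((x & 1) != (y & 1) for x, y in zip(a, b))
    return flipped / len(a)


if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, b"exfil: user=admin pass=hunter2")
    print(extract(stego), round(lsb_flip_ratio(carrier, stego), 4))
```

The flip-ratio check needs a reference copy, which in practice means an allowlisted set of media files or a content hash baseline; without one, detection falls back to statistical tests on LSB distributions, and the same LSB idea carries over to the image and binary items in this list.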
Signature-based event analytics, rule bypassing & malicious network traffic generation:
- Suricata ET / VRT rules vs. the attacker → the syntax of the rules and how it is evaded
- Bro IDS log "features" for deep, low-level network baselining
- Threat Intelligence feeds, lists and 3rd party APIs:
- IP reputation lists
- Malware feeds
- Phishing feeds
- C2 lists
- Open Proxy lists
- Tor exit-nodes
- Censys / VirusTotal / PassiveTotal
- Shodan
- Replaying and analysing malicious PCAP files.
Adversary simulation moves, actions, tools & automated platforms:
- In & Out simulated network exfiltration platform
- APT Simulator
- DumpsterFire
- Firebolt
- Flightsim
- Armoring:
- Nmap NSE scripts
- MitM / spoofing / TCP flooding
- Port Knocking
- Brute force
- DHCP starvation
- Info disclosure on SMB/CIFS shares
Summary → recommended defensive/protection tactics, tools and platforms.
Target audience
- Red and Blue team members
- Security / Data Analysts
- CIRT / Incident Response Specialists
- Network Security Engineers
- SOC members and SIEM Engineers
- AI / Machine Learning Developers
- Chief Security Officers and IT Security Directors
Requirements
- Intermediate command-line experience on Linux and Windows
- Fundamental knowledge of TCP/IP network protocols
- Penetration testing experience (enumeration, exploitation and lateral movement) is beneficial, but not required
- Basic programming skills are a plus, but not essential
Hardware/Software Requirements
- At least 20GB of free disk space
- At least 8GB of RAM
- Students should have the latest VirtualBox installed on their machine
- Full Admin access on your laptop
Trainer Biography
Leszek Miś is the Founder of Defensive Security, Principal Trainer & IT Security Architect. Until recently he was VP, Head of Cyber Security at Collective Sense, a machine-learning network security startup from the U.S., where he was responsible for product security research, strategy, business analysis, and technical feature implementation and recommendations. He has over 13 years of experience in the IT security market supporting the world's largest customers with exfiltration simulations and penetration tests, infrastructure hardening, and general Open Source and IT security consultancy services. In addition, he has 11 years of experience in teaching and transferring deep technical knowledge and his own experience, and has trained 600+ students with top ratings. He is an IT Security Architect with a love of offense and a recognized expert in the enterprise OSS market.
As a speaker, trainer or just a participant he has attended many conferences such as Brucon, OWASP Appsec USA, FloCon, SuriCon, HITB, AlligatorCon, Semafor, Exatel Security Days, Confidence, PLNOG, NGSEC, Open Source Day, SysDay, Confitura, Red Hat Roadshow, OWASP Chapter Poland, ISSA, InfoTrams.
The holder of many recognized certificates:
- Offensive Security Certified Professional (OSCP)
- Red Hat Certified Architect (RHCA)
- Red Hat Certified Security Specialist (RHCSS)
- CompTIA Security+
- Splunk Certified Architect