
Operational Purple Teaming for Defenders

Course Description

This hands-on training connects red and blue in a series of live attack-defense exercises and demos. Participants work as one team against a simulated threat actor, APT 0x00, with full disclosure of the attacker’s progress and technical insights into the executed techniques. The adversary’s capability and stealth steadily improve over the course of the training.

Participants are dropped into a simulated corporate network environment, which they must defend from a threat actor over the course of the training. The attacker is played by a red team specialist, who shares insights into the commonly used threat actor techniques employed in the attack. Together with a blue team instructor, you will learn how to hunt for these techniques, build detections that help defend your organization, and eradicate the attacker. Examples of techniques covered that participants will learn how to hunt for:

  • Webshells.
  • Process Injection.
  • Credential dumping from LSASS.
  • Lateral Movement via Service Execution.
  • In-memory C# assembly execution.
  • Persistence.
  • Kerberoasting.
  • AD Enumeration via BloodHound.
  • Resource-Based Constrained Delegation Attacks.
  • Headless RDP.

The first day focuses on threat hunting and detection engineering. APT 0x00 kicks off a campaign to breach the corporate Active Directory environment. The attacker relies on a mix of Metasploit (https://www.metasploit.com) and the Sliver Command and Control framework (https://github.com/BishopFox/sliver) to infiltrate the environment. Participants will learn how to collect telemetry on specific techniques and build detections from it.

The red team instructor provides insights from the red team side during regular purple team meetings. This input drives the detection engineering process, in which new detection rules are created in collaboration with the training participants. The blue team uses defensive security tools such as the Elastic Stack with Elastic Security as a free EDR (https://www.elastic.co), with Sysmon (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) as an additional log source and Velociraptor (https://github.com/Velocidex/velociraptor) for incident response.
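To make the "telemetry in, detection rule out" loop concrete for two of the techniques listed above (credential dumping from LSASS and Kerberoasting), here is an added example that is not part of the course material or of any Elastic rule set. It runs two hunting rules over a handful of constructed Sysmon and Windows Security events: the LSASS rule keys on Sysmon Event ID 10 (ProcessAccess) and checks whether the granted access mask includes PROCESS_VM_READ (0x10) from a process that is not on a (hypothetical) allowlist; the Kerberoasting rule keys on Security Event ID 4769 and flags an account requesting RC4-encrypted (0x17) service tickets for several distinct non-machine SPNs within a short window. The allowlist, thresholds and sample events are assumptions to be tuned against your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory
RC4_HMAC = 0x17           # TicketEncryptionType for RC4, preferred by Kerberoasting tools

# Hypothetical baseline of processes that legitimately read lsass.exe memory.
# Build this from your own telemetry; it is not a vendor-supplied list.
LSASS_SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def detect_lsass_access(events):
    """Sysmon Event ID 10: a non-allow-listed process obtained PROCESS_VM_READ
    on lsass.exe. Matching on the VM_READ bit rather than on exact masks catches
    Mimikatz-style 0x1010/0x1410 as well as ProcDump-style 0x1FFFFF handles."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        source = ev["SourceImage"].lower()
        if granted & PROCESS_VM_READ and source not in LSASS_SOURCE_ALLOWLIST:
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


def detect_kerberoast(events, threshold=3, window=timedelta(minutes=5)):
    """Security Event ID 4769: one account requesting RC4 service tickets for
    `threshold` or more distinct user-account SPNs inside `window`.
    Machine accounts (name ends in '$') and krbtgt are excluded as noise."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        by_user[ev["TargetUserName"]].append((ts, svc))

    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window over the sorted requests
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts


# Constructed sample telemetry (not lab data), flattened to the fields the rules need.
SAMPLE_EVENTS = [
    # Benign: AV engine with full access to lsass (allow-listed).
    {"EventID": 10, "UtcTime": "2024-03-01T09:00:01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Suspicious: unknown binary in a user temp dir with VM_READ on lsass.
    {"EventID": 10, "UtcTime": "2024-03-01T09:00:05",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign: QUERY_LIMITED_INFORMATION only, no memory read.
    {"EventID": 10, "UtcTime": "2024-03-01T09:00:09",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    # Kerberoasting burst: one user, three RC4 tickets for user SPNs in two seconds.
    {"EventID": 4769, "UtcTime": "2024-03-01T09:05:00", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "UtcTime": "2024-03-01T09:05:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "UtcTime": "2024-03-01T09:05:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    # Machine-account ticket: excluded from the count.
    {"EventID": 4769, "UtcTime": "2024-03-01T09:05:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    # Normal AES ticket request from another user.
    {"EventID": 4769, "UtcTime": "2024-03-01T09:06:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    print("LSASS access hits:", detect_lsass_access(SAMPLE_EVENTS))
    print("Kerberoasting alerts:", detect_kerberoast(SAMPLE_EVENTS))
```

Two caveats a detection engineer would add before shipping either rule: the LSASS allowlist is the weak point, since an attacker who injects into an allow-listed process inherits its exemption, so pair it with a check on the source image's signature or parent; and the RC4 filter only catches the default downgrade, so an attacker targeting accounts with AES-only SPNs, or one who spreads requests across accounts and hours, will need a separate, lower-and-slower rule.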

Day two adds a live incident response component to the training. APT 0x00 becomes more advanced and launches a new campaign against the lab environment overnight. Students join the blue team in the aftermath of the attack, retrace the attacker’s steps and learn to eradicate the attacker from the environment.

On the final day, the threat actor reaches peak performance with maximum stealth. It adds a new Command and Control framework to the mix (Havoc) and uses more complex implementations of some of the previously identified attacker techniques. The attacker has a solid presence in the network. Students get access to the same defensive tooling (Elastic incl. Security, Velociraptor) to identify and stop the attacks as the threat actor progresses through the environment. The defenders must use their knowledge from the previous two days to detect the attacker and eradicate its footholds. Can the adversary be stopped before it reaches its goals?

Throughout all days, the red team specialist discloses technical details about the executed techniques. The attack can also be followed in VECTR (https://docs.vectr.io) to make it easier to hunt for specific activities. Each day culminates in a lessons-learned moment. Every day there are B33R objectives where participants can earn some top-quality Belgian beers.

During the evenings, participants have the option to continue playing around in the lab.

Course contents

Students will be guided by a Red Team and Blue Team instructor during the exercise. This training does NOT cover the latest attacker techniques but aims to provide a mix of stealthy and less-stealthy attack techniques and propose detection strategies to augment your organization’s defensive capability.

Day 1

The red team instructor simulates APT 0x00 and provides technical insights into the attacker techniques. The blue team instructor provides insight into detection. The goal of this day is to learn how to detect specific attack techniques. Topics covered include:

  • Introduction to the lab environment:
    • Machines.
    • Networks.
    • Elastic (SIEM) with security detection rules and additional log sources:
      • Sysmon.
      • PowerShell logs.
      • Application logs.
    • Elastic Agent with Elastic Security in detection mode (free EDR).
    • Velociraptor for artifact collection and live incident response.
  • Testing VPN connection.
  • Preparation and introduction to the exercise.
  • Introduction to red teaming.
  • Introduction to Command and Control.
  • Purple Teaming: Attacker techniques, threat hunting & detection engineering:
    • Establishing a foothold in the lab via exploitation.
    • BloodHound and Active Directory attacks.
    • Process Injection.
    • In-memory C# assembly execution.
    • Credential dumping.
    • Persistence.
    • Lateral movement.
  • Lessons learned.

Day 2

The red team instructor simulates a more advanced version of APT 0x00 and provides technical insights into the attacker techniques. During the day, students are guided by the blue team instructor to reconstruct the timeline of a pre-executed attack. The goal of this day is to identify and eradicate the attacker based on the knowledge gained on day 1.

  • Preparation and introduction to the exercise.
  • Anomaly detection in the lab environment.
  • Investigating alerts and IoCs to discover underlying techniques.
  • Purple Teaming: More advanced attacker techniques, threat hunting & detection engineering.
  • Live response to the ongoing attack.
  • Eradication of the threat actor in the environment.
  • Lessons learned.

Final Day Schedule

The red team instructor simulates the stealthiest version of APT 0x00 and provides technical insights into the attacker techniques. During the day, students are guided by the blue team instructor to track and stop the live, ongoing threat actor campaign. The goal of this day is to stop the threat actor before it reaches its goals.

  • Preparation and introduction to the exercise.
  • Identification and elimination of attacker footholds.
  • Identifying anomalies in the lab environment.
  • Investigating alerts and IoCs to discover underlying techniques.
  • Purple Teaming: More advanced attacker techniques, threat hunting & detection engineering.
  • Live response to the ongoing attack.
  • Eradication of the threat actor in the environment.
  • Lessons learned.

We hope after this training you will be able to:

  • Better understand attacker techniques.
  • Build custom threat hunt queries and detection rules to identify attackers hiding in the shadows.
  • Trigger more interaction between red and blue teamers in your organization.
  • Identify how red and blue can work together to identify and close the gaps in your defense, improving detection and response capability.
  • Better understand how both sides operate.

Who should take this course?

This technical training is intended for IT professionals who want to expand their knowledge on red teaming, threat hunting and detection engineering. Students will combat a live ongoing cyberattack and experience hands-on how a meaningful collaboration between offensive and defensive security teams can improve an organization’s defensive capabilities against real threat actors. The target audience includes:

  • Cyber Security Professionals
  • Threat Hunters
  • Incident Handlers
  • SOC Analysts
  • Detection Engineers
  • IT Professionals with an interest in technical cyber security

Hardware Requirements

Students can participate from their own operating system, provided it supports a WireGuard VPN client and has a web browser. A Linux virtual machine with a desktop environment is recommended for the training.

Trainer Biography

Dennis Van Elst is a red team operator, infosec lecturer and purple team advocate. At DXC, he actively promotes collaboration between the Strikeforce Red Team and internal Blue Teams such as Threat Hunting, Digital Forensics, Incident Response and Threat Intel. This has resulted in several internal workshops focusing on topics like defense evasion, Active Directory attacks and edge attacks, where the Red Team mimics various threat actor techniques and the Blue Team validates and improves detection.

At Thomas More Belgium, he teaches second-bachelor students the basics of Ethical Hacking & Penetration Testing. Third-bachelor students are pitted against each other in red team – blue team exercises, where one side of the class attacks a simulated corporate environment and the other side defends, using free and open-source software.

His view on information security is that the practical approach results in a better understanding of both the offensive and defensive perspective, ultimately improving both sides. The best way to completely understand a technical topic is by doing it!

Thomas Eugène is the Incident Response Manager in the CSIRT of Zetes. He works to increase the maturity of the incident response process and to prepare the organization to face future security challenges. Previously, Thomas was part of the CERT.be team, supporting and coordinating the incident response team and publishing advisories to improve security for Belgian citizens and companies.

After that, he joined DXC Technology as a threat hunter and incident responder. He actively hunted for new threats in large customer environments and supported incident response cases. He also worked in the DXC Threat and Vulnerability Management team. This experience gave him a good overview of the differences and the needs of both the offensive and the defensive side. He is a strong believer in the importance of collaboration between blue and red teams. He will deliver the training from the blue team’s point of view.
