Adversary Simulation and Red Team Tactics
This intense course covers the skills required to conduct a simulation of a sophisticated adversary, including the latest tradecraft and offensive tactics. During the training you will gain insight into planning and conducting a red team operation, including all the steps required to perform efficient open-source intelligence, design and automate the deployment of operational infrastructure, gain initial access and perform post-exploitation and lateral movement. You will learn how to bypass defensive controls including anti-virus, EDR, AMSI and application whitelisting, leaving you equipped to target even the most mature environments.

Red teams are continually sharpening their tradecraft to evade ever-evolving defensive countermeasures. This challenging 4-day training course provides an in-depth opportunity to learn the latest in advanced tradecraft from seasoned red team operators, from the comfort of your own cloud-based lab environment, in the browser! This course is not just about learning how to run tools: students will learn how the tools work under the hood as well as how to develop and customise their own, an essential skill for any red teamer.

Our advanced and fast-paced course provides attendees with all the necessary skills to conduct a simulation of a sophisticated adversary. We deep dive into the latest tradecraft and offensive techniques required to target mature environments with modern defences, up-to-date operating systems and finely-honed blue teams. You will learn how to write your own advanced initial access payloads, equipped with strategies to bypass modern EDP/EDR solutions including PPID spoofing, argument confusion, blocking of third-party DLLs, AMSI bypasses and removal of userland hooks.

During this training, you will be equipped with the necessary knowledge provided by recognised industry red team experts to plan, manage and perform an advanced red team operation.

These steps include the essential knowledge to perform efficient and targeted open-source intelligence, design and automate the deployment of operational infrastructure, gain initial access to a target using sophisticated payloads with defensive evasion techniques, perform host triage, persistence and privilege escalation, and move laterally whilst exploiting common Active Directory misconfigurations.

At the end of the training, students will walk away equipped to target even the most mature environments and brimming with knowledge about the indicators they didn't know their tools were emitting, but the blue team did!

Topics covered during the training include:

Day 1:

  • Introduction to red team operations: We will detail how to plan a red team operation, absorb threat intelligence and adapt your methodology accordingly to the TTPs of the adversary you need to simulate.
  • Active and passive reconnaissance: This module will cover how to find all the essential actionable intelligence about your target and use it to better inform your initial access payloads.
  • Infrastructure design concepts: In this module we will deep-dive into how to build effective and efficient red team infrastructure with automation, as well as important topics such as redirectors, reputation/categorisation and domain fronting.
  • Cobalt Strike and malleable profiles: Knowing how to get the best out of your implant can be the difference between flying under the radar and banging on the blue team's door; in this module we will show you how to configure and use Cobalt Strike such that it becomes a needle in the blue team's very big haystack of a Windows estate.
  • Initial access techniques: Getting a foothold is often one of the most complex components of a red team engagement; in this module we will explain the basics of creating initial access payloads using execution cradles, Office exploits, Windows Script Host, HTML applications, shortcuts and more.
  • Defensive evasion: While your PowerShell one-liner macro probably worked wonders in 2014, in a modern and mature environment it just won't make the cut! In this module we will up your game and learn how to create advanced payloads using AMSI bypasses, application whitelisting bypasses, VBA stomping, HTML smuggling, keying, PPID spoofing, argument confusion, execution decoupling, blockdlls and ACG.

Day 2:

  • Process injection: You'll start the day with a deep-dive into process injection techniques, learning how to slide under the radar of the latest and greatest EDR solutions. We'll cover CreateRemoteThread, ALPC, early bird and SetThreadContext techniques, examining the pros and cons of each.
  • Custom tooling: Next you'll put everything you have learned so far into practice and develop your own custom tools to bypass anti-virus and EDR defences. You'll start by building a custom loader that performs process injection and PPID spoofing and evades the common EDR and anti-virus defences.
  • Host triage: You've got your foothold, what's next? This module will cover some of the opsec steps you can take to avoid burning your precious foothold, including detecting EDR and defensive solutions which may dictate tradecraft, and triaging the host to understand what you can recover to advance the operation.
  • Persistence: Effective persistence is an art form and we will teach you how to paint the Mona Lisa, covering both userland and administrative-privilege techniques that can fly under the blue team's radar.
  • Privilege escalation: This module deep dives into common privilege escalation techniques, including OS exploitation and misconfigurations, as well as learning how UAC works and how to find your own UAC bypasses.

Day 3:

  • Pivoting and lateral movement: In an EDR world, operating over a pivot is one of the most effective strategies for avoiding detection. This module will outline common techniques for lateral movement using DCOM, WMI, PsExec and WinRM, how to perform them both on-host and over your pivot, and the opsec trade-offs of each.
  • Exploiting Active Directory: Active Directory is the beast that underpins most organisations, and understanding how to exploit it is vital for many red team operations. In this module we will cover the internals of Active Directory. As with the rest of the course, you won't be running exploits here, so leave Metasploit and MS17-010 at home! Instead you will learn the internals and weaknesses of Kerberos, access controls, group policy, constrained and unconstrained delegation, LAPS, SQL Server and more.

The course follows a theory, demonstration, lab and review model. The theory for each topic is first outlined, including instructor-driven on-screen demonstrations to show the internals of the techniques. Students are then given the freedom to implement the techniques in their lab using their own C2 channel, as if it were a real red team operation. A full lab guide walkthrough is also provided to keep everyone on track. Finally, the lab solutions are reviewed with Q&A to ensure full knowledge transfer takes place. Each module lasts approximately one hour thirty minutes, with around one hour of lab time.

Day 4:

  • macOS and Linux: On the final day, students will learn how to operate in macOS and Linux environments, covering initial access payloads, command and control frameworks and the latest available tradecraft.
  • Open day to recap on the labs.

About the Lab:
The course lab simulates an end-to-end sophisticated cyber-attack against the Iron Bank of Braavos. Before kicking off the lab, you will review the threat intelligence report (courtesy of MITRE) on the adversary we intend to simulate: the Cobalt Group. After absorbing the TTPs used by this group, you will begin the lab journey by performing reconnaissance against the bank to identify potential entry points. You will then proceed to deploy your red team infrastructure and conduct a spear phishing campaign using advanced initial access techniques to obtain a foothold on the bank's internal network. You will then learn to escalate privileges, move laterally and exploit Active Directory weaknesses to achieve your "beyond domain admin" objectives. Our lab uses the latest Windows operating systems, with anti-virus, AMSI and custom EDP solutions; if you think your PowerShell one-liner macros will cut it, think again!

Each student receives access to their own dedicated multi-tiered Active Directory environment hosted in the cloud. The lab is accessed through the web browser, providing full interactive use through a Kali image with Cobalt Strike.

Learning Objectives:
Red teams are continually sharpening their tradecraft to evade ever-evolving defensive countermeasures. This challenging 4-day training course provides an in-depth opportunity to learn the latest in advanced tradecraft from seasoned red team operators.

During the course, you will learn how to plan and execute a sophisticated red team operation against a mature organisation, evading defensive countermeasures along the way. We will cover the full life cycle of a red team operation: reconnaissance, efficient infrastructure deployment, techniques for gaining initial access, performing post-exploitation, establishing persistence and moving laterally.

The training course is heavily focused on the use and extension of Cobalt Strike; during the course students will have access to a licensed copy of the implant and will learn how to extend it using features such as the resource kit.

Following the training students will be equipped to:

  • Perform in-depth open-source intelligence gathering,
  • Automate efficient infrastructure deployment,
  • Build sophisticated payloads for gaining initial access,
  • Evade security controls such as anti-virus, AMSI and application whitelisting,
  • Perform post-exploitation tasks such as host and network reconnaissance,
  • Pivot to n-tiered networks using SOCKS,
  • Establish persistence,
  • Perform Active Directory attacks such as Kerberoasting, AS-REP roasting, abuse of unconstrained delegation and exploitation of insecure ACLs,
  • Move laterally across a Windows estate.
Written by MDSec Research

Copyright 2021 MDSec