This is an advanced course that focuses on setting up secure and resilient C2 infrastructure using Azure/AWS, creating custom Cobalt Strike profiles, and hunting for Active Directory Certificate Services (ADCS) misconfigurations in mature enterprise environments. Learn current post-exploitation techniques that White Knight Labs (WKL) has used during real-life engagements to dump credentials, move laterally, escalate to Domain Admin, and capture the client’s crown jewels. We will cover EDR bypass briefly, but AV/EDR bypass is assumed knowledge for this course. Although this course is designed as a deep dive into hunting for ADCS misconfigurations and setting up C2 infrastructure, an apex attacker must also know the indicators of compromise (IOCs) they are creating and the artifacts they are leaving behind. On the second day, students will be led through a real-life red team operation.
Syllabus
Day 1: Red Team Fundamentals
- Cobalt Strike/Guacamole walkthrough
- Terraform for infrastructure automation
- Redirectors and CDNs
- Custom malleable C2 profile
- Protecting your C2 server (mod rewrite and proxy pass)
- Touch-and-go AV/EDR bypasses
Day 2: Red Team Operation Attack Paths
- Advanced payload creation
- Windows lateral movement
- SOCKS proxies
- Service controller
- WMI
- COM/DCOM
- Abusing AD misconfigurations via C2 channels (ADCS)
- Advanced credential dumping techniques
- SQL misconfigurations for lateral movement and code execution