ＨｉｄｅＺｅｒｏＯｎｅ

Getting a foothold is the first step in a successful breach—be it in the form of user credentials, email access, or code execution on a target system. This course will provide students with the fundamental skills and know-how to perform the most common attacks used to get an initial foothold during a red team exercise. Since Microsoft products and services are the most widespread platform in use by organizations, Office 365 and Microsoft Windows will be the primary targets of student exercises. Core concepts will also be discussed so that students can apply the lessons learned to other platforms in the future.

Antisyphon: Red Team: Getting Access w/ Michael Allen

Regular expressions are universally embedded in the world of information technology. They are a part of many programming languages, databases, search engines, and command-line tools. As an information security professional, you are continuously analyzing textual data for indicators of compromise, juicy data morsels to exfiltrate, forensic artifacts, supporting evidence in threat hunting, and so much more. Familiarity with regular expressions is a skill, a very life-enhancing essence if you like, to take your information security analysis capabilities from “just ok” to “wizard level.” They are applicable in so many places that you really cannot afford to not have this knowledge.Join me for a four-hour session that takes you on a journey through regular expression POSIX, BRE, ERE, and PCRE syntax and explores various tools that you probably use daily through the lens of regular expressions. Your life will be forever changed when you can apply the power of regular expressions to your professional duties.

Antisyphon: Regular Expressions, Your New Lifestyle w/ Joff Thyer

So you popped a shell, now what? Windows Post Exploitation focuses on four major components of any adversary simulation or red team exercise: enumeration, persistence, privilege escalation, and lateral movement. Each of these steps will be covered in detail with hands-on labs in a custom Active Directory environment. In addition, students will learn several modern techniques to minimize opportunities for detection. This course goes beyond teaching popular tactics, techniques, and procedures. Instead, students will learn how to covertly gather and leverage information about a target environment to achieve their objectives efficiently. A review of each post-ex capability will include discussion on the OPSEC implications and publicly documented detection recommendations. Open-source SIEM rules from Sigma and Elastic will be used as a starting point for avoiding alert generation. No technique is undetectable; the key is understanding an environment’s detection capabilities and choosing the best course of action.

Antisyphon: Windows Post Exploitation w/ Kyle Avery

This class is a distillation of what I’ve learned in my pentesting career about how to create a report that is both easy to read and hard to misunderstand. I will help you develop habits and support materials that simplify the work of reporting so you can get better results with less effort. Ask anyone who signs the checks which is worth more: a clear and actionable report from a tester with average technical skills, detailing how vulnerabilities were found and exploited, showing the impact of those exploits, and making concrete recommendations for improvement? Or a hastily-assembled list of compromised systems, thrown together by an elite hacker in the last hour of the contract after running a rampage through your networks? If you want to set yourself apart, work on your reporting skills. The hacks are ephemeral. The report lives forever. The hacks are fun – and they require your constant effort to keep current. The reporting is what makes this all a viable career – and once you know how to produce a good one, you can apply that skill endlessly as the computing world changes around you. This course helps you know what makes a good report good. It discusses the reporting mindset, and the foundational principles that always lead to a report you can be proud of, regardless of the tools you use for the test or for writing the report. We will look at some real reports as examples, and work together on ways to improve in the areas that are most important, as well as those that are most commonly neglected.

Antisyphon: Reporting for Pentesters w/ BB King

As a cyber security defender and investigator, we often just get to analyze an environment that suffered a ransomware attack after the ransomware execution, where we are trying to make our way back in time to understand the scope and initial infection vectors of a breach. However, knowing how attackers operate and having an understanding of their tools can help tremendously to conduct a more effective analysis and response and ultimately lower the impact of such attacks. This is why in this workshop we will teach you how to perform the common steps of every phase in a ransomware attack scenario as the attacker, from initial infection to impact.

We will set up a basic C2 infrastructure with PowerShell Empire, and execute attack phases such as initial access and reconnaissance, persistence mechanisms, privilege escalation, credential dumping, lateral movement, defense evasion, data exfiltration, and encryption with ransomware. In every step you will also learn about the fundamental concepts that are required to conduct the attack and defend against those including hands-on analysis using Splunk, Velociraptor and forensic tools as needed. In the last part of the workshop, you will learn best practices on how to effectively conduct investigations of the attacked environment using various tools that are part of the lab setup. Upon completion of the workshop, participants will have a better understanding of the steps ransomware threat actors take to achieve their objectives, as well as the best practices for detecting and ultimately preventing ransomware attacks.

Antisyphon: Ransomware Attack Simulation and Investigation for Blue Teamers

For most security teams, high operational tempo (measured in dumpster fire lumens) incentivizes analysts to stick to well-tailored playbooks that prioritize remediation at the expense of proper incident scoping and root cause analysis. Though modern endpoint security products have significantly improved host visibility, most critical incidents will require the acquisition and analysis of additional endpoint data. This course focuses on four core investigative competencies: endpoint data collection, investigative triage, incident response pivots, and root cause analysis.

Antisyphon: Advanced Endpoint Investigations