ＨｉｄｅＺｅｒｏＯｎｅ

The Mandiant – Hunt Mission Workshop, also known as the Practical Threat Hunting course, is a comprehensive three-day training program designed to equip threat hunters and incident responders with the core concepts of developing and executing threat hunts.

The course aims to enable students to:

• Apply cyber threat intelligence concepts to hunt for adversary activity in their environment.
• Establish a repeatable hunt methodology and develop hunt use cases.
• Leverage endpoint data to hunt.
• Establish measures of effectiveness for a hunt program.

Mandiat – Hunt Mission Workshop

Mandiant red teams have conducted hundreds of covert red team operations. This course draws on that knowledge to help learners improve their ability to prevent, detect, and respond to threats in an enterprise network.

Learners will better understand advanced threat actor behavior that Mandiant experts have observed through incident response investigations. Learners will also see how Mandiant red teams refine advanced attacker tactics, techniques and procedures (TTPs) for use by red teams in their attempts to emulate advanced threat actors. Learners will develop the ability to think like an attacker and creatively use these TTPs to accomplish response goals while avoiding detection.

Mandiant red team leads conduct this fast-paced technical course with presentations and scenario-based labs based on frontline expertise and intelligence-based security research. Learners receive hands-on experience conducting covert cyber attack simulations that mimic real-world threat actors. They will learn how to bypass advanced network segmentation, multi-factor authentication and application whitelisting, abuse web applications, escalate privileges and steal data while circumventing detection methods.

Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may trigger alerts of advanced threat actors. Once alerted, a cleanup operation and destruction of evidence can happen. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful.

In our training you will be introduced to the free, open-source scoutware tool Bitscout developed by Vitaly Kamluk from Kaspersky GReAT in collaboration with INTERPOL, that has been successfully used by Kaspersky researchers for years. The cases demonstrated in the training were developed by Vitaly Kamluk and Nicolas Collery, Executive Director at DBS Bank, primary incident responder. During the training you will create your own remote analysis tool and practice it right away in the provided virtual lab!

The Offensive Tool Development is the first course which is dedicated to Windows API exploitation to build your own tools for Red Team Engagements. If you have completed the Malware On Steroids course, then you can merge the capabilities you build during this course with the Command & Control built during the MOS course. This helps you to build your own CnC modules, all of which can be run in memory for detection evasion. There are a lot of courses which focus on exploitation, reversing and other offensive stuff, but none of them focus on writing your own tools and brining your own toolkit during an engagement.

This course is highly technical in nature, involving a lot of coding and all the tools will be written in either C or C++, sometimes PowerShell (maybe 5%) to make sure the user has capabilitiy to load every tool in memory and evade memory artefacts or detections. During the course, you will build your own reflective tools and shellcode for Host Enumeration, Lateral Movement, Domain Enumeration and Domain Privilege Escalation. You will learn to build different types of remote access tools running over different protocols including RPC, SMB, and HTTP and use exploit Windows Security Tokens for lateral movement within a Domain Environment.

Dark Vortex: Offensive Tool Development

The Corelan “BOOTCAMP” is a truly unique opportunity to learn both basic & advanced techniques from an experienced exploit developer, at a conference. During this (typically 3 ‘long’ day) course, students will be able to learn all ins and outs about writing reliable exploits for the Windows platform.  The trainer will share his “notes from the field” and various tips & tricks to become more effective at writing exploits.

We believe it is important to start the course by explaining the basics of stack buffer overflows and exploit writing, but this is most certainly not “your average” entry level course. In fact, this is a true bootcamp and one of the finest and most advanced courses you will find on Win32 stack based exploit development.

This hardcore hands-on course will provide students with solid understanding of current x86 (stack based) exploitation techniques and memory protection bypass techniques.  We make sure the course material is kept updated with current techniques, includes previously undocumented tricks and techniques, and details about research we performed ourselves.  Combined with the way the course is built up, this will turn this class into a truly unique experience.

Syllabus

• The x86 environment

  • System Architecture
  • Windows Memory Management
  • Registers
  • Introduction to Assembly
  • The stack
  • Running 32bit applications on a 64bit OS (wow64)

• The exploit development lab environment

  • Setting up the exploit developer lab
  • Using debuggers and debugger plugins to gather primitives

• Stack Buffer Overflows

  • Stack Buffers
  • Functions
  • Saved return pointer overwrites
  • Stack cookies
  • Structured Exception Handlers
  • etc

• Egg hunters

  • Using egghunters
  • Egg hunters in a WoW64 environment

• Reliability++ & Reusability++

  • Finding and avoiding bad characters
  • Creative ways to deal with character set limitations

• Metasploit framework Exploit Modules

  • Writing exploits for the Metasploit Framework
  • Porting exploits to the Metasploit Framework

• ASLR

  • Bypassing ASLR

  DEP

  • Bypassing NX/DEP
  • Return Oriented Programming / Code Reuse (ROP)

  Intro to x64 exploitation

  • x64 processes, memory map, registers
  • Functions & calling conventions
  • Structured Exception Handling
  • Stack buffer overflows
  • ROP
  • Shellcode

Corelan Win32 Exploit Development Bootcamp

Android Userland & Kernel Fuzzing and Exploitation Step into the realm of comprehensive Android security with our integrated “Android Userland and Kernel Fuzzing and Exploitation” course. Designed for both novices and seasoned professionals, this course offers an extensive curriculum that covers the spectrum of Android vulnerabilities and their exploitation.

Starting with the Userland component, learners will grasp how to detect bugs in Android Userland Applications and exploit memory corruptions. The course provides a deep understanding of ARM assembly, reverse engineering, and the development of robust exploits, bypassing exploit mitigations like NX and ASLR. With 43 labs across 9 modules, students will employ advanced fuzzing techniques to pinpoint exploitable vulnerabilities.

The journey continues as we pivot to the Android kernel on the second day, where the intricacies of kernel internals, such as memory allocators and driver programming, are unraveled. Students will learn to discover bugs using kernel fuzzing techniques, including the use of sanitizers and Syzkaller. The course will guide attendees through the construction of kernel exploits crucial for sandbox escape, examining real-world vulnerabilities and the art of kernel debugging.