ＨｉｄｅＺｅｒｏＯｎｅ

For the luckiest of enterprises, the awareness of an insecure environment is proven not in public discord after a breach but instead by effective security penetration tests. Time and time again Jordan and Kent have witnessed organizations struggle with network management, Active Directory, organizational change, and an increasingly experienced adversary. For new and legacy enterprises alike, Defending the Enterprise explores the configuration practices and opportunities that secure networks, Windows, and Active Directory from the most common and effective adversarial techniques. Have the confidence that your organization is prepared for tomorrow’s security threats by learning how to defend against network poisoning, credential abuse, exploitable vulnerabilities, lateral movement, and privilege escalation. Learn cost-effective mitigations to contemporary adversarial attacks. The best defended networks are those which have matured from countless penetration tests and security incidents. Learn from Kent and Jordan, two seasoned offensive and defensive security experts, to shortcut your organization’s security posture into a well-fortified fortress.

Antisyphon: Defending the Enterprise w/ Kent Ickler and Jordan Drysdale

Attack Emulation tools help you measure, monitor, and improve your security controls by executing scripted attacks. Atomic Red Team is a community developed open-source library of these scripted attacks that are mapped directly to the MITRE ATT&CK Framework. There are several frameworks available for executing these scripted attacks including MITRE CALDERA and VECTR.

This class will provide an overview of the MITRE ATT&CK framework and give you in-depth, hands-on knowledge of how to execute scripted attacks that exercise many of the techniques defined in MITRE ATT&CK. You will be provided with hands-on lab instructions for emulating a variety of attacks and creating visualizations using the MITRE ATT&CK Navigator. At the end of this class, you will have the knowledge and tools to begin executing simulated attacks within your own test environment, allowing you to create and validate detections in a script-able and consistent way.

Antisyphon: Attack Emulation Tools: Atomic Red Team, CALDERA and More w/ Carrie Roberts

This is an advanced course that focuses on setting up secure and resilient C2 infrastructure using Azure/AWS, creating custom Cobalt Strike profiles, hunting for Active Directory Certificate Services misconfigurations in mature enterprise environments. Learn current post-exploitation techniques that White Knight Labs (WKL) has used during real-life engagements to dump credentials, move laterally, escalate to Domain Admin, and capture the client’s crown jewels. We will cover EDR bypass briefly, but AV/EDR bypass will be assumed knowledge for this course. Although this course is designed to be a deep dive into hunting for ADCS misconfigurations and setting up C2 infrastructure, an apex attacker must also know their own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind. On the second day, students will be led through a real-life red team operation.

Syllabus

Day 1: Red Team Fundamentals

• Cobalt Strike/Guacamole walkthrough
• Terraform for infrastructure automation
• Redirectors and CDNs
• Custom malleable C2 profile
• Protecting your C2 server (mod rewrite and proxy pass)
• Touch and go AV/EDR Bypasses

Day 2: Red Team Operation Attack Paths

• Advanced payload creation
• Windows lateral movement
  • SOCKS proxies
  • Service controller
  • WMI
  • COM/DCOM
• Abusing AD misconfigurations via C2 channels (ADCS)
• Advanced credential dumping techniques
• SQL misconfigurations for lateral movement and code execution

Antisyphon: Advanced Red Team Operations

Many publications exist documenting ways to attack Wi-Fi networks. Still, the gap between old methods that have become obsolete and the current state and outdated tools can be frustrating for someone who wants to learn or even update his knowledge in this field. This course aims to learn the modern ways of assessing the security of Wi-Fi networks and how to apply these attacks against organizations during a Red Team engagement. Indeed, during this course, we will be able to start from the very beginning by talking about old, current, and new attacks and opportunities to allow attendees to fulfill their pentest or Red Team engagements in the future based on our recent experiences.

Syllabus

Introduction

Network introspection

Attacks and risks

Completion

Hackademy: Red Team Wi-Fi

This course is geared for those interested in seeing how Security Onion is used practically to triage alerts, hunt for threats, as well as build new detections. This course consists of three case studies that briefly cover the 3 most common workflows used in Security Onion:

Case Study 1: Alert Triage & Case Creation – This case study walks through how to triage alerts within the alerts interface including escalation to TheHive.
Case Study 2: Threat Hunting – This case study focuses on threat hunting within Security Onion using the Hunt interface, targeting SSL & Sysmon logs.
Case Study 3: Detection Engineering – This case study covers ingesting Google Workspace audit logs into Security Onion and writing Sigma rules within Playbook targeting these new logs.

Practical Analysis with Security Onion 2.3