ＨｉｄｅＺｅｒｏＯｎｅ

The RTFM Video Library is an invaluable resource for serious Red Team members who find themselves on critical missions. Led by a seasoned Red Team operator, this high-quality video series delves into various aspects of offensive security, providing practical guidance and insights.

Syllabus

1: Infrastructure Setup
2: Initial Access
3: Situational Awareness
4: User Level Persistence
5: Escalation
6: Lateral Movement
7: Active Directory Enumeration
8: Domain Fortification
9: Hunting for User Workstations
10: Active Directory Forest Compromise
11: Secret Enclave Compromise
12: Pivoting through Tunnels

RTFM – Red Team Field Manual

Enterprises have been working tirelessly to improve their security postures through defense-in-depth approaches. Offensive teams have also been putting in long hours of research into bypassing the latest EDR’s and defensive products that keep them on their toes. Long gone “hopefully” are the days of hurdling an HTA file laced with a download cradle at a mature organization with a “Free iPad” ruse and watching your screen fill with incoming agents. An offense-in-depth approach may be applied to offensive practitioner’s looking for success against organizations well-versed in defending a large enterprise. Today’s organizations have assets in multiple geo regions, networks, cloud services, border hosts, and many of them are tied to the internal network in some way. This course aims to help offensive practitioners successfully exercise their client environments from a multi-faceted approach using the latest TTPs blended with esoteric practices to gain the upper hand on your assessments.

Antisyphon: Enterprise Attack Initial Access w/ Steve Borosh

As penetration testers, we all have a need to establish command and control channels in our customer environments. This can be done under the guise of an “assumed compromise” context or in a more adversarial Red Team context. The age of endpoint detection and response (EDR) solutions and application whitelisting has created significant barriers to commodity/well known malware deployment for adversarial exercises. This class focuses on the demonstration of an Open Command Channel framework called “OpenC2RAT”, and then developing, enhancing, and deploying the “OpenC2RAT” command channel software into a target environment. Students will learn about the internal details of a command channel architecture and methods to deploy in an application-whitelisted context. The class will introduce students to blocks of code written in C#, GoLang, and Python to achieve these goals. In addition, the class will introduce some ideas to deploy existing shellcode such as Cobalt Strike Beacon or Meterpreter within a programmed wrapper to enhance success in the age of modern endpoint defense. Many of the techniques introduced in this class can be used to evade modern defensive technologies.

Antisyphon: Enterprise Attacker Emulation and C2 Implant Development w/ Joff Thyer

This is an advanced course that focuses on setting up secure and resilient C2 infrastructure using Azure/AWS, creating custom Cobalt Strike profiles, hunting for Active Directory Certificate Services misconfigurations in mature enterprise environments. Learn current post-exploitation techniques that White Knight Labs (WKL) has used during real-life engagements to dump credentials, move laterally, escalate to Domain Admin, and capture the client’s crown jewels. We will cover EDR bypass briefly, but AV/EDR bypass will be assumed knowledge for this course. Although this course is designed to be a deep dive into hunting for ADCS misconfigurations and setting up C2 infrastructure, an apex attacker must also know their own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind. On the second day, students will be led through a real-life red team operation.

Syllabus

Day 1: Red Team Fundamentals

• Cobalt Strike/Guacamole walkthrough
• Terraform for infrastructure automation
• Redirectors and CDNs
• Custom malleable C2 profile
• Protecting your C2 server (mod rewrite and proxy pass)
• Touch and go AV/EDR Bypasses

Day 2: Red Team Operation Attack Paths

• Advanced payload creation
• Windows lateral movement
  • SOCKS proxies
  • Service controller
  • WMI
  • COM/DCOM
• Abusing AD misconfigurations via C2 channels (ADCS)
• Advanced credential dumping techniques
• SQL misconfigurations for lateral movement and code execution

Antisyphon: Advanced Red Team Operations

Learn how to design, build and maintain your own C2 Framework codebase from scratch.  Build a RESTful API-driven Team Server, and a .NET Framework Implant with a variety of post-exploitation capabilities. Design and build Unit Tests to automatically test your code and prevent regression bugs.

Red Team Ops is an online, self-study course that teaches the basic principles, tools and techniques synonymous with red teaming. Students will first cover the core concepts of adversary simulation, command & control, engagement planning and reporting. They will then go through each stage of the attack lifecycle – from initial compromise to full domain takeover, data hunting and exfiltration.  Students will learn how common “OPSEC failures” can lead to detection by defenders, and how to carry out those attacks in a stealthier way. Finally, they will learn how to bypass defences such as Windows Defender, AMSI and AppLocker.