ＨｉｄｅＺｅｒｏＯｎｅ

SEC575 will prepare you to effectively evaluate the security of iOS and Android mobile devices, assess and identify flaws in mobile applications, and conduct a mobile device penetration test, which are all critical skills required to protect and defend mobile device deployments. You will learn how to pen test the biggest attack surface in your organization; dive deep into evaluating mobile apps and operating systems and their associated infrastructure; and better defend your organization against the onslaught of mobile device attacks.

SEC575.1: iOS
SEC575.2: Android
SEC575.3: Static Application Analysis
SEC575.4: Dynamic Mobile Application Analysis and Manipulation
SEC575.5: Penetration Testing
SEC575.6: Hands-on Capture-the-Flag Event

SEC575: iOS and Android Application Security Analysis and Penetration Testing

“Security” is arguably one of the most challenging disciplines to move from being an individual contributor (IC) to being a manager. While security ICs can perform most tasks in isolation, a manager needs to regularly interact with people both inside and outside of the team. Further, “security” has its own language which can be completely foreign to people outside of the discipline. How do you take security concerns and convert them into a language that senior leaders and “C” levels can understand? Honing these skills will be the primary objective of this course. In this course, we will cover all of the steps needed to stand up and lead a security team within an organization. We start with a clean slate so that every aspect gets covered. If you are in an environment that already has a security team, this can help fill in the gaps. This course will have a heavy focus on how to integrate the security team with the rest of the business units. We’ll look at strategies for increasing funding, as well as converting “security risks” into “business risks” so they are better understood by the organization’s leadership. The course includes a lot of collateral like a full set of pre-written security policies. The goal is to help you build an effective security team in as little time as possible.

Antisyphon: Security Leadership and Management w/ Chris Brenton

As penetration testers, we all have a need to establish command and control channels in our customer environments. This can be done under the guise of an “assumed compromise” context or in a more adversarial Red Team context. The age of endpoint detection and response (EDR) solutions and application whitelisting has created significant barriers to commodity/well known malware deployment for adversarial exercises. This class focuses on the demonstration of an Open Command Channel framework called “OpenC2RAT”, and then developing, enhancing, and deploying the “OpenC2RAT” command channel software into a target environment. Students will learn about the internal details of a command channel architecture and methods to deploy in an application-whitelisted context. The class will introduce students to blocks of code written in C#, GoLang, and Python to achieve these goals. In addition, the class will introduce some ideas to deploy existing shellcode such as Cobalt Strike Beacon or Meterpreter within a programmed wrapper to enhance success in the age of modern endpoint defense. Many of the techniques introduced in this class can be used to evade modern defensive technologies.

Antisyphon: Enterprise Attacker Emulation and C2 Implant Development w/ Joff Thyer

Attack Emulation tools help you measure, monitor, and improve your security controls by executing scripted attacks. Atomic Red Team is a community developed open-source library of these scripted attacks that are mapped directly to the MITRE ATT&CK Framework. There are several frameworks available for executing these scripted attacks including MITRE CALDERA and VECTR.

This class will provide an overview of the MITRE ATT&CK framework and give you in-depth, hands-on knowledge of how to execute scripted attacks that exercise many of the techniques defined in MITRE ATT&CK. You will be provided with hands-on lab instructions for emulating a variety of attacks and creating visualizations using the MITRE ATT&CK Navigator. At the end of this class, you will have the knowledge and tools to begin executing simulated attacks within your own test environment, allowing you to create and validate detections in a script-able and consistent way.

Antisyphon: Attack Emulation Tools: Atomic Red Team, CALDERA and More w/ Carrie Roberts

This is an advanced course that focuses on setting up secure and resilient C2 infrastructure using Azure/AWS, creating custom Cobalt Strike profiles, hunting for Active Directory Certificate Services misconfigurations in mature enterprise environments. Learn current post-exploitation techniques that White Knight Labs (WKL) has used during real-life engagements to dump credentials, move laterally, escalate to Domain Admin, and capture the client’s crown jewels. We will cover EDR bypass briefly, but AV/EDR bypass will be assumed knowledge for this course. Although this course is designed to be a deep dive into hunting for ADCS misconfigurations and setting up C2 infrastructure, an apex attacker must also know their own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind. On the second day, students will be led through a real-life red team operation.

Syllabus

Day 1: Red Team Fundamentals

• Cobalt Strike/Guacamole walkthrough
• Terraform for infrastructure automation
• Redirectors and CDNs
• Custom malleable C2 profile
• Protecting your C2 server (mod rewrite and proxy pass)
• Touch and go AV/EDR Bypasses

Day 2: Red Team Operation Attack Paths

• Advanced payload creation
• Windows lateral movement
  • SOCKS proxies
  • Service controller
  • WMI
  • COM/DCOM
• Abusing AD misconfigurations via C2 channels (ADCS)
• Advanced credential dumping techniques
• SQL misconfigurations for lateral movement and code execution

Antisyphon: Advanced Red Team Operations