Adversary Tactics: Red Team Operators Course Review

Ahmed Sherif
4 min read · Jul 16, 2019


Last April, I attended the Red Teaming Operations training from the top infosec specialists at SpecterOps. The course was given by 6 instructors (Lee Christensen, Richie Cyrus, @carloalcan, SPARTaN, Steven F and @cmaddalena). I already knew about the SpecterOps team members; they are well known for their research and talks at different infosec conferences.

The training ran for 4 days and the way they ran it was great. They explained each topic and gave the participants time to try it in the labs and ask questions if they did not understand certain points.

Labs

I’m not going to spoil the actual labs, but they did a great job here. They built a simulated company which is part of a bigger company, and the participants were given a “Rules of Engagement” document to follow. There were many attacks to carry out in the labs during the training, and the instructors were very helpful whenever someone needed help.

Cerberus

This was one of the most interesting parts of the training. Cerberus is their custom solution that alerts the participants to tradecraft mistakes. Each team has its own RocketChat channel, and Cerberus sends them alerts once they get caught, together with some tips and tricks on how to avoid it.

[Screenshot] Cerberus was giving alerts to the teams

At the beginning, we were provided with USB sticks containing the PDF materials and lab explanations.

Day 1

We started by getting access to the labs and setting up our own covert attack infrastructure (team servers, redirectors, etc.). They gave more tips and tricks on setting up the infrastructure and how to protect it against the defensive teams and other attackers. This part was rich with a lot of information, including some techniques such as using legitimate expired domains for our redirectors.

The exercise was deployed CTF-style: each host machine contained a flag which could be submitted to the CTF platform.

Once we had everything set up and had gained access to the materials, labs, etc., we started with some concepts about red team operations and their main objectives. We then moved on to red team tooling, assume breach and the MITRE ATT&CK framework.

The training focused mainly on Cobalt Strike; they gave a quick introduction to the tool and some of its features, including the logging features which allow the red teamer to keep track of their activities during engagements.

In the second half of the day, we started with the actual exercise. We began with some basic OSINT and then moved on to spear-phishing attacks in order to gain an initial foothold on an employee’s system.

Day 2

On day 2, we started with assessing the organization’s security posture and some high-level descriptions of this topic (i.e. checks on Windows Event Logs, usage of WMI for basic enumeration). Next, we were introduced to Beacon’s features (i.e. screenshot, keylogging, etc.).

Blue Team perspective

Then we started getting more insight into the blue team perspective: command line logging, a list of common commands used by attackers attempting to gather information after gaining access, etc. This was great, so that we understand how the blue teams see our activities.
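The command line logging point above (the usual discovery commands an attacker runs right after gaining access) in working form, as an added example that is not part of the original post or the course material: a small Python detector over constructed process-creation log lines, which groups well-known discovery commands per host and user and raises an alert when several different command families appear within a short window. The log layout, the command families, the window and the threshold are my assumptions, not anything from the course.

```python
"""Flag bursts of post-access discovery commands in process-creation logs.

Added example (not from the course or SpecterOps). The log lines below are
constructed and use a simplified layout:
    timestamp | host | user | parent image | command line
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user on WS01 runs a classic discovery sequence,
# the other hosts show only isolated, benign-looking commands.
SAMPLE_LOG = r"""
2019-04-10T09:01:02 WS01 alice C:\Windows\explorer.exe "C:\Program Files\Microsoft Office\WINWORD.EXE" /n report.docx
2019-04-10T09:01:15 WS01 alice C:\Windows\System32\cmd.exe whoami /all
2019-04-10T09:01:17 WS01 alice C:\Windows\System32\cmd.exe net user alice /domain
2019-04-10T09:01:20 WS01 alice C:\Windows\System32\cmd.exe net group "Domain Admins" /domain
2019-04-10T09:01:25 WS01 alice C:\Windows\System32\cmd.exe nltest /dclist:corp.local
2019-04-10T09:01:30 WS01 alice C:\Windows\System32\cmd.exe ipconfig /all
2019-04-10T10:30:00 WS02 bob C:\Windows\System32\cmd.exe ipconfig /all
2019-04-10T11:45:00 WS03 carol C:\Windows\System32\cmd.exe whoami
"""

# Families of discovery commands (assumed list; extend to taste). Matching the
# start of the command line keeps "net1" and case variations in scope.
DISCOVERY_PATTERNS = {
    "whoami": re.compile(r"^whoami\b", re.I),
    "net user": re.compile(r"^net1?\s+user\b", re.I),
    "net group": re.compile(r"^net1?\s+group\b", re.I),
    "net localgroup": re.compile(r"^net1?\s+localgroup\b", re.I),
    "nltest": re.compile(r"^nltest\b", re.I),
    "ipconfig": re.compile(r"^ipconfig\b", re.I),
    "systeminfo": re.compile(r"^systeminfo\b", re.I),
    "tasklist": re.compile(r"^tasklist\b", re.I),
}


def classify(cmdline):
    """Return the discovery family a command line belongs to, or None."""
    cmd = cmdline.strip().strip('"')
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def parse_log(text):
    """Parse the constructed log layout into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmdline = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "parent": parent, "cmdline": cmdline})
    return events


def find_discovery_bursts(events, window=timedelta(seconds=120), threshold=3):
    """Alert when >= threshold distinct discovery families run by the same
    host/user pair fall inside one time window."""
    by_actor = defaultdict(list)
    for e in events:
        family = classify(e["cmdline"])
        if family:
            by_actor[(e["host"], e["user"])].append((e["ts"], family, e["cmdline"]))

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            j = i
            while j < len(hits) and hits[j][0] - start <= window:
                j += 1
            burst = hits[i:j]
            families = {h[1] for h in burst}
            if len(families) >= threshold:
                alerts.append({"host": host, "user": user,
                               "start": start.isoformat(),
                               "end": burst[-1][0].isoformat(),
                               "families": sorted(families),
                               "commands": [h[2] for h in burst]})
                i = j  # skip past the burst so it is reported once
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_discovery_bursts(parse_log(SAMPLE_LOG)):
        print(f"[{a['host']}/{a['user']}] {a['start']}..{a['end']} "
              f"discovery families: {', '.join(a['families'])}")
```

Counting distinct families rather than raw command count is what keeps a single admin running `ipconfig` twice out of the alert list; the sequence on WS01 trips it because five different families run within thirty seconds of the Word document opening.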

After that, we got more into other topics such as hunting methodologies in organizations, TTPs, etc.

Going back to the offensive side, after we had been provided with very rich content about hunting and detection methodologies, we started with PowerShell weaponization and how we can make use of PowerShell with different options in Cobalt Strike. Then we dived into AMSI and common bypasses for it, with some nice tips and tricks.

Next, we started with privilege escalation techniques. They began by explaining some concepts such as UAC and integrity levels and the common UAC bypasses, and then we moved into some tools for enumeration and gathering more info for privilege escalation.

Day 3

We started the 3rd day with OPSEC considerations and indicators of Beacon usage, and the usage of Malleable PE in Cobalt Strike and how to create one. Additionally, we moved into offense-in-depth and how we can make use of legitimate admin tools for our purposes.

Active Directory

What I liked here is that they started by explaining the concepts for everyone (in case someone was missing them): domains, forests, domain trusts and some other related concepts (i.e. GPOs, regular permissions, etc.). We then got more hands-on with PowerView to do enumeration in the domain, which helped us do lateral movement in a stealthier and better way. The trust attack strategy was an interesting topic as well.

Next, they explained Kerberos authentication and gave a good Kerberos attack mapping, for example what can be done with a user hash, the krbtgt hash, a machine account hash, etc.

I really liked the way they explained things from the offensive security perspective and then jumped to the blue team side to show what they usually look for and monitor.

Day 4

On the last day, we were almost done: we had learnt different techniques during the first 3 days, compromised most of the machines and jumped from one domain to the other, so we started with some different topics. First, we started with visualizing attack paths with BloodHound and how it works, and then we moved into some other topics like SQL abuse, making use of PowerUpSQL and how to do the escalations.

We ended with a nice presentation from Richie Cyrus, explaining things from the blue team perspective and how it works.

Conclusion

The training was amazing; I really liked it. The only comment I have is that I was expecting some more labs on the spear-phishing part and learning some techniques from there.
