Post-Exploitation & Evasion Techniques

There is a huge opportunity for defenders to understand the spectrum of offensive capabilities, behaviors, generated IoC’s, and leftover artifacts of modern C2 Frameworks execution. Knowing your enemy is critical. Simultaneously, attackers do the same exercise, but in the opposite direction. They analyze the detection capabilities of blue team tools against their C2 / post-exploitation arsenal tooling. Based on that, adversaries constantly find new evasion techniques to stay hidden and undetected during post-exploitation activities. And again, defenders should continue doing offensive research to stay updated and gain better detection coverage.

This hands-on training will introduce students to the world of C2 Frameworks and related offensive projects, their functionalities, post-exploitation modules, different kinds of network communication channels, extensions, and chaining capabilities. We will go through different programming languages to achieve the attacker's goals. Expect C2 customization, generating undetected loaders and payloads, using obfuscation methods, in-memory payload execution, domain fronting, redirectors, UAC / AMSI / Defender bypassing just to name a few.

Each of the steps: enumeration, privilege escalation, persistence, pivoting, and lateral movement will be covered as hands-on instructions compatible with PurpleLabs - a cloud-based Cyber Range Playground that includes:

• Sysmon
• Windows Event Logs
• Zeek IDS
• Suricata IDS
• Moloch FPC
• Netflow ElastiFlow
• Velociraptor DFIR
• Falco
• Wazuh 
• OSquery
• Splunk
• Hunting ELK
• Sigma rules

Saying that, in addition to the offensive part, you will have the opportunity to run hunting and detection activities, thus achieving a bigger picture about adversary tradecraft.

Highly technical content and only a hands-on practical approach guarantee that the usage of this transferred knowledge in real production environments will be easy, smooth, and repeatable.

Agenda

• Introduction to C2 Matrix
• The current state of APT campaigns in terms of popular C2 usage
• Distributed / multi-node C2 Architectures
• Staging / stageless payloads
• Generating different types of implants and in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies 
• Implants execution in different formats: HTA, MSI, JS, VBS, WSF, ZipExec, ISO, binjection
• Beacon intervals, jitter, padding, and expiration/kill dates
• Malleable C2 profiles / Blending into the normal traffic
• Cloning and armoring popular websites
• CDN domain fronting for C2
• Domain categorization for C2
• LOLbins / one-liners for TCP/UDP bind, reverse shells, and data transfer
• SSH Tunneling, SMB pivoting, Socat relaying, IPtables port forwarding HTTP and proxying
• Execute-shellcode, execute-assembly
• Process migration and different types of process/shellcode injections
• C2 extensions loading and tooling customizations
• Dumping credentials at scale and user impersonation
• ICMP C2 and exfiltration
• C2 over HTTP/1.1, HTTP/2, and HTTP/3 protocols
• Web shells as SOCKS proxy
• DNS Tunneling / DNS-over-HTTPS C2 and payload delivery
• Pwning Docker API over DNS Rebinding
• P2P Named pipe C2
• AD / LDAP as hidden storage
• Outlook as C2
• Word / Excel document weaponization
• Browser pivoting
• Data exfiltration using X509 digital certificates
• mTLS/SSL-based C2 communication channels
• VPN-based C2 communication channels
• Cloud-based exfiltration techniques and C2 channels: 
• Slack as C2
• SSH over Google Drive
• Pastebin as C2
• Youtube Comments as payload delivery channel
• Telegram as C2
• Discord as C2
• Lateral movement over psexec, atexec, wmiexec, dcomexec 
• Active Directory enumeration methods: RPC / LDAP
• Active Directory and Kerberos attacks:
• Golden Tickets
• Silver Tickets
• Kerberoasting
• Pass The Hash
• Pass The Ticket
• DCSync
• Skeleton Key
• Password spraying
• NTLM Relay to AD CS

• Bypassing UAC
• Evading AV/EDR by using direct system calls
• BloodHound - attack paths visualization
• Playing with different persistence methods (user space / kernel space)
• Hunting laterally for data
• Securing your C2 infrastructure (FW, port-knocking, WAF)

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

• CSIRT / Incident Response Specialists / Threat Hunters
• Red and Blue team members
• Penetration testers
• Security / Data Analytics Engineers
• IT Security Professionals, Experts & Consultants
• SOC Analysts and SIEM Engineers
• AI / Machine Learning Developers

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 20 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out what the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.