In & Out -

Network Exfiltration and Post-Exploitation Techniques - Red Edition.

Learn more


The In & Out - Network Exfiltration and Post-Exploitation Techniques [RED Edition] training class has been designed to present students modern and emerging TTPs available for network exfiltration and lateral movement phases. This highly technical content and only a hands-on practical approach guarantee that the usage of this transferred knowledge & technologies in real production environments will be easy, smooth and repeatable.

Using an available set of tools, the student will play one by one with well-prepared exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of a modern attacker’s behavior. Great content for SIEM / SOC team validation including verification methods and techniques for product and service providers from IT Security space → in terms of internal testing and PoC / PoV programs.


  1. Introduction to Adversary Simulations and Open Source Attack Emulation projects.
  2. Modern RAT’s implementation and popular APT/C2 malware communication design - the review of the latest APT campaigns mapped to MITRE ATT&CK Framework.
  3. Not just the basics of TCP/UDP bind and reverse shells.
  4. Covert channels and C2 techniques.
  5. Lateral movement and Offensive Frameworks.
  6. Cloud-based exfiltration techniques and C2 channels.
  7. FW / WAF protection for your C2 infrastructure.
  8. Signature-based event analytics, rule bypassing & malicious network traffic generation.
  9. Summary → recommended defensive/protection tactics, tools, and commercial platforms.


  • impacket, pyexfil, scapy, metasploit/meterpreter, Veil Framework, Sharpshooter, Shellter, proxychains, poshC2, dns2tcp, pupy, tcpreplay, suricata, bro IDS, sg1, nmap, DET, xfltreat, pytbull, wireshark, tcpdump, sysdig, hping, fruityC2, tuna, RATTE, Powersploit, PowerShell Empire, nishang, corkscrew, Egress-assess, pivoter, hydra, wondjina, Trevor C2, C3, Koadic, Apfell, sharpSocks, WSC2, Weasel, google_socks, sqlmap, BeeF Framework, twittor, torify, TheFatRat, cloakify,  WMIsploit, certreq, SSH, ngrep, nping, iptables, Faction C2, Merlin, ThunderShell, udp2raw, Volatility Framework, SILK, EvilURL, Katoolin, PowerLessShell, reGeorg, rpivot, WSC2, NativePayload_IP6DNS, dnsmasq, thc-flood, knockd, dnstwist, yersinia, DNSexfiltrator, SMBmap, testssl, firebolt, Sliver, dumpster fire, APT simulator, cuckoo, moloch, icmptunnel, Invoke-DOSfuscation, ChunkyTuna, transmission, openvswitch, ngrok and more.

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

  • Red and Blue team members
  • Security / Data Analytics
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and DevOps through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP Appsec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL 2019.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out what the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.


Register at 44CON in London or Hack in The Box 2020 in Amsterdam on days 11-12 March 2020 or 20-22 April 2020 respectively. If interested in dedicated, closed training for your SOC team let us know too. We love delivering on-site training sessions!