{"id":2429,"date":"2020-08-14T15:22:02","date_gmt":"2020-08-14T13:22:02","guid":{"rendered":"https:\/\/archive.brucon.org\/2020\/?page_id=2429"},"modified":"2020-08-17T22:32:49","modified_gmt":"2020-08-17T20:32:49","slug":"advanced-windows-tradecraft","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2020\/brucon-2020-training\/advanced-windows-tradecraft\/","title":{"rendered":"Advanced Windows Tradecraft"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><h2>Course Description<\/h2>\n<p>Organizations with a mature security model want to test their security controls against sophisticated adversaries. Red teams that want to simulate such adversaries need advanced tradecraft. Such tradecraft must include the ability to adapt to the target environment, modify existing tactics and techniques to avoid detection, swiftly switch between tools written in the different languages supported on Windows, break out of restrictions, abuse legitimate functionality and keep up with the game of bypassing countermeasures. If you want to take your Windows tradecraft to the next level, this is the course for you.<\/p>\n<p>This training takes you through tradecraft for Red Teaming a Windows environment using nothing but trusted OS resources and languages. We cover multiple phases of a Red Team operation, such as initial foothold, enumeration, privilege escalation, persistence, lateral movement and exfiltration, in a fully updated and patched lab with countermeasures enabled.<\/p>\n<p>Some of the topics covered in the class:<\/p>\n<ul>\n<li>Offensive C#, PowerShell, JScript\/VBScript<\/li>\n<li>Bypassing Application Whitelisting<\/li>\n<li>Bypassing host countermeasures<\/li>\n<li>Evading process tree based detection<\/li>\n<li>Evading advanced logging (command line, PowerShell v5, Sysmon etc.)<\/li>\n<li>In-memory assembly and shellcode execution<\/li>\n<li>Offensive WMI<\/li>\n<li>COM hijacking<\/li>\n<li>Advanced Client Side Attacks on restricted and secure environments<\/li>\n<li>Local and domain privilege escalation<\/li>\n<\/ul>\n<p><em>Attendees will get one month of free access to a lab configured like an enterprise environment, during and after the training.<\/em><\/p>\n<h2>Course contents<\/h2>\n<h4>Day 1<\/h4>\n<ul>\n<li>Introduction to the methodology<\/li>\n<li>Windows as an attack platform<\/li>\n<li>Offensive PowerShell<\/li>\n<li>PowerShell without powershell.exe<\/li>\n<li>Offensive C#<\/li>\n<li>Offensive JScript\/VBScript<\/li>\n<li>Offensive WMI<\/li>\n<\/ul>\n<h4>Day 2<\/h4>\n<ul>\n<li>COM Hijacking<\/li>\n<li>Bypassing application whitelisting<\/li>\n<li>Bypassing host countermeasures<\/li>\n<li>Evading process tree based detection<\/li>\n<li>Evading advanced logging (command line, PowerShell v5, Sysmon etc.)<\/li>\n<li>Advanced Client Side Attacks in restricted environments (AWL and ASR enabled)<\/li>\n<\/ul>\n<h4>Day 3<\/h4>\n<ul>\n<li>Local and Domain privilege escalation<\/li>\n<li>Persistence (on host, domain and forest)<\/li>\n<li>Advanced Lateral Movement<\/li>\n<li>Defenses and Detection<\/li>\n<\/ul>\n<h2>Who should take this course?<\/h2>\n<p>Red teamers and penetration testers who want to take their Windows tradecraft to the next level will find this course very useful. 
Blue teamers and security professionals who want to understand how sophisticated adversaries target their organization should also take this course.<\/p>\n<h2>Requirements<\/h2>\n<ul>\n<li>Prior experience with Red Teaming or penetration testing.<\/li>\n<li>Prior experience with using Windows as an attack platform will be helpful.<\/li>\n<\/ul>\n<h4>What students should bring<\/h4>\n<ul>\n<li>A system with 4 GB RAM and the ability to install an OpenVPN client and RDP to Windows boxes.<\/li>\n<li>Privileges to disable or change any antivirus or firewall.<\/li>\n<li>Ability to connect to remote machines using a web browser (for browser based access).<\/li>\n<\/ul>\n<h2>Trainer Biography<\/h2>\n<p><strong>Nikhil Mittal<\/strong> is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Active Directory security, attack research, defense strategies and post exploitation research. He has 11+ years of experience in red teaming. He specializes in assessing security risks in secure environments that require novel attack vectors and an &#8220;out of the box&#8221; approach. He has worked extensively on Active Directory attacks, defense and bypassing detection mechanisms, and on Offensive PowerShell for red teaming. He is the creator of multiple tools, including Nishang, a post exploitation framework in PowerShell, and Deploy-Deception, a framework for deploying Active Directory deception. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.<\/p>\n<p>Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia), and at the world\u2019s top information security conferences. 
He has spoken and trained at conferences like DEF CON, Black Hat, BruCON and more.<\/p>\n<h2>Social Media<\/h2>\n<p>Twitter: <a href=\"https:\/\/twitter.com\/nikhil_mitt\">@nikhil_mitt<\/a><\/p>\n<p>Blog: <a href=\"https:\/\/www.labofapenetrationtester.com\/\">https:\/\/www.labofapenetrationtester.com\/<\/a><\/p>\n<p><a href=\"https:\/\/brucon0x0c-training.eventbrite.co.uk\" target=\"_self\">Buy Training Ticket<\/a><\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Course Description Organizations with a mature security model want to test their security controls against sophisticated adversaries. Red teams that want to simulate such adversaries need advanced tradecraft. 
Such tradecraft must include the ability to adapt to the target environment, modify existing tactics and techniques to avoid detection, swiftly switch between tools written in the different languages supported on Windows, break out of restrictions, abuse legitimate functionality and keep up with the game&#8230;<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":75,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-2429","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/pages\/2429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/comments?post=2429"}],"version-history":[{"count":7,"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/pages\/2429\/revisions"}],"predecessor-version":[{"id":2482,"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/pages\/2429\/revisions\/2482"}],"up":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/pages\/75"}],"wp:attachment":[{"href":"https:\/\/archive.brucon.org\/2020\/wp-json\/wp\/v2\/media?parent=2429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}