Adversary Tactics: Red Team Operators Course Review

tl;dr:

Take this course for the love of Red! Beginner to advanced, you will pick up some skills with the huge amount of knowledge drop and battle stories from experienced Red Team’ers and experienced instructors from all backgrounds. You’ll learn about tools like Cobalt Strike, Empire, BloodHound, PowerUpSql, PowerView, PowerUp, PowerSploit as well as attack techniques such as Kerberoasting, Golden Tickets, Silver Tickets, Trustpocalypse, and other advanced red team tradecraft.

Nearly two months ago I took a 4 day course with some of the sharpest minds in the infosec field and my mind is still blown. I had the privilege of attending @SpecterOps first public offering of their 4 day Adversary Tactics: Red Team Operations course in McLean, VA in September 2017. SpecterOps has put together a really talented and experienced team with some of the best minds in infosec right now. They all contribute to either invaluable open-source projects (Empire, BloodHound, PowerSploit, Armitage, Cobalt Strike) or deliver ground breaking research at tech conferences, so I knew this course was going to be information watering hose! 4 days later and over 500 slides reviewed in a complex lab environment, I wasn’t wrong. The course was primarily taught by @harmj0y, @enigma0x3, @_wald0, and @brian_psu. However, there were guest appearances by @armitagehacker, @jasonfrank, @cptjesus, and @mattifestation. Of course the lovely Kelly organized delicious breakfast and lunch each day and a fantastic happy hour at a nearby bar. We all also received some sweet SpecterOps branded swag including a journal, pen, trendy thermos, t-shirt, USB drive, and a ton of stickers!

Lab:

Over a dozen live machines, several domains in different trust models, a few hundred joined workstations and accounts in various states all configured in Azure and connected to via OpenVPN. There was even some bleed over to the internet for an exercise in OSINT as well as domain searching. What I really liked about the lab was the fact we did an exercise in finding a legitimate domain to use as our redirectors to hide our real C2 server.

The capstone of the entire lab only had 3 objectives, but took most teams the full 4 days to achieve in its entirety:

Find and exfiltrate data from sensitive databases in a mock company subsidiary
Gain commit-level access to a mock company subsidiary source code
Test the separation between two specific companies (parent and subsidiary)

Day 1:

The first day was all about getting acquainted, setup, identifying and configuring covert infrastructure and some initial OSINT. We made use of several internal domains such as http://materials.lab and http://dns.lab to download appropriate materials and configure DNS. Throughout the course there were several lectures on different primary topics as well as a defensive lecture on how a skilled blue team/defender may go “hunting” for this type of offense. The goal was to enable the red team to perfect their craft and go deeper without getting caught. We also reviewed some quick ways to initially triage hosts. The first exercise was identifying legitimate expired domains to use as our redirectors for both short and long term beacons back to our masked Cobalt Strike C2 server. There was a great amount of details centered around protecting the C2 including several methods to protect it from the redirectors themselves. There was a really great discussion about leveraging LinkedIn to identify various employees, companies, and technologies related to your target. We utilized this in an exercise as well to identify our spear-phishing targets. We leveraged client side exploitation to get an initial foothold from an extremely believable and targeted spear-phishing email. The instructors manually reviewed this emails posing as users of this company, the spearphish had to be believable so winning $1,000,000 from a Nigerian prince wasn’t going to cut it. There was a lot of discussion about web categorization as well and the importance of using a domain that has a category to prevent things from being blocked. Some good explanations on domain fronting too, that is a fascinating technique that is extremely successful. All of these lead back to a common website which can be used to identify a great resource to host your C2 behind, grab a recently expired domain which has already been web categorized! https://www.expireddomains.net is a fantastic resource for just that!

Day 2:

There were several lectures centered around situational awareness and methods to leverage beacons to pull back key data about a box. We discussed ways to have short and long term access over sustained persistent beacons as well as opsec considerations. The use of PowerView and PowerUp powershell scripts is key to helping enable privilege escalations via misconfigurations in multiple windows OS’s ranging from Windows 7 to Windows 10 and Sever 2012. We really got into the meat of the course on day 2, some teams quickly moved ahead of others by compromising multiple hosts and others took their time. All in all it was a great experience to learn how to use Cobalt Strike to move laterally through a network.

Day 3:

The third day was really focused more on lateral movement, even though day 2 touched on it. Utilizing credentials captured via mimikatz and session tokens copied from logged in users was a really cool exercise, and extremely effective at expanding access. We even used BloodHound to look at pre-built data (time saving) and look at viable attack paths to the domain controller (DC). The sheer knowledge drop on the 3rd day was incredible, so much Active Directory and Windows internal operations were discussed hear that made my head spin. I’m still going back and referencing the slides and additional references supplied. The blue team (@brian_psu) that was actively defending and working to mitigate the barrage of attacks the multiple red teams were throwing stepped it up a notch too. A lot of teams had their entire foothold in the network killed, booted most of us back to the initial box. Discussions later on revealed what he was looking for and how he discovered some of our attacks. This red vs. blue method of teaching was incredible useful, as a red team attacker knowing what blue team is looking for can only help to strengthen your tradecraft.

Day 4:

Gaining access to the DC is where it got really fun, we learned techniques for copying the active directory as well as Kerberoasting. After 4 days of hacking our way through multiple domain trusts and Windows servers and clients, what I enjoyed most about this course was the extremely hands on nature. There was technically only one lab (the capstone), but as we heard lectures about new techniques and tools we got to apply them in the lab. The tools, techniques, and procedures (TTP’s) that we learned in here are invaluable and have definitely helped expand my knowledge in this realm, something I can take back and apply immediately.

Debrief:

At the end of the course, we were given additional materials documenting out the solutions. This was a PDF document that had a detailed map on the different boxes and domains and the steps necessary to complete them. We were also given over a dozen MP4 video walkthroughs of all the steps and procedures necessary to compromise each and every box and domain. This is invaluable to go back and reference, I find that watching video tutorials like this only strengthen your tradecraft.

Useful Software:

RocketChat – Useful to chat amongst team members when saying it out loud would be to sensitive (other teams or defenders hearing you)
Etherpad – Useful for a shared word document between team members to share operational data and key information

Useful Cheat Sheets created by @harmj0y:

Useful Technical Resources:

https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki – Great resource for everything you need to setup red team infrastructure
https://www.expireddomains.net

Useful Blogs and Tutorials: