Windows Red Team Techniques Training


Description

As the defensive capabilities of the Windows platform evolve, attackers must continue to improve their tradecraft to circumvent them and defenders must understand these techniques to further improve their detection and prevention capabilities.

Attackers avoid touching the disk by using the living-off-the-land approach, which takes full advantage of the tools and scripting languages built into the system to execute in-memory, fileless attacks. While there are multiple publicly available offensive tools and frameworks that facilitate script-based attacks, many of them get flagged by endpoint security solutions. Understanding the inner workings of these tools and techniques enables red teamers to create unique implementations and variants that fly right past these defenses.

This training course takes attendees through a practical journey with a hands-on approach to teach them about the post-exploitation techniques used by modern fileless attacks at every stage of their execution.

Beneficial to both the offensive and the defensive side of the camp, the knowledge and hands-on experience gained in this training will help attendees with real-world red teaming engagements and in defending against fileless malware. Attendees learn about modern fileless malware, which uses scripting languages, executes in memory, avoids touching the disk, and evades endpoint security solutions.

This training is a mix of theory, instructor-led demos, lab exercises, and source code walkthroughs. More than 50% of this course is focused on hands-on labs where attendees practice living-off-the-land (LoL) techniques using signed and whitelisted binaries in the system.

In the hands-on labs, attendees implement various techniques used by modern malware, test them, observe their noise level in logs, and understand their forensic footprint. All labs are performed on the latest version of Windows 10 64-bit so attendees can observe the impact of ETW, SysMon, PowerShell Logging, AMSI, etc., and learn about techniques to evade such logging.

Prerequisites

Attendees must have a good understanding of the Windows operating system and familiarity with the attack life cycle. Attendees are expected to have prior experience using PowerShell on Windows 10.

Modules

Introduction

  • Tools Overview
  • Malware Execution Stages
  • Fileless Malware
  • Living off the Land
  • Downloaders & Droppers

Malicious Documents

  • Office Document Formats
  • Office Macros
  • Visual Basic for Applications (VBA)
  • VBA Stomping
  • Office DDE
  • Document Analysis Tools

Living off the Land

  • Windows Scripting Hosts
  • WSH Object Model
  • VBScript and JScript
  • MSHTA & CHM
  • Abusing RunDLL32
  • RegSvr32, BITSAdmin, Certutil etc.

CMD & PowerShell

  • Commands and Batch Files
  • Batch File Tricks
  • PowerShell Command Line
  • PowerShell Execution Policies
  • PowerShell Commands
  • PowerShell Command Pipeline

System Defenses & Evasion

  • Windows Event Logs
  • Event Tracing for Windows (ETW)
  • PowerShell Logging
  • Antimalware Scan Interface (AMSI)
  • SysMon
  • Application Whitelisting

Offensive PowerShell

  • Payload Obfuscation
  • Invoke Commands
  • Win32 and P/Invoke
  • .NET and COM Object Access
  • PowerShell Droppers
  • Payload Compression

Fileless Techniques

  • Privilege Escalation
  • Task Scheduler
  • Registry Persistence
  • System Enumeration
  • User Enumeration

Remote Execution

  • Remoting Methods
  • WMI Remoting
  • WSMAN & PS Remoting
  • Network Enumeration
  • Firewall Rules & Exceptions
  • WMI Persistence