Instructor: John Stigerwalt
Course Length: 16 Hours
Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.
This is an advanced course that focuses on setting up secure and resilient C2 infrastructure using Azure/AWS, creating custom Cobalt Strike profiles, hunting for Active Directory Certificate Services misconfigurations in mature enterprise environments. Learn current post-exploitation techniques that White Knight Labs (WKL) has used during real-life engagements to dump credentials, move laterally, escalate to Domain Admin, and capture the client’s crown jewels. We will cover EDR bypass briefly, but AV/EDR bypass will be assumed knowledge for this course.
Although this course is designed to be a deep dive into hunting for ADCS misconfigurations and setting up C2 infrastructure, an apex attacker must also know their own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind. On the second day, students will be led through a real-life red team operation.
Students will learn how to configure resilient C2 infrastructure, abuse AD misconfigurations, and bypass AV/EDR. The majority of this course is focused on configuring exploiting Active Directory misconfigurations using hyper current techniques that WKL has seen in mature networks during red team engagements within the last year.
Who Should Attend?
We recommend this course If you’ve been working in offensive or defensive cyber operations for 1-2 years. Are you a penetration tester or red teamer that wants to hone their AD skills and have more options during engagements? This course is for you.
This is an advanced course. We recommend this course if you’ve already taken WKL’s Offensive Development course and/or have an in-depth understanding of bypassing AV/EDR. Common Active Directory attacks like pass-the-hash, golden/silver ticket, etc, will be assumed knowledge.
Students will be given a Terraform script to spin up their own lab environment in AWS that consists of the following:
- Windows Sophos Intercept X EDR VM
- Windows Crowdstrike EDR VM
- Ubuntu Cobalt Strike Team Server
- Windows 10 Development Machine
- Kali Linux
- Fully Patched Windows 10 Machine
- Windows Server 2022 (Domain Controller)
- Windows Serer 2022 (PKI Server)
Students must have an active AWS admin account with programmatic access.
Students must have an active Azure admin account
Day 1: Red Team Fundamentals
- Cobalt Strike/Guacamole walkthrough
- Terraform for infrastructure automation
- Redirectors and CDNs
- Custom malleable C2 profile
- Protecting your C2 server (mod rewrite and proxy pass)
- Touch and go AV/EDR Bypasses
Day 2: Red Team Operation Attack Paths
- Advanced payload creation
- Windows lateral movement
- SOCKS proxies
- Service controller
- Abusing AD misconfigurations via C2 channels (ADCS)
- Advanced credential dumping techniques
- SQL misconfigurations for lateral movement and code execution
Trainer & Author
During the last 10 years John Stigerwalt has worked in the following roles: blue team lead, developer, senior penetration tester, and red team lead. Focused mostly on exploit development and offensive cyber operations, he has led red team engagements in highly complex Fortune 500 companies. He has worked hand-in-hand with Microsoft to increase kernel security for the Windows 10 operating system. He has led training at BlackHat and DerbyCon. When not pwning boxes, you can find him harvesting maple syrup or spending time with his family.
Live Training Events
This class will be taught as part of
the Antisyphon Most Offensive Con that Ever Offensived! Summit,
March 1-3, 2023.