Windows Red-Team Techniques Training

Windows Red-Team Techniques

Description

As the defensive capabilities of the Windows platform evolve, attackers must continue to improve their tradecraft to circumvent them, and defenders must understand these techniques to further improve their detection and prevention capabilities.

Attackers avoid touching the disk by living off the land: taking full advantage of the tools and scripting languages built into the system to execute in-memory, fileless attacks. While there are many publicly available offensive tools and frameworks that facilitate script-based attacks, most of them are flagged by endpoint security solutions. Understanding the inner workings of these tools and techniques enables red teamers to create their own implementations and variants that these defenses do not recognize.

This training course takes attendees on a practical, hands-on journey through the post-exploitation techniques used by modern fileless attacks at every stage of their execution.

Beneficial to both the offensive and the defensive side, the knowledge and hands-on experience gained in this training will help attendees in real-world red team engagements and in defending against fileless attacks. Attendees learn about modern fileless attacks that use scripting languages, execute in memory, avoid touching the disk, and evade endpoint security solutions.

Hands-on Labs

In the hands-on labs, attendees implement various techniques used by modern adversaries, test them, observe their noise level in logs, and understand their forensic footprint. All labs are performed on the latest version of Windows 10 64-bit so attendees can observe the impact of ETW, Sysmon, PowerShell logging, AMSI, etc., and learn techniques to evade such logging.

Prerequisites

Attendees must have a good understanding of the Windows operating system and familiarity with the attack life cycle. Attendees are expected to have prior experience with using PowerShell on Windows 10.

Learning Objectives

  • Understand the stages of fileless attacks.
  • Achieve initial execution through documents.
  • Leverage whitelisted executables.
  • Develop scripts to achieve offensive goals.
  • Perform in-memory execution.
  • Configure various forms of event logging and bypass them.
  • Configure the system to improve the detection of modern threats.
  • Execute commands on remote systems.
  • Perform local system enumeration and discovery.

Topics

  • Malicious documents
  • Living off the land
  • CMD and PowerShell
  • Offensive PowerShell
  • System defenses and evasion
  • Fileless attack techniques
  • Offensive WMI

Course Details

Introduction

The objective of this section is to introduce attendees to the Windows fileless attack landscape. It covers topics such as the different stages of fileless attacks and how they map to the MITRE ATT&CK framework, living-off-the-land binaries (LOLBins), initial access vectors, and system defenses based on Virtualization-Based Security (VBS).

  • Tools overview
  • Adversary simulation
  • Initial access
  • Fileless attacks
  • Living off the land
  • Ecosystem review

Malicious Documents

The objective of this section is to learn about the use of malicious documents to gain an initial foothold on the system. It covers topics such as legacy and XML-based Office file formats, Office DDE attacks and their mitigations, social engineering techniques to get users to run document macros, developing Office macros in VBA, VBA subroutines, VBA obfuscation, interfacing with Win32 APIs from VBA, and publicly available document macro analysis tools.

  • Office document formats
  • Office DDE
  • Office macros
  • Visual Basic for Applications (VBA)
  • VBA stomping
  • Document analysis tools

Living off the Land

The objective of this section is to learn about the system's built-in whitelisted binaries and script hosts that can be leveraged to execute attacks. It covers topics such as the Windows Script Host (WSH) object model, the capabilities of VBScript and JScript, using MSHTA and CHM files as execution vectors, running .NET assemblies through MSBuild, using RunDLL32 to execute JavaScript, and using various other built-in tools to stage attacks.

  • Windows Script Host
  • WSH object model
  • VBScript and JScript
  • MSHTA & CHM
  • Abusing RunDLL32
  • RegSvr32, BITSAdmin, Certutil, etc.

CMD & PowerShell

The objective of this section is to learn about scripting in the CMD.exe command shell and the capabilities of PowerShell. It covers topics such as the command-line flags of CMD.exe, batch file scripting techniques, built-in and external commands, different ways of spawning PowerShell, processing and emitting PowerShell objects, PowerShell execution policies and their bypasses, the restrictions imposed by Constrained Language Mode (CLM), and Just Enough Administration (JEA).

  • Commands and batch files
  • Batch file programming techniques
  • PowerShell command line
  • PowerShell execution policies
  • PowerShell command pipeline
  • PowerShell constrained language mode

Offensive PowerShell

The objective of this section is to learn about leveraging PowerShell capabilities to implement the building blocks of fileless attacks. It covers topics such as the various PowerShell Invoke-* commands, using .NET classes and COM objects, converting between PowerShell strings and byte arrays, PowerShell command encoding and obfuscation, using memory and I/O streams for payload compression, calling Win32 and other native APIs, and marshaling data structures across the managed/native boundary.

  • Invoke commands
  • .NET and COM object access
  • Data type conversion
  • Payload compression
  • PowerShell droppers
  • Win32 and P/Invoke
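The following is an added example, not part of the course materials, that chains the building blocks this section lists: string-to-byte-array conversion, GZip compression through memory streams, Base64 encoding, and the UTF-16LE encoding that powershell.exe -EncodedCommand expects. It also implements the inverse of each step, which is what an analyst does when decoding a recovered launcher. The embedded payload is a constructed, harmless script; nothing here is executed beyond printing the stages.

```powershell
# Added example (not course material): the conversion, compression and encoding
# steps a PowerShell dropper chains together, and the inverse steps used to unwind it.

function Compress-ScriptText {
    param([Parameter(Mandatory)][string]$Text)
    # string -> UTF-8 byte array
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $buffer = [System.IO.MemoryStream]::new()
    $gzip   = [System.IO.Compression.GZipStream]::new($buffer, [System.IO.Compression.CompressionMode]::Compress)
    $gzip.Write($bytes, 0, $bytes.Length)
    $gzip.Dispose()                                  # flushes the gzip trailer into $buffer
    # byte array -> Base64 text that survives inside a command line or a registry string value
    [Convert]::ToBase64String($buffer.ToArray())
}

function Expand-ScriptText {
    param([Parameter(Mandatory)][string]$Base64)
    $raw    = [System.IO.MemoryStream]::new([byte[]][Convert]::FromBase64String($Base64))
    $gzip   = [System.IO.Compression.GZipStream]::new($raw, [System.IO.Compression.CompressionMode]::Decompress)
    $reader = [System.IO.StreamReader]::new($gzip, [System.Text.Encoding]::UTF8)
    $reader.ReadToEnd()
}

# powershell.exe -EncodedCommand takes Base64 of the UTF-16LE ("Unicode") bytes of the
# command, not UTF-8. Decoding with the wrong encoding yields interleaved NUL characters.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Constructed sample payload: harmless, only here to have something to stage.
$payload = @'
# sample payload, does nothing of interest
Get-Date | Out-String
'@

$blob = Compress-ScriptText $payload

# Stage-1 loader text a dropper would hand to -EncodedCommand: decode, gunzip, then
# Invoke-Expression the recovered script. It is built here only to show its shape.
$stage1 = "IEX([IO.StreamReader]::new([IO.Compression.GZipStream]::new([IO.MemoryStream]::new([Convert]::FromBase64String('$blob')),[IO.Compression.CompressionMode]::Decompress),[Text.Encoding]::UTF8).ReadToEnd())"
$encoded = ConvertTo-EncodedCommand $stage1

"Payload length   : {0} chars, compressed blob: {1} chars" -f $payload.Length, $blob.Length
"-EncodedCommand  : {0}" -f $encoded
"Decoded stage 1  : {0}" -f (ConvertFrom-EncodedCommand $encoded)
"Recovered payload:"
Expand-ScriptText $blob
```

Both directions matter in the lab: the forward path is what gets measured against script block logging and AMSI, and the reverse path is what a responder applies to a 4688 command line or a 4104 script block to recover the inner payload before deciding what it does.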

System Defenses & Evasion

The objective of this section is to learn about the various logging and defensive mechanisms in the system and how to evade some of them. It covers topics such as security-relevant events in the Windows Event Logs, ETW trace sessions, script block, transcription and module logging in PowerShell, defeating AMSI, Sysmon events and filters, and application whitelisting bypasses.

  • Windows event logs
  • Event Tracing for Windows (ETW)
  • Sysmon
  • PowerShell logging
  • Antimalware Scan Interface (AMSI)
  • AppLocker
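The following is an added example, not part of the course materials, for the PowerShell logging part of this section. It writes the registry values that the Group Policy settings for script block logging, module logging and transcription write under HKLM\SOFTWARE\Policies, runs a recognisable probe in a fresh process, and then reads back the resulting 4104 events from the PowerShell Operational log so the noise a technique produces can be measured. It needs an elevated Windows PowerShell 5.1 session; the transcript directory is an assumed value.

```powershell
# Added example (not course material). Run as administrator in Windows PowerShell 5.1.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed directory; pick an ACL-protected path

    $sbl = "$policyRoot\ScriptBlockLogging"
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    $mod = "$policyRoot\ModuleLogging"
    New-Item -Path "$mod\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    # A value named '*' with data '*' logs pipeline execution (event 4103) for every module.
    New-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    $tx = "$policyRoot\Transcription"
    New-Item -Path $tx -Force | Out-Null
    New-ItemProperty -Path $tx -Name EnableTranscripting    -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tx -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tx -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Get-ScriptBlockEvents {
    param([int]$Minutes = 10, [string]$Pattern = '.')
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $Pattern } |
    ForEach-Object {
        # 4104 payload layout: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
        # [3] ScriptBlockId, [4] Path. Long blocks are split across several events.
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Level     = $_.LevelDisplayName   # Verbose: policy logging; Warning: PowerShell's built-in suspicious-block detection
            ProcessId = $_.ProcessId
            Part      = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
            Script    = (($_.Properties[2].Value -split "`r?`n")[0]).Trim()   # first line only
        }
    }
}

Enable-PowerShellLogging

# New processes pick up the policy, so run the probe in a child powershell.exe.
$probe = 'probe-' + [guid]::NewGuid().ToString('N')
powershell.exe -NoProfile -Command "Write-Output '$probe'" | Out-Null
Start-Sleep -Seconds 2

Get-ScriptBlockEvents -Minutes 5 -Pattern $probe | Format-Table -AutoSize
```

Two things to check while reading the output: the probe shows up at Verbose level because the policy is on, whereas PowerShell 5.1 logs blocks it considers suspicious at Warning level even with the policy off, so disabling the policy alone does not silence 4104 entirely; and the transcript files under the output directory record the same session as plain text, which is the artifact an evasion that targets only the event log leaves behind.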

Fileless Attack Techniques

The objective of this section is to learn about executing the key phases of fileless attacks such as privilege escalation, persistence, discovery, exfiltration and lateral movement. It covers topics such as persistence using the Task Scheduler, storing encrypted payloads and configuration data as registry blobs, leveraging .NET for data collection, privilege escalation through the Service Control Manager, and lateral movement mechanisms.

  • Task scheduler
  • Registry persistence
  • Data collection
  • Services
  • Network enumeration
  • SMB/DCOM/RDP

Offensive WMI

The objective of this section is to learn about the offensive use of WMI for enumeration, execution, and persistence. It covers topics such as WMI classes for system, software and runtime enumeration, using WMI event subscriptions as persistence and execution vectors, the WS-Management (WSMan) protocol, WinRM configuration, and remote PowerShell sessions.

  • WMI architecture
  • WMI enumeration
  • WMI persistence
  • WMI and WinRM
  • WMI execution tools
  • PowerShell remoting
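The following is an added example, not part of the course materials, for the WMI persistence topic. A permanent WMI event subscription consists of an __EventFilter (the WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding that ties the two together in the root/subscription namespace. The function below joins the three back together, which is both how a responder hunts for the technique and how an operator sees the footprint their own subscription leaves. It uses only the CIM cmdlets and the standard class names; no assumptions beyond a local Windows 10 host.

```powershell
# Added example (not course material): enumerate permanent WMI event subscriptions.

function Get-RefName {
    # Reference properties come back as CimInstance objects from Get-CimInstance, and as
    # object-path strings such as __EventFilter.Name="X" from older WMI tooling; handle both.
    param([object]$Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) {
        return [string]$Ref.CimInstanceProperties['Name'].Value
    }
    if ("$Ref" -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
    return "$Ref"
}

function Get-WmiEventSubscription {
    param([string]$Namespace = 'root/subscription')
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)  # abstract base: returns every consumer type
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # The "what runs" field depends on the consumer class: CommandLineEventConsumer uses
        # CommandLineTemplate/ExecutablePath, ActiveScriptEventConsumer uses ScriptText/ScriptFileName.
        $action = $null
        if ($c) {
            foreach ($p in 'CommandLineTemplate', 'ExecutablePath', 'ScriptText', 'ScriptFileName') {
                $prop = $c.CimInstanceProperties[$p]
                if ($prop -and $prop.Value) { $action = "$p=$($prop.Value)"; break }
            }
        }

        $query = if ($f) { $f.Query } else { '<filter missing>' }
        $class = if ($c) { $c.CimSystemProperties.ClassName } else { '<consumer missing>' }

        [pscustomobject]@{
            Filter        = $fName
            Query         = $query
            ConsumerClass = $class
            Consumer      = $cName
            Action        = $action
        }
    }
}

Get-WmiEventSubscription | Format-List
```

On a stock Windows 10 install the only binding normally present is the built-in SCM Event Log Filter tied to the SCM Event Log Consumer (an NTEventLogEventConsumer); any CommandLineEventConsumer or ActiveScriptEventConsumer is worth explaining. The same three objects are also what the logging covered in the previous section records when they are created: Sysmon event IDs 19, 20 and 21 for filter, consumer and binding, and event 5861 in Microsoft-Windows-WMI-Activity/Operational, so running this after a lab exercise shows both the live artifact and the log entries it produced.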