Windows Post Exploitation w/ Kyle Avery
Instructor: Kyle Avery
Includes: Six months of complimentary access to the BHIS Antisyphon Cyber Range, certificate of participation
So you popped a shell, now what?
Windows Post Exploitation focuses on four major components of any adversary simulation or red team exercise: enumeration, persistence, privilege escalation, and lateral movement. Each of these steps will be covered in detail with hands-on labs in a custom Active Directory environment. In addition, students will learn several modern techniques to minimize opportunities for detection.
This course goes beyond teaching popular tactics, techniques, and procedures. Instead, students will learn how to covertly gather and leverage information about a target environment to achieve their objectives efficiently.
A review of each post-ex capability will include discussion on the OPSEC implications and publicly documented detection recommendations. Open-source SIEM rules from Sigma and Elastic will be used as a starting point for avoiding alert generation. No technique is undetectable; the key is understanding an environment’s detection capabilities and choosing the best course of action.
After taking this course, students will have:
- Insight into modern post-exploitation techniques for Windows environments
- An enhanced ability to make informed decisions to achieve objectives in a target environment
The ability to create new tools that implement specific capabilities from larger projects
WHO SHOULD TAKE THIS COURSE
- Red teamers
- Penetration testers
- Anyone interested in the thought processes and techniques of adversaries
AUDIENCE SKILL LEVEL
Beginners will do well in this course if they are self-motivated and willing to ask questions.
Intermediate and experienced students may find that they were not familiar with some techniques or had not considered some OPSEC implications.
Basic programming knowledge and an understanding of core security concepts are all students need in order to follow along with the course material. Students would benefit from penetration testing experience, but it is not required.
WHAT EACH STUDENT SHOULD BRING
- High-speed Internet connectivity
- A computer that can run a Windows 10 virtual machine—a minimum of 35 GB storage, 4 GB memory, and 2 vCPUs is recommended for the VM
WHAT STUDENTS WILL BE PROVIDED WITH
Students will receive a copy of the slides for the course and a script with instructions to create their own virtual machine.
TRAINER & AUTHOR
- Cyber Attack Lifecycle Overview
- Operational Security (OPSEC) Introduction
- Defender Tools and Log Sources
- Types of Malware Implants
- Understanding the Environment
- Stage-2 Implant Functionality
- Selecting Sacrificial Processes for Post-Ex Jobs
- Lab: .Net Obfuscation with ConfuserEx and ThreatCheck
- PowerShell OPSEC
- Network Enumeration
- Lab: Initial Enumeration and Execution Wrappers
- Building a Stage-1 Implant
- Lab: Building Stage-1 Implant Enumeration Components
- Local and Remote File Enumeration
- Payload Storage
- Methods of Execution
- Lab: Creating an LNK Backdoor Tool
- Introduction to COM
- Introduction to WMI
- Lab: DLL Hijacking
- Domain-Level Persistence
- OPSEC Considerations for Persistence
- User Hunting
- Lab: Modifying and Using SharpHound
- Local Privilege Escalation Opportunities
- Credential Gathering
- Lab: Accessing Saved Browser Credentials
- Kerberos Abuse
- Lab: Delegation Abuse
- Domain Privilege Escalation Opportunities
- On-Endpoint vs. Proxied Execution
- Lab: Writing a C# WinRS Lateral Movement Tool
- Lab: Writing a C# DCOM Lateral Movement Tool
- Lab: Writing a C# WMI Lateral Movement Tool
- Low Privilege Lateral Movement