Anthony Rose & Jake Krasnov - APT Tactics: Lazarus, Ransomware, and Advanced Exploitation - DCTLV2025
Name of Training: APT Tactics: Lazarus, Ransomware, and Advanced Exploitation
Trainer(s): Anthony "Coin" Rose and Jake "Hubble" Krasnov
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $1500
Course Description:
APT Tactics: Lazarus, Ransomware, and Advanced Exploitation is an intermediate-level course designed to immerse participants in the sophisticated techniques and operations used by Advanced Persistent Threats (APTs) such as the Lazarus Group. This hands-on course provides deep insights into their tactics, including ransomware deployment, lateral movement, and data exfiltration, with a focus on real-world scenarios.
Students will learn to leverage tools and techniques like RDP, PSExec, and SMB for lateral movement across enterprise networks, exploit vulnerabilities like Log4J (CVE-2021-44228), and deploy ransomware not just on systems but also on enterprise backups. The course includes training on stealing high-value assets, such as cryptocurrency wallets, and crafting comprehensive campaigns against both Windows and Linux environments.
In addition to simulating ransomware attacks, participants will practice disabling Endpoint Detection and Response (EDR) systems, explore Bring Your Own Driver (BYOD) attack techniques, and emulate high-profile breaches, such as the WannaCry ransomware outbreak. Through engaging labs and carefully constructed emulation exercises, attendees will apply these techniques in realistic scenarios, gaining a thorough understanding of both offensive operations and the defensive strategies needed to counter them.
Students Will Be Provided With:
-
Lifetime Access to Course Material, plus 1-month Lab Access
-
Exclusive Course Swag
-
Certificate of Completion
Course Outline:
-
Introduction and Course Objectives
-
Focus of course is to emulate APT techniques, particularly Lazarus Group’s TTPs
-
Overview of Lazarus Group and Empire Framework
-
Baseline Knowledge
-
Red vs. Blue teams
-
What are APTs
-
Walkthrough of Red’s Kill Chain
-
What is C2? An overview of Command and Control servers
-
C2 Theory and Communications mechanisms
-
Lazarus Group
-
In-depth analysis of WannaCry Ransomware Attack
-
Study of the SWIFT Banking System Breach
-
Other Notable Campaigns and their Techniques
-
Command and Control
-
Creating Listeners and Stagers
-
Deploying and Managing Agents
-
Exercise: Agent Deployment
-
Initial Access Techniques
-
Techniques for Gaining Initial Access (Spear-phishing, exploitation of vulnerabilities and supply chain attacks)
-
Analyzing Lazarus Group’s Initial Access Strategies (real world examples)
-
Exercise: Initial Access Techniques
-
Exploiting Log4j Vulnerability (CVE-2021-44228)
-
Overview of Log4Shell exploit and it's real-world implications
-
Exercise: Exploiting Log4j for Initial Access
-
Overview of Ransomware Tactics
-
Encryption, ransom notes, and propagation techniques.
-
Case Study: Lazarus Group's Ransomware Attacks
-
Exercise: Creating and Deploying a Simulated Ransomware Attack
-
Privilege Escalation Tactics
-
Understanding Privilege Escalation (Common methods: bypassing UAC, abusing scheduled tasks, etc.)
-
Bring Your Own Vulnerable Driver Overview and implementation
-
Exercise: Executing a Privilege Escalation Scenario
-
Lateral Movement Strategies
-
Lateral Movement Concepts (RDP, PSExec, SMB, and other techniques)
-
Lazarus Group’s Lateral Movement Techniques
-
Exercise: Implementing Lateral Movement on a network
-
Advanced TTPs
-
Bring Your Own Driver (BYOD) Attack Techniques (Leveraging vulnerable drivers to disable Endpoint Detection and Response (EDR) systems)
-
Exercise: Implementing a BYOD Attack
-
Advanced Listeners and Stagers (Customizing Agents for Specific Tasks)
-
Exercise: Custom Agent Deployment and Command Execution
-
Emulating Lazarus Group's TTPs
-
Scenario Introduction and Setup
-
Simulating a Complex Lazarus Group Attack, Step-by-step emulation of Lazarus Group tactics.
-
Exercise: Full-Scale Emulation of a Lazarus Group Campaign
-
Course Conclusion and Debrief
-
Key Takeaways
-
Recap of the techniques and lessons learned.
Difficulty Level:
Intermediate/Advanced
-
Familiarity with Linux and Windows command-line interfaces for executing tools and scripts.
-
Basic understanding of offensive security tools
Suggested Prerequisites:
-
Long Live Empire: A C2 Workshop for Modern Red Teaming – DEFCON Workshop https://github.com/BC-SECURITY/Long-Live-The-Empire
-
Evading Detection: A Beginner's Guide to Obfuscation – DEFCON Workshop
https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation
What Students Should Bring:
-
Laptop with 8GB of RAM
-
Modern Web Browser (Chrome, Firefox, etc.)
Trainer(s) Bio:
Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security, with a distinguished career spanning engineering and cybersecurity. A U.S. Air Force veteran, Jake began his career as an Astronautical Engineer, overseeing rocket modifications, leading test and evaluation efforts for the F-22, and conducting red team operations with the 57th Information Aggressors. He later served as a Senior Manager at Boeing Phantom Works, where he focused on aviation and space defense projects. A seasoned speaker and trainer, Jake has presented at conferences including DEF CON, Black Hat, HackRedCon, HackSpaceCon, and HackMiami.
Dr. Anthony "Coin" Rose is the Director of Security Research and Chief Operating Officer at BC Security, as well as a professor at the Air Force Institute of Technology, where he serves as an officer in the United States Air Force. His doctorate in Electrical Engineering focused on building cyber defenses using machine learning and graph theory. Anthony specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. Anthony has presented at security conferences, including Black Hat, DEF CON, HackMiami, RSA, HackSpaceCon, Texas Cyber Summit, and HackRedCon. He also leads the development of offensive security tools, including Empire and Moriarty.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]