
DEF CON Training
Aaron Turner - Automating hybrid M365 attacks and detection - Modern Purple Teaming - $1250
Outline:
· [All] Introductions & Agenda
· Module 1: Attacker ROI Analysis – Aaron Turner
o (15 minutes) [AT] Lecture: Understanding M365 market share on a global basis
o (15 minutes) [AT] Lecture: Attacker open source intel techniques
· Module 2: The history of automated M365 hybrid attacks
o (30 minutes) [AT] Lecture: From Dark Halo to the latest APT29 activities
o (30 minutes) [AT] Lecture: Understanding 2023 hybrid attack patterns
o (30 minutes) [AT] Lecture: Lessons learned from the LastPass hack that can be applied
· Module 3: M365 Internals & Lay of the land – Connor Peoples
o (30 minutes) [CP] Lecture: Overview for configuration grabbing
o (15 minutes) [CP] Lab: Installing Neo4j, setting up M365 Tenant
o (30 minutes) [CP] Lecture: Graph DB Modeling
o (60 minutes) [CP] Lab: Students model nodes and edges based on M365 data
o (30 minutes) [CP] Lecture: Creating a PowerShell system to automatically pull nodes
o (60 minutes) [CP] Lab: Students implement the PowerShell step for all nodes
o (15 minutes) [CP] Lecture: Enhancing PowerShell system to automatically pull edges
o (30 minutes) [CP] Lab: Students importing all the edges into the PowerShell tool
o (30 minutes) [CP] Lecture: Exporting the data into cypher language
o (30 minutes) [CP] Lab: Students complete the export into their tools
o (30 minutes) [CP] Lecture: How to query data within Neo4j
o (30 minutes) [CP] Lab: Students go on easter egg hunt for malicious configurations
· Module 4: Leveraging the Microsoft Azure AD Attack Framework
o (30 minutes) [AS] Lecture: MAAD-AF Overview
o (15 minutes) [AS] Lecture: MAAD-AF Decoding (Design/Architecture)
o (15 minutes) [AS] Lecture: Using MAAD-AF
o (45 minutes) [AS] Lab: Hands on with MAAD-AF
o (15 minutes) [AS] Lecture: Designing an effective testing process
o (15 minutes) [AS] Lecture: Outcomes of Simple, Fast & Effective Security Testing
· Module 5: Designing Hybrid Attack Scenarios with ./Havoc
o (15 minutes) [TD] Lecture: ./HAVOC Overview
o (15 minutes) [TD] Lecture: ./HAVOC Architecture
o (15 minutes) [TD] Lecture: Review of Deployment Settings
o (45 minutes) [TD] Lab: Students Deploy ./HAVOC in Their AWS Account
o (15 minutes) [TD] Lecture: Introduction to Playbooks
o (15 minutes) [TD] Lecture: Custom MAAD-AF Playbook Walkthrough
o (30 minutes) [TD] Lab: Students Create a Custom MAAD-AF Playbook
o (30 minutes) [TD] Lab: Students Execute and Monitor Their Custom MAAD-AF Playbook
· Module 6: Building Purple Team Capabilities for M365 Hybrid Environments & Wrap Up
o (30 minutes) [All] Lecture: Enabling security teams to be successful long term in M365
o (30 minutes) [All] Q&A: Experts’ opinions of the future of M365 attacks
o Arpan Sarkar has expertise in threat hunting and security investigations, having consulted several enterprise teams on building and developing their security and insider threat programs. Arpan is currently the Technical Marketing Engineer for Threat Hunting at Vectra.
o Connor Peoples brings a variety of background experiences to the table, with development, architectural, and engineering expertise across multiple industries including healthcare, utilities, and retail. He focuses on creating custom-fit solutions to unique problems and enjoys the challenge.
o Tom D’Aquino is Director of Security Validation at Vectra AI. His experience developing, deploying, and supporting enterprise threat detection and response platforms spans more than 20 years. In addition to his role at Vectra, Tom is the founder and lead developer of ./HAVOC, an open source, cloud-native adversary emulation platform. He also produces and hosts the ./HAVOC podcast, where he reviews cybersecurity research and open source cybersecurity tools.
· Arpan Sarkar
o https://www.linkedin.com/in/arpan-sarkar
o https://github.com/vectra-ai-research/MAAD-AF
· M365 Administration
· Azure AD Administration
· AWS Tenant Configuration
· Nice to have but not required
https://github.com/vectra-ai-research/MAAD-AF/blob/main/README.md
Students should bring:
· Neo4j for Desktop installed
· Access to an M365 Developer Sandbox (or other non-production tenant)
· AWS Tenant with permissions to deploy workloads
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Aaron Turner
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; the processing fee is $250.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004