    Aaron Turner - Automating hybrid M365 attacks and detection - Modern Purple Teaming - $1250

    DEF CON Training

    Automating hybrid M365 attacks and detection - Modern Purple Teaming

    Training description:

    Understanding attackers' Return on Investment (ROI) analysis is critical for security teams. Attackers follow where herds of victims migrate, and the Microsoft 365 ecosystem is now home to over 300 million users a month. Attackers also value their time and have developed automated toolsets to make them more effective. This course will focus on how Red Teams can automate attacks, security testing, and configuration analysis for M365 hybrid environments. It is designed as an intermediate course meant to support purple team activities. Students will learn about Attacker ROI analysis, M365 attacker reconnaissance, how to deploy the open source ./HAVOC platform with Vectra’s MAAD-AF open source attack tool to simulate the latest TTPs from the wild, and how to design hybrid attacks that mimic the latest threats observed by Vectra’s global security teams. Additionally, students will learn how to configure their own Neo4j and PowerShell tool to grab critical configurations from M365 for analysis of their environment.


    Outline:

    ·         [All] Introductions & Agenda


    ·        Module 1: Attacker ROI Analysis – Aaron Turner


    o   (15 minutes) [AT] Lecture: Understanding M365 market share on a global basis


    o   (15 minutes) [AT] Lecture: Attacker open source intel techniques


    ·        Module 2: The history of automated M365 hybrid attacks


    o   (30 minutes) [AT] Lecture: From Dark Halo to the latest APT29 activities


    o   (30 minutes) [AT] Lecture: Understanding 2023 hybrid attack patterns 


    o   (30 minutes) [AT] Lecture: Lessons learned from the LastPass hack that can be applied


    ·        Module 3: M365 Internals & Lay of the land – Connor Peoples


    o   (30 minutes) [CP] Lecture: Overview for configuration grabbing


    o   (15 Minutes) [CP] Lab: Installing Neo4j, setting up M365 Tenant


    o   (30 minutes) [CP] Lecture: Graph DB Modeling


    o   (60 Minutes) [CP] Lab: Students model nodes and edges based on M365 data


    o   (30 Minutes) [CP] Lecture: Creating a PowerShell system to automatically pull nodes


    o   (60 Minutes) [CP] Lab: Students implement the PowerShell step for all nodes


    o   (15 Minutes) [CP] Lecture: Enhancing PowerShell system to automatically pull edges


    o   (30 Minutes) [CP] Lab: Students importing all the edges into the PowerShell tool


    o   (30 Minutes) [CP] Lecture: Exporting the data into cypher language


    o   (30 Minutes) [CP] Lab: Students complete the export into their tools


    o   (30 Minutes) [CP] Lecture: How to query data within Neo4j


    o   (30 Minutes) [CP] Lab: Students go on easter egg hunt for malicious configurations


    ·        Module 4: Leveraging the Microsoft Azure AD Attack Framework


    o   (30 minutes) [AS] Lecture: MAAD-AF Overview 


    o   (15 minutes) [AS] Lecture: MAAD-AF Decoding (Design/Architecture)


    o   (15 minutes) [AS] Lecture: Using MAAD-AF 


    o   (45 minutes) [AS] Lab: Hands on with MAAD-AF 


    o   (15 minutes) [AS] Lecture: Designing an effective testing process


    o   (15 minutes) [AS] Lecture: Outcomes of Simple, Fast & Effective Security Testing


    ·        Module 5: Designing Hybrid Attack Scenarios with ./HAVOC


    o   (15 minutes) [TD] Lecture: ./HAVOC Overview


    o   (15 minutes) [TD] Lecture: ./HAVOC Architecture


    o   (15 minutes) [TD] Lecture: Review of Deployment Settings


    o   (45 minutes) [TD] Lab: Students Deploy ./HAVOC in Their AWS Account


    o   (15 minutes) [TD] Lecture: Introduction to Playbooks


    o   (15 minutes) [TD] Lecture: Custom MAAD-AF Playbook Walkthrough


    o   (30 minutes) [TD] Lab: Students Create a Custom MAAD-AF Playbook


    o   (30 minutes) [TD] Lab: Students Execute and Monitor Their Custom MAAD-AF Playbook


    ·        Module 6: Building Purple Team Capabilities for M365 Hybrid Environments & Wrap Up


    o   (30 minutes) [All] Lecture: Enabling security teams to be successful long term in M365


    o   (30 minutes) [All] Q&A: Experts’ opinions of the future of M365 attacks


    Trainer(s) bio:

    o   Aaron Turner is a multi-decade cybersecurity community leader. He helped found many of Microsoft’s security teams in the late 90’s and in 8 years there collaborated with the teams that developed threat models and attack tools to improve Microsoft’s products and services. He then worked at the US Government’s INL cyber research facility on critical infrastructure attack and defense strategies. He has trained over 15,000 cybersecurity professionals at SANS, IANS Research, RSA Conference and regional conference events over the past 30 years.

    o   Arpan Sarkar has expertise in threat hunting and security investigations, having consulted with several enterprise teams on building and developing their security and insider threat programs. Arpan is currently the Technical Marketing Engineer for Threat Hunting at Vectra.

    o   Connor Peoples brings a variety of background experiences to the table with development, architectural, and engineering expertise across multiple industries including healthcare, utilities, and retail. He focuses on creating custom fit solutions to unique problems and enjoys the challenge. 

    o   Tom D’Aquino is Director of Security Validation at Vectra AI. His experience developing, deploying, and supporting enterprise threat detection and response platforms spans more than 20 years. In addition to his role at Vectra, Tom is the founder and lead developer of ./HAVOC, an open source, cloud-native adversary emulation platform. He also produces and hosts the ./HAVOC podcast where he reviews cybersecurity research and open source cybersecurity tools.

    Trainer(s) social media links:

    ·        Aaron Turner
    o   https://www.linkedin.com/in/aaronrturner/ 

    ·        Arpan Sarkar
    o   https://www.linkedin.com/in/arpan-sarkar
    o   https://github.com/vectra-ai-research/MAAD-AF


    ·        Connor Peoples
    o   https://linkedin.com/in/connor-peoples
    o   https://twitter.com/nouselesstech


    ·        Tom D’Aquino
    o   https://github.com/havocsh
    o   https://linkedin.com/in/tomdaquino

    Technical difficulty:

    Intermediate

    ·        PowerShell
    ·        M365 Administration
    ·        Azure AD Administration
    ·        AWS Tenant Configuration
    ·        Nice to have but not required
    o   Experience with Terraform and Hashicorp Configuration Language

    Prerequisites:

    https://havoc.readme.io/docs 
    https://github.com/vectra-ai-research/MAAD-AF/blob/main/README.md
     
     
    Students should bring:

    ·        Laptop with PowerShell installed
    ·        Neo4j for Desktop installed
    ·        Access to a M365 Developer Sandbox (or other non-production tenant)
    ·        AWS Tenant with permissions to deploy workloads



    DATE: August 14th-15th 2023
    TIME: 8am to 5pm PDT
    VENUE: Caesars Forum, Las Vegas, NV
    TRAINER: Aaron Turner

    - 16 hours of training with a certificate of completion.

    - 2 coffee breaks are provided per day
    - Note: Food is not included

     

    Registration terms and conditions:

    Trainings are refundable before July 1st; the processing fee is $250.

    Trainings are non-refundable after July 10th, 2023.

    Training tickets may be transferred. Please email us for specifics.

    Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.

    By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.

    $1,250.00

    DEF CON Communications, Inc.

    1100 Bellevue way NE

    8A-85

    Bellevue, WA 98004
