
DEF CON Training
Anthony Rose, Kevin Clark & Jake Krasnov - Empire Operations Tactics (APT28) $1,800
Training Description:
Empire Operations: Tactics (APT28) is an intermediate-level course that focuses on executing Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) using Empire. In this hands-on course, students will evaluate the 2021-2022 exploitation campaign from Fancy Bear (APT28) using MSHTML RCE (CVE-2021-40444) in macro-enabled docs, OneDrive C2 communications, and C# payloads. Next, attendees will learn the individual components of Empire and how to apply them to execute a red team operation. Key topics that will be taught are building C2 infrastructure, deploying customized payloads in C# and PowerShell, and creating tailored scripts for engagements. Finally, the Empire TTPs learned throughout the course will be tested on a comprehensive range using an emulation plan provided on APT 28.
Course Overview:
Day 1
- Introduction, Background, & C2 Theory
- Fancy Bear (APT 28)
- Empire Basics
- Attack Infrastructure
- Malicious Macros & CVE-2021-40444
Day 2
- .NET Tradecraft
- C# and DLL Exploitation
- Privilege Escalation, Lateral Movement, & Exfiltration
- Student Topics
- Debrief
- Conclusion
Student Skill Level:
Intermediate – Basic understanding of Empire or another C2 framework is preferred.
Students Will Be Provided With:
- 30-day access to the course labs on ImmersiveLabs
- Course Swag and Coin
What should students bring to the Training?:
- Laptop with 8GB of RAM
- Virtualization Software (VMware, VirtualBox, etc)
- Up-to-date Kali Linux Virtual Machine
- Modern Web Browser (Chrome, Firefox, etc)
- Microsoft Office (any version) or OpenOffice
Bios:
Anthony "Coin" Rose, CISSP, is a Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work, revealing wide-spread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
Social Media: @ Cx01N_, @BCSecurity1
Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
Social Media: @ _Hubbl3, @BCSecurity1
Kevin Clark is a Security Consultant with TrustedSec and Red Team Instructor with BC Security. His previous work includes Penetration Testing and Red Team Operator, focusing on initial access and active directory exploitation. Kevin contributes to open-source tools such as PowerShell Empire and publishes custom security toolkits such as Badrats and WindowsBinaryReplacements. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog.
Social Media: @GuhnooPlusLinux
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Anthony Rose, Kevin Clark, Jake Krasnov
- 16 hours of training with a certificate of completion
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st, the processing fee is $250.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004