DEF CON Training
Anthony Rose, Kevin Clark & Jake Krasnov - Empire Operations Tactics (APT28)
Anthony "Coin" Rose, CISSP, is a Lead Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, HackMiami, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work revealing widespread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
Kevin Clark is a Security Consultant with TrustedSec and Red Team Instructor with BC Security. His previous work includes Penetration Testing and Red Team Operator, focusing on initial access and active directory exploitation. Kevin contributes to open-source tools such as PowerShell Empire and publishes custom security toolkits such as Badrats and WindowsBinaryReplacements. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog.
Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell, and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
Empire Operations: Tactics (APT28) is an intermediate-level course that focuses on executing Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) using Empire. In this hands-on course, students will evaluate the 2021-2022 exploitation campaign from Fancy Bear (APT 28) using MSHTML RCE (CVE-2021-40444) in macro-enabled docs, OneDrive C2 communications, and C# payloads. Next, attendees will learn the individual components of Empire and how to apply them to execute a red team operation. Key topics that will be taught are building C2 infrastructure, deploying customized payloads in C# and PowerShell, and creating tailored scripts for engagements. Finally, the Empire TTPs learned throughout the course will be tested on a comprehensive range using an emulation plan provided on APT 28.
· Introduction and Background
· Fancy Bear (APT 28)
· Empire Basics
· Attack Infrastructure
· Malicious Macros
· C# and DLL Exploitation
· Privilege Escalation
· Lateral Movement
· Student Topics
2. Introduction and Background
a. Baseline Knowledge
b. Red vs Blue teams
c. What are APTs?
d. Walkthrough of Red's Killchain
e. What is a C2?
f. C2 Theory
3. Fancy Bear (APT 28)
a. Breakdown of APT28's attacks using CVE-2021-40444, OneDrive, and Empire
b. Exercise 1: Quiz on TTPs used by APT28 during their 2021-2022 campaign.
4. Empire Basics
d. Exercise 2: Students will deploy an agent using the HTTP launcher. This simple exercise verifies that students have working infrastructure and gives them hands-on activity early in the class.
i. Task Manager
ii. Process Injection
h. Exercise 3: Agent Deployment using HTTP, Multi-launcher, Process Injection, and Privilege Escalation
5. Attack Infrastructure
a. Building Attack infrastructure
b. OneDrive as a C2 channel
c. Exercise 4: Configuration and walkthrough exercise creating a OneDrive listener with a stager and testing a payload.
6. Malicious Macros
a. What are malicious macros?
b. Introduction to VBA
c. Empire Macro Stager
d. Exercise 5: Build a macro stager and deploy it on the test box.
e. MSHTML RCE (CVE-2021-40444)
f. Exercise 6: Walkthrough exercise adapting CVE-2021-40444 to Empire and using it as a modified macro stager.
7. C# Stagers and DLLs
a. Overview of .NET
b. C# Agent and Stagers
c. Reflective PE Injection and Reflective Pick
d. Exercise 7: Walkthrough exercise going over Reflective Pick and how to adapt it for a modern Windows environment.
8. Privilege Escalation
a. Credential harvesting using Mimikatz
b. User Access Control Bypasses
c. Token manipulation
d. Exercise 8: Privilege escalation exercises where students will be provided with a box on which they have low-level privileges and need to escalate to a high-integrity process.
9. Lateral Movement
a. PowerShell Remoting
b. SMB exploitation
c. Pass the hash
d. Exercise 9: Students will use one of the lateral movement techniques discussed in the class to test their abilities.
10. Exfiltration
a. Exfiltration across the C2 channel (download commands)
b. Github exfiltration
c. OneDrive exfiltration
11. Student Topic
a. We have implemented a student topic section in all of our courses, and it has received very positive feedback. Students may propose any topic to the instructors; we research it between Day 1 and Day 2 and come back to discuss it with the class.
12. Capstone Exercise
a. Exercise 10: Use the tools and TTPs built throughout the course to execute against the APT28 emulation plan that we provide. Students will exploit the range to gain access and set up OneDrive C2 using Empire. Then they will move through the boxes to collect flags and exfiltrate information. Students who successfully capture the flags and exfiltrate the objective using the APT28 emulation plan will successfully complete the course.
13. Debrief
a. One of the most important aspects of any red team engagement is the debrief process.
b. Exercise 11: We will perform a debrief with the class and have everyone share how they executed the engagement, what flags they found, and how they exfiltrated the objective.
14. Conclusion / Wrap up
a. End of Course Feedback
Technical difficulty of the class:
Intermediate – Basic understanding of Empire or another C2 framework is preferred.
Suggested prerequisites for the class:
We recommend that students check out the following resources to give them a basic understanding of Empire and APT 28.
APT 28: https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html
Empire Quick Start: https://bc-security.gitbook.io/empire-wiki/quickstart
Empire YouTube Quick Start: https://www.youtube.com/playlist?list=PLiD01litCIcK0W1Z2WDvCfh_GCWIL2B_e
Items students will need to provide:
· Laptop with 8GB of RAM
· Virtualization Software (VMware, VirtualBox, etc.)
· Up-to-date Kali Linux Virtual Machine
· Modern Web Browser (Chrome, Firefox, etc.)
· Microsoft Office (any version) or OpenOffice
DATE: April 13th-14th 2023
TIME: 8am to 5pm PDT
VENUE: Meydenbauer Center Bellevue, WA
TRAINER: Anthony Rose, Kevin Clark, Jake Krasnov
- 16 hours of training with a certificate of completion.
- Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early.
- 2 coffee breaks are provided per day.
- Note: Food is not included.
Registration terms and conditions:
Trainings are refundable before March 1st; the processing fee is $250.
Trainings are non-refundable after March 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.