Anthony Rose - Empire Operations: Tactics (Lazarus) $1,800
Name of training: 
Empire Operations: Tactics (Lazarus)
Trainer bio:

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Anthony "Coin" Rose, CISSP, is a Lead Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, HackMiami, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work revealing widespread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Trainer social media links:
@bcsecurity

Full description of the training:

Empire Operations: Tactics (Lazarus) is an intermediate-level course designed to immerse students in the Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) utilized by the notorious Lazarus Group, using the Empire framework. This practical course offers a deep dive into the group's infamous campaigns, including the global WannaCry ransomware attack and the SWIFT banking system breach. Participants will gain hands-on experience in crafting and emulating complex cyber-attacks, focusing particularly on ransomware deployment strategies. The course emphasizes mastering Empire's components, enabling attendees to execute comprehensive red team operations. Participants will apply their knowledge in a simulated environment, testing the Lazarus Group TTPs against a range of scenarios based on a carefully designed emulation plan. This approach ensures a thorough understanding of both offensive and defensive aspects of modern cybersecurity challenges.



Short description of what the student will know how to do, after completing the class:
- Advanced Persistent Threat (APT) Tactics: Understanding the strategies and methodologies used by high-level threat actors, particularly the Lazarus Group.
- Cyber-Attack Emulation: Hands-on experience in replicating complex cyber-attacks using the Empire framework, focusing on ransomware deployment strategies.
- Red Team Operations: Developing skills to perform comprehensive red team operations, including crafting and deploying offensive security measures.
- Use of Empire Framework: Mastery over the Empire framework's components, enabling the execution of sophisticated cyber-attacks.


Outline of the class:


1. Introduction
    a. Instructor Introductions
    b. Course Objectives and Expectations
    c. Overview of Lazarus Group and Empire Framework
2. Background
    a. Baseline Knowledge
    b. Red vs. Blue Teams
    c. What are APTs?
    d. Walkthrough of Red's Killchain
    e. What is a C2?
    f. C2 Theory
3. Lazarus Group
    a. In-depth Analysis of WannaCry Ransomware Attack
    b. Study of the SWIFT Banking System Breach
    c. Other Notable Campaigns and their Techniques
4. Empire Framework
    a. Creating Listeners and Stagers
    b. Deploying and Managing Agents
    c. Exercise: Agent Deployment
5. Initial Access Techniques
    a. Techniques for Gaining Initial Access
    b. Analyzing Lazarus Group's Initial Access Strategies
    c. Exercise: Simulating an Initial Access Attack using Empire
6. Simulated Ransomware Deployment
    a. Overview of Ransomware Tactics
    b. Case Study: Lazarus Group's Ransomware Attacks
    c. Exercise: Creating and Deploying a Simulated Ransomware Attack
7. Privilege Escalation Tactics
    a. Understanding Privilege Escalation
    b. Techniques Used by the Lazarus Group
    c. Exercise: Executing a Privilege Escalation Scenario
8. Lateral Movement Strategies
    a. Lateral Movement Concepts
    b. Lazarus Group’s Lateral Movement Techniques
    c. Exercise: Implementing Lateral Movement in a Network Simulation
9. Advanced Empire Techniques
    a. Advanced Listeners and Stagers
    b. Customizing Agents for Specific Tasks
    c. Exercise: Custom Agent Deployment and Command Execution
10. Emulating Lazarus Group's TTPs
    a. Scenario Introduction and Setup
    b. Simulating a Complex Lazarus Group Attack
    c. Exercise: Full-Scale Emulation of a Lazarus Group Campaign
11. Course Conclusion and Debrief
    a. Key Takeaways
    b. Feedback and Course Evaluation

Technical difficulty of the class (Beginner, Intermediate, Advanced):
Intermediate

Suggested prerequisites for the class:
Basic understanding of Empire or another C2 framework is preferred

Items students will need to provide:


- Laptop with 8GB of RAM
- Modern Web Browser (Chrome, Firefox, etc.)

DATE: August 12th-13th, 2024

TIME: 8am to 5pm PDT

VENUE: Sahara Las Vegas

TRAINER: Anthony Rose

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before September 16th; the processing fee is $250.

Trainings are non-refundable after September 26th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.