Skip to main content
Empire Operations: Tactics (Turla) $1,800 (Early $1,600)
Empire Operations: Tactics (Turla) $1,800 (Early $1,600)

Empire Operations: Tactics (Turla) $1,800 (Early $1,600)


Empire Operations: Tactics (Turla)


Empire Operations: Tactics is an intermediate-level course series that focuses on executing Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) using Empire. This practical, hands-on course dives into Turla's 2020 campaign, providing an in-depth analysis of their strategy to deploy backdoors and siphon off sensitive documents from high-profile targets in a cyber-espionage operation and steal sensitive documents in a targeted cyber-espionage campaign against high-profile targets. Students will learn to execute specially crafted emulation plans to gain initial access using a Microsoft Office Remote Code Execution (RCE) Vulnerability - Follina (CVE-2022-30190), Reflectively Load DLLs, and Dropbox C2 Communications. Students will learn the basics of IronNetInjector, Turla’s .NET injector built-in IronPython, and deploy Empire’s ultra-modern IronPython agent for emulation. Finally, attendees will master the individual components of Empire and apply them to executing a red team operation. The Turla TTPs learned throughout the course will be tested on a comprehensive range using a provided emulation plan.

Trainer(s) bio:

Anthony "Coin" Rose, CISSP, is a Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work, revealing wide-spread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at

Kevin Clark is a Security Consultant with TrustedSec and Red Team Instructor with BC Security. His previous work includes Penetration Testing and Red Team Operator, focusing on initial access and active directory exploitation. Kevin contributes to open-source tools such as PowerShell Empire and publishes custom security toolkits such as Badrats and WindowsBinaryReplacements. Kevin authors a cybersecurity blog at

Trainer(s) social media links: : @BCSecurity1 : @GuhnooPlusLinux

Detailed Outline:

- Introduction
- Background
   - Red vs. Blue Teams
   - What is an APT?
Turla (Venomous Bear)
- C2 Theory
   - C2 Frameworks
   - C2 Threat Emulation
   - Empire
   - REST APIs
Turla (Venomous Bear)
   - European Government Spearphishing Campaign
   - Epic Turla and Uroburos Malware Campaign
   - Gazer Backdoor Campaign
   - Neuron and Nautilus Implant Campaigns
   - SolarWinds Attack
   - Exercise 1 - Turla Quiz
- Empire Basics
   - Listeners
   - HTTP Listener
   - HTTP Hop
   - Stagers
   - Exercise 2: Agent Deployment
   - Multi-Launcher
   - Shellcode
   - Empire Agents
   - Modules
   - Exercise 3: Module Execution
- Attack Infrastructure
   - Multi-Layer Infrastructure
   - C2 Communication Channels
   - Building Attack Infrastructure
   - Turla's Attack Infrastructure
   - Exercise 4: Dropbox C2
- Malicious Macros
   - Macro Staging
   - Payload Delivery Servers
   - Exercise 5: Embedding Malicious Macros
   - Follina (CVE-2022-30190)
   - Exercise 6: Demonstrating Follina RCE
- .NET Overview
   - .NET Framework
   - Common Language Runtime
   - Dynamic Language Runtime
   - Reflection
   - Bring Your Own Interpreter
   - IronPython
   - IronNetInjector
   - Exercise 7: Exploitation with IronPython Agent
- Lateral Movement
   - PsExec
   - Exercise 8: Building PsExec by hand
   - Remote Desktop Protocol (RDP)
   - DCOM
   - Exercise 9: Invoke-EXCEL4DCOM
- Capture the Flag
- Conclusion and Wrap Up

Technical difficulty:



A basic understanding of Empire or another C2 framework is preferred.

What will be provided:

- 30-day access to the course labs on ImmersiveLabs
- Course Swag and Coin

What students should bring:

- Laptop with 8GB of RAM
- Modern Web Browser (Chrome, Firefox, etc)

DATE: November 1st-2nd 2023
TIME: 8am to 5pm PDT
VENUE: Meydenbauer Center, Bellevue, WA
TRAINER: Anthony Rose, Kevin Clark, Jake Krasnov

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before September 16th, the processing fee is $250.

Trainings are non-refundable after September 26th, 2023.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.