Empire Operations: Tactics (Turla)

Description:

Empire Operations: Tactics is an intermediate-level course series that focuses on executing Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) using Empire. This practical, hands-on course dives into Turla's 2020 campaign, providing an in-depth analysis of their strategy to deploy backdoors and siphon off sensitive documents from high-profile targets in a cyber-espionage operation and steal sensitive documents in a targeted cyber-espionage campaign against high-profile targets. Students will learn to execute specially crafted emulation plans to gain initial access using a Microsoft Office Remote Code Execution (RCE) Vulnerability - Follina (CVE-2022-30190), Reflectively Load DLLs, and Dropbox C2 Communications. Students will learn the basics of IronNetInjector, Turla’s .NET injector built-in IronPython, and deploy Empire’s ultra-modern IronPython agent for emulation. Finally, attendees will master the individual components of Empire and apply them to executing a red team operation. The Turla TTPs learned throughout the course will be tested on a comprehensive range using a provided emulation plan.

Trainer(s) bio:

Anthony "Coin" Rose, CISSP, is a Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work, revealing wide-spread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Kevin Clark is a Security Consultant with TrustedSec and Red Team Instructor with BC Security. His previous work includes Penetration Testing and Red Team Operator, focusing on initial access and active directory exploitation. Kevin contributes to open-source tools such as PowerShell Empire and publishes custom security toolkits such as Badrats and WindowsBinaryReplacements. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog.

Trainer(s) social media links:

https://www.bc-security.org/blog/.

https://twitter.com/BCSecurity1 : @BCSecurity1

https://twitter.com/_Hubbl3 : @_Hubbl3

https://twitter.com/Cx01N_ : @Cx01N_

https://twitter.com/GuhnooPlusLinux : @GuhnooPlusLinux

Detailed Outline:

Technical difficulty:

Intermediate

Prerequisites:

A basic understanding of Empire or another C2 framework is preferred.

What will be provided:

What students should bring:

- Laptop with 8GB of RAM
- Modern Web Browser (Chrome, Firefox, etc)