FutureSec, LLC
Course Overview

Enterprise Attack: Initial Access

Enterprises have been working tirelessly to improve their security postures through defense-in-depth approaches. Offensive teams have also been diligently researching ways to bypass the toughest defenses. Long gone, hopefully, are the days of tossing an HTA payload laced with a PowerShell download cradle at an organization with a “Free iPad” ruse and watching the computer screen fill with incoming agents.

An offense-in-depth approach suits offensive practitioners seeking success against organizations well-versed in defending a large enterprise. Today’s organizations have assets across multiple geographic regions, networks, cloud services, and border hosts, many of which are tied to the internal network in some way.

This course aims to help offensive practitioners exercise their clients’ environments successfully using a multi-faceted approach that blends the latest TTPs with esoteric practices to gain the upper hand on offensive assessments.

Course Overview

This exciting course focuses on using the latest offensive attack methodology against an enterprise spanning cloud and on-premise targets with an Azure-centric focus.

Beginning from an unprivileged external adversary, students will use cutting-edge techniques to gain access via cloud services and phishing.

Students will learn various password spraying techniques to access target services while attempting to avoid detection.

Students will build infrastructure to host various payloads using unique services to bypass common proxy configurations and network restrictions.

Students will also utilize Command and Control frameworks and payloads for compromising target hosts with both common and obscure communications channels for implants.

Students will simulate gaining entry to an enterprise through various ingress channels using novel techniques.

Students will use Elastic EDR to test their offensive payloads against endpoint detection.

Skill level for students

The course is a beginner-to-intermediate level course designed to introduce new topics and techniques to offensive security newcomers and professionals alike. The course is structured to walk students through the different phases of an attack against an enterprise with a hybrid cloud and on-premises environment. The labs are simple in design and are created for students to reproduce in the environment they build during the course.

Expectations:

  • Familiarity with basic command operation from a terminal interface or command line.
  • Familiarity with using a Linux or Windows environment.
  • Familiarity with using a virtual machine environment.
  • A strong desire to learn exciting and unique offensive TTPs.

Prerequisites

It is suggested to complete the setup 48 hours prior to the first day of class as some components may take up to 24 hours to enable.

Required:

  • Computer capable of running 1 or 2 Windows VMs.
  • Subscription to Azure (free subscriptions will work and may be available from Microsoft).
  • Elastic 14-day trial (free; no credit card required).
  • Free edg.io account.
  • Amazon AWS account (optional, for IP rotation).
    • Credit card and personal information required to sign up.
    • Used for Amazon API Gateway.

Communications

  • In-course communications use the course channels in the Antisyphon Discord.

Day 1

🏔️ Introduction & Course Overview
This module covers the course overview and an introduction to the learning objectives.

🧪 The Labs
This module covers the lab environment overview and requirements. Students host their own labs throughout the course, which allows them to recreate the scenarios after the course ends.

🛣️ Infrastructure
This module covers an overview of various offensive infrastructure implementations and how to build them.

🥸 Recon
Students will learn to enumerate details about a target organization and the key objectives when performing recon. Microsoft 365 will be the target of choice for enumerating details about hybrid or cloud-based enterprises.

Day 2

🚿 Password Spraying
Students will use various methods for spraying passwords against target services while attempting to avoid detection. Students will see first-hand how the different methods affect the sign-in logs that may tip off defenders, and how to manipulate traffic to blend in or poison those logs.

🐞 Command and Control
Students will learn how to strategically design infrastructure tailored to the target enterprise. Students may bring their own C2 or follow along with the open source Mythic project used in the course. This module also covers how to set up Azure C2 redirection and how to harden C2.

🤖 Payload Generation
The “How do I bypass X product?” question is arguably the most frequently posed question in infosec Discord channels. There is no one bypass to rule them all. Students learn to use a combination of open source tools and custom code compilations to create effective payloads that can also auto-deploy persistence. Students see first-hand the role EDR plays and which detections may need to be avoided.

Day 3

🪱 Payload Delivery
With several code execution payloads prepared and ready for deployment, students will learn to host them on reputable domain services and even proxy payloads directly from their own VM into the target’s internal network.

🧪 Setup Elastic EDR Agent
Students will install an EDR agent on their Windows VM for testing.

Day 4

🎣 Phishing
Students will set up infrastructure and templates for phishing campaigns. Students will learn how to abuse the target enterprise’s own email protections against it. With minimal effort, students will be spoofing emails and payloads into the target enterprise. This module also focuses heavily on phishing with Microsoft Device Codes: students will learn how legitimate Microsoft.com websites can be used to harvest sessions and maintain persistence in the target’s cloud environment.

☁️ Using Microsoft 365
Students will use Azure and Microsoft 365 attack scenarios to abuse access to Microsoft 365 for profit.

🧹 Course Cleanup
