Abstract

DURATION: 2 DAYS
CAPACITY: 20 pax
SEATS AVAILABLE: CLASS IS FULL

USD2299 (early bird)
USD3299 (normal)
Early bird registration rate ends on the 30th of September

Overview

The In&Out Network Exfiltration Techniques training class has been designed to present to students the modern and emerging tools and techniques available for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. Highly technical content and a purely hands-on practical approach guarantee that applying the transferred knowledge and technologies in real production environments will be easy, smooth and repeatable.
As an introduction, we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seen in the wild and map the findings directly to the ATT&CK Framework, the kill chain methodology and the defense-in-depth strategy. We will also briefly go through (with live examples, of course!) the importance of network baselining, memory forensics, automated malware analysis systems and finally the real threat simulation tactics, which are the key aspects of this training.
Next, we will deep-dive into the individual network protocols, services and techniques commonly used by adversaries in corporate networks and discuss their characteristic security detection features. Using the available set of tools (more than 50 different tools and frameworks; check the Keywords section list below), the student will work one by one through well-prepared exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of modern attacker behavior.

Who Should Attend

●  Red and Blue team members
●  Security / Data Analytics
●  CIRT / Incident Response Specialists
●  Network Security Engineers
●  SOC members and SIEM Engineers
●  AI / Machine Learning Developers
●  Chief Security Officers and IT Security Directors

Key Learning Objectives

●  run different types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding & proxying, and learn what the network traffic artifacts of such actions are
●  manually generate single malicious packets, e.g. to saturate a DHCP server using Python, flood a network service from C code or start a brute-force attack using hydra or medusa
●  generate your own malicious payloads and raw TCP/UDP custom encrypted traffic channels undetectable by security products
●  simulate DNS DGA traffic, run DNS TXT tunnels and remote shells, exfiltrate data using DNS MX, and learn how to get an Internet connection on a plane or in a hotel for free!
●  clone, armor and phish popular websites
●  achieve a big-file ICMP packet-dripping covert channel and monitor ICMP traffic
●  use different HTTP headers and methods for stealing data, also in combination with web application injection techniques, and walk through the world of webshells
●  detect and understand TLS/SSL-based anomalies and exfiltration techniques
●  run PowerShell scripts in the post-exploitation stage for leaking data and bypassing AV/EDR
●  cheat security platforms by running internal WMI, WebSockets, VoIP or P2P covert channels
●  hide stolen data in a binary file, WAV file or image file, or exfiltrate data from an air-gapped system using hops
●  configure the station to connect to anonymizers such as an external VPN, TOR or an open proxy, and 'ping' the IPs/domains tagged on globally recognized security feeds, rules or phishing lists
●  use popular cloud-based services for C2 communication and data stealing, e.g. Pastebin, Twitter and many more
●  replay malicious PCAP files in terms of network behaviour and analyze malware samples using Cuckoo
●  understand how the syntax of signature-based rules works, how Suricata or Bro IDS can help you detect adversary tactics, and what the differences between these two IDS engines are
●  and a combination of many, many more.
Through hands-on lab exfiltration, this training gives you a bigger picture of what you really need to care about when initially designing or later improving your SOC environment, your Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or your machine-learning and anomaly-detection security solutions.
All of the above training content is based on a pure hands-on laboratory in which the student runs every single action or chained scenario on their own in a dedicated virtual-lab network. This class focuses on the x86/x64 architecture, IPv4/IPv6 networks and Linux and Windows target environments.

In terms of IDS/IPS/Data Leakage Protection, and for a better understanding of the current status of your network security posture, the training experience will help you understand risks and identify network security blind spots and unexpected, uncovered spaces by simulating real, offensive cyber-adversary network behavior. Become confident that your network security really works!

Prerequisite Knowledge

●  An intermediate level of command line syntax experience using Linux and Windows
●  Fundamental knowledge of TCP/IP network protocols
●  Penetration testing experience performing enumeration, exploitation and lateral movement is beneficial, but not required
●  Basic programming skills are a plus, but not essential

Hardware / Software Requirements

●  At least 20GB of free disk space
●  At least 8GB of RAM
●  Students should have the latest VirtualBox installed on their machine
●  Full Admin access on your laptop

Agenda

1. Introduction:
   a. ATT&CK Framework API.
   b. Caldera.
   c. MAEC.
   d. Kill chain & Defense in depth.
   e. The importance of:
      i. network traffic baseline profiling
      ii. memory forensics
      iii. real threat simulations != penetration tests
      iv. log correlation

2. Modern RATs' implementation and popular APT & C2 malware communication design (real use cases):
   a. The review of the latest APT campaigns
   b. Multi-staging
   c. Network link chaining
   d. Hiding
   e. Data obfuscation
   f. Transfer/protocol limits
   g. Timing channels / scheduled jobs / packet dripping

3. TCP/UDP bind and reverse shells:
   a. Meterpreter + Veil Framework:
      i. bypassing payloads
      ii. common and exotic ports
      iii. routing, pivoting & port forwarding
   b. CLI:
      i. netcat/nc/telnet/socat/curl/wget/xxd/rsync
      ii. /dev/tcp
      iii. PTY
      iv. PHP / Perl / Python / Ruby / Java / ASP shells
   c. TCP/UDP raw socket tunnels
   d. Generate your own network shellcode & analyze the Exploit-DB shellcode archive

4. General bypassing, exfiltration, tunneling, pivoting and proxying techniques:
   a. ICMP
   b. DNS:
      i. Authoritative vs recursive
      ii. CDN theory
      iii. Fast-flux domains
      iv. Dictionary and random-character DGA
      v. DNS proxy
      vi. DNS anomalies
   c. HTTP/S & web application exploitation techniques combo:
      i. tips & tricks:
         ●  HTTP 404
         ●  HTTP headers:
            1. ETag
            2. Cookies
            3. User-Agent
            4. Accept
            5. If-None-Match
         ●  GET/POST
         ●  Website cloning and armoring
         ●  Certificate exfiltration & TLS/SSL anomalies
         ●  *Injections + exfiltration
         ●  HTTP redirects
         ●  Webshells
         ●  HTTP anomalies
   d. WebSockets
   e. WMI / PS-remote
   f. Proxy / SOCKS
   g. SSH/SFTP/SCP
   h. FTP / TFTP
   i. SMB / NFS
   j. RDP
   k. Anonymizers:
      i. VPN
      ii. TOR
      iii. Open proxy
   l. POP3 / SMTP / IMAP
   m. VoIP
   n. P2P
   o. IRC
   p. IPv6
   q. chaining of the above, and many more.

5. Cloud-based exfiltration and C2 channels:
   a. Twitter
   b. Pastebin
   c. GitHub
   d. Slack
   e. YouTube
   f. Gmail / Google Docs
   g. AWS / Google Cloud
   h. Skype
   i. Dropbox
   j. SoundCloud
   k. Tumblr

6. Windows & PowerShell exfiltration tools.

7. Just a browser exfiltration:
   a. audio/video exfil
   b. keylogging

8. Hopping from air-gapped networks.

9. USB attacks and network exfiltration combo.

10. The art of data hiding → steganography examples:
   a. Binary
   b. WAV
   c. Image
   d. VoIP
   e. Routing protocol
   f. Screen

11. Signature-based event analytics, rule bypassing & malicious network traffic generation:
   a. Suricata ET / VRT rules vs attacker → the syntax rules of the rules
   b. Bro IDS log "features" for deep low-level network baselining
   c. Threat Intelligence feeds, lists and 3rd-party APIs:
      i. IP reputation lists
      ii. Malware feeds
      iii. Phishing feeds
      iv. C2 lists
      v. Open proxy lists
      vi. Tor exit nodes
      vii. Censys / VT / PassiveTotal
      viii. Shodan
   d. Replaying and analysing malicious PCAP files.

12. Adversary simulation moves, actions, tools & automated platforms:
   a. In&Out Simulated Network Exfiltration Platform
   b. APT simulator
   c. Dumpster Fire
   d. Firebolt
   e. Flightsim
   f. Armoring:
      i. Nmap NSE scripts
      ii. MiTM/Spoofing/TCP flooding
      iii. Port knocking
   g. Brute force
   h. DHCP starvation
   i. Info disclosure on SMB/CIFS shares

13. Summary → recommended defensive/protection tactics, tools and platforms.