3-DAY TRAINING 3 – In & Out: Network Data Exfiltration Techniques
DURATION: 3 DAYS
CAPACITY: 20 pax
SEATS AVAILABLE: 20
SGD2999 (early bird)
Early bird registration rate ends on the 31st of May
The In & Out – Network Data Exfiltration Techniques [RED edition] training class has been designed to present students modern, emerging tools and techniques available for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. Highly technical content and only a hands-on practical approach guarantees that the usage of this transferred knowledge & technologies in real production environments will be easy, smooth and repeatable.
This is a 3-day long, extended edition of training that has been previously delivered in Dubai and AMS. Extended time means more digging into the details, more lab scenarios and deeper look into the techniques and tools in use -> from database structure and internals, geo-distributed reverse proxy setup to low-level beacon/implant behavior modification and others like mod_security as C2 WAF protection or a DBX as a cloud channel for chained lateral movement actions.
As for the introduction we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seeing in the wild and map the findings directly to ATT&CK Framework, kill chain methodology and defense/offense in depth strategy. We will also learn through the importance of network baselining, memory forensics, automated malware analysis solutions. Then, we will focus on the real threat simulation tactics that are the key important aspect of this training.
We will deep dive into the individual network protocols, services and post exploitation techniques commonly in use by adversaries in corporate networks and discuss the security detection features. Using available set of tools, the student will play one by one with well prepared exfiltration, pivoting, tunneling and protocol anomalies use-cases to generate the true network symptoms of modern attacker behavior.
If you are looking to:
Learn ways to validate the effectiveness of SIEM solutions and SOC environments
Learn current trends, techniques, and tools for exfiltration and data stealing as well as opponent tactics and behaviors after accessing the network
Understand and run techniques of testing and bypassing DLP / IDS / IPS / FW / WAF systems
Understand values from an automated approach to simulating attackers
Run structured, verification techniques for IT security products and providers during PoC / PoV
Identify blind spots in your network security posture
then this training is for you!
Who Should Attend
Red and Blue team members
Security / Data Analytics
CIRT / Incident Response Specialists
Network Security Engineers
SOC members and SIEM Engineers
AI / Machine Learning Developers
Chief Security Officers and IT Security Directors
Key Learning Objectives
Learn how to bypass Linux and Windows local security restrictions and command line arguments detections by using obfuscation and Living Off The Land Binaries And Scripts
Generate and run different, encrypted types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding & proxying, change a transport on the fly and find what the network traffic artifacts of such actions are.
Manually generate suspicious network events from Python, ex. saturate a DHCP Server, establish a C2 connection by using QUIC, HTTP2, NTP, flood the network service, run a brute force attack, etc.
Simulate DNS DGA traffic, run a DNS tunnels and remote shells, exfiltrate and hide data transfer using DNS-over-HTTPS and explain how to gain the Internet connection on the plane or in the hotel for free through captive portal bypassing.
Use different HTTP techniques, headers and methods for stealing the data with combination of web application injection techniques (OOB) + walk through the world of web shells
Run, detect and understand a TLS/SSL-based anomalies and exfiltration methods
Run a cmd.exe and deliver compressed and encrypted, in-memory offensive Powershell scripts during a post-exploitation stage for leaking the data and bypassing AV / EDR / AMSI
Clone, armor and phish popular websites and use them for covert channel
Create CDN domain fronting setup and punch holes in the NAT
Achieve a big file ICMP packet dripping covert channel and monitor ICMP traffic
Cheat security platforms by running internal WMI, Websockets, WinRM or P2P covert channels
Hide a stolen data in binary file, WAV file, Image file or exfiltrate data from the air-gapped system using hops and bad USB
Configure the station to connect to anonymizers like external VPN, TOR, Open proxy and ‘ping’ to the IP/domains tagged on the globally recognized security feeds, rules or phishy lists
Use a popular cloud-based services for C2 communication and data stealing, ex. Pastebin, Twitter, AWS, Dropbox, etc.
Replay malicious PCAP files and in terms of network behaviour and analyze the malware samples using Cuckoo
Describe the syntax of signature-based rules works, how Suricata or Bro IDS can help you detect suspicious events and what are the differences between these two IDS engines
Understand values of automated attackers simulations
Run verification actions for IT security products and providers during PoC / PoV
And a combination of many more.
Through hands-on labs, this training delivers you a bigger picture of what you really need to care about when thinking initially or improving lately your SOC environment or Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or Machine-Learning and anomaly detection security solutions.
All the below training exercises are based on pure hands-on approach where student will run every single action or chained scenarios on his own in the dedicated virtual-lab network. This class will focus on x86/x64 architecture, IPv4/IPv6 networks and target Linux and Windows environments.
Log patterns for critical network services -> generating unseen network events -> log entries based on CVE-2018-15473, CVE-2016-2776, ns-slapd OOM killer DOS and more.
One-liners for bind / reverse shells.
Network hops chaining and hiding behind open proxies.
Tunneling traffic into internal networks.
Hiding and tunneling traffic to external hosts – Domain fronting / web categorization.
Obfuscation techniques for Linux, cmd. exe and Powershell.
Cool examples of LOLbins + GTFOs.
Bypassing and generating WAF alerts / Out-of-band SQL Injections and more.
Malware network patterns – dumping and analyzing malicious PCAP dumps, grabbing IOCs and diving into the sandbox environment.
The importance of egress filtering – getting outbound-filtering rules ready for your shellz!
Generating stageless and staged payloads in different formats + whitelist bypassing + armoring exe files + sandbox detection.
Network and OS artifacts for upgrading the shells and changing the transport on the fly.
Request throttling, behavior tunning and profile customization of beacon / shell connections.
Local network scanning from the pwned OS / browser through XSS.
Looping, port forwarding, pivoting and routing tricks through Meterpreter / Empire sessions.
Linux ELF in-memory code execution for generating network events.
Setup reverse proxy & valid TLS / SSL certificates for your C2.
Desktop and camera capturing live.
Powershell file compression / encryption for stolen data.
Data exfiltration and tunneling over ICMP.
Handy tcpdump / Wireshark tips and tricks during malware investigation.
DLP validation through data exfiltration using multiple network channels at once.
C2 hidden channels over the clouds.
Probing for valid DNS RR, DNS security checks, DNS anomalies, exfiltration, tunneling and port forwarding.
Customizing your own instance of dnscat2.
Using emerging network protocols for data leak testing: QUIC, HTTP2, DoH.
DGA generators and network traffic artifacts.
NTLM Multi-relaying and command execution + BadPDF.
Socat tips and tricks.
Playing with LDAP as C2 and payload delivery channel.
Simulated, automated browser exploitation
Ship your Empire and Metasploit with Docker +
Using post-exploitation modules for lateral movements: smbexec, pth, wmiexec
Auditing and exfiltrating data against layer 7 inspection rules on NG-firewalls.
HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies, QUIC, HTTP2, WebDAV, WebSockets
A combo of text-based steganography and hiding in images.
Overview of automated, ready to use detection tests based on MITRE’s ATT&CK.