The In & Out – Network Data Exfiltration Techniques [RED-edition] training class has been designed to present to students the modern and emerging tools and techniques available for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. Highly technical content and a purely hands-on, practical approach guarantee that applying the transferred knowledge and technologies in real production environments will be easy, smooth and repeatable.
As an introduction we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seen in the wild and map the findings directly to the ATT&CK Framework, kill chain methodology and defense/offense in depth strategy. We will also learn about the importance of network baselining, memory forensics, automated malware analysis solutions and finally the real threat simulation tactics that are the key aspects of this training.
Next, we will deep dive into the individual network protocols, services and post-exploitation techniques commonly used by adversaries in corporate networks and discuss the security detection features. Using the available set of tools, the student will work one by one through well-prepared exfiltration, pivoting and tunneling use cases to generate the true network symptoms of modern attacker behavior.
Who Should Attend
- Red and Blue team members
- Security/Data Analysts
- CIRT/Incident Response Specialists
- Network Security Engineers
- SOC members and SIEM Engineers
- AI/Machine Learning Developers
- Chief Security Officers and IT Security Directors
Key Learning Objectives
- Learn how to bypass Linux and Windows local security restrictions and command-line argument detection by using obfuscation and Living Off The Land Binaries And Scripts
- Generate and run different encrypted types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding & proxying, change the transport on the fly and find out what the network traffic artifacts of such actions are.
- Manually generate suspicious network events from Python, e.g. saturate a DHCP server, establish a C2 connection using QUIC, HTTP2 or NTP, flood a network service, run a brute force attack, etc.
- Simulate DNS DGA traffic, run DNS tunnels and remote shells, exfiltrate and hide data transfers using DNS-over-HTTPS and explain how free Internet access on a plane or in a hotel is obtained through captive portal bypassing.
- Use different HTTP techniques, headers and methods for stealing data in combination with web application injection techniques (OOB) + walk through the world of web shells
- Run, detect and understand TLS/SSL-based anomalies and exfiltration methods
- Run cmd.exe and deliver compressed and encrypted, in-memory offensive PowerShell scripts during the post-exploitation stage for leaking data and bypassing AV/EDR/AMSI
- Clone, armor and phish popular websites and use them as a covert channel
- Create a CDN domain fronting setup and punch holes in the NAT
- Build an ICMP packet-dripping covert channel for large files and monitor ICMP traffic
- Fool security platforms by running internal WMI, WebSockets, WinRM or P2P covert channels
- Hide stolen data in a binary file, WAV file or image file, or exfiltrate data from an air-gapped system using hops and a bad USB
- Configure the station to connect to anonymizers like an external VPN, TOR or an open proxy and 'ping' the IPs/domains tagged on globally recognized security feeds, rules or phishing lists
- Use popular cloud-based services for C2 communication and data stealing, e.g. Pastebin, Twitter, AWS, Dropbox, etc.
- Replay malicious PCAP files, study them in terms of network behaviour and analyze malware samples using Cuckoo
- Describe how the syntax of signature-based rules works, how Suricata or Bro IDS can help you detect suspicious events and what the differences between these two IDS engines are
- Understand the value of automated attacker simulations
- Run verification actions for IT security products and providers during PoC/PoV
- And combinations of many more.
Through hands-on exfiltration labs, this training gives you a bigger picture of what you really need to care about when initially building or later improving your SOC environment or Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or Machine-Learning and anomaly detection security solutions.
The whole training described above is based on a purely hands-on laboratory in which each student runs every single action or chained scenario on their own in a dedicated virtual-lab network. This class focuses on x86/x64 architecture, IPv4/IPv6 networks and targets Linux and Windows environments.
In terms of IDS/IPS/Data Leakage Protection, and for a better understanding of the current status of your network security posture, the training experience will help you understand risks and identify network security blind spots and unexpected, uncovered spaces by simulating real, offensive cyber adversary network behavior. Become confident that your SOC/network security really works!
I guarantee that your overall Linux, Windows and "feeling the network security" skills will also increase significantly.
Prerequisites
- An intermediate level of command line syntax experience using Linux and Windows
- Fundamental knowledge of TCP/IP network protocols
- Penetration testing experience performing enumeration, exploitation and lateral movement is beneficial, but not required
- Basic programming skills are a plus, but not essential
- At least 20GB of free disk space
- At least 8GB of RAM
- Students should have the latest VirtualBox installed on their machine
- Full admin access on your laptop
Agenda Day 1 & 2
a. ATT&CK Framework.
b. TTP, Kill chain & Defense and Offense in depth.
c. The importance of:
- Network traffic baseline profiling
- Memory forensics
- Real threat simulations != penetration tests
- Data sources and log correlation
2. Modern RAT implementations and popular APT/C2 malware communication design – real use cases based on the malware zoo:
a. The review of the latest APT campaigns
b. Multi-Staging and Network Link chaining
c. Data Hiding/obfuscation
d. Transfer/protocol customization
e. Timing channels/scheduled jobs/packet dripping
3. TCP/UDP bind and reverse shells:
a. Meterpreter + Veil Framework + Shellter + Sharpshooter:
- Generating staged/stageless exotic payloads
- PowerShell & cmd.exe obfuscation
- Auditing and bypassing firewalls
- Routing, relaying, pivoting & port forwarding
b. CLI tips & tricks:
- /dev/tcp & /dev/udp
- PHP/Perl/Python/Ruby/JSP/ASP/LUA/awk shellz
c. TCP/UDP raw socket tunnels.
d. Generate your own network shellcode & analyze the Exploit-db Shellcode Archive.
4. General bypassing, exfiltration, tunneling, pivoting, proxying and C2 techniques:
- Authoritative vs recursive
- CDN theory & domain fronting
- Fast-flux domains
- Dictionary and random characters DGA
- DNS proxy, DNS over HTTPS, DNS over TLS
- DNS Rebinding and other DNS anomalies
c. HTTP/S & web application exploitation techniques combo:
- HTTP methods/headers/cookies/redirects/error codes
- Chunked Transfer Encoding
- Website cloning and armoring
- WebDAV and Websockets C2
- Certificate exfiltration & TLS/SSL anomalies
- *Injections + exfiltration (OOB)
- HTTP anomalies
d. AD/LDAP/RDP covert channels and Offensive Powershell Frameworks:
- Golden/Silver Ticket/Kerberoasting
- NTLM relaying and redirects
- UNC paths
e. Storage protocols: FTP/TFTP/SMB/NFS/iSCSI
g. Forward/Reverse/SOCKS Proxy
i. VPN/TOR/Open Proxy
m. + chaining of the above and many more.
5. Cloud-based exfiltration techniques and C2 channels.
6. Just a Browser Exfiltration:
a. Local network scanning and hidden network enumeration through XSS
b. Audio/video exfil
7. Hopping out of air-gapped networks: how to create your own Bad USB using an RPi.
8. Signature-based event analytics, rule bypassing & malicious network traffic generation:
a. Suricata ET/VRT rules vs attacker: the syntax of the rules
b. Bro IDS log “features” for deep low-level network baselining and “weird” findings
c. Threat Intelligence feeds, lists and 3rd party APIs:
- IP reputation lists
- Malware/Phishing feeds
- C2/Open Proxy lists/TOR exit-nodes
- Censys/VT/Passive Total/Shodan
9. Adversary simulation detection tests and automated platforms based on MITRE’s ATT&CK:
a. Atomic Red Team
b. APT simulator
c. Dumpster Fire
i. and many more
10. Summary - recommended defensive/protection tactics, tools, and commercial platforms.
Leszek Mis, Founder, Defensive Security
Leszek Mis is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in the Cyber Security and Open Source Security Solutions market. He went through the full path of infosec career positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to finally become an IT Security Architect / SOC Security Analyst with a deep, non-vendor focus on Network Security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments, and a thorough understanding of the technology and business value of delivering a structured, automated adversary simulation platform.
Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.
Author of many IT Security training courses:
- Open Source Defensive Security - The Trinity of Tactics for Defenders
- In & Out - Network Data Exfiltration Techniques [RED EDITION]
- In & Out - Detection of Network Data Exfiltration Techniques [BLUE EDITION]
- System Internals – Network, OS and Memory Forensics
- SELinux - Development & Administration of Mandatory Access Control Policy
- Advanced RHEL/CentOS Defensive Security & Hardening
- ModSecurity - Development and Management of Web Application Firewall rules
- FreeIPA - Identity Management for Linux Domain Environments & Trusts
Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.
His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out “what da **ck” the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.
Still learning hard every single day.
Venue to be announced shortly.