Course taken 11 May 2020 - 14 May 2020
I think the information security community is pretty much in agreement that if you'd like to know anything, you are likely a "google" away. From adversary tactics to detections to courses, I feel like infosec professionals do an excellent job of documenting and sharing their experiences and knowledge. I've benefited from many course reviews and I'd like to return the favor to at least someone else.
With that said, I thought I'd provide my review of the SpecterOps Red Team Operator Course. To explore their latest course offerings, you can check out their page.
I was looking forward to this course for a couple of months. I think it's safe to say that the contribution the SpecterOps team provides to the infosec community is admirable and appreciated. From their adversary tradecraft education to their strategic defensive outlook, their security professionals are amongst the best in the open source community. I say this because I like to keep in mind the reality that there are some extremely talented individuals within government entities that go unheard of. My background is heavy on the defensive side. I've been wanting to take this course to maintain my understanding of adversary tactics so I can better defend against and detect adversaries. I did not find the course "hard" so to speak. It's delivered at a great pace and with plenty of help and resources. Blue teamers, do not be intimidated by the bleeding red of this course. You will learn tons and they won't "leave you hanging".
This review will be split into five parts:
- Prior to the course
- Day 1
- Day 2
- Day 3
- Day 4
Prior to the course
I included this within the review solely for those individuals that get a little bit of "test anxiety". I was contacted by the SpecterOps team 6 days prior to the course starting. This initial email contained some general instructions and covered logistics. You are able to perform "function checks" prior to starting the course. Due to the COVID-19 pandemic, the entire course was virtual. You were allowed to test your Zoom setup prior to starting the course. Additionally, they recommend some resources, including Cobalt Strike familiarization. I spent the Saturday before the course watching the videos and learning the basics to get the most out of the course. Since this post is written after the fact, I have to say watching those videos did pay off.
Day 1
Most week-long courses I've attended pretty much flood you with information. I imagined the first day would be the same. Luckily for us (the students), they actually went at a pretty decent pace. The first couple of hours were spent getting network connectivity and discussing overall red team operations. Since I've been primarily a defender in my career, this was a great refresher on the terminology and confirmed some of my assumptions as a blue teamer. They explained their methodology, went over offensive infrastructure recommendations, and shared real-world anecdotes. Once a baseline was established in the class and network connectivity was completed, we discussed what occurs in an "assumed breach" engagement. Situational awareness, PowerShell/C# weaponization, and privilege escalation were the topics explored after lunch. I would have liked to see some "demos" for the topics the instructors were discussing, but I understand the time constraints. There are a lot of essentials to cover, and stopping for demos would not be sustainable. Additionally, during this time our team began "hacking away" at the problem set. We had "lab breaks" in between PowerPoint sessions. This is where it paid off to watch Raphael Mudge's Cobalt Strike series the weekend before the course started. I'll take this time now to list all the "student infrastructure" available to us since day one. These tools enabled us, the students, to collaborate.
- Chatting platform for your team and the class (private/public channels)
- Collaborative Note Taking software (google docs like)
- HTML5 access to our virtual machines
- A wiki with walkthroughs, content, and resources
- Virtual breakout rooms. I really liked this because instructors would "pop in" to our team room and discuss with us. Gave us the opportunity to work through our problem sets as a team AND leverage the instructors in a private forum since the class was not in person.
- Capture the Flag platform
Without any spoilers, at the end of day 1, our team had some decent footholds, maybe some creds, maybe some hashes, etc. We definitely covered some ground and banged our heads against the keyboard. Solid day 1.
Day 2
This day started with something I am a little bit familiar with...#ThreatHunting. They covered their hunt methodology, detection engineering strategies, data collection, and host/network analysis. This part of the course was clearly my comfort zone. Though this is my "strength", I certainly learned plenty and enjoyed their approach. Threat hunting from an "assumed breach" mentality is what I mostly focused on during my time with the US DoD. I enjoyed that their focus was based on soft and hard indicators. These indicators are basically the difference between signature-based versus behavior-based detections. "Try to beat the adversary to their end goal" - Brandon Scullion. After our threat hunting overview, we dove into credential abuse. Here is where I drowned, died, and came back to life after 5PM. Mimikatz madness, LSASS abuse (OPSEC considerations), DCSync, Windows credential management (way over my head & I confirmed harmj0y is a wizard), token types, impersonation levels, pass-the-hash misconceptions, and credential abuse detection. Though a lot was over my head, I understood the tactics and implications. It's just a matter of researching on my own and possibly writing a blog post on the tactics to understand them from the lowest level. After credential abuse, we took a look at basic Active Directory knowledge. This section was pretty simple if you have standard AD knowledge. Next we discussed payloads and lateral movement. This late into the course, detection and prevention efforts by the instructors began to kick in. Some of our beacons were getting caught and our feelings were hurt. Overall, Day 2 was pretty fun. The content was great and the lab was getting better and better. Day 2 #Get-Hyped
Day 3
By the start of Day 3, my team had too many beacons to count (terrible OPSEC). Additionally, we had gained DA in multiple domains and had exercised tons of tactics. By day 3, I was already sad about not having access to this lab after the class. To no surprise, they did awesome work with the lab. We began the day with some defensive dashboards and discussions. Personally speaking, they need to do this twice a day! I found it very beneficial to get a feel for some of their detections, their logic, and how they visualize the data. Obviously, I am a defender full-time, so I am a bit biased. After some defender insights, we discussed the following topics: OPSEC considerations, domain trusts, Kerberos, golden tickets, silver tickets, SQL abuse, and detections. I really liked how every topic came packed with use cases and current tactics from the instructors. Though the class leveraged Cobalt Strike, I was glad they explained OPSEC considerations based on the "tactic" and "behaviors" rather than the tool. The Kerberos discussions were a good refresher as well. I've personally been following the "kerberoasting" game for a couple of months now. I find Kerberos attacks pretty fascinating. The Kerberos coverage was pretty fun to listen to and explore in the labs. On SQL abuse, Lastly, as with any topic, we discussed basic detections for the attacks discussed. Pretty cool Day 3!
Day 4
Last day! We began the day with the blue teamers hurting some feelings. They went over other dashboards and their detection logic. After our debrief, we got down to business. Day 4 focused on the following topics: BloodHound mania, DPAPI (dee-pahpi), Kerberos delegation, and lab debrief (sad times). They explained their methodology and strategy for using BloodHound. TL;DR: As a defender, I would agree that SharpHound.exe -c all isn't very OPSEC. On the DPAPI section.. AWESOME stuff. It will really put things into perspective, and I enjoyed their operational advice on the topic. I had zero knowledge of DPAPI prior to this course. Now I have enough understanding to follow some of the detailed blog posts. After DPAPI, we dove into Kerberos delegation. This was quite a ride. Unconstrained, constrained, and resource-based = three ways to abuse. I surprised myself that I was able to pick up most of the material. Kerberos is very complicated, but after months and months of reading these posts, it was a good feeling to understand this part of the lecture. It was tons of fun! Loved the detailed approach and hearing about these tactics from the folks that understand them and perform them the best. It was nice to get a "dummied down" version of this amazing blog post. Lastly, the SpecterOps guys went over the labs and did a defensive debrief on what they detected. I really enjoyed this section simply because it was the primary reason I took the course. Since I am mostly a defender, I find it extremely valuable to know adversary tactics from a hands-on standpoint. Tying the two together just really "hones in" my knowledge on the topic and why they're important to the security of a customer's infrastructure. Day 4 complete. Course complete. Learned a lot.
It was a great course. For the price, I do believe it is worth it. I've attended other training that was nearly twice as much that wasn't as valuable to me. If you're looking to get into red teaming, I do believe this is a solid course to accomplish that. If you're a seasoned red teamer, I do believe this will "sharpen" your skills and answer many questions about how things work under the hood. Message to my fellow defenders: This course is great for us. Knowing how adversaries think and practicing some of their tactics can drive your hypotheses, data collection, and detection engineering to be more effective and realistic. Additionally, it will reiterate why it's so important for us to know how our defensive tools detect certain tactics. Do you know what visibility gaps your tools present?
Below is a quick shoutout to one of the teams that wanted to challenge themselves while having some fun doing what we do.. #infosec. I realize that this image will likely only make sense to those that attended the course. Can you guess what Cerberus is and why there are turtles on the screen? xD
Thank you to anyone that read this far. Let me know if you have any questions on the BloodHound Slack channel.