
SEC565: Red Team Operations and Adversary Emulation

    36 CPEs

    Develop and improve Red Team operations for security controls in SEC565 through adversary emulation, cyber threat intelligence, Red Team tradecraft, and engagement planning. Learn how to execute consistent and repeatable Red Team engagements that are focused on the effectiveness of the people, processes, and technology used to defend environments.

    Course Authors:
    • Barrett Darnell, Certified Instructor
    • Jean-François Maes, Certified Instructor

    What You Will Learn

    Penetration testing is effective at enumerating vulnerabilities, but less effective at addressing the personnel and processes on the defensive side. This can leave Blue Teams or defenders without sufficient knowledge of how to use offensive input to improve, in turn leaving organizations stuck in a cyclical process of focusing only on vulnerabilities in systems rather than on maturing defenders so that they can effectively detect and respond to attacks.

    In SEC565, students will learn how to plan and execute end-to-end Red Teaming engagements that leverage adversary emulation, including the skills to organize a Red Team, consume threat intelligence to map against adversary tactics, techniques, and procedures (TTPs), emulate those TTPs, report and analyze the results of the Red Team engagement, and ultimately improve the overall security posture of the organization. As part of the course, students will perform an adversary emulation against a target organization modeled on an enterprise environment, including Active Directory, intelligence-rich emails, file servers, and endpoints running in Windows and Linux.

    SEC565 features six intensive course sections. We will start by consuming cyber threat intelligence to identify and document an adversary that has the intent, opportunity, and capability to attack the target organization. Using this strong threat intelligence and proper planning, students will follow the Unified Kill Chain and multiple TTPs mapped to MITRE® ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge) during execution. During three course sections, students will be immersed in deeply technical Red Team tradecraft ranging from establishing resilient and advanced attack infrastructure to abusing Active Directory. After gaining initial access, students will thoroughly analyze each system, pilfer technical data and target intelligence, and then move laterally, escalating privileges, laying down persistence, and collecting and exfiltrating critically impactful sensitive data. The course concludes with an exercise analyzing the Blue Team response, reporting, remediation planning, and retesting.

    In SEC565, you will learn how to show the value that Red Teaming and adversary emulations bring to an organization. The main job of a Red Team is to make a Blue Team better. Offense informs defense and defense informs offense. SEC565 develops Red Team operators capable of planning and executing consistent and repeatable engagements that are focused on training and on measuring the effectiveness of the people, processes, and technology used to defend environments.

    You Will Be Able To:

    • Consume threat intelligence and plan a Red Team engagement
    • Set up the required infrastructure to have a successful operation taking into account operational security
    • Create weaponization that will allow you to infiltrate an organization
    • Enumerate and extract valuable data required to achieve your objectives using automated tooling, but also manually, if required
    • Move laterally and persist in a corporate network
    • Elevate privileges using a variety of attack vectors and misconfigurations that you will now be able to identify
    • Report your findings in a meaningful way to bring maximum value to your client

    You Will Learn How To:

    • Use threat intelligence to study adversaries for emulation
    • Build an adversary emulation plan
    • Map actions to MITRE® ATT&CK™ to aid in communicating with the Blue Team
    • Establish resilient, advanced C2 infrastructure
    • Maintain operational security throughout an engagement
    • Leverage initial access to elevate and propagate through a network
    • Enumerate and attack Active Directory
    • Collect and exfiltrate sensitive data in a safe manner
    • Close an engagement, deliver value, and plan for retesting

    Syllabus (36 CPEs)

    • Overview

      During the first section of the course, we will present a common language to discuss adversary tactics and techniques. We will discuss the purpose of the Red Team and highlight the various frameworks and methodologies around this topic. Two critical steps before a successful adversary emulation are to conduct threat intelligence and to plan for the engagement. The section closes by looking at the first few actions during the Red Team engagement.

      Exercises
      • Environment Orientation
      • Deep Dive into MITRE® ATT&CK™
      • Consuming Threat Intelligence
      • Red Team Planning
      Topics
      • Adversary Emulation
      • Ethical Hacking Maturity Model
      • Frameworks and Methodologies
      • Understanding Adversaries
      • Unified Kill Chain
      • MITRE® ATT&CK™
      • Threat Intelligence
      • Threat Report ATT&CK™ Mapping (TRAM)
      • ATT&CK™ Navigator
      • End-To-End Testing Model
      • Assumed Breach
      • Execution Phase
      • Building a Red Team - Skill Development
      • Reconnaissance
      • Open-Source Intelligence (OSINT)
      • Password Attacks
      • Social Engineering
      • Attacks Against MFA - evilginx2
    • Overview

      The second section of the course will introduce various Red Team tools and command-and-control frameworks, both of which rely on a well-maintained attack infrastructure. We will spend most of the section discussing the important aspects of a resilient attack infrastructure and how the Red Team can create a bit of distance from defenders by utilizing redirectors. Another key aspect of protecting the attack infrastructure that will be discussed is implementing monitoring and operational security.

      Exercises
      • Setting Up C2 Frameworks
      • Setting Up Redirectors
      • VECTR
      • Covenant
      • PowerShell Empire
      Topics
      • Red Team Tools
      • Command and Control (C2)
      • C2 Comparison
      • Listeners and Communication Channels
      • Advanced Infrastructure
      • Redirectors
      • Third-Party Hosting
      • Comparison of Self-Hosted vs. Third-Party
      • Operational Security
      • Understand IoCs
      • Introduction to VECTR
      • Covenant
    • Overview

      In the third section of the course, we will prepare our malicious payloads through weaponization. We will discuss various methods of delivery in order to achieve that initial access into the target network. After surveying the initial host and surrounding network, we will stealthily propagate through the network in a cycle of discovery, privilege escalation, credential access, and persistence.

      Exercises
      • Creating and Testing Payloads
      • Test Bypasses
      • Initial Access
      • Discovery and Privilege Escalation
      • Persistence
      Topics
      • Weaponization
      • Custom Executables
      • Blending In
      • Execution Guardrails
      • Initial Access
      • Network Propagation
      • Discovery
      • Operational Security
      • Deception Technology
      • Local Network Enumeration
      • Local Privilege Escalation
      • Password Cracking
      • Persistence
    • Overview

      The fourth course section dives deep into Microsoft Active Directory (AD), learning and practicing the tactics, techniques, and procedures used to attack and enumerate it. We will use various tools to enumerate, escalate, and pivot through these enterprise networks, including Domain and Forest Trusts, and identify how we can move between them.

      Exercises
      • Domain Enumeration
      • Privilege Hunting and Token Impersonation
      • AD Attack Tools
      • BloodHound
      • AD Lateral Movement
      • Forest Lateral Movement
      Topics
      • Introduction to Active Directory
      • Trees and Forests
      • Authentication, Authorization, Access Tokens
      • AD Enumeration
      • DNS Extraction
      • Domain Privilege Escalation
      • Access Token Manipulation
      • Pass-The-Hash, Pass-The-Ticket
      • Kerberoasting
      • Silver Ticket, Golden Ticket, Skeleton Key
      • AD Certificate Services
      • Unconstrained and Constrained Delegation
      • Coerced Authentication Using PrinterBug and PetitPotam
      • Hopping the Trust
      • LLMNR/NBNS/WPAD
      • BloodHound/SharpHound
      • AD Explorer
      • SMB Pipes, Remote Desktop Protocol, PsExec, Windows Management Instrumentation, DCOM
      • SMB Relay
      • LLMNR/NBT-NS Poisoning and Relay
      • Responder
      • Setting Up Shadow Credentials
      • Domain Privilege Abuse
      • DC Sync
      • Domain Lateral Movement, Domain Trust Attacks
      • Pivoting Between Domains and Forests
      • Forest Enumeration, Forest Attacks
    • Overview

      In section five, we will use our newly gained access to discover critical and sensitive information stored in the environment. We will collect and exfiltrate this data and demonstrate the impact of the Red Team's actions. After the active testing period, the Red Team must analyze the engagement, deliver reporting, and plan for retesting. The section will close with preparations for the immersive Red Team Capture-the-Flag exercise in the final course section.

      Exercises
      • Database Attacks
      • Action on Objectives
      • VECTR
      • SCYTHE
      Topics
      • Action on Objectives
      • Database Attacks
      • SQL Abuse
      • Trust Abuse
      • PowerUpSQL
      • Target Manipulation
      • Collection
      • Data Staging
      • Exfiltration
      • Impact
      • Emulating Ransomware
      • Engagement Closure
      • Analysis and Response
      • Red Team Reveal
      • Measuring People and Processes
      • Retesting
      • Remediation and Action Plan
      • Breach and Attack Simulation
      • APTSimulator
      • Network Flight Simulator
      • Atomic Red Team
      • MITRE® CALDERA
      • SCYTHE
    • Overview

      In section six, we will conduct a Red Team engagement in a threat-representative range depicting a Windows Active Directory enterprise network. Students will each have their own environment consisting of three domains. This story-driven environment provides ample opportunity for each student to exercise many of the skills learned throughout the course. The environment is seasoned with rich user stories, target intelligence, and user activity. We will target Windows servers, workstations, and databases along with Active Directory infrastructure. We will also attack Linux servers and databases, leveraging these systems to maneuver through the segmented network.

      Exercises
      • Red Team engagement against Windows Active Directory enterprise network
      Topics
      • Adversary Emulation
      • Reconnaissance
      • Initial Access
      • Persistence and Privilege Escalation
      • Credential Access
      • Discovery
      • Lateral Movement
      • Collection
      • Command and Control
      • Exfiltration
      • Impact
      • Closure

    Prerequisites

    The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid foundation upon which to build Red Team concepts.

    Many of the Red Team concepts taught in this course are suitable for anyone in the security community. Both technical staff as well as management personnel will be able to gain a deeper understanding of Red Team exercises and adversary emulations.

    Laptop Requirements

    Important! Bring your own system configured according to these instructions!

    A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

    It is critical that you back up your system before class. It is also strongly advised that you not bring a system storing any sensitive data.

    CPU

    64-bit Intel i5/i7 2.0+ GHz processor

    CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.

    Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + I to open Settings, then click System, then About. Your processor information will be listed near the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click About this Mac.

    BIOS

    • Enabled Intel-VT
    • Intel's VT (VT-x) hardware virtualization technology must be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS to enable this setting in order to complete the lab exercises. If your BIOS is password-protected, you must have the password. This is absolutely required.

    RAM

    • 16 GB RAM is highly recommended for the best experience. To verify on Windows 10, press Windows key + I to open Settings, then click System, then About. Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click About this Mac.

    Hard Drive Free Space

    • 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

    Operating System

    • Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

    Additional Software Requirements

    VMware Player Install

    • VMware Workstation Player 16, VMware Fusion 12, or VMware Workstation 16
    • Install VMware Player 16, VMware Fusion 12, or VMware Workstation 16. Older versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.

    If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

    Author Statement

    "Organizations are maturing their security testing programs to include Red Team engagements and adversary emulations. These engagements provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and improve detection and prevention controls. This course will teach you how to plan Red Team engagements, leverage threat intelligence to map against adversary tactics, techniques, and procedures, build a Red Team program and plan, execute a Red Team engagement with a strong emphasis on operational security and tradecraft, and report and analyze the results. Direct application of the lessons in this course will give Red Team operators the skills necessary to improve the overall security posture of an organization."

    - Barrett Darnell

    "With this course we provide students with a blueprint they can use to set up a realistic Red Team operation against a client environment. Students will be able to consume threat intelligence, formulate a plan of attack, execute it, and ultimately create a debrief package that will provide maximum value for their organization. This course truly brings together a wide variety of knowledge and aims to equip the students with state-of-the-art tradecraft, keeping up to date with the latest and greatest TTPs. No other course brings together such a wide variety of knowledge of all things Red Team."

    - Jean-François Maes

    No scheduled events for this course.

    Who Should Attend SEC565?

    • Security professionals interested in expanding their knowledge of Red Team engagements in order to understand how they are different from other types of security testing
    • Penetration testers and Red Team members looking to better understand their craft
    • Blue Team members, defenders, and forensic specialists looking to better understand how Red Team engagements can improve their ability to defend by better understanding offensive methodologies, tools, tactics, techniques, and procedures
    • Auditors who need to build deeper technical skills and/or meet regulatory requirements
    • Information security managers who need to incorporate or participate in high-value Red Team engagements

    • © 2022 SANS™ Institute