SEC565: Red Team Operations and Adversary Emulation™

GIAC Red Team Professional (GRTP)
GIAC Red Team Professional (GRTP)
  • In Person (6 days)
  • Online
36 CPEs
Develop and improve Red Team operations for security controls in SEC565 through adversary emulation, cyber threat intelligence, Red Team tradecraft, and engagement planning. Learn how to execute consistent and repeatable Red Team engagements that are focused on the effectiveness of the people, processes, and technology used to defend environments.

What You Will Learn

Penetration testing is effective at enumerating vulnerabilities, but less effective in addressing personnel and processes on the defense side. This can leave Blue Teams or defenders without sufficient knowledge of what offensive input to improve, in turn leaving organizations stuck in a cyclical process of just focusing on vulnerabilities in systems rather than on maturing defenders to effectively detect and respond to attacks.

In SEC565, students will learn how to plan and execute end-to-end Red Teaming engagements that leverage adversary emulation, including the skills to organize a Red Team, consume threat intelligence to map against adversary tactics, techniques, and procedures (TTPs), emulate those TTPs, report and analyze the results of the Red Team engagement, and ultimately improve the overall security posture of the organization. As part of the course, students will perform an adversary emulation against a target organization modeled on an enterprise environment, including Active Directory, intelligence-rich emails, file servers, and endpoints running in Windows.

SEC565 features six intensive course sections. We will start by consuming cyber threat intelligence to identify and document an adversary that has the intent, opportunity, and capability to attack the target organization. Using this strong threat intelligence and proper planning, students will follow the Unified Kill Chain and multiple TTPs mapped to MITRE® ATT&CK™(Adversarial Tactics, Techniques, and Common Knowledge) during execution. During three course sections, students will be immersed in deeply technical Red Team tradecraft ranging from establishing resilient and advanced attack infrastructure to abusing Active Directory. After gaining initial access, students will thoroughly analyze each system, pilfer technical data and target intelligence, and then move laterally, escalating privileges, laying down persistence, and collecting and exfiltrating critically impactful sensitive data. The course concludes with an exercise analyzing the Blue Team response, reporting, and remediation planning and retesting.

In SEC565, you will learn how to show the value that Red Teaming and adversary emulations bring to an organization. The main job of a Red Team is to make a Blue Team better. Offense informs defense and defense informs offense. SEC565 develops Red Team operators capable of planning and executing consistent and repeatable engagements that are focused on training and on measuring the effectiveness of the people, processes, and technology used to defend environments.

You Will Be Able To:

  • Consume threat intelligence and plan a Red Team engagement
  • Set up the required infrastructure to have a successful operation taking into account operational security
  • Create weaponization that will allow you to infiltrate an organization
  • Enumerate and extract valuable data required to achieve your objectives using automated tooling, but also manually, if required
  • Move laterally and persist in a corporate network
  • Elevate privileges using a variety of attack vectors and misconfigurations that you will now be able to identify
  • Report your findings in a meaningful way to bring maximum value to your client

You Will Learn How To:

  • Use threat intelligence to study adversaries for emulation
  • Build an adversary emulation plan
  • Map actions to MITRE® ATT&CK™ to aid in communicating with the Blue Team
  • Establish resilient, advanced C2 infrastructure
  • Maintain operational security throughout an engagement
  • Leverage initial access to elevate and propagate through a network
  • Enumerate and attack Active Directory
  • Collect and exfiltrate sensitive data in a safe manner
  • Close an engagement, deliver value, and plan for retesting

Syllabus (36 CPEs)

Download PDF
  • Overview

    During the first section of the course, we will present a common language to discuss adversary tactics and techniques. We will discuss the purpose of the Red Team and highlight the various frameworks and methodologies around this topic. Two critical steps before a successful adversary emulation are to conduct threat intelligence and to plan for the engagement. The section closes by looking at the first few actions during the Red Team engagement.

    Exercises
    • Environment Orientation
    • Deep Dive into MITRE® ATT&CK™
    • Consuming Threat Intelligence
    • Red Team Planning
    Topics
    • Adversary Emulation
    • Ethical Hacking Maturity Model
    • Frameworks and Methodologies
    • Understanding Adversaries
    • Unified Kill Chain
    • MITRE® ATT&CK™
    • Threat Intelligence
    • Threat Report ATT&CK™ Mapping (TRAM)
    • ATT&CK™ Navigator
    • End-To-End Testing Model
    • Assumed Breach
    • Execution Phase
    • Building a Red Team - Skill Development
    • Reconnaissance
    • Open-Source Intelligence (OSINT)
    • Password Attacks
    • Social Engineering
    • Attacks Against MFA - evilnginx2
  • Overview

    The second section of the course will introduce various Red Team tools and command-and-control frameworks, both of which rely on a well-maintained attack infrastructure. We will spend most of the section discussing the important aspects of a resilient attack infrastructure and how the Red Team can create a bit of distance from defenders by utilizing redirectors. Another key aspect of protecting the attack infrastructure that will be discussed is implementing monitoring and operational security.

    Exercises
    • Setting Up C2 Frameworks
    • Setting Up Redirectors
    • VECTR
    • Cobalt Strike
    • Covenant
    • Empire C2

    Topics
    • Red Team Tools
    • Command and Control (C2)
    • C2 Comparison
    • Listeners and Communication Channels
    • Advanced Infrastructure
    • Redirectors
    • Third-Party Hosting
    • Comparison of Self-Hosted vs. Third-Party
    • Operational Security
    • Understand IoCs
    • Introduction to VECTR
    • Covenant
    • Cobalt Strike
  • Overview

    In the third section of the course, we will prepare our malicious payloads through weaponization. We will discuss various methods of delivery in order to achieve that initial access into the target network. After surveying the initial host and surrounding network, we will stealthily propagate through the network in a cycle of discovery, privilege escalation, credential access, and persistence.

    Exercises
    • Creating and Testing Payloads
    • Test Bypasses
    • Initial Access
    • Discovery and Privilege Escalation
    • Persistence
    • AMSI Bypass
    Topics
    • Weaponization
    • Custom Executables
    • Blending In
    • Execution Guardrails
    • Initial Access
    • Network Propagation
    • Discovery
    • Operational Security
    • Deception Technology
    • Local Network Enumeration
    • Local Privilege Escalation
    • Password Cracking
    • Persistence
    • Defense Evasion - Static vs Dynamic Analysis
    • AMSI Bypass internals
  • Overview

    The fourth course section dives deep into Microsoft Active Directory (AD), learning and practicing the tactics, techniques, and procedures used to attack and enumerate it. We will use various tools to enumerate, escalate, and pivot through these enterprise networks, including Domain and Forest Trusts, and identify how we can move between them.

    Exercises
    • Domain Enumeration
    • Privilege Hunting and Token Impersonation
    • AD Attack Tools
    • Bloodhound
    • AD Lateral Movement
    • Forest Lateral Movement
    Topics
    • Introduction to Active Directory
    • Trees and Forests
    • Authentication, Authorization, Access Tokens
    • AD Enumerate
    • DNS Extraction
    • Domain Privilege Escalation
    • Access Token Manipulation
    • Pass-The-Hash, Pass-The-Ticket
    • Kerberoasting
    • Silver Ticket, Golden Ticket, Skeleton Key
    • AD Certificate Services
    • Unconstrained and Constrained Delegation
    • Coerced Authentication Using PrinterBug and PetitPotam
    • Hopping the Trust
    • Bloodhound/SharpHound
    • AD Explorer
    • SMB Pipes, Remote Desktop Protocol, PsExec, Windows Management Instrumentation, dcom
    • SMB Relay
    • Responder
    • Setting Up Shadow Credentials
    • Domain Privilege Abuse
    • DC Sync
    • Domain Lateral Movement, Domain Trust Attacks
    • Pivoting Between Domains and Forests
    • Forest Enumeration, Forest Attacks
  • Overview

    In section five, we will use our newly exploited access to discover critical and sensitive information stored in the environment. We will collect and exfiltrate these data and demonstrate the impact of the Red Teams actions. After the active testing period, the Red Team must analyze the engagement, deliver reporting, and plan for retesting. The section will close with preparations for the immersive Red Team Capture-the-Flag Exercise in the final course section.

    Exercises
    • Database Attacks
    • Action on Objectives
    • VECTR
    Topics
    • Action on Objectives
    • Database Attacks
    • SQL Abuse
    • Trust Abuse
    • PowerupSQL
    • Target Manipulation
    • Collection
    • Data Staging
    • Exfiltration
    • Impact
    • Emulating Ransomware
    • Engagement Closure
    • Analysis and Response
    • Red Team Reveal
    • Measuring People and Processes
    • Retesting
    • Remediation and Action Plan
    • Breach and Attack Simulation
    • APTSimulator
    • Network Flight Simulator
    • Atomic Red Team
    • MITRE® CALDERA
  • Overview

    In section six, we will conduct a Red Team engagement in a threat representative range depicting a Windows Active Directory enterprise network. Students will each have their own environment consisting of three domains. This story driven environment provides ample opportunity for each student to exercise many of the skills learned throughout the course. The environment is seasoned with rich user stories, target intelligence, and user activity. We will target Windows servers, workstations, and databases along with Active Directory infrastructure. We will also attack Linux servers and databases leveraging the systems maneuver through the segmented network.

    Exercises
    • Red Team engagement against Windows Active Directory enterprise network
    Topics
    • Adversary Emulation
    • Reconnaissance
    • Initial Access
    • Persistence and Privilege Escalation
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
    • Closure

GIAC Red Team Professional

The GIAC Red Team Professional certification validates an individual’s ability to conduct end-to-end Red Team engagements. GRTP certification holders have demonstrated knowledge of building an adversary emulation plan, establishing an C2 infrastructure, and emulating adversary tactics, techniques, and procedures (TTPs) to assist in improving overall security.

  • Building an adversary emulation plan using gathered threat intelligence
  • Creating a comprehensive attack infrastructure
  • Performing target reconnaissance
  • Gaining initial access
  • Network and Active Directory enumeration
  • Propagate throughout the network
  • Active Directory attacks
  • Bypassing common defense mechanisms
  • Collect and exfiltrate sensitive data
  • Producing an engagement report
  • Presenting Red Team actions to key personnel
  • Performing retesting and replaying of Red Team activities
More Certification Details

Prerequisites

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid foundation upon which to build Red Team concepts.

Suggested experience:

  • Experience penetration testing or administering Active Directory environments
  • Experience penetration testing Windows
  • Usage of Windows as a standard user and administrator
  • Experience with Linux for offensive purposes

Many of the Red Team concepts taught in this course are suitable for anyone in the security community. Both technical staff as well as management personnel will be able to gain a deeper understanding of Red Team exercises and adversary emulations.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC565 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY SEC565 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

"With this course we provide students with a blueprint they can use to set up a realistic Red Team operation against a client environment. Students will be able to consume threat intelligence, formulate a plan of attack, execute it, and ultimately create a debrief package that will provide maximum value for their organization. This course truly brings together a wide variety of knowledge and aims to equip the students with state-of-the-art tradecraft, keeping up to date with the latest and greatest TTPs. No other course brings together such a wide variety of knowledge of all things Red Team."

- Jean-François Maes

Reviews

Course content is great. Very informative and up-to-date attack vectors.
Hunter Vaughan
Northrop Grumman
The course content is absolutely amazing. Even if you already have some knowledge on the topic, there is still a wealth of information that will further enhance your understanding and solidify your procedures!
Kemmner Lankfurd
NetPlas Neckarsulm
The labs are fantastic, and they are fun to work through!
Eric Brown
Deutsche Bank
I studied for the OSCP. The course content and approach was OK, but this was next level. My mind was blown and I learned so much more. Simply excellent.
Kar Lankfurd
BeyondTrust

    Register for SEC565

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...