
Tradecraft – Red Team Operations Course and Notes

October 18, 2013

A few days ago, I posted the YouTube playlist on Twitter and it’s made a few rounds. That’s great. This blog post properly introduces the course along with a few notes and references for each segment.

Tradecraft is a new nine-part course that provides the background and skills needed to execute a targeted attack as an external actor with Cobalt Strike. I published this course to help you get the most out of the tools I develop.

If you’d like to jump into the course, it’s on YouTube:

Here are a few notes to explore each topic in the course with more depth.

1. Introduction

The first part of Tradecraft introduces the course, the Metasploit Framework, and Cobalt Strike. If you already know Armitage or the Metasploit Framework, you don’t need to watch this segment. The goal of this segment is to provide the basic background and vocabulary that Metasploit Framework novices need to follow this course.

To learn more about the Metasploit Framework:

Cobalt Strike:

Targeted Attacks and Advanced Persistent Threat:

  • Read Intelligence-Driven Computer Network Defense from Lockheed Martin. The process in this course maps well to the “systematic process to target and engage an adversary” presented in this paper. If you need to exercise controls that detect, deny, disrupt, degrade, or deceive an adversary–I know a product that can help 🙂
  • Watch Michael Daly’s 2009 USENIX talk, The Advanced Persistent Threat. This talk pre-dates the marketing bonanza over APT actors and their work. This is a common sense discussion of the topic without an agenda. Even though it’s from 2009, the material is spot on.
  • Watch Kevin Mandia’s 2014 RSA talk, State of the Hack: One Year After the APT1 Report. This is a 20 minute summary of the APT1 report published by Mandiant in February 2013.

Advanced Persistent Threat Campaigns

These actors managed to compromise thousands of hosts and steal data from them for years, without detection. Cobalt Strike’s aim is to augment the Metasploit Framework to replicate these types of threats.

2. Basic Exploitation (aka Hacking circa 2003)

Basic Exploitation introduces the Metasploit Framework and how to use it through Cobalt Strike. I cover how to pick a remote exploit, brute-force credentials, and pivot through SSH. I call this lecture “hacking circa 2003” because remote memory corruption exploits have little use in an environment with a handle on patch management. Again, if you have strong Metasploit-fu, you may skip this lecture.

A few notes:

  • I dismiss remote memory corruption exploits as a dated vector, but don’t discount the remote attack surface. HD Moore and Val Smith’s Tactical Exploitation is one of the best resources on how to extract information from exposed services. First published in 2007, it’s still relevant. Watch the video and read the paper.
  • I used the Metasploitable 2 Virtual Machine for the Linux demonstrations in this segment.

3. Getting a Foothold

This segment introduces how to execute a targeted attack with Cobalt Strike. We cover client-side attacks, reconnaissance, and crafting an attack package.

To go deeper into this material:

4. Social Engineering

The fourth installment of Tradecraft covers how to get an attack package to a user. The use of physical media as an attack vector is explored, as well as watering hole attacks, one-off phishing sites, and spear phishing.

  • Watch Advanced Phishing Tactics by Martin Bos and Eric Milam. This talk puts together a lot of the concepts needed for a successful phish: how to harvest addresses, develop a good pretext, and create a phishing site.
  • Advanced threat actors favor spear phishing as an access vector. I’d point you to one source, but since this concept has such market buzz, there are a lot of whitepapers on this topic. I suggest a Google search and reading something from a source you consider credible.

5. Post Exploitation with Beacon

By this time, you know how to craft and deliver an attack package. Now, it’s time to learn how to set up Beacon and use it for asynchronous and interactive operations.

6. Post Exploitation with Meterpreter

This video digs into interactive post-exploitation with Meterpreter. You will learn how to use Meterpreter, pivot through the target’s browser, escalate privileges, pivot into the network, and use external tools through a pivot.

Privilege Escalation

7. Lateral Movement

This installment covers lateral movement. You’ll learn how to enumerate hosts and systems with built-in Windows commands, steal tokens, interrogate hosts to steal data, and use nothing but Windows commands to compromise a fully-patched system by abusing trust relationships. My technical foundation is very Linux-heavy; I wish this lecture had existed when I was refreshing my skillset.

Token Stealing and Active Directory Abuse

Recovering Passwords 

Pass the Hash

8. Offense in Depth

This segment dissects the process to get a foothold into the defenses you’ll encounter. You’ll learn how to avoid or get past defenses that prevent message delivery, prevent code execution, and detect or stop command and control.

Email Delivery

Anti-virus Evasion

  • If you like, you may use Cortana to force Armitage or Cobalt Strike to use an AV-safe executable of your choosing. You also have the option to select an EXE in Cobalt Strike’s dialogs. The Cortana approach lets you automate generating a new executable for your payload parameters.
  • Also, check out Veil, a framework for generating anti-virus safe executables.
  • Here’s a blog post by funoverip.net on how to modify a client-side exploit to get past an anti-virus product.

Payload Staging

Offense in Depth

9. Operations

This last chapter covers operations. Learn how to collaborate during a red team engagement, manage multiple team servers from one client, and load scripts to help you out.

Labs

The online course does not have dedicated labs per se. I have two sets of labs I run through with this material.

When I’m hired to teach, I bring a Windows enterprise in a box. I have my students conduct several drills to get familiar with the tools. I then drop them into my enterprise environment and assign goals for them to go through.

I also have a DVD with labs that map to the old version of this course. This DVD has two Linux target virtual machines and an attack virtual machine. Nothing beats setting up a Windows environment to play with these concepts, but this DVD isn’t a bad starter. If you see me at a conference, ask for one.

4 comments

  1. Can you talk a little bit of what you have in your Windows Enterprise in a box? Exchange, AD, IIS I assume? SQL Server? Any Firewalls/IDS?


    • The lab I use in my classes has a Smoothwall firewall. Behind it is a Windows 2K8 DC, a few Win 7 workstations, a few Linux servers, and a few low hanging fruit Windows 2003 servers. I have the MSDN OS subscription–so I don’t have access to Exchange and other MS server software. I use a few free or OSS alternatives. For example, I set up hMailServer for email and tied it to domain accounts. I also set up RoundCube for webmail. I have two enclaves as well… one for software development and another with a mocked up HMI for a SCADA/ICS scenario. The HMI is kind of funny–it’s just a Java app exposed via VNC… but it’s fun, because it is interactive.


  2. Very good job putting all of this together! Not only are Cobalt Strike and your material awesome, but the links you refer to are also classics… 🙂 I wish I’d come across this post earlier when I was starting out.


    • Thanks. That’s part of my intent putting all of this together. These are all things I wish I knew about when I had started out too.
