Red Team Tools

Authors: Aaron Rosenmund, Ricardo Reimao, Tim Tomes, Rishalin Pillay, Lee Allen, Keith Watson, Matt Glass, Josh Stroschein, Casey Dunham, Jeff Stein, FC, Malek Mohammad, William Hardy, Jurriën, Dawid Czagan, Gavin Johnson-Lynn, Guillaume Ross, Maril Vernon, Zach Roof, Cristian Pascariu, Uzair Ansari, Pinal Dave

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

What you will learn

  • What the tool is and does
  • Where to get it
  • How to emulate adversary techniques

Pre-requisites

  • Security fundamentals
  • Ethical hacking fundamentals
  • Security testing fundamentals

Introduction

The first course in this series discusses leveraging the MITRE ATT&CK framework in combination with open source tools to emulate adversary attacks.

Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK

by Aaron Rosenmund

Apr 30, 2020 / 17m

Description

Resources and time are limited, and validation of security operations capabilities and defenses is elusive if not non-existent. Red team operations of all shapes and sizes fill this gap, but where do you start? In this course, Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK, you will gain the ability to prioritize and emulate techniques based on the threat groups with the capability and intent to threaten your organization. First, you will learn about the different ways red team expertise is implemented within organizations. Next, you will discover the relationship between the tools and the ATT&CK techniques attributed to APT groups. Finally, you will explore how to operationalize adversary threat intelligence with ATT&CK Navigator. When you are finished with this course, you will have the skills and knowledge of red team tools for emulated adversary techniques with MITRE ATT&CK needed to leverage the Red Team Tools path to emulate threats and validate your organization's security operations.

Table of contents
  1. Course Overview
  2. Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK
  3. Resources
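As an added example (not part of the course or of Pluralsight's material), the script below takes the tool-to-technique mapping quoted in the course descriptions on this page, writes it out as an ATT&CK Navigator layer, and lists which techniques from a threat-intelligence priority list no tool in the kit emulates. The Navigator version strings, the colours and the PRIORITY list are assumptions made for the example; the field names follow the published Navigator layer format.

```python
"""Build an ATT&CK Navigator layer from a red team tool kit and find gaps.

Added example, not course material. Field names follow the Navigator layer
format; the version strings, colours and the PRIORITY list are assumptions.
"""
import json

# Technique IDs as quoted in the course descriptions on this page.
TOOL_TECHNIQUES = {
    "OWASP Amass":        ["T1596", "T1590", "T1595", "T1593"],
    "Sn1per":             ["T1595", "T1592", "T1590", "T1596", "T1593", "T1589"],
    "Shodan":             ["T1592", "T1590", "T1596"],
    "macro_pack":         ["T1204.002", "T1059.005", "T1566.001"],
    "Impacket":           ["T1546", "T1078", "T1047"],
    "Rubeus":             ["T1134", "T1558.003", "T1558.004"],
    "ProxyChains":        ["T1599"],
    "Invoke-Obfuscation": ["T1027", "T1140"],
}

# Constructed stand-in for the techniques a threat report attributes to the
# adversary you have decided to emulate.
PRIORITY = ["T1566.001", "T1059.001", "T1558.003", "T1021.002", "T1027", "T1486"]


def coverage(tool_techniques):
    """Invert the mapping: technique ID -> sorted list of tools that emulate it."""
    cov = {}
    for tool, ids in tool_techniques.items():
        for tid in ids:
            cov.setdefault(tid, set()).add(tool)
    return {tid: sorted(tools) for tid, tools in cov.items()}


def build_layer(name, tool_techniques):
    """Return a Navigator layer dict; score = number of tools covering the technique."""
    cov = coverage(tool_techniques)
    techniques = [
        {
            "techniqueID": tid,
            "score": len(tools),
            "comment": "Emulated by: " + ", ".join(tools),
            "enabled": True,
            "showSubtechniques": False,
        }
        for tid, tools in sorted(cov.items())
    ]
    return {
        "name": name,
        # Assumed versions: set these to match the Navigator instance you use.
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques the red team tool kit can emulate (score = tool count)",
        "techniques": techniques,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(t["score"] for t in techniques),
        },
    }


def uncovered(priority_ids, tool_techniques):
    """Priority techniques that no tool emulates.

    A technique counts as covered when the kit lists it, its parent technique,
    or one of its sub-techniques."""
    cov = coverage(tool_techniques)

    def covered(tid):
        parent = tid.split(".")[0]
        return tid in cov or parent in cov or any(c.startswith(tid + ".") for c in cov)

    return sorted(t for t in priority_ids if not covered(t))


if __name__ == "__main__":
    layer = build_layer("Red Team Tools coverage", TOOL_TECHNIQUES)
    with open("red-team-tools-layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)
    print("techniques in layer:", len(layer["techniques"]))
    print("priority techniques with no emulation tool:",
          uncovered(PRIORITY, TOOL_TECHNIQUES))
```

Load the JSON file through "Open Existing Layer" in ATT&CK Navigator to get the heat map; the uncovered list is the prioritization output the course describes, telling you which techniques from the threat group's profile your current kit cannot exercise. The parent/sub-technique rule in uncovered() is a deliberate simplification: a tool that covers T1546 in general is assumed to serve a T1546.003 requirement, which you may want to tighten for your own reporting.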

ATT&CK - Reconnaissance (TA0043)

Reconnaissance consists of techniques in which an adversary actively or passively tries to gather information that can be used to support targeting and plan future operations.

Reconnaissance with OWASP Amass

by Ricardo Reimao

May 7, 2021 / 19m

Description

One of the most important phases of a red team engagement is the reconnaissance phase. It is at this stage that we try to enumerate as much information as possible about our target so we can plan a proper attack. In this course, Reconnaissance with OWASP Amass, we cover one of the most reliable tools for finding subdomains and IP addresses related to our target. We start by using this tool to perform traditional domain enumeration using passive and active techniques. Next, we use Amass to perform DNS brute forcing and reverse WHOIS lookups. Then, we translate all the data we gathered into useful charts that show the dependencies between the enumerated assets. Note that passive enumeration only queries third-party data sources, while the active and brute-force modes send DNS queries that the target's resolvers and any DNS logging can observe. This course covers several important techniques from the MITRE ATT&CK framework: Search Open Technical Databases (T1596), Gather Victim Network Information (T1590), Active Scanning (T1595) and Search Open Websites/Domains (T1593).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Enumerating Domains and IPs with OWASP Amass
  3. Resources

Reconnaissance with Sn1per

by Ricardo Reimao

Apr 14, 2021 / 19m

Description

The first and most important phase of a red team engagement is reconnaissance. It is during this phase that you gather valuable information about your target, such as IP addresses, sub-domains, open ports and even potential vulnerabilities to be exploited.

In this course, Reconnaissance with Sn1per, we cover one of the most complete tools for recon, called Sn1per.

First, you will learn how to use this tool to perform active and passive scans against the Globomantics corporation. Then, you will learn how to use Sn1per to perform a stealth scan (using OSINT techniques) against a public domain.

This course covers several important techniques from the MITRE ATT&CK framework: Active Scanning (T1595), Gather Victim Host Information (T1592), Gather Victim Network Information (T1590), Search Open Technical Databases (T1596), Search Open Websites/Domains (T1593) and Gather Victim Identity Information (T1589).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Gathering Technical Information with Sn1per
  3. Resources

Technical Information Gathering with theHarvester

by Ricardo Reimao

Jun 4, 2020 / 20m

Description

The reconnaissance phase is one of the most important phases of a red team engagement. It is in this phase that you gather information about your target so you can select which machines to exploit and how to exploit them. In this course, Technical Information Gathering with theHarvester, you will cover one of the most important tools for information gathering, theHarvester. First, you will learn to gather DNS subdomains. Then, you will discover how to gather IP addresses belonging to your target. Finally, you will explore how to automatically search for information about the people who work at your target company, including email addresses, Twitter accounts, and even LinkedIn profiles. By the end of this course, you will know four techniques from the MITRE PRE-ATT&CK framework: Determine domain and IP Address Space (T1250), Conduct Active Scanning (T1254), Discover target logon/email address format (T1255) and Mine Social Media (T1273). Note that PRE-ATT&CK was retired in October 2020 and folded into the Reconnaissance and Resource Development tactics of Enterprise ATT&CK, so these IDs are deprecated; the current equivalents are the Reconnaissance techniques (T1589 to T1596) listed for the other courses in this section.

Table of contents
  1. Course Overview
  2. Gathering Target Information with theHarvester
  3. Resources

Technical Information Gathering with Recon-ng

by Tim Tomes

Jun 22, 2020 / 40m

Description

Reconnaissance, also referred to as Open Source Intelligence (OSINT) gathering, is often viewed as the least important step of any information security testing methodology, and disregarded for this very reason. But rather than skip reconnaissance due to a perceived lack of value, we can increase its worth by reducing the time it takes to conduct these activities. In this course, Technical Information Gathering with Recon-ng, you will gain the ability to efficiently and effectively gather and analyze technical information from open sources. First, you will learn installation and configuration tips and be introduced to the interactive command line interface of Recon-ng. Next, you will discover installing, running, and configuring Recon-ng modules to harvest and transform data. Finally, you will explore how to analyze and export data for collaboration or use with other tools. When you are finished with this course, you will have the skills and knowledge of Recon-ng needed to accelerate the technical information gathering process and fuse results with the remainder of Red Team activities.

Table of contents
  1. Course Overview
  2. Technical Information Gathering with Recon-ng
  3. Resources

Technical Information Gathering with Maltego CE

by Ricardo Reimao

Aug 27, 2020 / 25m

Description

Performing extensive information gathering about your target is crucial in a red team engagement. You should have as much information as possible about the technology and people in your target organization. In this course, Technical Information Gathering with Maltego CE, you will explore one of the most well-known information gathering tools amongst red team professionals, the Maltego framework. First, you will learn the basics of the tool and how Maltego uses its Transforms to collect data about your targets. Next, you will explore how to collect technical information such as DNS subdomains, IP addresses, and even the location of your target servers. Finally, you will see how to collect information about the people who work at the company, including collecting employee email addresses and researching whether accounts from the company were leaked in previous data breaches. When you are finished with this course, you will have the skills and knowledge of Maltego CE needed to gather technical and people information from your target organization, covering three techniques from the MITRE PRE-ATT&CK framework: Determine domain and IP address space (T1250), Conduct passive scanning (T1253), and Identify People of Interest (T1269). These PRE-ATT&CK IDs are deprecated since the matrix was merged into Enterprise ATT&CK in October 2020; the equivalent content now lives under the Reconnaissance tactic.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Finding Technical and People Information with Maltego
  3. Resources

People Information Gathering with the Social Engineering Toolkit (SET)

by Rishalin Pillay

Aug 6, 2020 / 23m

Description

Social engineering assesses people, processes, and procedures by using attack vectors such as email, malicious wireless networks and more in the attempt to breach organizational safeguards.

In this course, People Information Gathering with the Social Engineering Toolkit (SET), you will cover how to utilize the Social Engineer Toolkit for Initial Access in a red team environment.

  • First, you will demonstrate the ability to craft social engineering attacks such as spear phishing using various payloads.
  • Next, you will work with other attack vectors within the Social Engineer Toolkit which relates to malicious payloads and integration into Metasploit.
  • Finally, you will be able to simulate a social engineering attack.
When you are finished with this course, you will have the skills and knowledge to execute these techniques using the Social Engineer Toolkit: Conduct Social Engineering (T1268) and Spearphishing for Information (T1397). Both IDs come from the retired PRE-ATT&CK matrix, which was merged into Enterprise ATT&CK in October 2020.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Social Engineering with Phishing and User Execution
  3. Resources

Technical Weakness Identification with Nikto

by Lee Allen

Aug 18, 2020 / 20m

Description

Would you like to identify web server weaknesses and vulnerabilities during the reconnaissance phase? In this course, Technical Weakness Identification with Nikto, you will gain the ability to scan web servers for vulnerabilities and misconfigurations. First, you will learn how to use Nikto to perform a web server vulnerability scan. Next, you will discover options within Nikto that allow you to start scans against multiple hosts. Finally, you will explore how to use the Nikto configuration file to set up static cookies and to send scan traffic through a proxy. When you are finished with this course, you will have the skills and knowledge of web server scanning with Nikto needed to identify web server vulnerabilities.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Scanning an Application with Nikto
  3. Resources

Reconnaissance with Shodan

by Keith Watson

Jun 25, 2021 / 27m

Description

When planning future operations, a red team needs information about the target organization. Specifically, details about the organization's internet-connected devices, their software, services, IP addresses, and locations can be leveraged to plan and execute other phases of the adversary life cycle. In this course, Reconnaissance with Shodan, I'll cover how to utilize Shodan to execute reconnaissance in a red team environment. First, I'll demonstrate how to identify devices associated with a specific organization. Next, I'll apply search filters to refine the results to specific software and versions. Finally, I'll simulate reviewing specific device information as a potential attack target. When you're finished with this course, you'll have the skills and knowledge to execute MITRE ATT&CK techniques such as Gather Victim Host Information (T1592), Gather Victim Network Information (T1590), and Search Open Technical Databases (T1596) using Shodan. More importantly, knowing how these techniques can be used against you will ultimately contribute to your ability, as an organization or an individual, to detect and defend against specific attack vectors.

Table of contents
  1. Course Overview
  2. Using Shodan for Reconnaissance
  3. Resources

ATT&CK - Resource Development (TA0042)

Resource development consists of techniques in which adversaries create, purchase, or compromise/steal resources that can be used to support targeted operations.

Privilege Escalation and Client Execution with MSFVenom

by Matt Glass

Jan 21, 2020 / 24m

Description

Would you like to learn how to use a tool that can generate payloads for you? In this course, Privilege Escalation and Client Execution with MSFVenom, you will gain the ability to generate a variety of shellcode payloads to fit your exploit, target, and situation. First, you will learn how to generate a payload within a standalone executable. Next, you will discover options within MSFVenom to change the payload's capabilities. Finally, you will explore how to generate a payload for use in an existing exploit. When you are finished with this course, you will have the skills and knowledge of payload generation with MSFVenom needed to exploit vulnerabilities.

Table of contents
  1. Tool Introduction
  2. Privilege Escalation and Client Execution
  3. Resources

ATT&CK - Initial Access (TA0001)

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spear phishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Initial Access with Aircrack-ng

by Ricardo Reimao

Feb 14, 2020 / 21m

Description

Exploiting wireless networks is one of the most effective ways to get access to the internal network of a company. It usually gives you the same level of access as regular employees at the office, and WiFi networks can usually be reached from outside the building. In this course, Initial Access with Aircrack-ng, we explore the Aircrack-ng WiFi security assessment suite. First, you will see how to identify potential target networks and exploit weaknesses in both the WEP and WPA/WPA2 protocols. Then, you will learn how to crack the keys of WEP networks and how to brute force the pre-shared key of WPA/WPA2 networks from a captured handshake. Finally, you will discover how to cause a denial of service on the WiFi network, which can be a useful distraction mechanism for a bigger attack. By the end of this course, you will know three important techniques from the MITRE ATT&CK framework: Rogue WiFi Access Points (Initial Access, T1465), Brute Force (Credential Access, T1110), and Network Denial of Service (Impact, T1464).

Table of contents
  1. Tool Introduction
  2. WiFi Password Cracking with Aircrack-ng
  3. Resources

Initial Access with Luckystrike

by Josh Stroschein

Aug 3, 2020 / 34m

Description

Creating and managing malicious Office documents is a common red team task. However, managing all of the payloads, templates, and potential anti-virus bypasses can become very tedious. In this course, Initial Access with Luckystrike, you will gain the ability not only to create malicious Office documents, but to manage them in a straightforward framework. First, you will learn how to build your catalog and add a variety of payloads. Next, you will discover how to import templates to help create custom malicious Office documents. Finally, you will explore how to integrate custom payloads from other red team tools. When you are finished with this course, you will have the skills and knowledge of Luckystrike needed to manage all of your malicious document needs.

Table of contents
  1. Course Overview
  2. Creating Malicious Office Documents with Luckystrike
  3. Resources

Initial Access with WiFi-Pumpkin

by Ricardo Reimao

Mar 20, 2020 / 22m

Description

Having valid credentials is one of the most effective ways of getting access to the internal network of a company. It gives you the same level of access as the target employee, which often includes VPN access to the internal network as well as several external systems. In this course, Initial Access with WiFi-Pumpkin, you will explore the WiFi-Pumpkin tool, a rogue access point framework developed by Marcos Bomfim of P0cL4bs. First, you will learn how to create rogue access points that look exactly like the WiFi network of your target company. Then, you will see how to set up captive portals, so that when users try to log in to your rogue access point they are prompted for their domain credentials, which you can harvest and use in other attacks. Finally, you will work through the full chain: setting up the rogue access point, setting up the fake captive portal, customizing the login page, and harvesting the submitted credentials. By the end of this course, you will know two important techniques from the MITRE ATT&CK framework: Rogue WiFi Access Points (T1465) and Valid Accounts (T1078).

Table of contents
  1. Course Overview
  2. Credential Harvesting with Fake Captive Portals
  3. Resources

Initial Access with Gophish

by Matt Glass

Aug 7, 2020 / 30m

Description

Are you looking for a tool that can quickly and easily set up phishing campaigns and host its own landing pages?

In this course, Initial Access with Gophish, you’ll cover how to utilize Gophish to complete Initial Access in a red team environment.

First, you’ll see how to install Gophish and navigate through its features.
Next, you’ll explore social engineering techniques to execute a malicious link phishing campaign and capture credentials.
Finally, you’ll discover how to simulate a malicious attachment attack to gain access to your target.

When you're finished with this course, you'll have the skills and knowledge to execute Phishing (T1566) using Gophish, delivered as spearphishing links and attachments.

Table of contents
  1. Course Overview
  2. Initial Access with Gophish
  3. Resources

Initial Access with sqlmap

by Casey Dunham

Oct 12, 2020 / 23m

Description

SQL injection flaws are among the most critical application vulnerabilities. They can affect any application that uses a database, and a single flaw can lead to data loss or even server compromise. In this course, Initial Access with sqlmap, you'll learn how to use this powerful tool to identify and exploit a variety of SQL injection flaws in a red team environment. First, you'll discover how to set up sqlmap's command line and test authenticated web pages. Next, you'll use sqlmap's built-in enumeration features to exfiltrate user data. Then, you'll delve into tuning sqlmap's parameters when crawling applications. Finally, you'll exploit a SQL injection to gain initial system access. When you're finished with this course, you'll have the skills and knowledge of sqlmap needed to streamline the process of finding and exploiting SQL injection flaws.

Table of contents
  1. Course Overview
  2. Exploiting SQL Injections with sqlmap
  3. Resources

Initial Access with King Phisher

by Jeff Stein

Oct 14, 2020 / 28m

Description

Through the use of phishing techniques, you'll gain the skills and understanding to further your red teaming objectives toward initial access. In this course, Initial Access with King Phisher, you'll see how to utilize King Phisher to execute a phishing attack in a red team environment. First, you'll identify a victim and enumerate DNS to craft a successful phishing campaign. Next, you'll apply a spearphishing technique to target the victim. Finally, you'll simulate harvesting victim credentials by crafting a landing page to use in the attack. When you're finished with this course, you'll have the skills and knowledge to execute these techniques using King Phisher: Phishing: Spearphishing Link (T1566.002) and Valid Accounts (T1078).

Table of contents
  1. Course Overview
  2. Executing a Phishing Campaign and Gathering Credentials with King Phisher
  3. Resources

Initial Access with the Bash Bunny

by FC

Nov 25, 2020 / 19m

Description

One of the most important parts of a red team engagement is initial access, and exfiltrating the information that helps you gain a deeper foothold in the target environment. In this course, Initial Access with the Bash Bunny, you will learn the capabilities of the Bash Bunny and why it is a key initial access tool in the red team toolkit. Threat actors take advantage of physical access to devices in order to obtain the credentials stored on them; APT groups such as DarkVishnya have used Bash Bunny devices to help infiltrate major banks across Europe. Having the ability to covertly plug in a device that attacks the target in seconds and pulls out confidential data ready for use, with no user interaction required, can be a game changer for red team members. You will learn how to utilize this tool to achieve your red team goals: what bunny scripts are, how to load them, and how to modify them to obtain and exfiltrate key files and information from your target. The Bash Bunny is highly adaptable and can also be used to launch attacks at multiple stages of the cyber kill chain, including launching stagers for Empire (covered in the Pluralsight course Command and Control with Empire), and you will also see where to find additional resources to help craft the right attack vector for specialist jobs. When you have finished this course, you will have the skills and knowledge to perform attacks that simulate APT capability against your client.

Table of contents
  1. Course Overview
  2. Initial Access with Bash Bunny
  3. Resources

ATT&CK - Execution (TA0002)

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often coupled with techniques from other tactics to achieve broader goals, like stealing data.

Execution with macro_pack

by Ricardo Reimao

Sep 4, 2020 / 23m

Description

Disguising malicious files as legitimate documents is crucial to a successful phishing attack. When the malicious payload is hidden inside a legitimate-looking document, victims are more likely to open the file, giving us access to their computer. In this course, Execution with macro_pack, you will see one of the most useful tools for this kind of file masquerading, macro_pack. First, you will learn the basics of malicious file masquerading and get an overview of the macro_pack tool. Next, you will explore how to hide a Metasploit Meterpreter payload inside a Microsoft Word file. Finally, you will learn how to create a dropper with macro_pack, which can be used to distribute malware hosted on remote servers via an unsuspicious Microsoft Excel spreadsheet. When you are finished with this course, you will have the skills and knowledge of the macro_pack tool needed to hide malicious payloads in Microsoft Office files. This course covers three important techniques from the MITRE ATT&CK framework: User Execution: Malicious File (T1204.002), Command and Scripting Interpreter: Visual Basic (T1059.005) and Phishing: Spearphishing Attachment (T1566.001).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Masquerading Malicious Payload with macro_pack
  3. Resources

ATT&CK - Persistence (TA0003)

Persistence consists of techniques that adversaries use to maintain their foothold on systems.

Persistence with Empire

by Rishalin Pillay

Oct 23, 2020 / 23m

Description

Are you looking to obtain persistence using Empire? In this course, you’ll cover how to utilize Empire for persistence in a red team environment. First, you’ll demonstrate how to obtain a high integrity persistent agent. Next, you’ll apply registry and WMI attacks for persistence. Finally, you’ll simulate using a specific user for persistence callbacks. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques T1547.001, T1548.001, T1546.003, T1136.001 and T1053.002 using Empire.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Maintaining Persistent Access Using Empire
  3. Resources

Persistence with Impacket

by Ricardo Reimao

Sep 15, 2021 / 20m

Description

In a red team engagement, after getting access to servers, it is important that you establish persistence on your targets. That way, you can access the servers at any time, even if the original point of entry is patched. In this course, Persistence with Impacket, you'll learn how to utilize the Impacket framework to maintain a foothold in a red team environment. First, you'll explore the basics of persistence and how to install the Impacket framework. Next, you'll discover how to use Impacket to create persistence via WMI event triggers. Finally, you'll learn how to harvest hashes so you can use those accounts to access the environment later. When you're finished with this course, you'll have the skills and knowledge of Impacket needed to execute these techniques: Event Triggered Execution (T1546), Valid Accounts (T1078) and Windows Management Instrumentation (T1047).

Table of contents
  1. Course Overview
  2. Persistence with Impacket
  3. Resources

ATT&CK - Privilege Escalation (TA0004)

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives.

Privilege Escalation with Rubeus

by Ricardo Reimao

May 18, 2021 / 20m

Description

One of your main objectives in a red team engagement is getting admin-level access to the domain. Escalating your privileges through vulnerability exploitation is usually difficult in well-patched environments. In this course, Privilege Escalation with Rubeus, we will explore how to get admin credentials using two well-known attacks against Active Directory domains: Kerberoasting and AS-REP Roasting. First, you will learn how to harvest hashed credentials with Rubeus by executing a Kerberoasting attack, which any authenticated domain user can perform by requesting service tickets for accounts that have an SPN set. Then, you will see how to harvest even more hashed credentials with AS-REP Roasting, which only works against accounts that have Kerberos pre-authentication disabled. Finally, you will explore how to crack those hashes offline with Hashcat. This course covers three important techniques from the MITRE ATT&CK framework: Access Token Manipulation (T1134), Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003) and Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Stealing Kerberos Tickets with Rubeus
  3. Resources

Privilege Escalation with UACMe

by Malek Mohammad

Jul 28, 2021 / 9m

Description

UACMe is an open-source tool used to bypass Windows User Account Control (UAC) and obtain local administrator privileges; it is used by threat actors, red teams, blue teams and penetration testers alike. In this course, Privilege Escalation with UACMe, you'll learn how to utilize UACMe to bypass UAC and get local admin privileges in a red team environment. First, we'll demonstrate how to compile and use the tool. Next, we'll simulate a real-world scenario using UACMe to gain local admin privileges. Finally, you'll learn why knowing how these techniques can be used against you ultimately contributes to your ability, as an organization or an individual, to detect and defend against specific attack vectors. Note that a UAC bypass elevates a process from medium to high integrity; the account must already be a member of the local Administrators group, so it is not an escalation from a standard user. When you're finished with this course, you'll have the skills and knowledge to execute the technique Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) using UACMe.

Table of contents
  1. Course Overview
  2. Using UACMe to Escalate Privileges
  3. Resources

ATT&CK - Defense Evasion (TA0005)

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware.

Defense Evasion with Meterpreter

by William Hardy

Jun 2, 2021 / 2h 3m

Description

The ability to evade defenses is a vital skill for anyone involved in penetration testing or red-teaming engagements in secure environments. In this course, Defense Evasion with Meterpreter, you will learn to customize your Meterpreter tooling to stay under the radar and avoid detection. First, you will explore the inner workings of Metasploit’s Meterpreter payloads and how many endpoint security tools work. Next, you will discover how to slip past signature-based detections on disk and in memory. Finally, you will learn how to defeat emulators and heuristic analysis engines as well as network-based security tools. When you are finished with this course, you will have the skills and knowledge required to conduct security assessments successfully in highly secured networks.

Table of contents
  1. Course Overview
  2. Meterpreter Deep Dive
  3. Antivirus and EDR
  4. Evading Antivirus on Disk
  5. Evading Antivirus Heuristics
  6. Evading Detection in Memory
  7. Evading Detection on the Network
  8. Course Conclusion

Defense Evasion with ProxyChains

by Ricardo Reimao

Apr 20, 2021 / 20m

Description

Virtually every company has at least a firewall in place to keep attackers away from internal servers. As a red team specialist, your job is to simulate a real attack and try to bypass such defense mechanisms. In this course, Defense Evasion with ProxyChains, you will learn how to bypass network defenses by tunneling your traffic through compromised machines. First, you will explore what network defense evasion is and how ProxyChains can help you accomplish it. Then, you will see how to hide your real IP address by routing ProxyChains through the Tor network. Finally, you will learn how to bypass network segmentation and firewalls by using ProxyChains to route your traffic through an already compromised machine. Keep in mind that ProxyChains works by preloading a library that hooks libc socket calls, so raw-socket traffic such as Nmap SYN scans or ICMP pings, and statically linked binaries, are not tunneled. This course covers one technique from the MITRE ATT&CK framework: Network Boundary Bridging (T1599).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Evading Defense Mechanisms with ProxyChains
  3. Resources

Defense Evasion with Invoke-Obfuscation

by Ricardo Reimao

Apr 10, 2020 / 24m

Description

One of the main objectives of a red team engagement is to avoid being caught by the client's detection mechanisms. If you simply run your malicious code on a production server, you will most likely be caught by Windows Defender or the anti-virus solution. For this reason, obfuscating scripts to bypass those detection mechanisms is essential. In this course, Defense Evasion with Invoke-Obfuscation, you will explore how to bypass detection tools such as anti-virus solutions by obfuscating your malicious scripts. First, you will learn what script obfuscation is and how you can use it in your red team engagement. Then, you will see how to install the tool in Kali Linux. Finally, you will explore how to use Invoke-Obfuscation to bypass anti-virus and run a malicious payload on a fully patched Windows server. Bear in mind that obfuscation only defeats static matching: the script still decodes itself at runtime, so AMSI and PowerShell script block logging (event ID 4104) see the deobfuscated code, and the obfuscation itself is a detectable signal. By the end of this course, you will know how to use the Invoke-Obfuscation PowerShell tool to obfuscate other PowerShell scripts with the intent of evading detection. This course covers two important techniques from the MITRE ATT&CK framework: Obfuscated Files or Information (T1027) and Deobfuscate/Decode Files or Information (T1140).

Table of contents
  1. Course Overview
  2. Bypassing Anti-virus Detection with Invoke-Obfuscation
  3. Resources

Defense Evasion with Veil

by Jurriën

Jan 8, 2021 / 18m

Description

Threat actors, penetration testers, and Red Teamers often need to get a payload through target defenses to verify a vulnerability or gain a form of access to the target system in order to further their progress towards the agreed-upon goal. In this course, Defense Evasion with Veil, you’ll cover how to utilize the Veil framework to execute obfuscated payloads in a Red Team environment. First, you'll learn how to install the framework within Kali Linux and create a payload through the UI. Next, you’ll apply the knowledge learned about building the payload through the UI and create a similar payload through the command line for automation purposes. Finally, you’ll simulate how to check whether any of the generated payloads is known within the VirusTotal database. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques (T1027) using Veil. More importantly, knowing how these techniques can be used against you will ultimately lend to your ability as an organization, or an individual, to detect and defend against specific attack vectors.

Table of contents
  1. Course Overview
  2. Using Veil for Payload Obfuscation and Intended Target Insurance
  3. Resources

ATT&CK - Credential Access (TA0006)

Credential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

Credential Access with Mimikatz

by Lee Allen

Aug 14, 2020 / 25m

Description

Would you like to be able to see clear text credentials stored in memory? How about harvesting clear text credentials stored in protected files? In this course, Credential Access with Mimikatz, you will learn how to leverage the advanced credential access capabilities of the open-source Mimikatz project towards post-exploitation activities. First, you will see how to harvest password hashes and clear text user names and passwords for active login sessions stored in system memory. Next, you will discover how Mimikatz can be used to open memory dumps from other systems for situations where you may not be able to run Mimikatz on the victim machine. Finally, you will explore how to obtain clear text usernames and passwords stored by browsers, change domain user passwords on the fly, and capture passwords to a file. When you are finished with this course, you will have the skills and knowledge of the open-source Mimikatz tool needed to emulate credential access techniques aligned with MITRE ATT&CK.

Table of contents
  1. Tool Introduction
  2. Credential Access and Persistence with Mimikatz
  3. Resources

Credential Access with Hashcat

by Dawid Czagan

May 4, 2020 / 28m

Description

Red team members and penetration testers need to know how to crack passwords with different password cracking techniques. In this course, Credential Access with Hashcat, you will learn about Hashcat, the number one offline password cracker. First, you will see how to launch a dictionary attack using Hashcat. Next, you will discover how you can crack more passwords when you launch a dictionary attack with a rule. Then, you will learn how to launch a dictionary attack with a mask (also known as a hybrid attack). Finally, you will explore how to use Hashcat to crack password-protected PDF and DOCX files. By the end of this course, you will know how to use Hashcat to crack passwords with different password cracking techniques.

Table of contents
  1. Course Overview
  2. Password Cracking with Hashcat
  3. Resources

Credential Access with Responder

by Ricardo Reimao

Sep 18, 2020 / 20m

Description

One of the main objectives in a red team engagement is to get access to several user accounts (lateral movement) as well as administrator accounts (privilege escalation). After getting initial access to the internal network, you can launch several attacks to harvest credentials. In this course, Credential Access with Responder, you will explore one of the most important tools for lateral movement and privilege escalation, the Responder tool - an LLMNR, NBT-NS, and MDNS poisoner developed by Laurent Gaffie. First, you will exploit vulnerabilities in the LLMNR protocol. Then, you will use the NBT-NS and MDNS protocols to gather credentials of domain users. Finally, you will learn not only how to get NTLM hashes, but also how to crack them to get plain text passwords and how to use those hashes in pass-the-hash attacks. By the end of this course, you will know two important tactics from the MITRE ATT&CK framework: LLMNR/NBT-NS Poisoning and Relay (T1171) and Network Sniffing (T1040).

Table of contents
  1. Course Overview
  2. LLMNR/NBT-NS Poisoning with Responder
  3. Resources

Credential Access with Cain & Abel

by Jeff Stein

Jul 28, 2020 / 25m

Description

Cain & Abel is a versatile tool for the Windows operating system which can help further your red teaming objectives with techniques ranging from manipulating network traffic to cracking passwords using brute force and cryptanalysis attacks.

In this course, Credential Access with Cain & Abel, you will gain the ability to access credential sets in a victim network.

First, you will learn to perform network reconnaissance from the Windows operating system.
Next, you will discover how you can use a man-in-the-middle attack to access the credentials transmitted between victims on a network.
Finally, you will explore how to remotely exploit a victim for harvested credentials which can then be cracked by the tool suite.

When you are finished with this course, you will have the skills and knowledge of Cain & Abel needed to access valid credential sets and move through a network during an attack engagement.

Table of contents
  1. Course Overview
  2. Credential Access with Cain and Abel
  3. Resources

Credential Access with John the Ripper

by Rishalin Pillay

May 22, 2020 / 23m

Description

Password cracking is a common task in a red team engagement, and understanding how to use the tools can be daunting. In this course, Credential Access with John the Ripper, you will gain the ability to crack commonly used password hashes leveraging the highly customizable tool, John the Ripper. First, you will learn how to navigate the syntax of John and amp up your cracking capabilities by obtaining rich wordlists and permuting them. Next, you will discover how to perform password cracking of common operating systems such as Windows and Linux. Finally, you will explore how to use John within a Metasploit session, giving you the ability to perform password cracking during the exploitation phase. When you are finished with this course, you will have the skills and knowledge of John the Ripper needed to amplify your red team engagements when performing password cracking.

Table of contents
  1. Course Overview
  2. Credential Dumping and Brute Force Capabilities of John the Ripper
  3. Resources

Credential Access with THC Hydra

by Lee Allen

Aug 19, 2020 / 27m

Description

There's no way around it - people are going to use weak passwords. THC Hydra will help you identify these passwords so that you can then use the information towards Red or Blue Teaming efforts. In this course, Credential Access with THC Hydra, you will learn how to brute force network logins. First, you will see where THC Hydra fits into the kill chain and the Mitre ATT&CK framework. Next, you will discover how the flexibility of THC Hydra can assist you in cracking passwords for various network protocols. Finally, you will explore how to leverage the password cracking capabilities of THC Hydra towards your own penetration testing or password strength assessment activities. When you are finished with this course, you will have the skills and knowledge needed to efficiently use THC Hydra towards your password cracking efforts.

Table of contents
  1. Course Overview
  2. Password Cracking with THC Hydra
  3. Resources

Credential Access with LaZagne

by Gavin Johnson-Lynn

Feb 26, 2021 / 21m

Description

After initial access to a system, the next goal is typically to elevate privileges and exploit further systems. LaZagne retrieves credentials from a wide variety of operating system and software sources that help to do just that. In this course, Credential Access with LaZagne, you’ll learn how to utilize LaZagne to escalate privileges in a red team environment. First, you’ll explore getting credentials stored in browsers, one of the key features of LaZagne. Next, you’ll see how to get credentials from some of the many other programs that store them on a system. Finally, you’ll learn how to get LaZagne to extract as many credentials as it can find from a system, along with how to store them in a file for easy automation. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003) and Unsecured Credentials: Credentials In Files (T1552.001) using LaZagne. Knowing how these techniques can be used against you will ultimately lend to your ability as an organization, or an individual, to detect and defend against specific attack vectors.

Table of contents
  1. Course Overview
  2. Extracting Credentials with LaZagne
  3. Resources

ATT&CK - Discovery (TA0007)

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective.

Discovery with BloodHound

by Guillaume Ross

Apr 20, 2020 / 21m

Description

Understanding the relationship between thousands of Active Directory objects can be difficult. Users are members of groups, which can be nested in other groups, and linked to thousands of permissions. In this course, Discovery with BloodHound, you will gain the ability to use BloodHound to quickly find the shortest path to compromise systems in an Active Directory environment. First, you will learn how to install BloodHound. Next, you will discover how to use SharpHound to gather data from AD. Finally, you will explore how to ingest and visualize that data, finding paths between objects and the ultimate goal, Domain Admin access. When you are finished with this course, you will have the skills and knowledge of BloodHound needed to start using it to attack AD, or to understand how to better defend it.

Table of contents
  1. Course Overview
  2. Discovering the Path to Domain Admin with BloodHound
  3. Resources

Discovery with Seatbelt

by Ricardo Reimao

Oct 6, 2021 / 20m

Description

In a red team engagement, after getting access to some servers, it is important that you enumerate sensitive information about the environment so you can move laterally and execute your red-team objectives. In this course, Discovery with Seatbelt, you'll learn how to utilize the Seatbelt tool to enumerate crucial information about the targets in a red team environment. First, you’ll explore the basics of discovery and how to compile and run the Seatbelt tool. Next, you'll see how to use Seatbelt to discover sensitive data of a local machine. Finally, you’ll learn how to collect information about remote targets using the Seatbelt tool. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques [Account Discovery (T1087), Security Software Discovery (T1518.001) and System Information Discovery (T1082)] using Seatbelt. More importantly, knowing how these techniques can be used against you, will ultimately lend to your ability as an organization, or an individual, to detect and defend against specific attack vectors.

Table of contents
  1. Course Overview
  2. Discovery with Seatbelt
  3. Resources

Discovery with Kismet

by Guillaume Ross

Oct 8, 2020 / 23m

Description

Have you ever needed to inventory devices or networks in an environment before deciding what to attack? Kismet is the perfect tool for this. In this course, Discovery with Kismet, you’ll discover how to utilize Kismet in a red team environment. First, you’ll see how to discover available wireless networks. Next, you’ll learn how to sniff traffic on networks. Finally, you’ll learn to eavesdrop on unencrypted data streams on wireless networks. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques using Kismet: T1040 - Network Sniffing, T1507 - Network Information Discovery, and T1439 - Eavesdrop on Insecure Network Communication. Plus, you'll even know how to discover Bluetooth devices and planes!

Table of contents
  1. Course Overview (Tool Introduction)
  2. Using Kismet to Discover Wireless Networks
  3. Resources

Discovery with ADRecon

by Ricardo Reimao

Sep 18, 2020 / 22m

Description

The Active Directory of a company is a valuable source of information for a red team specialist. There, you can find information about the users, computers, and even security policies. In this course, Discovery with ADRecon, you will learn about ADRecon, developed by Prashant Mahajan, which enables red team specialists to generate interesting reports from the Active Directory of a target company. First, you will discover the importance of the Active Directory data in a red team engagement and how this data can help you in further attacks. Then, you will see how to use the ADRecon tool to extract data from your client’s Active Directory and generate a complete report about the environment. Finally, you will explore how to perform a Kerberoast attack using the ADRecon tool, in which you will gather hashed credentials from the Active Directory and crack them using Hashcat. When you are finished with this course, you will have the skills and knowledge to extract valuable information from the AD and plan your next attacks. This course covers five important tactics from the MITRE ATT&CK Framework: Password Policy Discovery (T1201), Permission Groups Discovery (T1069), Account Discovery (T1087), Data from Information Repositories (T1213) and Kerberoasting (T1208).

Table of contents
  1. Course Overview
  2. Active Directory Enumeration
  3. Resources

ATT&CK - Lateral Movement (TA0008)

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.

Lateral Movement with Mimikatz

by Lee Allen

Aug 14, 2020 / 29m

Description

Would you like to move from system to system without clear text credentials? How about impersonating a domain controller to inject data of your choosing? In this course, Lateral Movement with Mimikatz, you will learn how to leverage the advanced lateral movement capabilities of the open-source Mimikatz project towards post-exploitation activities. First, you will see how to 'Pass the Hash' to authenticate without the need for a clear text password. Next, you will discover how Mimikatz is used to bypass the domain controllers with 'Pass the Ticket'. Finally, you will explore how to create golden and silver tickets to impersonate domain users and service accounts. When you are finished with this course, you will have the skills and knowledge of the open-source Mimikatz tool needed to emulate lateral movement techniques aligned with MITRE ATT&CK.

Table of contents
  1. Tool Introduction
  2. Lateral Movement and Defense Evasion with Mimikatz
  3. Resources

Lateral Movement with PsExec

by Matt Glass

Sep 25, 2020 / 21m

Description

Would you like to learn how to execute commands, programs, and open command prompts or PowerShell sessions on remote Windows hosts? In this course, Lateral Movement with PsExec, you will gain the ability to use PsExec to laterally move throughout a Windows domain from a host you already exploited. First, you will learn how to use PsExec to run commands on remote Windows hosts. Next, you will discover how to leverage PsExec to run programs remotely. Finally, you will explore how to laterally move throughout a Windows domain using PsExec. When you are finished with this course, you will have the skills and knowledge of PsExec needed to leverage it for lateral movement in a Windows domain.

Table of contents
  1. Course Overview
  2. Lateral Movement with PsExec
  3. Resources

Lateral Movement with WMIOps

by Matt Glass

Sep 25, 2020 / 24m

Description

Do you need a tool that can run commands on remote Windows hosts from an exploited machine? In this course, Lateral Movement with WMIOps, you’ll cover how to utilize WMIOps to complete lateral movement in a red team environment.

First, you’ll demonstrate executing commands on remote hosts.
Next, you’ll apply these skills to gather information from Windows servers.
Finally, you’ll simulate lateral movement by opening remote PowerShell sessions on Windows devices.

When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques T1047: Windows Management Instrumentation and T1077: Windows Admin Shares using WMIOps.

Table of contents
  1. Course Overview
  2. Lateral Movement with WMIOps
  3. Resources

Lateral Movement with CrackMapExec

by Jurriën

May 20, 2021 / 23m

Description

As a pentester or red teamer, you most likely encounter Windows domains on a regular basis. If you are looking for a single tool offering a multitude of options for you to gather information and use it to further your presence within the network, CrackMapExec is the tool to help you. In this course, Lateral Movement with CrackMapExec, you will learn how to utilize CME for Windows AD navigation in a Red Team environment. First, you'll explore how to get CME up and running. Next, you'll discover how to gather credentials from endpoints and possibly domain controllers [T1021.002] and use them to further the penetration [T1021.006] of the AD network. Finally, you'll learn that you won’t always need to crack the password to authenticate against systems when you find an account where Kerberos Pre-Auth has been disabled [T1558.004]. When you’re finished with this course, you’ll have the skills and knowledge to leverage CrackMapExec for lateral movement within AD networks.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Lateral Movement with CrackMapExec
  3. Resources

Lateral Movement with Infection Monkey

by Maril Vernon

Aug 11, 2020 / 28m

Description

Unsure of whether or not configuration vulnerabilities are providing adversaries with a clear path of lateral movement within your environment? Or do you have untested controls you are “pretty sure” defend against lateral movement?

In this course, Lateral Movement with Infection Monkey, you will learn how to configure and employ the Infection Monkey to test for lateral movement and network segmentation against known MITRE tactics.

First, you will learn how to launch the team server and GUI client.
Next, you will discover how to configure the Monkey against MITRE.
Finally, you will explore how to identify the vulnerable network paths and interpret results for actionable hardening steps.

When you are finished with this course, you will have the skills and knowledge of lateral movement, network discovery, and credential compromise techniques needed to take steps to proactively improve security posture against them.

Table of contents
  1. Course Overview
  2. Lateral Movement with Infection Monkey
  3. Resources

ATT&CK - Collection (TA0009)

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives.

Collection with PowerSploit

by Ricardo Reimao

May 29, 2020 / 28m

Description

One of the main differences between a penetration test and a red team engagement is executing the same attacks as malicious actors to demonstrate the impact of a real attack to our clients. Therefore, after getting access to a few machines in the network, your job is to look for sensitive information that could be interesting for hackers. In this course, Collection with PowerSploit, you will cover one of the most important tools for a red team specialist, the PowerSploit framework. Here, you will focus on the collection capabilities of this tool, which include collecting keystrokes using a stealthy keylogger, collecting screenshots, collecting audio from the victim’s microphone, and even searching for sensitive files on the computers and network shared folders. This course covers four important tactics from the MITRE ATT&CK framework: Audio Capture (T1123), Input Capture (T1056), Screen Capture (T1113) and Data from Network Shared Drive (T1039).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Collecting Sensitive Data with PowerSploit
  3. Resources

Collection with PowerUpSQL

by Ricardo Reimao

Sep 18, 2020 / 26m

Description

An important step in a red team engagement is collecting sensitive information. By demonstrating what kind of data a hacker could have access to, your client can better understand the impact of a real cyber-attack. In this course, Collection with PowerUpSQL, you will cover one of the most important tools for exploiting Microsoft SQL databases, the PowerUpSQL framework. First, you will learn how to get access to the database by discovering weak credentials in your target. Next, you will explore how to find and collect sensitive data in the database, including credit card information and stored passwords. Finally, you will see how to simulate a malicious attack of modifying stored data, hiding your tracks, and deleting entire tables. When you are finished with this course, you will have the skills and knowledge of PowerUpSQL needed to collect sensitive data from your target Microsoft SQL databases and cover four important tactics from the MITRE ATT&CK framework: Valid Accounts (T1078), Data from Local System (T1005), Stored Data Manipulation (T1492) and Data Destruction (T1485).

Table of contents
  1. Course Overview
  2. Collecting Sensitive Data with PowerUpSQL
  3. Resources

ATT&CK - Command and Control (TA0011)

Command and Control consists of techniques that adversaries use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Command and Control with Covenant

by Aaron Rosenmund

Nov 4, 2020 / 19m

Description

Testing systems against advanced adversary techniques is required not just for red team operations but for targeted testing of defensive and detective measures on a network. Growing the skills to emulate the steadily advancing adversary capabilities within your team is a moving target that is complicated by the multitude of attack techniques available. In this course, Command and Control with Covenant, you will gain the ability to leverage the advanced .NET in-memory compilation techniques used by the open-source Covenant project to emulate adversary communication within an environment. First, you will learn to install the command and control infrastructure used to control compromised systems. Next, you will explore how to create and install implants called grunts to connect back to the adversary server. Finally, you will explore how to run tasks, gather information, and spread laterally within the Covenant C2 framework. When you are finished with this course, you will have the skills and knowledge of the Covenant command and control framework needed to emulate post-exploitation techniques aligned with MITRE ATT&CK.

Table of contents
  1. Tool Introduction
  2. Emulation Adversary C2 and Lateral Movement Operations with Covenant
  3. Resources

Command and Control with Pupy

by Matt Glass

Sep 25, 2020 / 25m

Description

Are you looking for a tool that can help you manage your target workstations after you exploited them? In this course, Command and Control with Pupy, you will gain the ability to manage target sessions, collect information, and run additional attacks from a single interface. First, you will learn how to generate client files in Pupy. Next, you will discover how to use different encryption protocols in Pupy. Finally, you will explore how to capture information from targets using Pupy. When you are finished with this course, you will have the skills and knowledge needed to manage exploited targets with Pupy.

Table of contents
  1. Tool Introduction
  2. Command and Control, Privilege Escalation, and Collection with Pupy
  3. Resources

Command and Control with Empire

by Rishalin Pillay

Sep 17, 2020 / 22m

Description

Are you looking to use Empire in a red team engagement? In this course, Command and Control with Empire, you’ll learn how to utilize Empire for command and control in a red team environment. First, you’ll see how to leverage multi-hop proxies for C2. Next, you’ll learn to apply file upload capabilities and registry commands to establish remote access. Finally, you’ll explore how to simulate establishing a C2 channel over a non-standard port. When you’re finished with this course, you’ll have the skills and knowledge to execute ingress tool transfer (T1105), remote access software (T1219), non-standard port (T1571) and multi-hop proxy (T1090.003) using Empire.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Command and Control with Empire
  3. Resources

Command and Control with Merlin

by Zach Roof

Dec 21, 2020 / 27m

Description

Want to learn how a C2 server can be leveraged to steal a database backup? If so, you’re in the right place! In this course, Command and Control with Merlin, we’ll cover how to utilize Merlin to execute data exfiltration in a red team environment. First, you’ll witness how Merlin evades network packet detection via the HTTP/3 protocol. Second, you’ll use Merlin’s HTTP/3 functionality to upload a recon script. Finally, you’ll use the results of the recon script to exfiltrate a database backup to the Merlin C2 server. During each step of the process, we’ll see what Merlin attacks are discovered by Wazuh (a host-based intrusion detection system) and Suricata (a network-based intrusion detection system). No previous Wazuh or Suricata experience is required. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques: Exfiltration Over C2 Channel (T1041), Ingress Tool Transfer (T1105), Application Layer Protocol (T1071) using Merlin.

Table of contents
  1. Course Overview
  2. Command and Control with Merlin
  3. Resources

Command and Control with PoshC2

by Jeff Stein

Oct 15, 2020 / 27m

Description

On the Windows OS, PowerShell can offer effective control of a system. This course will give you the skills and understanding to harness PowerShell to further your red teaming objectives towards command and control of a victim system. In this course, Command and Control with PoshC2, you’ll cover how to utilize PoshC2 to execute privilege escalation in a red team environment. First, you’ll demonstrate ways to gain system access and evade detection using the PoshC2 implant. Next, you’ll apply the built-in PoshC2 modules to send commands to enumerate the victim system. Finally, you’ll simulate the harvesting of credentials to escalate privilege with PowerShell. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques using PoshC2: Application Layer Protocol: Web Protocols (T1071.001), Account Discovery: Local Account (T1087.001) and Remote Access Software (T1219).

Table of contents
  1. Course Overview
  2. Leveraging Poshc2 to Control Victim Systems
  3. Resources

ATT&CK - Exfiltration (TA0010)

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once data has been obtained, adversaries will often times package it to avoid detection as it is removed.

Exfiltration with Dnscat2

by Cristian Pascariu

Sep 10, 2020 / 23m

Description

Tight network restrictions might hinder the ability to establish a C2 communication channel. To overcome these limitations an offensive security analyst will rely on abusing other legitimate protocols. In this course, Exfiltration with Dnscat2, you’ll cover how to utilize Dnscat2 for data exfiltration in a red team environment. First, you’ll set up an alternative C2 channel. Next, you’ll bypass network restrictions. Finally, you’ll simulate a data exfiltration attack. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques T1048, T1022, and T1071 using Dnscat2.

Table of contents
  1. Course Overview
  2. Exfiltrating Data Using DNS Tunneling with Dnscat
  3. Resources

Exfiltration with CloakifyFactory

by Rishalin Pillay

Oct 1, 2021 / 20m

Description

Exfiltration consists of techniques that adversaries may use to steal data from your network. In this course, Exfiltration with CloakifyFactory, you’ll learn how to utilize CloakifyFactory to execute exfiltration techniques in a red team environment. First, you’ll discover exfiltration over C2. Next, you’ll apply exfiltration using a web service. Finally, you’ll simulate exfiltration over an alternative protocol. When you’re finished with this course, you’ll have the skills and knowledge to execute techniques T1041, T1567.002, and T1048.001 using CloakifyFactory. More importantly, knowing how these techniques can be used against you will ultimately lend to your ability as an organization, or an individual, to detect and defend against specific attack vectors.

Table of contents
  1. Course Overview (trailer)
  2. Exfiltration with CloakifyFactory
  3. Resources

Exfiltration with Powershell-RAT

by Uzair Ansari

Oct 6, 2021 / 20m

Description

PowerShell is an important subject of which to have a working knowledge. In this course, Exfiltration with Powershell-RAT, you’ll cover how to utilize the Powershell-RAT tool to execute a backdoor attack in a red team environment. First, you’ll go through some of the scripts that perform the specific tasks that enable you to perform the attack. Next, you’ll apply the necessary configurations to facilitate transmission of user activity screenshots as an email attachment that will be sent to the attacker. Finally, you’ll simulate the attack by executing the Python script. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques using Powershell RAT: T1113 - Screen Capture, T1053.005 - Scheduled Task/Job: Scheduled Task, T1020 - Automated Exfiltration, and T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.

More importantly, knowing how these techniques can be used against you will ultimately add to your ability as an organization, or an individual, to detect and defend against specific attack vectors.

Table of contents
  1. Course Overview
  2. Exfiltration with Powershell RAT
  3. Resources

ATT&CK - Impact (TA0040)

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Adversaries are trying to manipulate, interrupt, or destroy your systems and data.

Impact with Slowloris

by Pinal Dave

May 20, 2021 / 21m

Description

Knowing how to use Slowloris, and how Denial of Service techniques can be used against you, will ultimately help your organization detect and defend against specific attacks. In this course, Impact with Slowloris, you’ll learn how to utilize Slowloris to execute Impact techniques in a red team environment. First, you’ll discuss this tool, the legal aspects, and the outcome you can expect from the engagement. Next, you'll learn about the installation and environmental setup of Slowloris. Finally, you’ll simulate a Denial of Service attack. When you’re finished with this course, you’ll have the skills and knowledge to execute these Denial of Service attack techniques using Slowloris.

Table of contents
  1. Course Overview
  2. Impact with Slowloris
  3. Resources

Impact with Low Orbit Ion Cannon (LOIC)

by Matt Glass

Sep 30, 2021 / 23m

Description

Are you looking for a tool to test an application’s resilience against denial of service attacks? In this course, Impact with Low Orbit Ion Cannon (LOIC), you’ll learn how to utilize LOIC to execute Denial of Service (DoS) attacks in a red team environment. First, you’ll access the LOIC interface and discover its features. Next, you’ll apply what you learned to execute a network flood attack on a remote host. Finally, you’ll simulate a Distributed Denial of Service (DDoS) attack by using the hivemind feature to control multiple hosts running LOIC. When you’re finished with this course, you’ll have the skills and knowledge to execute the MITRE ATT&CK techniques Direct Network Flood (T1498.001) and Service Exhaustion Flood (T1499.002) using LOIC. More importantly, knowing how these techniques can be used against you will ultimately add to your ability as an organization, or an individual, to detect and defend against specific attack vectors.

Table of contents
  1. Course Overview
  2. Impact with Low Orbit Ion Cannon (LOIC)
  3. Resources

Learning Paths

Red Team Tools

  • Number of courses: 54
  • Duration: 23 hours
