Red Team Tools

Authors: Aaron Rosenmund, Ricardo Reimao, Tim Tomes, Rishalin Pillay, Lee Allen, Matt Glass, Josh Stroschein, Casey Dunham, Jeff Stein, Dawid Czagan, Guillaume Ross, Maril Vernon, Cristian Pascariu

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a

  • Technical Information Gathering
  • People Information Gathering
  • Technical Weakness Identification
  • Build Capabilities
  • Stage Capabilities

The ATT&CK section outlines tools used to achieve the following outcomes:
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

What you will learn

  • What the tool is and does
  • Where to get it
  • How to emulate adversary techniques

Pre-requisites

  • Security fundamentals
  • Ethical hacking fundamentals
  • Security testing fundamentals

Introduction

The first course in this series discusses leveraging the MITRE ATT&CK framework in combination with open source tools to emulate adversary attacks.

Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK

by Aaron Rosenmund

Apr 30, 2020 / 17m

Description

Resources and time are limited, and validation of security operations capabilities and defenses is elusive if not non-existent. Red team operations of all different shapes and sizes fill in this gap, but where do you start? In this course, Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK, you will gain the ability to prioritize and emulate techniques based on threat groups with the capability and intent to threaten your organization. First, you will learn about the different implementations of red team expertise within organizations. Next, you will discover the relationship between the tools and APT MITRE ATT&CK techniques. Finally, you will explore how to operationalize adversary threat intelligence with ATT&CK Navigator. When you are finished with this course, you will have the skills and knowledge of red team tools for emulated adversary techniques with MITRE ATT&CK needed to leverage the red team tools path to emulate threats and validate your organization's security operations.

Table of contents
  1. Course Overview
  2. Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK
  3. Resources

PRE-ATT&CK - Technical Information Gathering (TA0015)

Technical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack. Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.

Technical Information Gathering with theHarvester

by Ricardo Reimao

Jun 4, 2020 / 20m

Description

The reconnaissance phase is one of the most important phases of a red team engagement. It is in this phase that you gather information about your target so you can select which machines to exploit and how to exploit them. In this course, Technical Information Gathering with theHarvester, you will cover one of the most important tools for information gathering, theHarvester. First, you will learn to gather DNS subdomains. Then, you will discover how to gather IP addresses from your target. Finally, you will explore how to automatically search for information regarding the people that work in your target company, including email addresses, Twitter accounts, and even LinkedIn profiles. By the end of this course, you will know four important tactics from the MITRE PRE-ATT&CK framework: Determine domain and IP Address Space (T1250), Conduct Active Scanning (T1254), Discover target logon/email address format (T1255) and Mine Social Media (T1273).

Table of contents
  1. Course Overview
  2. Gathering Target Information with theHarvester
  3. Resources

Technical Information Gathering with Recon-ng

by Tim Tomes

Jun 22, 2020 / 40m

Description

Reconnaissance, also referred to as Open Source Intelligence (OSINT) gathering, is often viewed as the least important step of any information security testing methodology, and disregarded for this very reason. But rather than skip reconnaissance due to a perceived lack of value, we can increase its worth by reducing the time it takes to conduct these activities. In this course, Technical Information Gathering with Recon-ng, you will gain the ability to efficiently and effectively gather and analyze technical information from open sources. First, you will learn installation and configuration tips and be introduced to the interactive command line interface of Recon-ng. Next, you will discover installing, running, and configuring Recon-ng modules to harvest and transform data. Finally, you will explore how to analyze and export data for collaboration or use with other tools. When you are finished with this course, you will have the skills and knowledge of Recon-ng needed to accelerate the technical information gathering process and fuse results with the remainder of Red Team activities.

Table of contents
  1. Course Overview
  2. Technical Information Gathering with Recon-ng
  3. Resources

Technical Information Gathering with Maltego CE

by Ricardo Reimao

Aug 27, 2020 / 25m

Description

Performing extensive information gathering about your target is crucial in a red team engagement. You should have as much information as possible about the technology and people in your target organization. In this course, Technical Information Gathering with Maltego CE, you will explore one of the most well-known information gathering tools amongst red team professionals, the Maltego framework. First, you will learn the basics about the tool and how Maltego uses its Transforms to collect data about our targets. Next, you will explore how to collect technical information such as DNS subdomains, IP addresses, and even the location of your target servers. Finally, you will see how to collect information about the people that work in the company, including collecting email addresses from employees as well as researching whether accounts from the company were leaked in previous data breaches. When you are finished with this course, you will have the skills and knowledge of Maltego CE needed to gather technical and people information from your target organization, covering three important tactics from the MITRE PRE-ATT&CK framework: Determine domain and IP address space (T1250), Conduct passive scanning (T1253), and Identify People of Interest (T1269).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Finding Technical and People Information with Maltego
  3. Resources

PRE-ATT&CK - People Information Gathering (TA0016)

People Information Gathering consists of the process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack. People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack.

People Information Gathering with the Social Engineering Toolkit (SET)

by Rishalin Pillay

Aug 6, 2020 / 23m

Description

Social engineering assesses people, processes, and procedures by using attack vectors such as email, malicious wireless networks and more in an attempt to breach organizational safeguards. In this course, People Information Gathering with the Social Engineering Toolkit (SET), you will cover how to utilize the Social Engineer Toolkit for Initial Access in a red team environment. First, you will demonstrate the ability to craft social engineering attacks such as spear phishing using various payloads. Next, you will work with other attack vectors within the Social Engineer Toolkit which relate to malicious payloads and integration into Metasploit. Finally, you will be able to simulate a social engineering attack. When you are finished with this course, you will have the skills and knowledge to execute these techniques: Conduct Social Engineering (T1268) and Spearphishing for information (T1397) using the Social Engineer Toolkit.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Social Engineering with Phishing and User Execution
  3. Resources

PRE-ATT&CK - Technical Weakness Identification (TA0018)

Technical weakness identification consists of identifying and analyzing weaknesses and vulnerabilities collected during the intelligence gathering phases to determine the best approach based on technical complexity and adversary priorities (e.g., expediency, stealthiness).

Technical Weakness Identification with Nikto

by Lee Allen

Aug 18, 2020 / 20m

Description

Would you like to identify web server weaknesses and vulnerabilities during the reconnaissance phase? In this course, Technical Weakness Identification with Nikto, you will gain the ability to scan web servers for vulnerabilities and misconfigurations. First, you will learn how to use Nikto to perform a web server vulnerability scan. Next, you will discover options within Nikto that allow you to start scans against multiple hosts. Finally, you will explore how to use the Nikto configuration file to set up static cookies and to send scan traffic through a proxy. When you are finished with this course, you will have the skills and knowledge of web server scanning with Nikto needed to identify web server vulnerabilities.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Scanning an Application with Nikto
  3. Resources

PRE-ATT&CK - Build Capabilities (TA0024)

Building capabilities consists of developing and/or acquiring the software, data and techniques used at different phases of an operation. This is the process of identifying development requirements and implementing solutions such as malware, delivery mechanisms, obfuscation/cryptographic protections, and call back and O&M functions.

Privilege Escalation and Client Execution with MSFVenom

by Matt Glass

Jan 21, 2020 / 24m

Description

Would you like to learn how to use a tool that can generate payloads for you? In this course, Privilege Escalation and Client Execution with MSFVenom, you will gain the ability to generate a variety of shell code payloads to fit your exploit, target, and situation. First, you will learn how to generate a payload within a standalone executable. Next, you will discover options within MSFVenom to change the payload capabilities. Finally, you will explore how to generate a payload for use in an existing exploit. When you are finished with this course, you will have the skills and knowledge of payload generation with MSFVenom needed to exploit vulnerabilities.

Table of contents
  1. Tool Introduction
  2. Privilege Escalation and Client Execution
  3. Resources

ATT&CK - Initial Access (TA0001)

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spear phishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Initial Access with Aircrack-ng

by Ricardo Reimao

Feb 14, 2020 / 21m

Description

Exploiting wireless networks is one of the most effective ways to get access to the internal network of a company. It usually gives you the same level of access as regular employees at the office, and WiFi networks can usually be accessed from outside of the building. In this course, Initial Access with Aircrack-ng, we explore the Aircrack-ng WiFi security assessment tool. First, you will see how to identify potential target networks and exploit vulnerabilities in both WEP and WPA/WPA2 protocols. Then, you will learn how to crack the passwords for WEP networks and how to brute force credentials for networks. Finally, you will discover how to cause denial of service in the WiFi network, which can be a good distraction mechanism for a bigger attack. By the end of this course, you will be able to protect your networks with three important tactics from the MITRE ATT&CK framework: WiFi Access Points (Initial Access - T1465), Brute Force (Credential Access - T1110), and Denial of Service (Impact - T1464).

Table of contents
  1. Tool Introduction
  2. WiFi Password Cracking with Aircrack-ng
  3. Resources

Initial Access with Luckystrike

by Josh Stroschein

Aug 3, 2020 / 34m

Description

Creating and managing malicious office documents is a common red team task. However, managing all of the payloads, templates, and potential anti-virus bypasses can become very tedious. In this course, Initial Access with Luckystrike, you will gain the ability to not only create malicious office documents, but manage them in a straightforward framework. First, you will learn how to build your catalog to add a variety of payloads. Next, you will discover how to import templates to help create custom malicious office documents. Finally, you will explore how to integrate custom payloads from other red team tools. When you are finished with this course, you will have the skills and knowledge of Luckystrike needed to manage all of your malicious document needs.

Table of contents
  1. Course Overview
  2. Creating Malicious Office Documents with Luckystrike
  3. Resources

Initial Access with WiFi-Pumpkin

by Ricardo Reimao

Mar 20, 2020 / 22m

Description

Having valid credentials is one of the most effective ways of getting access to the internal network of a company. It gives you the same level of access as a target employee, which often includes VPN access to the internal network as well as several external systems. In this course, Initial Access with WiFi-Pumpkin, you will explore the WiFi-Pumpkin tool, which is a rogue access point framework developed by Marcos Bomfim from P0cL4bs. First, you will learn how to create rogue access points that look exactly like the WiFi network of your target company. Then, you will see how to set up captive portals, so that when users try to log in to your rogue access point, they will be prompted to type their domain credentials and you can harvest them to use in other attacks. Finally, you will discover how to set up a rogue access point, how to set up a fake captive portal, how to customize the login page, and how to harvest the credentials that were submitted. By the end of this course, you will know two important tactics from the MITRE ATT&CK framework: Rogue WiFi Access Points (T1465) and Valid Accounts (T1078).

Table of contents
  1. Course Overview
  2. Credential Harvesting with Fake Captive Portals
  3. Resources

Initial Access with Gophish

by Matt Glass

Aug 7, 2020 / 30m

Description

Are you looking for a tool that can quickly and easily set up phishing campaigns and host its own landing pages? In this course, Initial Access with Gophish, you’ll cover how to utilize Gophish to complete Initial Access in a red team environment. First, you’ll see how to install Gophish and navigate through its features. Next, you’ll explore social engineering techniques to execute a malicious link phishing campaign and capture credentials. Finally, you’ll discover how to simulate a malicious attachment attack to gain access to your target. When you’re finished with this course, you’ll have the skills and knowledge to execute this technique - T1566: Spearphishing using Gophish.

Table of contents
  1. Course Overview
  2. Initial Access with Gophish
  3. Resources

Initial Access with sqlmap

by Casey Dunham

Oct 12, 2020 / 23m

Description

SQL injection flaws are one of the most critical application vulnerabilities. They can affect any application that uses a database, and a single flaw can lead to data loss or even server compromise. In this course, Initial Access with sqlmap, you'll learn how to use this powerful tool to identify and exploit a variety of SQL injection flaws in a red team environment. First, you'll discover how to set up sqlmap's command line and test authenticated web pages. Next, you'll use sqlmap's built-in enumeration tools to exfiltrate user data. Then, you'll delve into tuning sqlmap's parameters when crawling applications. Finally, you'll exploit a SQL injection to gain initial system access. When you're finished with this course, you'll have the skills and knowledge of sqlmap needed to streamline the process of finding and exploiting SQL injection flaws.

Table of contents
  1. Course Overview
  2. Exploiting SQL Injections with sqlmap
  3. Resources

Initial Access with King Phisher

by Jeff Stein

Oct 14, 2020 / 28m

Description

Through the use of phishing techniques, you'll learn the skills and understanding to further your red teaming objectives towards initial access. In this course, Initial Access with King Phisher, you'll see how to utilize King Phisher to execute a phishing attack in a red team environment. First, you'll demonstrate your ability to identify a victim and enumerate DNS to craft a successful phishing campaign. Next, you'll apply a spearphishing technique to target a victim. Finally, you'll simulate harvesting victim credentials by crafting a landing page to use in the attack. When you're finished with this course, you'll have the skills and knowledge to execute these techniques using King Phisher: Phishing: Spearphishing Link (T1566.002) and Valid Accounts (T1078).

Table of contents
  1. Course Overview
  2. Executing a Phishing Campaign and Gather Credentials with King Phisher
  3. Resources

ATT&CK - Execution (TA0002)

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often coupled with techniques from other tactics to achieve broader goals, like stealing data.

Execution with macro_pack

by Ricardo Reimao

Sep 4, 2020 / 23m

Description

Masquerading malicious files as legitimate files is crucial for a successful phishing attack. When the malicious payload is hidden in legitimate documents, the victims are more likely to open the file, giving us access to their computer. In this course, Execution with macro_pack, you will see one of the most useful tools for malicious file masquerading, macro_pack. First, you will learn the basics about malicious file masquerading and get an overview of the macro_pack tool. Next, you will explore how to hide a Metasploit Meterpreter payload in a Microsoft Word file. Finally, you will learn how to create a file dropper with macro_pack, which can be used to distribute malware hosted on remote servers via innocuous-looking Microsoft Excel spreadsheets. When you are finished with this course, you will have the skills and knowledge of the macro_pack tool needed to masquerade malicious payloads as Microsoft Office files, covering three important tactics from the MITRE ATT&CK framework: User Execution - Malicious File (T1204.002), Command and Scripting Interpreter - Visual Basic (T1059.005) and Phishing - Spearphishing Attachment (T1566.001).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Masquerading Malicious Payload with macro_pack
  3. Resources

ATT&CK - Persistence (TA0003)

Persistence consists of techniques that adversaries use to maintain their foothold on systems.

Persistence with Empire

by Rishalin Pillay

Oct 23, 2020 / 23m

Description

Are you looking to obtain persistence using Empire? In this course, you'll cover how to utilize Empire for persistence in a red team environment. First, you'll demonstrate how to obtain a high integrity persistent agent. Next, you'll apply registry and WMI attacks for persistence. Finally, you'll simulate using a specific user for persistence callbacks. When you're finished with this course, you'll have the skills and knowledge to execute these techniques using Empire: T1547.001, T1548.001, T1546.003, T1136.001 and T1053.002.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Maintaining Persistent Access Using Empire
  3. Resources

ATT&CK - Defense Evasion (TA0005)

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware.

Defense Evasion with Invoke-Obfuscation

by Ricardo Reimao

Apr 10, 2020 / 24m

Description

One of the main objectives of a red team engagement is to not get caught by the client's detection mechanisms. If you simply run your malicious code on a production server, you will most likely get caught by Windows Defender or the anti-virus solution. For this reason, obfuscating scripts to bypass those detection mechanisms is essential. In this course, Detection Evasion with Invoke-Obfuscation, you will explore how to bypass detection tools such as anti-virus solutions by obfuscating your malicious scripts. First, you will learn what script obfuscation is and how you can use it in your red team engagement. Then, you will see how to install the tool in Kali Linux. Finally, you will explore how to use the Invoke-Obfuscation tool to bypass the anti-virus and run a malicious payload on a fully patched Windows server. By the end of this course, you will know how to use the Invoke-Obfuscation PowerShell tool to obfuscate other PowerShell scripts, with the intent of evading detection. This course covers two important tactics from the MITRE ATT&CK framework: Obfuscated Files or Information (T1027) and Deobfuscate/Decode Files or Information (T1140).

Table of contents
  1. Course Overview
  2. Bypassing Anti-virus Detection with Invoke-Obfuscation
  3. Resources

ATT&CK - Credential Access (TA0006)

Credential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

Credential Access with Hashcat

by Dawid Czagan

May 4, 2020 / 28m

Description

Red team members and penetration testers need to know how to crack passwords with different password cracking techniques. In this course, Credential Access with Hashcat, you will learn about Hashcat, the number one offline password cracker. First, you will see how to launch a dictionary attack using Hashcat. Next, you will discover how you can crack more passwords when you launch a dictionary attack with a rule. Then, you will learn how to launch a dictionary attack with a mask (also known as a hybrid attack). Finally, you will explore how to use Hashcat to crack password-protected PDF and DOCX files. By the end of this course, you will know how to use Hashcat to crack passwords with different password cracking techniques.

Table of contents
  1. Course Overview
  2. Password Cracking with Hashcat
  3. Resources

Credential Access with John the Ripper

by Rishalin Pillay

May 22, 2020 / 23m

Description

Password cracking is a common task performed in a red team engagement, but understanding how to use the tools can be daunting. In this course, Credential Access with John the Ripper, you will gain the ability to crack commonly used password hashes leveraging the highly customizable tool, John the Ripper. First, you will learn how to navigate the syntax of John and amp up your cracking capabilities by obtaining rich wordlists and permuting them. Next, you will discover how to perform password cracking for common operating systems such as Windows and Linux. Finally, you will explore how to use John within a Metasploit session, giving you the ability to perform password cracking during the exploitation phase. When you are finished with this course, you will have the skills and knowledge of John the Ripper needed to amplify your red team engagements when performing password cracking.

Table of contents
  1. Course Overview
  2. Credential Dumping and Brute Force Capabilities of John the Ripper
  3. Resources

Credential Access with Mimikatz

by Lee Allen

Aug 14, 2020 / 25m

Description

Would you like to be able to see clear text credentials stored in memory? How about harvesting clear text credentials stored in protected files? In this course, Credential Access with Mimikatz, you will learn how to leverage the advanced credential access capabilities of the open-source Mimikatz project towards post-exploitation activities. First, you will see how to harvest password hashes and clear text user names and passwords for active login sessions stored in system memory. Next, you will discover how Mimikatz can be used to open memory dumps from other systems for situations where you may not be able to run Mimikatz on the victim machine. Finally, you will explore how to obtain clear text usernames and passwords stored by browsers, change domain user passwords on the fly, and capture passwords to file. When you are finished with this course, you will have the skills and knowledge of the open-source Mimikatz tool needed to emulate credential access techniques aligned with MITRE ATT&CK.

Table of contents
  1. Tool Introduction
  2. Credential Access and Persistence with Mimikatz
  3. Resources

Credential Access with Responder

by Ricardo Reimao

Sep 18, 2020 / 20m

Description

One of the main objectives in a red team engagement is to get access to several user accounts (lateral movement) as well as administrator accounts (privilege escalation). After getting initial access to the internal network, you can launch several attacks to harvest credentials. In this course, Credential Access with Responder, you will explore one of the most important tools for lateral movement and privilege escalation, the Responder tool, an LLMNR, NBT-NS, and MDNS poisoner developed by Laurent Gaffie. First, you will exploit vulnerabilities in the LLMNR protocol. Then, you will use the NBT-NS and MDNS protocols to gather credentials of domain users. Finally, you will learn not only how to get NTLM hashes, but also how to crack them to get plain text passwords and how to use those hashes in pass-the-hash attacks. By the end of this course, you will know two important tactics from the MITRE ATT&CK framework: LLMNR/NBT-NS Poisoning and Relay (T1171) and Network Sniffing (T1040).

Table of contents
  1. Course Overview
  2. LLMNR/NBT-NS Poisoning with Responder
  3. Resources

Credential Access with THC Hydra

by Lee Allen

Aug 19, 2020 / 27m

Description

There's no way around it: people are going to use weak passwords. THC Hydra will help you identify these passwords so that you can then use the information towards Red or Blue Teaming efforts. In this course, Credential Access with THC Hydra, you will learn how to brute force network logins. First, you will see where THC Hydra fits into the kill chain and the MITRE ATT&CK framework. Next, you will discover how the flexibility of THC Hydra can assist you in cracking passwords for various network protocols. Finally, you will explore how to leverage the password cracking capabilities of THC Hydra towards your own penetration testing or password strength assessment activities. When you are finished with this course, you will have the skills and knowledge needed to efficiently use THC Hydra towards your password cracking efforts.

Table of contents
  1. Course Overview
  2. Password Cracking with THC Hydra
  3. Resources

Credential Access with Cain & Abel

by Jeff Stein

Jul 28, 2020 / 25m

Description

Cain & Abel is a versatile tool for the Windows operating system which can help further your red teaming objectives with techniques ranging from manipulating network traffic to cracking passwords using brute force and cryptanalysis attacks.

In this course, Credential Access with Cain & Abel, you will gain the ability to access credential sets in a victim network.

First, you will learn to perform network reconnaissance from the Windows operating system.
Next, you will discover how you can use a man-in-the-middle attack to access the credentials transmitted between victims on a network.
Finally, you will explore how to remotely exploit a victim for harvested credentials which can then be cracked by the tool suite.

When you are finished with this course, you will have the skills and knowledge of Cain & Abel needed to access valid credential sets and move through a network during an attack engagement.

Table of contents
  1. Course Overview
  2. Credential Access with Cain and Abel
  3. Resources

ATT&CK - Discovery (TA0007)

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective.

Discovery with ADRecon

by Ricardo Reimao

Sep 18, 2020 / 22m

Description

The Active Directory of a company is a valuable source of information for a red team specialist. In there, you can find information about the users, computers, and even security policies. In this course, Discovery with ADRecon, you will learn about ADRecon, developed by Prashant Mahajan, which enables red team specialists to generate interesting reports from the Active Directory of a target company. First, you will discover the importance of Active Directory data in a red team engagement and how this data can help you in further attacks. Then, you will see how to use the ADRecon tool to extract data from your client's Active Directory and generate a complete report about the environment. Finally, you will explore how to perform a Kerberoast attack using the ADRecon tool, in which you will gather hashed credentials from the Active Directory and crack them using Hashcat. When you are finished with this course, you will have the skills and knowledge to extract valuable information from AD and plan your next attacks. This course covers five important tactics from the MITRE ATT&CK Framework: Password Policy Discovery (T1201), Permission Groups Discovery (T1069), Account Discovery (T1087), Data from Information Repositories (T1213) and Kerberoasting (T1208).

Table of contents
  1. Course Overview
  2. Active Directory Enumeration
  3. Resources

Discovery with BloodHound

by Guillaume Ross

Apr 20, 2020 / 21m

Description

Understanding the relationship between thousands of Active Directory objects can be difficult. Users are members of groups, which can be nested in other groups, and linked to thousands of permissions. In this course, Discovery with BloodHound, you will gain the ability to use BloodHound to quickly find the shortest path to compromise systems in an Active Directory environment. First, you will learn how to install BloodHound. Next, you will discover how to use SharpHound to gather data from AD. Finally, you will explore how to ingest and visualize that data, finding paths between objects and the ultimate goal, Domain Admin access. When you are finished with this course, you will have the skills and knowledge of BloodHound needed to start using it to attack AD, or to understand how to better defend it.

Table of contents
  1. Course Overview
  2. Discovering the Path to Domain Admin with BloodHound
  3. Resources

Discovery with Kismet

by Guillaume Ross

Oct 8, 2020 / 23m

Description

Have you ever needed to inventory devices or networks in an environment before deciding what to attack? Kismet is the perfect tool for this. In this course, Discovery with Kismet, you’ll discover how to utilize Kismet in a red team environment. First, you’ll see how to discover available wireless networks. Next, you’ll learn how to sniff traffic on networks. Finally, you’ll learn to eavesdrop on unencrypted data streams on wireless networks. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques using Kismet: T1040 - Network Sniffing, T1507 - Network Information Discovery, and T1439 - Eavesdrop on Insecure Network Communication. Plus, you'll even know how to discover Bluetooth devices and planes!

Table of contents
  1. Course Overview (Tool Introduction)
  2. Using Kismet to Discover Wireless Networks
  3. Resources

ATT&CK - Lateral Movement (TA0008)

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.

Lateral Movement with Mimikatz

by Lee Allen

Aug 14, 2020 / 29m

Description

Would you like to move from system to system without clear text credentials? How about impersonating a domain controller to inject data of your choosing? In this course, Lateral Movement with Mimikatz, you will learn how to leverage the advanced lateral movement capabilities of the open-source Mimikatz project towards post-exploitation activities. First, you will see how to 'Pass the Hash' to authenticate without the need of a clear text password. Next, you will discover how Mimikatz is used to bypass the domain controllers with 'Pass the Ticket'. Finally, you will explore how to create golden and silver tickets to impersonate domain users and service accounts. When finished with this course, you will have the skills and knowledge of the open-source Mimikatz tool needed to emulate lateral movement techniques aligned with Mitre ATT&CK.

Table of contents
  1. Tool Introduction
  2. Lateral Movement and Defense Evasion with Mimikatz
  3. Resources

Lateral Movement with PsExec

by Matt Glass

Sep 25, 2020 / 21m

Description

Would you like to learn how to execute commands, programs, and open command prompts or PowerShell sessions on remote Windows hosts? In this course, Lateral Movement with PsExec, you will gain the ability to use PsExec to laterally move throughout a Windows domain from a host you already exploited. First, you will learn how to use PsExec to run commands on remote Windows hosts. Next, you will discover how to leverage PsExec to run programs remotely. Finally, you will explore how to laterally move throughout a Windows domain using PsExec. When you are finished with this course, you will have the skills and knowledge of PsExec needed to leverage it for lateral movement in a Windows domain.

Table of contents
  1. Course Overview
  2. Lateral Movement with PsExec
  3. Resources

Lateral Movement with WMIOps

by Matt Glass

Sep 25, 2020 / 24m

Description

Do you need a tool that can run commands on remote Windows hosts from an exploited machine? In this course, Lateral Movement with WMIOps, you’ll cover how to utilize WMIOps to complete lateral movement in a red team environment.

First, you’ll demonstrate executing commands on remote hosts.
Next, you’ll apply these skills to gather information from Windows servers.
Finally, you’ll simulate lateral movement by opening remote PowerShell sessions on Windows devices.

When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques, T1047: Windows Management Instrumentation and T1077: Windows Admin Shares, using WMIOps.

Table of contents
  1. Course Overview
  2. Lateral Movement with WMIOps
  3. Resources

Lateral Movement with Infection Monkey

by Maril Vernon

Aug 11, 2020 / 28m

Description

Unsure of whether or not configuration vulnerabilities are providing adversaries with a clear path of lateral movement within your environment? Or do you have untested controls you are “pretty sure” defend against lateral movement? In this course, Lateral Movement with Infection Monkey, you will learn how to configure and employ the Infection Monkey to test for lateral movement and network segmentation against known MITRE tactics. First, you will learn how to launch the team server and GUI client. Next, you will discover how to configure the Monkey against MITRE. Finally, you will explore how to identify the vulnerable network paths and interpret results for actionable hardening steps. When you are finished with this course, you will have the skills and knowledge of lateral movement, network discovery, and credential compromise techniques needed to take steps to proactively improve security posture against them.

Table of contents
  1. Course Overview
  2. Lateral Movement with Infection Monkey
  3. Resources

ATT&CK - Collection (TA0009)

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives.

Collection with PowerSploit

by Ricardo Reimao

May 29, 2020 / 28m

Description

One of the main differences between a penetration test and a red team engagement is executing the same attacks as malicious actors to demonstrate the impact of a real attack to our clients. Therefore, after getting access to a few machines in the network, your job is to look for sensitive information that could be interesting for hackers. In this course, Collection with PowerSploit, you will cover one of the most important tools for a red team specialist, the PowerSploit framework. Here, you focus on the collection capabilities of this tool, which include collecting keystrokes using a stealthy keylogger, collecting screenshots, collecting audio from the victim’s microphone, and even searching for sensitive files on the computers and network shared folders. This course covers four important tactics from the MITRE ATT&CK framework: Audio Capture (T1123), Input Capture (T1056), Screen Capture (T1113) and Data from Network Shared Drive (T1039).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Collecting Sensitive Data with PowerSploit
  3. Resources

Collection with PowerUpSQL

by Ricardo Reimao

Sep 18, 2020 / 26m

Description

An important step in a red team engagement is collecting sensitive information. By demonstrating what kind of data a hacker could have access to, your client can better understand the impact of a real cyber-attack. In this course, Collection with PowerUpSQL, you will cover one of the most important tools for exploiting Microsoft SQL databases, the PowerUpSQL framework. First, you will learn how to get access to the database by discovering weak credentials in your target. Next, you will explore how to find and collect sensitive data in the database, including credit card information and stored passwords. Finally, you will see how to simulate a malicious attack of modifying stored data, hiding your tracks, and deleting entire tables. When you are finished with this course, you will have the skills and knowledge of PowerUpSQL needed to collect sensitive data from your target Microsoft SQL databases and cover four important tactics from the MITRE ATT&CK framework: Valid Accounts (T1078), Data from Local System (T1005), Stored Data Manipulation (T1492) and Data Destruction (T1485).

Table of contents
  1. Course Overview
  2. Collecting Sensitive Data with PowerUpSQL
  3. Resources

ATT&CK - Command and Control (TA0011)

Command and Control consists of techniques that adversaries use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Command and Control with Covenant

by Aaron Rosenmund

Dec 31, 2019 / 19m

Description

Testing systems against advanced adversary techniques is required not just for red team operations but for targeted testing of defensive and detective measures on a network. Growing the skills to emulate the steadily advancing adversary capabilities within your team is a moving target that is complicated by the multitude of attack techniques available. In this course, Command and Control with Covenant, you will gain the ability to leverage the advanced .NET, in-memory compilation techniques used by the open-source Covenant project to emulate adversary communication within an environment. First, you will learn to install the command and control infrastructure used to control compromised systems. Next, you will explore how to create and install implants called grunts to connect back to the adversary server. Finally, you will explore how to run tasks, gather information, and spread laterally within the Covenant C2 framework. When you are finished with this course, you will have the skills and knowledge of the Covenant command and control framework needed to emulate post-exploitation techniques aligned with Mitre ATT&CK.

Table of contents
  1. Tool Introduction
  2. Emulating Adversary C2 and Lateral Movement Operations with Covenant
  3. Resources

Command and Control with Pupy

by Matt Glass

Sep 25, 2020 / 25m

Description

Are you looking for a tool that can help you manage your target workstations after you exploited them? In this course, Command and Control with Pupy, you will gain the ability to manage target sessions, collect information, and run additional attacks from a single interface. First, you will learn how to generate client files in Pupy. Next, you will discover how to use different encryption protocols in Pupy. Finally, you will explore how to capture information from targets using Pupy. When you are finished with this course, you will have the skills and knowledge needed to manage exploited targets with Pupy.

Table of contents
  1. Tool Introduction
  2. Command and Control, Privilege Escalation, and Collection with Pupy
  3. Resources

Command and Control with Empire

by Rishalin Pillay

Sep 17, 2020 / 22m

Description

Are you looking to use Empire in a red team engagement? In this course, Command and Control with Empire, you’ll learn how to utilize Empire for command and control in a red team environment. First, you’ll see how to leverage multi-hop proxies for C2. Next, you’ll learn to apply file upload capabilities and registry commands to establish remote access. Finally, you’ll explore how to simulate establishing a C2 over a non-standard port. When you’re finished with this course, you’ll have the skills and knowledge to execute ingress tool transfer (T1105), remote access software (T1219), non-standard port (T1571) and multi-hop proxy (T1090.003) using Empire.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Command and Control with Empire
  3. Resources

Command and Control with PoshC2

by Jeff Stein

Oct 15, 2020 / 27m

Description

On the Windows OS, PowerShell can offer effective control of a system. This course will give you the skills and understanding to harness PowerShell to further your red teaming objectives towards command and control of a victim system. In this course, Command and Control with PoshC2, you’ll cover how to utilize PoshC2 to execute privilege escalation in a red team environment. First, you’ll demonstrate ways to gain system access and evade detection using the PoshC2 implant. Next, you’ll apply the built-in PoshC2 modules to send commands to enumerate the victim system. Finally, you’ll simulate the harvesting of credentials to escalate privilege with PowerShell. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques using PoshC2: Application Layer Protocol: Web Protocols (T1071.001), Account Discovery: Local Account (T1087.001) and Remote Access Software (T1219).

Table of contents
  1. Course Overview
  2. Leveraging PoshC2 to Control Victim Systems
  3. Resources

ATT&CK - Exfiltration (TA0010)

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once data has been obtained, adversaries will often package it to avoid detection as it is removed.

Exfiltration with Dnscat2

by Cristian Pascariu

Sep 10, 2020 / 23m

Description

Tight network restrictions might hinder the ability to establish a C2 communication channel. To overcome these limitations, an offensive security analyst will rely on abusing other legitimate protocols. In this course, Exfiltration with Dnscat2, you’ll cover how to utilize Dnscat2 for data exfiltration in a red team environment. First, you’ll set up an alternative C2 channel. Next, you’ll bypass network restrictions. Finally, you’ll simulate a data exfiltration attack. When you’re finished with this course, you’ll have the skills and knowledge to execute these techniques, T1048, T1022, and T1071, using Dnscat2.

Table of contents
  1. Course Overview
  2. Exfiltrating Data Using DNS Tunneling with Dnscat
  3. Resources