Presented By: Leszek Miś

The In & Out – Network Data Exfiltration Techniques [RED edition] training class has been designed to present students modern, emerging tools and techniques available for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. Highly technical content and only a hands-on practical approach guarantees that the usage of this transferred knowledge & technologies in real production environments will be easy, smooth and repeatable.

As for the introduction we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seeing in the wild and map the findings directly to ATT&CK Framework, kill chain methodology and defense/offense in depth strategy. We will also learn through the importance of network baselining, memory forensics, automated malware analysis solutions. Then, we will focus on the real threat simulation tactics that are the key important aspect of this training.

We will deep dive into the individual network protocols, services and post exploitation techniques commonly in use by adversaries in corporate networks and discuss the security detection features. Using available set of tools, the student will play one by one with well prepared exfiltration, pivoting, tunneling and protocol anomalies use-cases to generate the true network symptoms of modern attacker behavior.

This 3 day course will take place on the 9th, 10th and 11th of September 2019 in London.
The price is £1,950 (inc VAT). Book your place in our shop now.

Learning Objectives

  • Learn how to bypass Linux and Windows local security restrictions and command line arguments detections by using obfuscation and Living Off The Land Binaries And Scripts
  • Generate and run different, encrypted types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure port forwarding & proxying, change a transport on the fly and find what the network traffic artifacts of such actions are.
  • Manually generate suspicious network events from Python, ex. saturate a DHCP Server, establish a C2 connection by using QUIC, HTTP2, NTP, flood the network service, run a brute force attack, etc.
  • Simulate DNS DGA traffic, run a DNS tunnels and remote shells, exfiltrate and hide data transfer using DNS-over-HTTPS and explain how to gain the Internet connection on the plane or in the hotel for free through captive portal bypassing.
  • Use different HTTP techniques, headers and methods for stealing the data with combination of web application injection techniques (OOB) + walk through the world of web shells
  • Run, detect and understand a TLS/SSL-based anomalies and exfiltration methods
  • Run a cmd.exe and deliver compressed and encrypted, in-memory offensive Powershell scripts during a post-exploitation stage for leaking the data and bypassing AV / EDR / AMSI
  • Clone, armor and phish popular websites and use them for covert channel
  • Create CDN domain fronting setup and punch holes in the NAT
  • Achieve a big file ICMP packet dripping covert channel and monitor ICMP traffic
  • Cheat security platforms by running internal WMI, Websockets, WinRM or P2P covert channels
  • Hide a stolen data in binary file, WAV file, Image file or exfiltrate data from the air-gapped system using hops and bad USB
  • Configure the station to connect to anonymizers like external VPN, TOR, Open proxy and ‘ping’ to the IP/domains tagged on the globally recognized security feeds, rules or phishy lists
  • Use a popular cloud-based services for C2 communication and data stealing, ex. Pastebin, Twitter, AWS, Dropbox, etc.
  • Replay malicious PCAP files and in terms of network behaviour and analyze the malware samples using Cuckoo
  • Describe the syntax of signature-based rules works, how Suricata or Bro IDS can help you detect suspicious events and what are the differences between these two IDS engines
  • Understand values of automated attackers simulations
  • Run verification actions for IT security products and providers during PoC / PoV

And many, many more.

Through hands-on labs, this training delivers you a bigger picture of what you really need to care about when thinking initially or improving lately your SOC environment or Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or Machine-Learning and anomaly detection security solutions.

All the below training exercises are based on pure hands-on approach where student will run every single action or chained scenarios on his own in the dedicated virtual-lab network. This class will focus on x86/x64 architecture, IPv4/IPv6 networks and target Linux and Windows environments.

Labs include:

  • Log patterns for critical network services -> generating unseen network events -> log entries based on CVE-2018-15473, CVE-2016-2776, ns-slapd OOM killer DOS and more.
  • One-liners for bind / reverse shells.
  • Network hops chaining and hiding behind open proxies.
  • Tunneling traffic into internal networks.
  • Hiding and tunneling traffic to external hosts – Domain fronting / web categorization.
  • Obfuscation techniques for Linux, cmd. exe and Powershell.
  • Cool examples of LOLbins + GTFOs.
  • Bypassing and generating WAF alerts / Out-of-band SQL Injections and more.
  • Malware network patterns – dumping and analyzing malicious PCAP dumps, grabbing IOCs and diving into the sandbox environment.
  • The importance of egress filtering – getting outbound-filtering rules ready for your shellz!
  • Generating stageless and staged payloads in different formats + whitelist bypassing + armoring exe files + sandbox detection.
  • Network and OS artifacts for upgrading the shells and changing the transport on the fly.
  • Request throttling, behavior tunning and profile customization of beacon / shell connections.
  • Local network scanning from the pwned OS / browser through XSS.
  • Looping, port forwarding, pivoting and routing tricks through Meterpreter / Empire sessions.
  • Linux ELF in-memory code execution for generating network events.
  • Setup reverse proxy & valid TLS / SSL certificates for your C2.
  • Desktop and camera capturing live.
  • Powershell file compression / encryption for stolen data.
  • Data exfiltration and tunneling over ICMP.
  • Handy tcpdump / Wireshark tips and tricks during malware investigation.
  • DLP validation through data exfiltration using multiple network channels at once.
  • C2 hidden channels over the clouds.
  • Probing for valid DNS RR, DNS security checks, DNS anomalies, exfiltration, tunneling and port forwarding.
  • Customizing your own instance of dnscat2.
  • Using emerging network protocols for data leak testing: QUIC, HTTP2, DoH.
  • DGA generators and network traffic artifacts.
  • NTLM Multi-relaying and command execution + BadPDF.
  • Socat tips and tricks.
  • Playing with LDAP as C2 and payload delivery channel.
  • Simulated, automated browser exploitation
  • Ship your Empire and Metasploit with Docker +
  • Using post-exploitation modules for lateral movements: smbexec, pth, wmiexec
  • Auditing and exfiltrating data against layer 7 inspection rules on NG-firewalls.
  • HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies, QUIC, HTTP2, WebDAV, WebSockets
  • A combo of text-based steganography and hiding in images.
  • Overview of automated, ready to use detection tests based on MITRE’s ATT&CK.
  • TOR network traffic simulations.
  • P2P network traffic simulations.
  • Network flooding: UDP flood, TCP SYN/FIN/RST/PUSH/ACK flood, ICMP flood, HTTP.
  • An example of DHCP Starvation.
  • Running BF against network services and web apps vs WAF.
  • Simulating and analyzing DNS rebinding.
  • Focusing on network/exfiltration/ modules of Nishang, PowerSploit, Powercat, Empire.
  • The world of web shells.
  • Using SMB named pipes for C2.
  • Silver / Golden tickets / Kerberoasting / DCsync / DCShadow.
  • RDP exfiltration.
  • IPtables + logging rules as a method of data exfiltration via packet port numbers.
  • Punching holes in your NAT.
  • SSH tunneling tips and tricks.

Course Outline

1. Introduction:

a. ATT&CK Framework – Tactics, Techniques and Procedures.
– top data sources vs top attack techniques
– the easiest / the hardest detection points
– SOC priorities vs “what am I missing?”

b. Cyber kill chain model
c. Defense in depth
d. Offense in depth
e. The importance of:
– Network traffic baseline profiling
– Memory forensics
– Data sources and log correlation
– Automated exfiltration and post-exploitation simulations

2. Modern RAT’s implementation and popular APT/C2 malware communication design – real use cases based on the malware Zoo:

a. The review of the latest APT campaigns
b. Multi-Staging and Network Link chaining
c. Data Hiding / obfuscation
d. Transfer / protocol customization
e. Timing channels / scheduled jobs / packet dripping

3. TCP/UDP bind and reverse shells:

a. Meterpreter + Veil Framework + Shellter + Sharpshooter:
– Generating staged / stageless exotic payloads
– Powershell & cmd.exe obfuscation
– Auditing and bypassing firewallsiv.
– Routing, relaying, pivoting & port forwarding

b. CLI tips & tricks:
– netcat / nc / cryptocat / telnet / socat / curl / wget / xxd / rsync / whois
– /dev/tcp & /dev/udp
– installutil / regsvr32 / regsvcs / regasm / print / msbuild / installutil
– PHP / Perl / Python / Ruby / JSP / ASP / LUA / awk shellz

c. TCP/UDP raw socket tunnels.
d. Generate your own network shellcode & analyze the Exploit-db Shellcode Archive.

4. General bypassing, exfiltration, tunneling, pivoting, proxying and C2 techniques:
a. ICMP
b. DNS:
– Authoritative vs recursive
– CDN theory & domain fronting
– Fast-flux domains
– Dictionary and random characters DGA
– DNS proxy, DNS over HTTPS, DNS over TLS
– DNS Rebinding and other DNS anomalies

c. HTTP/S & web application exploitation techniques combo:
– HTTP methods / headers / cookies / redirects / error codes
– Chunked Transfer Encoding
– Website cloning and armoring
– WebDAV and Websockets C2
– Certificate exfiltration & TLS/SSL anomalies
– *Injections + exfiltration → OOB
– Webshells
– HTTP anomalies -> ex. extraneous whitespace after HTTP status code

d. Offensive Powershell Frameworks vs AD / LDAP environments:
– Golden / Silver Ticket / Kerberoasting
– NTLM relaying and external redirects
– UNC paths

e. Storage protocols: FTP / TFTP / SMB / NFS / iSCSI / AoE
f. WMI / WinRM / PS-remote
g. Forward / Reverse / SOCKS Proxy
h. SSH / SFTP / SCP
i. VPN: PPTP, IPSec, TLS
j. TOR / Open Proxy
k. POP3 / SMTP / IMAP
l. VOIP
m. P2P / Torrent
n. SNMP
o. + chaining of aboves and many more.

5. Cloud-based exfiltration techniques and C2 channels.
6. Just a Browser Exfiltration:
a. Local network scanning and hidden network enumeration through XSS
b. Audio / video exfil
c. Keylogging

7. Hoping from air-gapped networks → how to create your own Bad USB using RPI.

8. Signature-based event analytics, rule bypassing & malicious network traffic generation:
a. Suricata ET / VRT rules vs attacker → the rule syntax
b. Bro IDS / Zeek script index for deep low-level network baselining and security monitoring
c. Threat Intelligence feeds, lists and 3rd party APIs:
– IP reputation lists
– Malware / Phishing feeds
– C2 / Open Proxy lists / TOR exit-nodes
– Censys / VT / Passive Total / Shodan

9. Automated adversary simulation platforms and open source projects based on MITRE’s ATT&CK.
10. Chained attack scenarios CHALLENGE – generating advanced test scenarios and covering all possible detection points -> introduction to BLUE edition of the training.
11. Summary → recommended defensive/protection tactics, tools and commercial platforms.

Become confident that your SOC / network security really works!

Target Audience

  • Red and Blue team members
  • Security / Data Analytics
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors

Student Requirements

  • An intermediate level of command line syntax experience using Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills is a plus, but not essential

What to Bring

  • At least 20GB of free disk space
  • At least 8GB of RAM
  • Students should have the latest Virtualbox installed on their machine
  • Full Admin access on your laptop

About the Trainer

Instructor – Leszek Miś (@cr0nym)

Leszek Miś is the Founder of Defensive Security (www.defensive-security.com), Principal Trainer and Security Researcher with over 15 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got a deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Author of many IT Security training:

  • Open Source Defensive Security → The Trinity of Tactics for Defenders
  • In & Out → Network Data Exfiltration Techniques [RED EDITION]
  • In & Out → Detection of Network Data Exfiltration Techniques [BLUE EDITION]
  • System Internals – Network, OS and Memory Forensics
  • SELinux → Development & Administration of Mandatory Access Control Policy
  • Advanced RHEL/CentOS Defensive Security & Hardening
  • ModSecurity → Development and Management of Web Application Firewall rules
  • FreeIPA → Identity Management for Linux Domain Environments & Trusts

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out “what da **ck” the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.

Book your 44CON 2019 training course now!