elfGROUP white hat hacker participating Adversary Tactics training

At the end of November, I participated in Adversary Tactics – Red Team Operations training, organized by SpecterOps, focusing on simulating and detecting challenging security threats. SpecterOps is behind the development of several security-related open source tools, such as BloodHound and PowerShell Empire, which are used both defensively and offensively. So expectations for the course were high.

Departure from Oulu was on Monday evening as the course started in Brussels the very next morning at 9 am local time. When I arrived at Brussels airport late at night, there was an interesting sight. The European Parliament Chamber is located in Brussels and it was here that the EU Data Protection Regulation (GDPR) was enacted on 27 April 2016.

Indeed, the impact of the privacy policy was seen at the airport when I saw for the first time Google ads that were specifically about privacy and the ability of individuals to control their own information. The slogans included “Your Data. Your Choice." and "Choose what data gets saved". After arriving at the hotel at 12.30 am, it was time to go to bed so I would be as refreshed as possible the next day.

Google billboards at the airport


4 days of intense hacker training

The first day covered the course's practicalities and the general principles of red teaming assignments, as well as the course training environment: a Windows environment consisting of multiple Active Directory domains with a few Linux machines.

The training environment of the course was built in a way that poor operational security (opsec) was punished. Lab machines had an agent installed that first alerted if students were using tools and methods that were too loud and noticeable. After the alerts, if students didn’t change their tactics, connections to certain machines were disconnected and the foothold on the network had to be re-established. In addition to an automated agent, one of the instructors was monitoring student actions and responding to clearly detectable attacks.

Advisory Tactics Red Team Operations training

On the second day, a concept called 'user hunting' was introduced, which means practically hunting for privileged users in the environment. The purpose is to locate the machine on which such privileged user is logged on. Thereafter, various methods are used to move laterally to that machine and steal the user credentials from the machine's memory, which, if successful, would allow wider access to resources in the environment and thus access to sensitive information.

On the third day, there was a lot of talk about Kerberos, a key authentication protocol used especially in Windows environments, and it’s related abuse methods. One of these methods is the Golden Ticket, which can be used to gain access to the environment at a later date, once a privileged access has been obtained.

On the fourth day, the last day, there was a summary of the exercise and all the paths that could be used to reach the attacker's goals were revealed. Many of the subjects and methods that were introduced during the course were already familiar, and only a few were mentioned here. However, the course went much deeper, and in particular I learned more about detecting various attacks.

The flight back to Finland wasn't until the next morning, so I had time to visit some of the sights. I did a little walking tour where I stopped by the obligatory Mannek Pis bronze statue and at the European Parliament Chamber building. All in all, the trip and course were excellent and there is still much to learn.

SpecOps Advisory Tactics course in Brussels


Share This Story, Choose Your Platform!

About the Author: Miika R.

Miika R.

Miika Rinne is a Cyber Security Specialist at elfGROUP. Ethical hacking is Miika’s special interest and in his work, he focuses on cyber security assessments and hunting down vulnerabilities and exploits. Leisure time is largely consumed in cyberspace, but Miika also likes to read books and to do various sports.