At the end of November, I participated in Adversary Tactics – Red Team Operations training, organized by SpecterOps, focusing on simulating and detecting challenging security threats. SpecterOps is behind the development of several security-related open source tools, such as BloodHound and PowerShell Empire, which are used both defensively and offensively. So expectations for the course were high.
Departure from Oulu was on Monday evening as the course started in Brussels the very next morning at 9 am local time. When I arrived at Brussels airport late at night, there was an interesting sight. The European Parliament Chamber is located in Brussels and it was here that the EU Data Protection Regulation (GDPR) was enacted on 27 April 2016.
4 days of intense hacker training
The first day covered the course's practicalities and the general principles of red teaming assignments, as well as the course training environment: a Windows environment consisting of multiple Active Directory domains with a few Linux machines.
The training environment of the course was built in a way that poor operational security (opsec) was punished. Lab machines had an agent installed that first alerted if students were using tools and methods that were too loud and noticeable. After the alerts, if students didn’t change their tactics, connections to certain machines were disconnected and the foothold on the network had to be re-established. In addition to an automated agent, one of the instructors was monitoring student actions and responding to clearly detectable attacks.
On the second day, a concept called 'user hunting' was introduced, which in practice means hunting for privileged users in the environment. The purpose is to locate the machine on which such a privileged user is logged on. Thereafter, various methods are used to move laterally to that machine and steal the user's credentials from the machine's memory, which, if successful, would allow wider access to resources in the environment and thus access to sensitive information.
On the third day, there was a lot of talk about Kerberos, a key authentication protocol used especially in Windows environments, and its related abuse methods. One of these methods is the Golden Ticket, which can be used to regain access to the environment at a later date, once privileged access has been obtained.
On the fourth day, the last day, there was a summary of the exercise, and all the paths that could have been used to reach the attacker's goals were revealed. Many of the subjects and methods introduced during the course were already familiar, and only a few are mentioned here. However, the course went much deeper, and in particular I learned more about detecting various attacks.
The flight back to Finland wasn't until the next morning, so I had time to visit some of the sights. I did a little walking tour where I stopped by the obligatory Manneken Pis bronze statue and at the European Parliament Chamber building. All in all, the trip and the course were excellent, and there is still much to learn.