Created
September 12, 2019 09:48
-
-
Save lystena/eb0bb2489c70974b685ac01de770c429 to your computer and use it in GitHub Desktop.
Venturing into the Dark - a review of Dark Side Ops 2: Adversary Simulation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| =========================================================================== | |
| Venturing into the Dark - a review of Dark Side Ops 2: Adversary Simulation | |
| =========================================================================== | |
| --------------------------------------------------------------------------- | |
| Location: BlackHat Las Vegas | |
| Links: https://www.blackhat.com/us-19/training/schedule/#dark-side-ops | |
| ----adversary-simulation-14210 | |
| https://silentbreaksecurity.com/training/dark-side-ops-2-advers | |
| ary-simulation/ | |
| Trainers: Silent Break Security Team (team of 3) | |
| Class Size: 21 | |
| Duration: 2 days | |
| --------------------------------------------------------------------------- | |
| BACKGROUND | |
| ---------- | |
| Recently I was fortunate enough to undertake the Dark Side Ops 2: Adversary | |
| Simulation course. This course is run by the Silent Break Security team and | |
| is intended to build on their Dark Side Ops: Malware Dev course. The course | |
| as described in their own words: | |
| "helps participants up their offensive game by sharing the latest | |
| in initial access and post-exploitation, defensive countermeasure | |
| bypasses, and unique malware code execution techniques." | |
| ... well colour me interested. For the most part, long gone are the days of | |
| 1997, when you could trip into admin rights while trying to disable Clippy. | |
| Modern controls have changed a default Windows build from Swiss cheese into | |
| a potentially daunting challenge. Unmodified open source tools often do not | |
| cut it. DSO seeks to help participants dive into developing and customising | |
| their own toolkits to take the challenge head on. | |
| COURSE STRUCTURE | |
| ---------------- | |
| The course followed the tried-and-true format of an instructor talking to a | |
| set of slides - introducing the topic, outlining the use cases, noting some | |
| areas for further research - all of which prepares you for the relevant lab | |
| material. These presentations are short, sharp and open up discussions that | |
| focus on realistic use cases and real world scenarios. | |
| The lab time was guided by the manual and self-paced. If you are pushed for | |
| time or struggling with the concept, the manual has enough detail that will | |
| walk you through the exercises step by step. Topics also have challenges or | |
| stop goals to push your understanding if you are racing ahead of the class. | |
| CONTENT SYNOPSIS | |
| ---------------- | |
| 11 labs cover the following topics, and flow logically from one to another: | |
| [+] DAY 1 | |
| - Automating infrastructure deployment | |
| - Windows Subsystems (COM, WSH, .NET, SxS) | |
| - Transitions and staging (Customising D2J and payloads) | |
| - Initial Access Techniques (getting payloads to be operationally ready) | |
| [+] DAY 2 | |
| - Zero day techniques (A methodology with examples to work from) | |
| - Into to rootkits (Build, modify, abuse and trigger) | |
| - Persistence techniques (Abusing existing functionality for persistence) | |
| - Targeting custom services (reverse engineering a custom .NET service) | |
| WHAT YOU ARE PROVIDED WITH | |
| -------------------------- | |
| - A thorough, well documented lab manual (printed and bound; plus PDF) | |
| - PDF copy of the presentation slides | |
| - Three customised virtual machines | |
| - Lab source code samples | |
| WHAT YOU'LL NEED | |
| ---------------- | |
| - A machine capable of running 3 virtual machines simultaneously | |
| - A healthy dose of enthusiasm, curiosity and willingness to use VS code | |
| - An ability to at a minimum follow instructions and debug error messages | |
| - Ideally a basic understanding of the course material and tool use cases | |
| WHO WOULD BENEFIT FROM THE COURSE | |
| --------------------------------- | |
| - People interested in offensive security looking to build custom tooling | |
| - Penetration testers and Red-teamers looking to build out new techniques | |
| - Blue-teamers looking to understand current adversary techniques/tooling | |
| IN REVIEW | |
| --------- | |
| I've been fortunate enough to have completed the OSCP, SANS SCADA training, | |
| Pentester Academy Blackhat training, as well as various employers, vendors, | |
| and community-run conference trainings. Looking back, all of them have been | |
| useful at one time or another. This time however, I felt compelled to write | |
| down how truly impressed with the course I was. Nick, Brady and the rest of | |
| the Silent Break Security team have created well thought out material which | |
| will help develop your tradecraft as well as your ability to customise your | |
| own tooling; ultimately making you a more effective and realistic operator. | |
| THANKS | |
| ------ | |
| - $EMPLOYER for paying the way and making it all financially feasible | |
| - Raphael Mudge who reviewed a different Silent Break Security course which | |
| encouraged me to consider this course in the first place | |
| - Nick, Brady and the Silent Break Security team for investing the time and | |
| energy needed to run a top-quality training course | |
| - @Joshua1909 for suggestions and corrections |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment