From BruCON 2015
Jump to: navigation, search

Tactical Exploitation and Response

Course Description

This unique class offers a view into attacker and defender models in one single session. Tactical Exploitation and Response will dive into the mechanics used in real attacker scenarios. Students will learn how to attack systems using real world techniques vs penetration testing techniques. Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.

After learning techniques that will be successful in attacking any target students will turn to learning unique ways to defend and detect against these attacks. This section of the course introduces a tactical approach for instrumenting, alerting, and responding for enterprises. Real world attacks concentrate heavily on a number of methodologies including; compromising systems without depending upon standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert, respond, and defend against these techniques.

Topics Covered:

  • Real offensive mindsets, not penetration testing mindsets
  • How attacker recon isn't about processes and software
  • Using Windows against itself
  • Privilege Escalation without exploits
  • Evasion Techniques
  • Lateral movement options
  • Host logging and auditing
  • Leveraging active directory
  • Host and network indicator extraction for enterprise results
  • Proper response mechanisms and communication
  • PCAP and network intelligence extraction
  • Advanced host and file triage capabilities
  • Host command and process monitoring across a host

Course Contents


  • Class fundamentals
  • Incident Response/Exploitation Fundamentals and Methodologies
  • Attacker Methodologies and Mindsets

Host based Exploitation

  • Web hacking techniques for Black Hats
  • Customizing exploits for weaponization
  • Shells through the web

Lateral Movement

  • Network Recon and how it is different from host
  • Working through networks
  • Uncommon lateral movement techniques
  • Abusing Single Sign On for lateral movement

Host Monitoring

  • Host monitoring and logging
  • Detecting ALL methods of logging on and off
  • Process Tracing/Tracking
  • Finding Maliciousness in processes
  • Windows Event Logs Concepts
  • Lateral Movement and Event Logs

Memory Analysis

  • Acquisitions and limitations
  • Intro to Volatility
  • Memory Analysis Basics
  • Memory Analysis Advanced
  • Poor Man's Memory Analysis

Network Logging Modules

  • DNS/Web logs and the basics
  • Detecting DNS Tunnels
  • Automating DNS logs
  • Normal Web Detection Techniques
  • Advanced Web Detection Techniques

Network Monitoring

  • Neflow and PCAP concepts
  • Finding suspicious traffic in network monitoring
  • Lateral Movement detection through network monitoring

Malware Analysis 101

  • Lab Setup
  • Goals
  • File Artifacts and Analysis


Students must have:

  • Familiarity with scripting languages such as Python/Perl/Ruby
  • A familiarity with Windows and Linux administration
  • Familiarity with the malware analysis and reverse engineering malware processes

Software and hardware requirements

Student machines must be able to run at least 2 virtual machines utilizing VMware Workstation 8.0 and above (which can be obtained through a demo license). To run multiple machines usually means at least 4 gigs of memory is needed. Student laptops must be running either OSX, Linux, or Windows and must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc. Students are responsible for bringing a XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware.

Trainer Biography

Due to a recent career change, Russ Gideon has been replaced with Colin Ames for this training.

Colin Ames is one of the founding partners of Attack Research LLC a boutique security company in the United States. Colin has been working in the information technology field for 18 years for both Government and Private organizations, with the last decade being focused on computer and information security. Colin was a contributing member of Metasploit, and has spoken and trained many times at security conferences like Blackhat, Shakacon, Countermeasures, and Source Boston. Colin has done Reverse Engineering, Exploitation Development, Vulnerability Discovery, and Post Exploitation on Windows, OSX, Linux, and Unix operating systems, and has a special place in his heart for File Formats, especially Adobe's PDF. Colin is also on the selection committee for the Shakacon security conference.

More information is available on carnal0wnage

Mon. 5 - 7 October 2015 (09:00 - 17:00)


Back to Training Overview