From BruCON 2015
Revision as of 21:51, 21 January 2015 by Tom.Gilis

Tactical Exploitation and Response

Course Description

This unique class offers a view into attacker and defender models in one single session. Tactical Exploitation and Response will dive into the mechanics used in real attacker scenarios. Students will learn how to attack systems using real-world techniques rather than penetration testing techniques. Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.

After learning techniques that will be successful in attacking any target, students will turn to learning unique ways to defend against and detect these attacks. This section of the course introduces a tactical approach for instrumenting, alerting, and responding for enterprises. Real-world attacks concentrate heavily on a number of methodologies, including: compromising systems without depending upon standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert, respond, and defend against these techniques.

Topics Covered:

  • Real offensive mindsets, not penetration testing mindsets
  • How attacker recon isn't about processes and software
  • Using Windows against itself
  • Privilege Escalation without exploits
  • Evasion Techniques
  • Lateral movement options
  • Host logging and auditing
  • Leveraging active directory
  • Host and network indicator extraction for enterprise results
  • Proper response mechanisms and communication
  • PCAP and network intelligence extraction
  • Advanced host and file triage capabilities
  • Host command and process monitoring across a host

Course Contents

  • Class fundamentals
  • Incident Response/Exploitation Fundamentals and Methodologies
  • Attacker Methodologies and Mindsets

Host based Exploitation

  • Web hacking techniques for Black Hats
  • Customizing exploits for weaponization
  • Shells through the web

Lateral Movement

  • Network Recon and how it is different from host
  • Working through networks
  • Uncommon lateral movement techniques
  • Abusing Single Sign On for lateral movement

Host Monitoring

  • Host monitoring and logging
  • Detecting ALL methods of logging on and off
  • Process Tracing/Tracking
  • Finding Maliciousness in processes
  • Windows Event Logs Concepts
  • Lateral Movement and Event Logs

Memory Analysis

  • Acquisitions and limitations
  • Intro to Volatility
  • Memory Analysis Basics
  • Memory Analysis Advanced
  • Poor Man's Memory Analysis

Network Logging Modules

  • DNS/Web logs and the basics
  • Detecting DNS Tunnels
  • Automating DNS logs
  • Normal Web Detection Techniques
  • Advanced Web Detection Techniques

Network Monitoring

  • Netflow and PCAP concepts
  • Finding suspicious traffic in network monitoring
  • Lateral Movement detection through network monitoring

Malware Analysis 101

  • Lab Setup
  • Goals
  • File Artifacts and Analysis
Students must have:

  • Familiarity with scripting languages such as Python/Perl/Ruby
  • A familiarity with Windows and Linux administration
  • Familiarity with malware analysis and malware reverse engineering processes

Software and hardware requirements

Student machines must be able to run at least 2 virtual machines using VMware Workstation 8.0 or above (which can be obtained through a demo license). Running multiple virtual machines usually requires at least 4 GB of memory. Student laptops must be running OS X, Linux, or Windows and must allow the student to disable all antivirus software, sniff traffic, adjust firewalls, etc. Students are responsible for bringing an XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware.

Trainer Biography

Russ Gideon has many years of experience in information security, fulfilling diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand how attackers do what they do, and at high-end Red Teaming, where he has to penetrate sophisticated and well-protected high-value systems. Russ currently serves as the Director of Malware Research at Attack Research, LLC.

More information is available on carnal0wnage

Twitter: @attackresearch

Links:

Wed. 22 - 24 April 2015 (09:00 - 17:00)