Adversary Tactics: Identity-Driven Offensive Tradecraft - October 2024 (In-person & Virtual; US Time)

This is a Hybrid training; participants can choose to join us in person in the Denver, Colorado area or virtually via Zoom.

Specter Bash is the in-person only event that complements the trainings, see below for details! (For a short time: Save 25% off your ticket by attending in person)

New Follow-on to Adversary Tactics: Red Team Operations!

We're excited to announce the new red teaming course from SpecterOps: Identity-driven Offensive Tradecraft! The course is in active development, but take a peek below for a preview of the syllabus and to register for the inaugural delivery of the course in October 2024!

As modern architecture increasingly shifts services and data from on-premises infrastructure to the cloud, Identity becomes the thread that ties everything together.

Our Adversary Tactics: Identity-driven Offensive Tradecraft course is a follow-on to our Adversary Tactics: Red Team Operations course and offers an in-depth look at identity-driven attacks, targeting both on-premises and hybrid identities. Participants will learn how to abuse the intricacies of different authentication and authorization mechanisms to traverse on-premises and cloud environments, gain access to integrated systems, and even cross tenants. Participants will also be equipped with a practical approach to identifying known attack paths and forging new ones within complex operational environments and across people, processes, and technology.

Course Summary

Modern ecosystems rely on Identity Providers (IdP) and Identity and Access Management (IAM) systems to authenticate users and govern access. Threat actors and red teams alike have been adopting and adapting “identity-driven” tradecraft to navigate modern environments and identity attack paths to their objectives. But what turns a path into an attack path? How do attackers discover new paths? And how do they abuse identity and access management platforms to execute attacks and impact the target?

Adversary Tactics: Identity-driven Offensive Tradecraft equips participants with a method of discovering attack paths in complex environments, including previously disclosed techniques, as well as new attack primitives in common technology stacks and bespoke internal systems and processes. Participants will learn to identify and execute a wide range of elaborate attacks against both on-premises and cloud technologies. They will practice these skills hands-on in a specially designed lab environment that simulates a real-world client environment incorporating a variety of technologies and attack paths, including cross-tenant and supply chain attacks. Technologies covered include Kerberos, NTLM, ADCS, ADFS, SAML, Okta, Entra ID, OAuth, Azure, and hybrid identities.

In typical SpecterOps fashion, “Red vs. Blue” discussions are incorporated into the lectures to provide participants with the defender’s perspective and detection logic, as well as OPSEC considerations to counter those. A defender will also actively “hunt” participants in the lab to push them to improve their tradecraft by making educated decisions.

Course Syllabus

Day 1

• Attack Path Identification Methodology
• Active Directory Situational Awareness
• Active Directory Guided Attacks
• Kerberos Delegation Abuse
• NTLM Tradecraft
• Authentication Coercion Techniques

Day 2

• Introduction to PKI, Active Directory Certificate Services, and PKINIT
• Certificate Abuse Techniques and Shadow Credentials
• Active Directory Federation Services, SSO, and SAML Attacks

Day 3

• Okta Deployment Scenarios
• Okta Abuse for Lateral Movement and Privilege Escalation
• SCCM Tradecraft and Hierarchy Takeover Techniques

Day 4

• Introduction to Entra ID and Azure Architecture
• OAuth and OpenID Flows in Entra ID
• Consent and Grant Flows
• Token Abuse
• Targeting Hybrid Environments
• Cross-Tenant and Supply Chain Attacks

Who Should Take This Course

• Red teamers and penetration testers seeking to learn advanced tradecraft that works in mature environments.
• Blue teamers seeking to gain insight into advanced tradecraft commonly used by advanced threat actors.
• Security practitioners seeking to learn a methodic approach for identifying attack paths in complex systems or environments.

Participant Requirements

Proficiency in the following:

• Windows and Active Directory fundamentals
• Operating through a C2 agent
• Payload generation
• Lateral movement techniques
• Credential abuse on Windows systems

Completion of the Adversary Tactics: Red Team Operators course is highly recommended but not strictly required.

We recommend participants have at least two (2) years of practical experience.

Specter Bash

In-person Attendee Benefits

By attending in person you'll receive the following exclusive benefits to the training:

• 30 days of course lab access
• Food! (Breakfast & Lunch provided throughout the event; Dinner provided Monday - Wednesday)
• Evening events to connect with industry peers
• Exclusive event-themed swag
• Week-long Halloween costume contest (see below)

Evening Events

Monday

Kick off the week with a Welcome Reception at the Breckenridge Brewery (attached to the training venue) to break the ice with drinks and food before a fun-filled week!

Tuesday

Spooky movies are as Halloween as Pumpkin Spice Lattes, so let’s chill our bones with a Scary Movie Night, hacking-themed Pumpkin Carving, and some good food. We will provide infosec-themed stencils and (foam) pumpkins for carving-- keep what you carve! The movie will be announced soon.

Wednesday

Gather ‘round the campfire to hear and share gripping tales of scary (in)security and spine-tingling hacks for a session of Hacking Horror Stories!
Food will be served so bring your appetite.
Anyone who attends is free to jump in and share their story but if you'd like to secure your spot to ensure you present, please email Jeff at jdimmock@specterops.io to sign up.

Week-long

We’re hosting a Halloween Costume Contest throughout the week for all in-person participants.
Anyone who wears a costume for at least one of the training days will get their choice of a free ticket to the SO-CON 2025 conference days OR 50% off a SO-CON 2025 training (which also includes a free ticket to conference days)

Let's Chat!

Join the conversation now in the BloodHound Slack in channel #specter-bash-2024. Sign up at https://ghst.ly/BHSlack

Venue

Specter Bash will take place at The Inverness in Denver, CO (200 Inverness Dr W, Englewood, CO 80112, USA)

Save money on your room with our Hotel Room Block!

Venue Amenities:

• Located on an 18-hole golf course
• Adjoining Breckenridge Brewery
• Luxury spa on-site
• 30 minutes from Denver International Airport

FAQs

How can I contact the organizer with any questions?

Please email training@specterops.io with any questions.  

What's the refund policy?

Full refunds will be provided up to 7 days before the course start date.

What are the hardware requirements for attending the course?

Courses are based in the SpecterOps training portal and accessible via an internet connection; no VMs are required for labs. The following are recommended hardware requirements:

• Internet Connection
• 8GBs of RAM
• Modern Web Browser capable of rendering HTML5