
Adversary Tactics: Tradecraft Analysis - October 2024 (In-person & Virtual; US Time)

The Inverness Denver (Hilton)
Englewood, United States
SpecterOps

Mon, Oct 7, 9am - Oct 10, 5pm CDT

Event description

This is a Hybrid training; participants can choose to join us in person in the Denver, Colorado area or virtually via Zoom.

Specter Bash is the in-person only event that complements the trainings, see below for details! (For a short time: Save 25% off your ticket by attending in person)

Your organization has just implemented the leading detection and response products. Are they still running their default configuration? How much faith should you have in your ability to detect sophisticated attacks? How would you simulate attacks to ensure robust detections are in place? This course will teach the importance of understanding the inner workings of attack techniques and telemetry availability, and provide a workflow for developing robust detection analytics or data-driven evasion decisions. Focusing on various Windows components and attacker TTPs, you will dive deep into how software abstracts underlying capabilities and how attackers can interact with deeper layers to bypass superficial detection capabilities.

Course Summary

Knowledgeable detection engineers and red team operators know that while there are many effective products, all of them have gaps that can be exploited by a sophisticated adversary. A mature security program must continuously test and enhance product detection configurations to have an effective response capability. Unfortunately, such programs often run into a number of limitations, primarily a lack of understanding of the:

  1. attack technique itself
  2. telemetry used for each detection
  3. effectiveness of the detection

The result often leads to blind spots within the detection and response capabilities, ineffective detection strategy, and a false sense of security in the organization's ability to respond to advanced threat actors. When simulating sophisticated attacks, red team operators need to truly understand how a given technique works, the telemetry/artifacts it generates, and the strategies and biases that a defender might use to detect a technique. How organizations may respond to attackers is crucial in red team attack planning, technique selection, and evasion.

In Adversary Tactics: Tradecraft Analysis, we will present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We will discuss Windows attack techniques and learn to deconstruct how they work under the hood. For various techniques, we will identify the layers of telemetry sources and learn to understand potential detection choke points. Finally, the course will culminate with participants creating their own technique evasion and detection strategy. You will be able to apply the knowledge gained both to build robust detection coverage from your telemetry across your organization and to truly assess the efficacy of that coverage.

Whether you are a red team operator or detection engineer, you will leave with a comprehensive understanding of several attack chains. Red team operators will learn an approach to analyzing their own tools, gain a better understanding of which techniques to select to evade detection, and learn how to better describe to defenders why an evasion was successful. Detection engineers will understand how to craft a strategy to create robust detections and better detect families of attacks.

Course Syllabus

Day 1:

  • Attack and Detection Strategies
  • Native PSExec Overview
  • Tradecraft Analysis Process
  • Capability Identification
  • Capability Deconstruction
  • IPC Mechanisms

Day 2:

  • Securable Objects
  • Identifying Choke Points
  • Telemetry Source Identification
  • How EDR Tools Work
  • Organic Logging
  • SACLs
  • Function Hooking
  • Kernel Callback Functions
  • ETW

Day 3:

  • Operationalizing Telemetry
  • Understanding Attacker Controlled Fields
  • Operationalizing Detection Research
  • Operationalizing Evasion Research
  • Understanding the Triage, Investigation, and Remediation Process
  • Evading the Response Process
  • Documentation and Evaluation Metrics
  • Detection Documentation
  • Evasion Documentation

Day 4:

  • Capstone Exercise


Participant Requirements

This course is intended for expert blue teamers, detection engineers, and red team operators. Participants should be familiar with detection engineering and/or red team operations, and be generally comfortable with Windows internals, attack technique analysis, and offensive tools and techniques.

Specter Bash

In-person Attendee Benefits

By attending in person you'll receive the following exclusive benefits to the training:

  • 30 days of course lab access
  • Food! (Breakfast & Lunch provided throughout the event; Dinner provided Monday - Wednesday)
  • Evening events to connect with industry peers
  • Exclusive event-themed swag
  • Week-long Halloween costume contest (see below)

Evening Events

Monday

Kick off the week with a Welcome Reception at the Breckenridge Brewery (attached to the training venue) to break the ice with drinks and food before a fun-filled week!

Tuesday

Spooky movies are as Halloween as Pumpkin Spice Lattes, so let’s chill our bones with a Scary Movie Night, hacking-themed Pumpkin Carving, and some good food. We will provide infosec-themed stencils and (foam) pumpkins for carving; keep what you carve! The movie will be announced soon.

Wednesday

Gather ‘round the campfire to hear and share gripping tales of scary (in)security and spine-tingling hacks for a session of Hacking Horror Stories!
Food will be served so bring your appetite.
Anyone who attends is free to jump in and share their story but if you'd like to secure your spot to ensure you present, please email Jeff at jdimmock@specterops.io to sign up.

Week-long

We’re hosting a Halloween Costume Contest throughout the week for all in-person participants.
Anyone who wears a costume for at least one of the training days will get their choice of a free ticket to the SO-CON 2025 conference days OR 50% off a SO-CON 2025 training (which also includes a free ticket to the conference days).


Let's Chat!

Join the conversation now in the BloodHound Slack in channel #specter-bash-2024. Sign up at https://ghst.ly/BHSlack

Venue

Specter Bash will take place at The Inverness in Denver, CO (200 Inverness Dr W, Englewood, CO 80112, USA)

Save money on your room with our Hotel Room Block!

Venue Amenities:

  • Located on an 18-hole golf course
  • Adjoining Breckenridge Brewery
  • Luxury spa on-site
  • 30 minutes from Denver International Airport

FAQs

How can I contact the organizer with any questions?

Please email training@specterops.io with any questions.

What's the refund policy?

Full refunds will be provided up to 7 days before the course start date.

What are the hardware requirements for attending the course?

Courses are based in the SpecterOps training portal and accessible via an internet connection; no VMs are required for labs. The following are recommended hardware requirements:

  • Internet Connection
  • 8 GB of RAM
  • Modern Web Browser capable of rendering HTML5
