I recently had the opportunity to attend the first public offering of the SpecterOps Adversary Tactics: Red Team Operations course. This excellent, from-scratch training took participants through several modern Tools, Tactics, and Procedures (TTPs) and demonstrated their countermeasures and detections. I think this intensive four day course would best benefit intermediate to advanced participants who have a couple of years of pentesting or redteaming, though it would also benefit beginners who wanted to “drink from the firehose” and extremely accelerate their learning.

According to SpecterOps, “This intensive course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems, modern defenses, and active network defenders responding to Red Team activities.” You won’t be using MS03-026 or MS08-067 to pop these networks!

This course primarily used Raphael Mudge’s Cobalt Strike as the attack platform, with training modules on how to customize MalleableC2 profiles to better emulate an adversary or remain undetected. The course modules also heavily relied on open source powershell tools that the instructors had created and released. Notable examples were PowerView, PowerUp, BloodHound, and Empire.

Image via https://twitter.com/Al_Jaber/status/908800006156689408

On the first day, the instructors introduced the backstory for the student’s engagement on the network by walking through the goals and objectives. Next, the instructors introduced course modules such as setting up attack infrastructure, OSINT, and gaining initial access. Although setting up infrastructure probably could have been covered more in depth as it is a huge topic, the instructors referenced several externally available resources that covers this topic extensively, and that students could work through in their own time. Since the majority of the class were experienced red teamers, I think they sped up the pace of the content and moved along to more fun activities such as “initial access,” though OSINT was a fun module 🙂

The second day covered host enumeration, EDR evasion, persistence, and privilege escalation. Each topic was accompanied with a relevant and sometimes humorous war story from the instructor’s experience. This itself would have sold the class for me as the instructors have several years of intense experience, and a wealth of stories to share. Having an active defender (Brian Reitz) present definitely made the course more challenging and engaging, as he would keep an eye out for any poor attacker opsec or TTPs and demonstrate why good habits and attention to detail matters in the form of killed beacons or other consequences.

The third day covered Active Directory enumeration using BloodHound, as well as token, session, and password theft and reuse. Sean Metcalf of Trimarc Security and adsecurity.org fame, one of a handful of Active Directory wizards, made a surprise appearance and answered several AD related questions that came up. The instructors introduced a tool that I was not familiar with, PowerUpSQL made by the folks over at NetSPI. This tool was created along the same lines as the other Powershell tools that SpecterOps members have released, and enabled some awesome SQL enumeration that I look forward to trying out on engagements.

The fourth day was a brain wracking session on how kerberos attacks work, data exfiltration, and an overview from Brian about what he, as the blue team, had observed throughout the course. Kerberos is an extremely dense topic, but the instructors walked us through the topic and answered all the questions that came up. Once we had completed the course objectives and let the instructors know, the course wrapped up with Brian turning on REALLY hard mode, amping up the difficulty. He began kicking us out of the network in earnest, which made it incredibly challenging and fun.

What I appreciated about this course, aside from how well it was organized and run, was that they gave both offensive and defensive perspectives. An instructor would give the objectives for the training module and walk through how we were to complete it, and then Brian Reitz, a member of the SpecterOps threat hunting team, would talk us through how defenders could detect and respond to the attack that we were about to perform. This aspect would also make the course beneficial for any network defenders who attend, to get experience in seeing how pentesters, red teamers, and adversaries with similar TTPs perform attacks.

In addition to the course materials and objectives, it was amazing having a braintrust such as Sean Metcalf, Raphael Mudge, and all of the SpecterOps folks in one place. Everyone was easily approachable and helped out with any questions the students had. During the course module introductions, the instructors would bounce questions off each other as they are each thorough domain experts for various aspects of security. For instance during one course module on COM objects, Will Harmjoy called in Matt Nelson who gave a very indepth talk as he is currently doing a deep dive on all things COM objects and has released several blog posts and 0day on the topic. All of these factors made it an invaluable experience.

I would highly recommend this course to anyone. The course materials are an excellent quick reference guide that I’ll be making good use of on future engagements. You may not get a certification out of this course, but the knowledge and hands on experience you gain will accelerate your operational capabilities significantly.

Creative Commons License
SpecterOps Adversary Tactics course review by Ben Heise is licensed under a Creative Commons Attribution 4.0 International License.
Based on a work at https://rallysecurity.com/specterops-adversary-tactics-course-review/.