A Uniquely Trained Security Force

Adversary Tactics and Techniques

Course Description

root9B’s Adversary Tactics and Techniques course is an intense 5-week hands-on course that teaches students the methodology and technical details of how attackers conduct reconnaissance against, gain access to, pivot within, and remain hidden inside a target network, and the artifacts their actions leave behind. Whether they’re on a path to become pen-testers, red team members, or cyber hunters, the Adversary Tactics and Techniques course prepares students to excel by establishing a firm foundation in operational cyber exploitation methodologies. Future pen-testers will know how to infiltrate networks, and cyber defense analysts and operators will be better equipped to identify the tell-tale signs of an intrusion in progress. The course takes students with a basic understanding of computers and computer networks to a level where they are capable of executing fundamental exploitation operations in Windows and Linux environments.

The course begins by establishing a firm foundation on the Windows and Linux operating systems and how those systems communicate on networks, and finishes with using offensive tools, tactics, and procedures on those operating systems, with an emphasis on protecting assets and acquired accesses. Students will learn the technical details of how fundamental exploit techniques are executed and why they work. Modules covering topics from packet analysis to pivoting and tunneling are taught in a way that emphasizes a capability-independent mindset: the student understands the underlying protocol or system behavior rather than one tool's interface to it.

The course is taught by leading professionals in the cyber security field. All instructors have either had previous experience conducting cyber operations within the Intelligence Community, or have been pen-testers or red team members within the military or government. This experience is leveraged to enhance training and best prepare students to execute their organization’s mission no matter what cyber terrain they operate in.

The course focuses on five major topics: Windows, Linux, Networking, Tactical Forensics, and Adversary Methodologies & Exploitation Techniques. Every course module is taught through the use of numerous hands-on exercises designed to reinforce the practical application and employment of the most fundamental techniques used by sophisticated cyber organizations. Students learn by following along with the instructor and completing complex exercises designed to force students to think outside of the box and act within a dynamic environment. As students learn the concepts, they are simultaneously challenged to develop and apply their critical thinking skills to produce innovative solutions to complex problems. Additionally, students are taught advanced techniques and procedures to hide their tracks and remain hidden. Students will develop and demonstrate their skills throughout the course by achieving cyber objectives in live virtual environments. 

The final week of the course includes several days of extensive exercises that require students to gradually combine everything learned in the previous modules, culminating in a final scenario that simulates a full-scale cyber operation. Students leave the ATT course with a thorough understanding of the exploitation process and the technical knowledge to perform a full range of fundamental cyber operations on target networks.

INTENDED AUDIENCE

Cyber professionals with existing system administration, networking and/or cyber security backgrounds who are preparing to enter positions or advanced training in the fields of penetration testing, red teaming, or cyber hunting operations. 

COURSE MATERIALS

• Lecture slides in PDF 

• Exercise materials (files, VMs, etc)

PREREQUISITES

Basic operating system fundamentals and understanding of related components such as memory, CPU, storage devices, and I/O devices.
Basic Linux command line knowledge such as filesystem navigation and creating and modifying files.
Basic Windows command line knowledge such as filesystem navigation and creating and modifying files.
Basic understanding of networking devices such as switches and routers and protocols within the OSI model.
Cyber security fundamentals to include exploitation concepts and terminology. 

COURSE SCHEDULE

Module 1 – Adversary Tactics & Techniques –  Linux Fundamentals 

Module 2 – Adversary Tactics & Techniques –  Network & Network Devices

Module 3 – Adversary Tactics & Techniques –  Windows Fundamentals

Module 4 – Adversary Tactics & Techniques – Tactical Forensics / Live Memory Analysis / Reverse Engineering

Module 5 – Adversary Tactics & Techniques – Tradecraft & Exploitation Techniques / Culmination Exercise

ADVERSARY TACTICS & TECHNIQUES COURSE OUTLINE

1. MODULE 1 - ADVERSARY TACTICS & TECHNIQUES - LINUX FUNDAMENTALS (DAYS 1-6)

1.1. Introduction to Linux Operating System – This topic covers an introduction to the history of the Linux operating system, its uses, and the different distributions available for use, with a focus on Red Hat Enterprise Linux and its CentOS rebuild.

1.2. Command Line Interface and Bash Scripting  – Fundamental knowledge of command line usage to properly navigate and survey a Linux OS environment. Introduction to Bash scripting.

1.3. Linux Daemons and File Systems – Students learn the different daemons typically found on a Linux system, how they gain execution, and their functions. We will also cover a detailed overview of the Linux file system structure, concentrating on system files, directories, and permissions.

1.4. Linux Boot Process – Detailed overview of the Linux boot process, taking students from the power-on self-test to a command prompt.

1.5. Linux Run Levels  – Detailed explanation of Linux run levels, their configurations, default settings, and uses.

1.6. Linux Forensics – This module covers the many different files, directories, logs, and other artifacts that may contain evidence of an attacker’s activity.

1.7. Linux Log Files and Log Cleaning – An overview of the common logs and logging locations on a Linux operating system with an introduction into methods, tools, and tradecraft behind cleaning log files on a Linux operating system.

1.8. Remote Logging – Overview of the different types of remote logging, the protocols most commonly used, and the methods to capture those logs.

1.9. Linux Authentication Methods – A look into how Linux systems validate a user’s credentials and the different methods used to harvest those credentials.

1.10. Linux Exploitation Techniques and System Surveying – Students will fuse everything they have learned to properly triage and survey a host system to determine safety of tools, techniques, and operations. Students learn the art of exploitation in this module focusing on blending in with the environment and cleaning up their tracks. This topic is focused on getting students to think like an operator, protecting their toolset, treading lightly, unnoticed, and only executing commands that are necessary and utilizing the least intrusive means.

1.11. Python Introduction – Familiarizes students with basic Python usage. Students will understand how to interpret, write and debug python scripts. Students will build upon this section later by using python as a powerful tool to streamline and automate various activities.

1.12. Module 1 Assessment – Students will be assessed on their understanding of the Module 1 training objectives.

2. MODULE 2 - ADVERSARY TACTICS & TECHNIQUES - NETWORKING & NETWORK DEVICES (DAYS 7-10) 

2.1. Network Fundamentals – Overview of the networking fundamentals, TCP/IP stack, and relevant protocols utilized in an Ethernet network.

2.2. Network Devices – Overview of common network devices, their functions, and how those devices affect an attacker’s view of the network.

2.3. Protocol Encapsulation – This lesson covers an in-depth overview of protocol encapsulation and how to manipulate encapsulation to avoid detection and bypass security measures.

2.4. Packet Capture and Analysis – Detailed overview of the tools and filters available to capture network traffic and methods used to analyze the captured data.

2.5. Packet Crafting and Protocol Manipulation – Using Python with Scapy to generate tailored network traffic to meet a specific need such as fuzzing, covert command and control, and network enumeration.
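The following is an added example, not course material and not root9B's code, showing the encapsulation that lessons 2.3 through 2.5 cover: it crafts an Ethernet/IPv4/TCP SYN frame from scratch with only the Python standard library (Scapy does the same in a line, but building it by hand shows what each layer carries), then decapsulates the frame and verifies both checksums the way a capture tool would. The addresses, MACs and ports are constructed values.

```python
# Added example, not course material: build an Ethernet/IPv4/TCP SYN frame from
# scratch with the standard library, then decapsulate and verify it.
import socket
import struct

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int,
              flags: int = 0x02, window: int = 65535, payload: bytes = b"") -> bytes:
    """20-byte TCP header (no options); the checksum covers the IPv4 pseudo-header too."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(header) + len(payload))
    csum = checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = socket.IPPROTO_TCP,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (no options); the header checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_ethernet(dst_mac: str, src_mac: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def craft_syn(src="10.0.0.5", dst="10.0.0.20", sport=40000, dport=445, seq=0x1000) -> bytes:
    """Constructed sample: a SYN to tcp/445, the first packet of an SMB session."""
    tcp = build_tcp(src, dst, sport, dport, seq)
    ip = build_ipv4(src, dst, tcp)
    return build_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb", ip)


def parse_frame(frame: bytes) -> dict:
    """Decapsulate Ethernet -> IPv4 -> TCP and validate both checksums. A bad
    checksum on a crafted packet is a common reason a 'quiet' probe is dropped
    before it ever reaches the target's TCP stack."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    doff = (off_res >> 4) * 4
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ttl, "proto": proto,
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,      # a valid header folds to zero
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in sorted(TCP_FLAG_NAMES.items()) if flags & bit],
        "tcp_checksum_ok": checksum(pseudo + tcp) == 0,
        "payload": tcp[doff:],
    }


if __name__ == "__main__":
    frame = craft_syn()
    print(frame.hex())
    print(parse_frame(frame))
```

Changing any header field after the checksum has been computed (a TTL tweak to defeat a path-based filter, for instance) invalidates it, which is exactly the kind of self-inflicted detection or drop that the "capability-independent" emphasis above is meant to avoid.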

2.6. Python Scripting to Conduct Network Fingerprinting – Students will create a Python scanning utility to conduct a network scan of the environment, including OS fingerprinting and port identification.

2.7. Tunneling with SSH – Application of forward and reverse tunneling utilizing the SSH protocol.

2.8. Multi-Hop Tunneling – Tunneling through multiple hosts of different operating systems utilizing different utilities to enable tunneling through multiple networks. 

2.9. Module 2 Assessment – Students will be assessed on their understanding of the Module 2 training objectives.

3. MODULE 3 - ADVERSARY TACTICS & TECHNIQUES - WINDOWS FUNDAMENTALS (DAYS 11-15)

3.1. Introduction to the Windows Operating System – This module covers a detailed overview of the many different versions of Windows, their features, and system-specific processes.

3.2. Command Line Interface and Windows Batch Scripting – Fundamental knowledge of command line usage to properly navigate and survey a Windows OS environment. Introduction to batch scripting.

3.3. Windows Drivers and Services – Students learn the different uses of drivers and services on a Windows operating system and how they gain execution. Students also learn about the different security mechanisms put in place to restrict driver execution.

3.4. Windows File Systems and Registry – An overview of the Windows OS file structure, focusing on file system types, directories of interest, and permissions. Detailed explanation of Windows registry organization, purpose, and implementation in the Windows operating system.

3.5. Windows Boot Process – This topic covers the Windows boot process detailing the process taken in order to get the operating system up and running.

3.6. Windows Forensics – This lesson covers the many different files, directories, registry keys, logs, and other artifacts that may contain evidence of an attacker’s activity.

3.7. Windows Logging and Log Cleaning – Students will learn about the different types of event logs, the information contained within those log entries, and the methods available to clean those logs. Students will also learn how to extract information from logs to further their exploitation goals. This topic also covers the different types of logging that may occur on a Windows operating system outside the scope of Windows event logs. Students learn how to identify the logs of interest and clean them as well.

3.8. Windows Users and Groups – An overview of the different types of users and groups found on Windows operating system, to include their default roles and privileges.

3.9. Active Directory and Kerberos – In depth look into Active Directory use, structure, and different means of interacting with Active Directory. This module will also cover Kerberos authentication.

3.10. Server Message Block (SMB) and NetBIOS – Detailed instruction introducing students to the different versions of SMB, protocol-specific session setup, the authentication process, and the information contained within.

3.11. Windows Management Instrumentation Command-Line (WMIC) – This topic highlights the many different uses of the Windows Management Instrumentation and teaches students how to utilize WMIC to extract information from a target machine.

3.12. PowerShell Scripting – This module consists of writing PowerShell scripts and utilizing PowerShell to do almost anything on a Windows operating system. Students will learn how to gain information about processes, inject code directly into memory, extract memory from a running process, and much more – all without ever laying a binary onto disk.

3.13. Windows Exploitation Techniques and System Surveying – Students will fuse everything they have learned to properly triage and survey a host system to determine safety of tools, techniques, and operations. Students learn the art of exploitation in this module focusing on blending in with the environment and cleaning up their tracks. This topic is focused on getting students to think like an operator, protecting their toolset, treading lightly, unnoticed, and only executing commands that are necessary and utilizing the least intrusive means.

3.14. Module 3 Assessment – Students will be assessed on their understanding of the Module 3 training objectives.

4. MODULE 4 - ADVERSARY TACTICS & TECHNIQUES - TACTICAL FORENSICS/LIVE MEMORY ANALYSIS/REVERSE ENGINEERING (DAYS 16-19)

4.1. Forensic Software – An overview of several forensic software tools, both open source (The Sleuth Kit, Volatility) and commercial or free-to-use (Mandiant Redline, F-Response, EnCase, KnTDD), among others.

4.2. Data Acquisition – Detailed introduction to acquisition techniques, including physical and remote data acquisition methods and data-size considerations.

4.3. File System Forensics Analysis – This lesson covers forensic analysis techniques on file systems in a tactical environment. Students will learn basic concepts and theory on volume and file system data storage. This topic is focused on getting students to understand how a computer system stores data and teach principles that an adversary will use to hide malicious software from forensics analysis.

4.4. Timeline Analysis – Students will learn how to create data sets to perform timeline analysis of systems. Timeline analysis increases situational awareness by showing when processes were started and when data was created, deleted, or modified. Understanding systems at this level is critical for an adversary in order to stay undetected in the target environment.
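As an added example for lesson 4.4 (not course material and not root9B's code), the block below builds a mactime-style timeline from a Sleuth Kit bodyfile, the data set that tools named in 4.1 produce, and then pulls out the cluster of activity around a suspect file. The bodyfile lines are constructed for this example, not taken from any real host, and the timestomping check is a heuristic, not a rule from the course.

```python
# Added example, not course material: mactime-style timeline from a constructed
# Sleuth Kit bodyfile, plus two views an analyst actually uses on it.
from datetime import datetime, timezone
from typing import List, Tuple

# Sleuth Kit bodyfile (v3): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Constructed sample: a dropped binary in /tmp, a replaced /usr/bin/ps with a
# backdated mtime, and the logs and history touched afterwards.
SAMPLE_BODYFILE = """\
0|/etc/passwd|131073|r/rrw-r--r--|0|0|2345|1500000000|1500000000|1500000000|1499990000
0|/tmp/.x|262145|r/rrwxr-xr-x|0|0|51200|1500003600|1500003600|1500003600|1500003600
0|/usr/bin/ps|65537|r/rrwxr-xr-x|0|0|133000|1500003650|1400000000|1500003650|1500003650
0|/var/log/auth.log|393217|r/rrw-r-----|0|4|102400|1500007200|1500003700|1500003700|1499900000
0|/root/.bash_history|131074|r/rrw-------|0|0|0|1500007300|1499000000|1500007300|1499000000
"""

Event = Tuple[int, str, str]  # (epoch seconds, "macb" flags, path)


def parse_bodyfile(text: str) -> List[dict]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("malformed bodyfile line: %r" % line)
        entries.append({"name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6]),
                        "atime": int(f[7]), "mtime": int(f[8]),
                        "ctime": int(f[9]), "crtime": int(f[10])})
    return entries


def timeline(entries: List[dict]) -> List[Event]:
    """One event per distinct timestamp per file, flagged m/a/c/b as mactime does."""
    events = []
    for e in entries:
        for ts in sorted({e["mtime"], e["atime"], e["ctime"], e["crtime"]}):
            flags = "".join(ch if e[key] == ts else "."
                            for ch, key in (("m", "mtime"), ("a", "atime"),
                                            ("c", "ctime"), ("b", "crtime")))
            events.append((ts, flags, e["name"]))
    return sorted(events)


def events_near(events: List[Event], pivot: int, window: int) -> List[Event]:
    """Everything within +/- window seconds of a pivot, e.g. a suspect file's creation."""
    return [ev for ev in events if abs(ev[0] - pivot) <= window]


def timestomp_candidates(entries: List[dict]) -> List[str]:
    """Files whose mtime predates their creation time. utime() can backdate
    mtime/atime but not ctime or crtime, so this is a lead; it is not proof,
    because cp -p, tar -p and package installs also preserve old mtimes on
    new files. Corroborate with ctime and the surrounding timeline."""
    return [e["name"] for e in entries if e["mtime"] < e["crtime"]]


def fmt(ev: Event) -> str:
    when = datetime.fromtimestamp(ev[0], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s %s %s" % (when, ev[1], ev[2])


if __name__ == "__main__":
    ents = parse_bodyfile(SAMPLE_BODYFILE)
    for ev in timeline(ents):
        print(fmt(ev))
    print("around /tmp/.x:", [fmt(ev) for ev in events_near(timeline(ents), 1500003600, 120)])
    print("timestomp candidates:", timestomp_candidates(ents))
```

Read the output the way the lesson describes: the creation of /tmp/.x, the replacement of /usr/bin/ps fifty seconds later, and the modification of auth.log a minute after that form one cluster, while the backdated mtime on ps stands out only because ctime and crtime cannot be set from user space.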

4.5. Reverse Engineering – This module takes students through concepts and techniques to deeply inspect software and determine whether it is malicious. Students will be introduced to software that allows for program deconstruction, fundamentals of program execution, and the techniques malware uses to prevent its detection by anti-virus and security software.

4.6. Live Memory Forensics – Rootkits and backdoors succeed in hiding from security software because most security software does not look for malware in system memory. This module teaches students how to collect and analyze memory and discover malicious software that has bypassed security software and is giving adversary cyber organizations a vector into the network. Students will learn the advanced concepts of rootkit memory-hijacking techniques and how they can be discovered with the proper technique and tradecraft.

4.7. Module 4 Assessment – Students will be assessed on their understanding of the Module 4 training objectives.

5. MODULE 5 - ADVERSARY TACTICS & TECHNIQUES - TRADECRAFT AND EXPLOITATION (DAYS 20-25)

5.1. Exploitation Methodology – This lesson takes students through the exploitation methodology, providing them with the framework to understand adversary targets.

5.2. Metasploit Framework Introduction – Metasploit is the most widely used exploitation framework in use today, and is used in this class as a mechanism to quickly build familiarity with functional exploit methodologies. This lesson is focused on getting students accustomed to the different tools, syntax, and modules available for use within Metasploit.

5.3. Understanding and Extending the Metasploit Framework – Students will learn the architecture of the Metasploit Framework and understand how to incorporate custom modules to enhance its functionality.

5.4. Scanning and Enumeration Techniques – There are many different tools available for scanning and enumerating targets. Students will learn a wide range of tools and techniques for scanning and enumerating a target system while being the least intrusive and causing minimal network traffic decreasing their chance of detection.

5.5. Exploitation Fundamentals – This topic is designed to teach students the fundamentals behind exploit code by having students write their own buffer overflow. Students will debug a process, create an exploit, create shellcode, and gain access to a target utilizing the exploit they created. They will utilize Python to fuzz an application, create an overflow, and then generate an exploit that can be imported into Kali Linux.
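As an added example for lesson 5.5 (not course material and not root9B's code), the block below implements the helper logic that sits behind the fuzz-then-overflow workflow the lesson describes: length-stepped fuzz inputs, a Metasploit-style cyclic pattern with its offset lookup, and the classic stack-overflow buffer layout. No target application is involved; the return address and shellcode bytes passed in are placeholders, not values for any real binary, and the functions only build byte strings.

```python
# Added example, not course material: pattern_create / pattern_offset logic and
# the classic overflow buffer layout, standard library only. No real target.
import string
import struct
from typing import Union


def fuzz_buffers(start: int = 100, step: int = 100, limit: int = 3000, fill: bytes = b"A"):
    """Yield increasing-length inputs. The first length that crashes the target
    brackets the overflow; the cyclic pattern then pins down the exact offset."""
    for n in range(start, limit + 1, step):
        yield fill * n


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style non-repeating pattern (Aa0Aa1Aa2...), unique for up to
    20280 bytes. Any 4 bytes of it identify their own position in the buffer."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value: Union[int, str, bytes], length: int = 20280) -> int:
    """Locate a crash value in the pattern. An int is treated as a register value
    read from the debugger and converted to little-endian bytes first: EIP of
    0x41356141 means the bytes 'Aa5A' overwrote the saved return address.
    Returns -1 if the value is not in the pattern (the crash is somewhere else)."""
    if isinstance(value, int):
        needle = value.to_bytes(4 if value <= 0xFFFFFFFF else 8, "little")
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return cyclic_pattern(length).find(needle)


def build_exploit_buffer(offset: int, ret_addr: int, shellcode: bytes,
                         total_len: int, nop_len: int = 16, bits: int = 32) -> bytes:
    """junk | saved-return overwrite | NOP sled | shellcode | padding.
    ret_addr is packed little-endian for x86/x86-64; the sled tolerates the stack
    shifting a few bytes between the debugger and a live run. ret_addr and
    shellcode are caller-supplied placeholders here."""
    ret = struct.pack("<I" if bits == 32 else "<Q", ret_addr)
    body = b"A" * offset + ret + b"\x90" * nop_len + shellcode
    if len(body) > total_len:
        raise ValueError("payload of %d bytes exceeds buffer of %d" % (len(body), total_len))
    return body + b"C" * (total_len - len(body))


if __name__ == "__main__":
    print([len(b) for b in fuzz_buffers(100, 100, 500)])
    print(cyclic_pattern(40).decode())
    print("offset for EIP=0x41356141:", pattern_offset(0x41356141))
    # 0xDEADBEEF and int3 bytes are placeholders, not an address in any real binary
    print(build_exploit_buffer(15, 0xDEADBEEF, b"\xcc" * 4, total_len=64))
```

Note that the offset reported is only as good as the crash value you read: a register that holds 0x41414141 after a plain "A" fuzz tells you the overflow is real but not where it is, which is why the cyclic pattern is the second step and not the first.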

5.6. Exploitation Payloads and Shells – Covers the initial stages during a remote exploit to include types of payloads, payload generation or acquisition, and delivery. Students learn the difference and benefit to multi-stage and single-stage payloads, bind shells and reverse shells as well as understanding when to use which type of payload.

5.7. Exploitation and Tunneling Theory – Students will learn of the theory behind exploiting through tunnels. This module will teach students how to properly create a payload that will behave as intended while traversing through their managed tunnels.

5.8. Exploitation through Tunneling – During this part of the course students will actively create tunnels and deploy exploits through them, gaining access deep within target networks.

5.9. Unknown Process/Binary Triaging and Analysis – This module will teach students how to methodically analyze an unknown process and determine with a high level of confidence the capabilities, related files, and network connections of that running process.

5.10. Culmination Exercise – The culmination exercise helps reinforce all the training objectives and techniques the students have been exposed to through a mission-driven real-world scenario within a controlled cyber range. The students will be expected to conduct open-source research, target analysis, covert infrastructure acquisition through exploitation, and target infiltration and exploitation through various modern techniques. From that point, students will need to survey and enumerate the target network, identify critical infrastructure and laterally move toward the valuable information. Students will need to overcome malware, logging, firewall restrictions, administrator’s actions due to IDS/IPS alerts, and much more. This exercise is used to solidify a student’s tradecraft and enhance their thought process as they move through hosts and networks.

GOVERNMENT ONLY, CALL FOR PRICING

root9B reserves the right to cancel or change a class at any time, including but not limited to, lack of participation, classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, or indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.

Instructors

Craig Koroscil, Technical Director at root9B, is a 13-year veteran and U.S. Navy Chief. Craig brings to root9B significant depth and breadth of experience in cyber operations and planning, capability development, leadership and joint exercise planning within the Intelligence Community and US Cyber Command (USCC). Prior to joining root9B, Craig was a senior journeyman operator and technical lead for the National Security Agency and a USCC cyber planner supporting Geographic Combatant Commanders. Additionally, he was a pioneer and leader of multiple classified technical projects and is a NSA Cyber Exploitation Corps graduate with numerous industry certifications.

Eric Bodkin has five years of experience conducting Computer Network Operations (CNO) and is a nine-year veteran of the Armed Forces. At root9B he specializes in advanced penetration testing, incident response, and forensic analysis for Fortune 500, Government and Military clients. Prior to joining root9B, Eric was a senior operator at the National Security Agency directing numerous cyber operations in support of Joint, National, and Intelligence Community requirements. Additionally, he was the project manager for a critical multinational cyber capability, served as a Technical Lead for NSA’s CNO operator training pipeline, and provided analysis and reporting on suspected malware samples discovered during operations. Eric has multiple industry certifications and a Bachelor’s Degree from Southern Methodist University in Dallas, TX.

Mr. Fleming is an accomplished intelligence professional with nearly 13 years of experience in cyber warfare acting as a Senior Army Information Operations Intelligence Professional and Senior Cyber Security Engineer.

Eric Fleming is currently the Director of Network Defense Operations (NDO) for root9B in Colorado Springs. As NDO Director, he directs complex, mission-critical projects that require integrating knowledge and resources across technical disciplines and functional boundaries. Eric applies a broad and deep understanding of technical concepts in conjunction with an understanding of the client's business to recommend strategy, advance technology and develop innovative solutions for defending networks against the most sophisticated adversaries.

Eric Fleming’s experience includes acting as Senior Army Journeyman CNO Operator, Technical Director, Lead Penetration Tester, Senior Software Developer and Lead Trainer. He has performed numerous assessments and security research, developed sophisticated exploits for the most challenging problems, and developed and taught advanced cyber security courses. Eric also worked on the Agency’s incident response team, where he reported suspected exploitation attempts, viruses, and unexplained anomalies affecting information systems using various forensic tools and techniques.

Eric Starace is a native of Hudson, New York, with 25 years of experience within the Cryptologic, Intelligence and Cyber communities. He has specialized in Advanced Cyber Operations, tactics, and training, along with Red Team operations. His professional background spans numerous assignments across the Cyber and Cryptology community, including senior positions within the Navy’s Intelligence and Cyber Communities.

Eric was a Department of Defense certified Journeyman-level technician with expert skills in cyber operations across multiple disciplines. As a senior leader within the Navy’s cyber community, he has led large teams of analysts and operators to achieve National and Service-related intelligence goals. He is the recipient of the Director of National Intelligence’s Exceptional Achievement Award among various Navy and Department of Defense Commendations.

Willie Rosado is a senior intelligence professional with 23 years of experience in Computer Network Operations (CNO) and Systems Engineering. He has over 13 years of experience in multiple disciplines in Hunt Operations, established in both National intelligence and commercial sectors. Mr. Rosado is an experienced cyber analyst and has led numerous Red Team, Hunt, and penetration tests and participated in vulnerability assessments. He has also generated alternative system concepts and designs for new remote Hunt capability. As a Hunt SME he has designed operationally oriented training/exercise scenarios that describe the interactions between systems and users to support Defense Cyber Operations (DCO). The resulting threads greatly enhance Hunt tactics and procedures for the discovery of threats to DoD Information Networks (DoDIN). Mr. Rosado is a highly credentialed individual with certifications including GIAC Certified Intrusion Analyst, IAD/RDO Network Operations Senior Analyst, CISSP, Certified Reverse Engineering Analyst, CCNA, and Cross Technology Certified NetAnalyst. He earned a BS in Computer Information Technology from University of Maryland University College in 2012 and an Associate in Applied Science in Electronic Engineering Technology from Pensacola State College in 1999.

Dates & Locations

October 2, 2017 (Honolulu, HI)
October 16, 2017 (San Antonio, TX)
January 2, 2018 (Annapolis Junction, MD)
January 8, 2018 (San Antonio, TX)
January 15, 2018 (Honolulu, HI)
January 29, 2018 (Columbia, MD)
March 12, 2018 (Augusta, GA)
April 2, 2018 (Annapolis Junction, MD)
April 23, 2018 (San Antonio, TX)
May 29, 2018 (San Antonio, TX)
May 29, 2018 (Honolulu, HI)
July 9, 2018 (Columbia, MD)
July 30, 2018 (San Antonio, TX)
August 6, 2018 (Augusta, GA)
August 23, 2018 (Annapolis Junction, MD)
September 17, 2018 (Honolulu, HI)
October 8, 2018 (San Antonio, TX)
October 15, 2018 (Columbia, MD)
November 13, 2018 (Annapolis Junction, MD)

This is by far the best CTN training I have ever been to (13 years in). Would recommend regardless of role in the command, and regardless of command. I have been to many commands and have fulfilled many roles, and this is by far the best and most relevant.