RED TEAM Operator Malware Development Essential...
This course asks you to think deeply about what it means to you to be a considerate, ethical, responsible red teamer. It will then show you how to translate responsibility into practical application and refine your tradecraft in the areas of C2 infrastructure design, malware emulation, and payload engineering.
This course requires fundamental understanding of basic red team concepts. A student should be familiar with how to carry out red team engagements, from C2 infrastructure setup to reporting and presenting findings. The course assumes competency with C2 frameworks and some basic malware development for red team operations. Extensive malware development experience is not a requirement for this course.
Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab at answering some of those questions by exploring malware debug information.
We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. These descriptive names thus show up in a PDB path when a malware project is compiled with symbol debugging information. Everyone loves an origin story, and debugging information gives us insight into the malware development environment, a small, but important keyhole into where and how a piece of malware was born. We can use our newfound insight to detect malicious activity based in part on PDB paths and other debug details.
Malware is software, and malware developers are software developers. Like any software developers, malware authors often have to debug their code and sometimes end up creating PDBs as part of their development process. If they do not spend time debugging their malware, they risk their malware not functioning correctly on victim hosts, or not being able to successfully communicate with their malware remotely.
We do not discount the fact that some malware developers are using CI/CD build environments. We know that some threat actors and malware authors are indeed adopting contemporary enterprise development processes, but malware PDBs like this example are extraordinarily rare:
Specifying a custom path for a PDB file is not uncommon in the development world. An offensive or red team operator may wish to specify a fake PDB path and can do so easily using compiler linking options.
We found that many malware authors and operators leaked PDB paths that described the functionality of the malware itself and gave us insight into the development environment. Furthermore, outside of the descriptors of the malware development files and environment, when PDB files are present, we identified anomalies that help us identify files that are more likely to be circumstantially interesting. There is room for red team and offensive operators to improve their tradecraft by falsifying PDB paths for purposes of stealth or razzle-dazzle.
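The detection idea described above, as an added example that is not part of the original text or of any vendor's tooling: parse the CodeView "RSDS" record that a PDB-producing build embeds in a Windows PE, then score the leaked PDB path for the descriptive capability names, developer usernames and oddities the passage mentions. In a real binary the record is located through the IMAGE_DEBUG_DIRECTORY entry of type 2 (IMAGE_DEBUG_TYPE_CODEVIEW); here the record bytes, the keyword list and the scoring weights are all constructed for the example.

```python
"""Added example: parse RSDS CodeView records and score leaked PDB paths.

Record layout (little-endian): 'RSDS' | GUID (16 bytes) | age (u32) | NUL-terminated path.
Sample records below are constructed for this example, not taken from real malware.
"""
import re
import struct
import uuid
from dataclasses import dataclass


@dataclass
class CodeViewRecord:
    guid: uuid.UUID
    age: int
    pdb_path: str


def parse_rsds(data: bytes) -> CodeViewRecord:
    """Parse one RSDS record that starts at data[0]."""
    if len(data) < 24 or data[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=data[4:20])
    (age,) = struct.unpack_from("<I", data, 20)
    end = data.find(b"\x00", 24)
    raw_path = data[24:] if end == -1 else data[24:end]
    return CodeViewRecord(guid, age, raw_path.decode("utf-8", errors="replace"))


def find_rsds_records(blob: bytes) -> list:
    """Carve every parseable RSDS record out of a raw file image (no PE parsing needed)."""
    found = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        try:
            found.append(parse_rsds(blob[pos:]))
        except ValueError:
            pass  # 'RSDS' bytes that are not a real record
        pos = blob.find(b"RSDS", pos + 4)
    return found


# Hypothetical keyword list, assumed for this example: the kind of descriptive
# project/folder names the text says show up in malware PDB paths.
CAPABILITY_TERMS = ("inject", "dropper", "loader", "shellcode", "bypass",
                    "keylog", "stealer", "ransom", "backdoor", "trojan", "evasion")
USER_DIR = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def assess_pdb_path(path: str) -> dict:
    """Score a PDB path: capability words, leaked username, and anomalies."""
    lower = path.lower()
    tokens = re.split(r"[\\/._\- ]+", lower)
    terms = sorted({t for t in CAPABILITY_TERMS if any(t in tok for tok in tokens)})
    m = USER_DIR.match(path)
    username = m.group(1) if m else None  # development environment leak
    anomalies = []
    if not lower.endswith(".pdb"):
        anomalies.append("path does not end in .pdb")
    if not path.isascii():
        anomalies.append("non-ASCII characters in path")
    # Weights are arbitrary for the example; tune against your own corpus.
    score = 2 * len(terms) + (1 if username else 0) + len(anomalies)
    return {"terms": terms, "username": username, "anomalies": anomalies, "score": score}


def build_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    """Construct a record for testing; real records come from a PE's debug directory."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


# Constructed sample inputs.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
INJECTOR_PATH = r"C:\Users\dev\source\repos\ShellcodeInjector\x64\Release\ShellcodeInjector.pdb"
CI_PATH = r"D:\a\1\s\out\Release\svc.pdb"
FAKE_PATH = r"C:\nothing\here.txt"
REC_INJECTOR = build_rsds(INJECTOR_PATH, SAMPLE_GUID, 1)
REC_CI = build_rsds(CI_PATH, SAMPLE_GUID, 3)
REC_FAKE = build_rsds(FAKE_PATH, SAMPLE_GUID, 1)

if __name__ == "__main__":
    blob = b"junk" + REC_INJECTOR + b"\x00" * 8 + REC_CI + REC_FAKE
    for rec in find_rsds_records(blob):
        print(rec.guid, rec.age, rec.pdb_path)
        print("  ->", assess_pdb_path(rec.pdb_path))
```

The carving function is deliberately tolerant so it works on packed or truncated samples where the debug directory cannot be walked; when a full PE parser is available, reading the CodeView entry through the debug directory is the more precise route and avoids false hits on stray "RSDS" bytes.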
Red teams use a variety of techniques and tools to exploit gaps within the security architecture. For example, in assuming the role of a hacker, a red team member may infect the host with malware to deactivate security controls or use social engineering techniques to steal access credentials.
Mariusz is an active security researcher, pentester and red team operator currently involved in advanced adversary simulations. He is best known for his research on malware development and frequent releases of offensive tools that help red teams bolster their game against cybersecurity criminals.
As people I have interacted with will attest, my favorite subject in the entire world is binary exploitation. I love everything about it, from the problem solving aspects to the OS internals, assembly, and C side of the house. I also enjoy pushing my limits in order to find new and creative solutions for exploitation. In addition to my affinity for exploitation, I also love to red team. After all, this is what I do on a day to day basis. While I love to work my way around enterprise networks, I find myself really enjoying the host-based avoidance aspects of red teaming. I find it incredibly fun and challenging to use some of my prerequisite knowledge on exploitation and Windows internals in order to bypass security products and stay undetected (well, try to anyways). With Cobalt Strike, a very popular remote access tool (RAT), being so widely adopted by red teams - I thought I would investigate deeper into a newer Cobalt Strike capability, Beacon Object Files, which allow operators to write post-exploitation capabilities in C (which makes me incredibly happy as a person). This blog will go over a technique known as thread hijacking and integrating it into a usable Beacon Object File.
Apart from pure offensive research, we deliver various information security training in the following domains: offensive security tools (OST) development, threat simulations, offensive counterintelligence, network security, software exploitation, malware analysis, web security, and hardware exploitation.

SEKTOR7 supports the x33fcon conference, an annual gathering of Blue and Red Teams in Europe.
Currently we offer online courses that help build a solid red team operator skillset, necessary for conducting effective threat simulations. Online courses can be found in our Institute:

RED TEAM Operator: Malware Development Essentials course - This course will teach you how to become a better ethical hacker, pentester and red teamer by learning offensive security tools (OST) development. It covers developing droppers, trojans and payload/DLL injectors using some basic C and Intel assembly skills.

RED TEAM Operator: Malware Development Intermediate course - More advanced offensive security tools (OST) development techniques in Windows, including: API hooking, 32-/64-bit migrations, reflective binaries and more.

RED TEAM Operator: Malware Development Advanced (vol.1) course - Advanced offensive security tools (OST) development topics for Windows user land only, including: hidden data storage, rootkit techniques, finding privileged objects in system memory, detecting new process creation, generating and handling exceptions, building COFFs and custom RPC-like instrumentation, and more.

RED TEAM Operator: Windows Evasion course - Learn how to avoid modern endpoint protection technology with well known, less known and in-house developed techniques.

RED TEAM Operator: Privilege Escalation in Windows course - A course about breaking and bypassing the Windows security model. Escalating privileges with 20 different techniques. From non-admin to SYSTEM.

RED TEAM Operator: Windows Persistence course - 27 persistence methods in Windows. From basic to advanced, unique and known, used in malware like Stuxnet or Flame and by nation-state threat actors, including EquationGroup, Turla and APT29.
Ivan Da Silva @humble_desser Mariusz Banach is a red team operator and former malware analyst who has poured his heart and knowledge into his Malware Development training. I was lucky enough to take his training and I was impressed with his research and knowledge of the subject(s). I would recommend this training to anyone interested in getting familiar with malware development. Also mentioned on LinkedIn
Jakub Dzieciątko @aol1306 Mariusz created the best training on malware development I have ever attended and has great teaching skills. He's clearly an expert on the topic and he enjoys sharing his own research. I'm going to recommend his work to anyone interested in red teaming. The things I liked the most about it:
- the amount of useful content
- the materials created in a way I can easily use them later
- inspiring methods of tool creation
- good organization
- infection divided into stages, each stage well explained and multiple techniques presented
- going together with the exercises so I could see how you work
- presenting methods to find our own evasion etc. techniques
anonymized @anonymized Hey guys, I can confirm that me and other guys from our team had a training from Mariusz last week. The framework looks pretty l33t, but I still haven't explored most of it... it is actually pretty big, so I'm still discovering all the possibilities. The training was amazing and as far as initial access and all kind of tactics to keep your malware undetected are concerned, it was even better than [CUT] or [CUT]
By mimicking sophisticated real-world threats, the exercise is highly realistic. A red team deploys bleeding edge hacking tools and techniques designed to infiltrate systems and premises. This could extend to writing their own malware and devising new methodologies, just as malicious hackers do.