SEC-T - 0x0Beyond

September 13-14, 2018 – Stockholm, Sweden

Dark Side Ops: Custom Penetration Testing Workshop

Hackers penetrate enterprise networks in the flash of an eye, ravage endpoints for sensitive data, and
silently exfiltrate the keys to your kingdom without ever popping an alert. Dark Side Ops: Custom
Penetration Testing enables participants to “break through” to the next level by removing their
dependence on 3rd-party penetration testing tools, allowing for outside-the-box thinking and custom
tool development designed specifically for the target environment. Participants are provided with
hands-on experience into the black hat techniques currently used by hackers to bypass network-based
enterprise intrusion detection and prevention systems (IDS/IPS), layer 7 web proxies, and data loss
prevention (DLP) solutions. The custom approach doesn’t stop there. Participants learn advanced
evasion techniques of corporate host-based countermeasures including antivirus and application
whitelisting solutions by developing, compiling, and deploying custom backdoors, payloads, and
persistence deep into protected enterprise networks.

At the end of this course students will be able to:
• Build custom payload droppers, beaconing backdoors, and interactive shells.
• Conduct highly targeted and sophisticated custom client-side and social engineering attacks.
• Escalate workstation and network privileges without an exploit.
• Bypass defensive host and network countermeasures such as anti-virus applications, firewalls,
IDS, IPS, SIEMs, and strict egress filtering.
• Establish custom, stealthy persistence in a target network.
• Exfiltrate data from a target networks using custom applications and network monitoring
evasion techniques.
• Compile and deploy an advanced, custom HTTP beaconing payload developed internally by the
trainers and used regularly on engagements to effectively infiltrate company networks.

Participants will receive source code to a variety of offensive tools, including custom shells, backdoors,
C2 listening posts, and social engineering exploitation techniques. To reinforce the knowledge provided
through instruction, participants will have realistic lab projects throughout the day, where the coding
skills, custom payload delivery, and advanced pivoting techniques from course instruction will all be
necessary.

Day 1
Lab 0 Introduction Review course topics
Lab 1 Throwback Learn about stage 1 malware Build and deploy Throwback
Lab 2 Client Side Exploitation Client-side exploitation techniques Build custom payloads
Lab 3 Windows API Windows API abuse and bypasses Build and inject a reflective DLL
Lab 4 Slingshot (RAT) Learn about reflective DLL injection Build Slingshot and convert to a reflective DLL
Lab 5 Post-exploitation hashdump module Learn about post-exploitation techniques Add hashdump module to Slingshot
Lab 6 Post-exploitation Mimikatz module Learn about post-exploitation techniques Add Mimikatz module to Slingshot
Day 2
Lab 7 Covert operations Learn about covert infrastructure and operational security Configure SOHO IP tables as redirector
Lab 8 Evading antivirus Learn how to evade antivirus Build dynamic APIs and in-memory PE loader
Lab 9 Windows persistence Learn about persistence stealthy techniques Identify a DLL hijacking vulnerability for persistence
Lab 10 In-memory Powershell Learn about Powershell execution techniques Run Powershell completely in-memory
Lab 11 Advanced Windows pivoting Learn about named pipes and other pivoting techniques Compile and execute SlingshotSMB
Lab 12 In-memory keylogger Learn Windows API keylogging techniques Implement a keylogger into Slingshot
Lab 13 Privilege escalation Learn about privilege escalation techniques Escalate privileges using DllHijacker
Bonus module Screen-grabber Learn addition post-exploitation tools Take a screenshot through Slingshot