Overview

The Advanced Red Team Operators course is an advanced-to-expert level simulated lab environment
hosted in Azure and AWS, designed for experienced students to gain practical experience in
advanced red team operations using Cobalt Strike. Over the course of three days, students will learn
how to build infrastructure to simulate a real-life red team operation using Cobalt Strike, a powerful
tool for executing red team operations. The course includes topics such as redirectors, C2 channels,
vulnerability identification, network enumeration, process injection, and privilege escalation. With
Terraform scripts provided to set up the lab environment and a simulated real-life attack path to
navigate, the Advanced Red Team Operators course is essential for experienced professionals
seeking to hone their advanced red team operations skills using Cobalt Strike.

 

Register Now!

Who Should Attend?

This course is intended for advanced students with a strong understanding of the fundamentals of
cybersecurity, experience with penetration testing, and experience in executing red team operations.
It is designed for individuals who want to take their red team skills to the next level and challenge
themselves with practical experience in advanced red team operations using Cobalt Strike. Current
red team operators will thrive here and have the opportunity to expand their skill set and learn new
techniques to stay ahead of the curve.

Key Learning Objectives
▪ Learn how to set up and configure Cobalt Strike with Docker
▪ Understand C2 channels and learn how to build HTTPS redirectors using Apache Mod-rewrite
▪ Gain practical experience in Azure configurations and setup
▪ Learn how to use AWS Lambda with Python
▪ Utilize GCP and Azure CDNs for custom traffic redirection
▪ Learn how to protect your infrastructure and team server
▪ Develop expertise in process injection and payload development
▪ Learn how to perform attack path enumeration and execution for red team operations.
Prerequisite Knowledge

Students should have experience in advanced cybersecurity fundamentals and a strong
understanding of penetration testing and execution of red team operations. However, this course is
designed to challenge you across areas that you may not be comfortable with, and that is the point. A
willingness to learn and not give up is essential. Students should also be familiar with Cobalt Strike
and have a working knowledge of AWS and Azure cloud platforms, GCP, Docker, Apache web server
configurations, HTTPS redirectors using Apache Mod-rewrite, shellcode development for bypassing
AV/EDR, and advanced network design for red team operations. Comfort with Terraform is also
expected for deploying necessary infrastructure.
Lab Environment
Students will be given multiple Terraform scripts to spin up their own lab environment in AWS/Azure
that consists of the following:
▪ Ubuntu Cobalt Strike Team Server
▪ Ubuntu Cobalt Strike Redirector Server
▪ Windows 10 Development Machine
▪ Kali Linux
▪ Windows Server 2019 (Domain Controller)
▪ Windows Server 2019 (PKI Server)
▪ Windows Server 2019 (Application Server)
▪ Windows Server 2019 (SQL Server)

 


Hardware/Software Requirement
▪ Students must have an active AWS admin account with programmatic access
▪ Students must have an active Azure admin account
▪ Students must have a GCP admin account
▪ Students must be able to run Terraform from local laptops

Syllabus
Day 1:
▪ Introduction to the course and lab environment setup
▪ Setting up Cobalt Strike with Docker
▪ Understanding C2 channels and HTTPS redirectors using Apache Mod-rewrite
▪ Building infrastructure in Azure and AWS to protect the Cobalt Strike team server
▪ Utilizing AWS Lambda with Python for custom traffic redirection
▪ Using GCP and Azure CDNs for custom traffic redirection
▪ Protecting your infrastructure and team server
▪ Process injection techniques and payload development for gaining a foothold on a simulated
attack target
Day 2:
▪ Hiding shellcode for bypassing AV/EDR
▪ Footholds in 2023
▪ Terraform setup and configuration for a simulated Active Directory environment in AWS
▪ Breaching a simulated Active Directory environment and overcoming challenges using
real-life examples from 2022 and 2023 engagements
▪ Attack path enumeration and execution for red team operations
Note: The syllabus provided is intended to be a general outline of the course content
and does not reflect the true nature of the course guide or starting and ending points. This course is
hyper-current and changes are always made at the last minute to ensure that students receive the
most up-to-date and relevant content possible. As a result, the syllabus is subject to change, and
course content may be modified based on student skill level, course progression, and other factors.

Trainer
John Stigerwalt has worked as a blue teamer, developer, senior penetration tester, and red
team lead. He has led long‐term red team engagements in highly complex Fortune 500
companies. He has also worked with Microsoft to increase kernel security for the Windows
10 operating system. John has led training at BlackHat, DerbyCon, and Wild West Hackin’
Fest. John has the following certifications: OSCP, OSCE, CRTP (Certified Red Team
Professional), CRTE (Certified Red Team Expert), and SLAE (Assembly Language and
Shellcoding). John enjoys spending time with his family, working on his maple syrup farm,
and running long distances.