Empire Operations: Tactics is an intermediate-level course series that focuses on executing Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) using Empire. In this hands-on course, students will evaluate Turla’s 2020 campaign for deploying backdoors and stealing sensitive documents in a targeted cyber-espionage campaign against high-profile targets. Students will learn to execute specially crafted emulation plans that gain initial access through the Microsoft Office remote code execution vulnerability Follina (CVE-2022-30190), reflectively load DLLs, and use Dropbox for C2 communications. Students will learn the basics of IronNetInjector, Turla’s .NET injector built in IronPython, and deploy Empire’s ultra-modern IronPython agent for emulation. Finally, attendees will master the individual components of Empire and apply them to executing a red team operation. The Turla TTPs learned throughout the course will be tested on a comprehensive range using a provided emulation plan.
- Introduction, Background, & C2 Theory
- Turla (Venomous Bear)
- Empire Basics & IronPython Agents
- Attack Infrastructure
- C# and DLL Exploitation
- Privilege Escalation, Lateral Movement, & Exfiltration
What students will be provided with:
- 1-week access to the comprehensive course range
- A copy of all course material
- Course Swag & Coin
Minimum Course Requirements:
- Laptop with 8GB of RAM
- Virtualization Software (VMware, VirtualBox, etc.)
- Up-to-date Kali Linux Virtual Machine
- Modern Web Browser (Chrome, Firefox, etc.)
- Microsoft Office (any version) or OpenOffice
- Basic understanding of Offensive Security Tools
- Familiarity with C2 Frameworks
- Willingness to learn in a fast-paced environment
This course is aimed at intermediate red team operators who are looking to upgrade their skills in executing modern Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs).
Anthony “Cx01N” Rose, CISSP, is a Lead Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work revealing widespread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
Jake “Hubbl3” Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell, and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.