T6: Introduction to Red Teaming for Pentesters

Training Details

3-DAY TRAINING, 1-3 JUNE @ MEERVAART AMSTERDAM
TICKET PRICE: €1900 EXCL. VAT


The training begins with an introduction to Red Teaming, covering core concepts such as objectives, methodology, and operational security (OPSEC). In addition, Cobalt Strike is introduced as a tool for conducting advanced red team operations. This provides a foundation for understanding infrastructure, attack techniques, and how to set up a secure and effective Red Team environment.

The modules then focus on practical attack techniques, including advanced reconnaissance (such as tracking pixels and cloud-specific methods), delivery techniques like HTML smuggling, and initial access via Microsoft Office, scripting, and cloud-based attacks. This is followed by an in-depth exploration of Windows and Active Directory environments, covering topics such as credential dumping, privilege escalation, lateral movement, and bypassing AV/EDR tooling. Specific Cobalt Strike tactics to evade detection and maintain OPSEC are also addressed.

In the final modules, the focus shifts to reaching the “crown jewels,” including exploiting tiering weaknesses, attacking cloud applications, and achieving long-term persistence. Attention is given to hybrid environments, network-based attacks, and browser-based techniques. The training concludes with guidelines for building and maintaining a Red Team, including lab essentials and compliance frameworks such as TIBER.

Training Outline

Module 1: Intro

  • Core concepts of Red Teaming
  • Intro to OST
  • Frameworks
  • Threat Actors
  • OPSEC

Module 2: Infra

  • Cobalt Strike and C2
  • Redirectors
  • Domain Fronting
  • Serverless: Lambdas / Google & Firebase Functions / Azure Functions

Module 3: Maldev & Detection

  • Pre fileless era
  • Fileless malware
  • Shellcode injection
  • Reflective DLL injection
  • Unmanaged .NET
  • Beacon Object Files
  • AV: Signature, On-Disk VM, In Memory
  • ETW & Userland unhooking
  • EDR: Behavioral
  • AMSI
  • Network Sensors (NDR)
  • In-process loading
  • Proxying

Module 4: Recon & Initial Access

  • Recon (OSINT)
  • In: Psychology
  • AiTM: Evilginx
  • File vs credential vs device code flow phishing
  • Files: ClickOnce, LOLBins
  • Device code flow phishing
  • Victim attacks (password prompting, browser creds, o365)
  • Session tokens

Module 5: Active Directory

  • AD: Basics, User Enum, Account Takeover, RPC, LDAP, ACLs, BloodHound/Bofhound
  • AD Auth Attacks: NTLM, Kerberos
  • AD: ADCS

Module 6: Lateral Movement

  • PsExec
  • WinRM
  • WMI
  • SMB
  • MSSQL
  • Token Theory & Token Theft
  • RDP
  • COM / DCOM
  • (Remote) Registry
  • OST Lateral Pack
  • OST Hidden Desktop

Module 7: Privilege Escalation

  • Low, Medium, High, SYSTEM integrity
  • UAC Bypasses
  • DPAPI
  • LSASS
  • LSA Dumping
  • Bring your own vulnerable driver
  • SCCM

Module 8: Cloud, Azure and Entra ID

  • MS Graph (RoadTools, GraphRunner etc.)
  • Hybrid AD
  • Privileged Roles and Groups
  • Entra Connect, SSO: PTA, PHS & ADFS
  • ADFS: Golden SAML
  • PTA: Privileged accounts
  • PHS: AZUREADSSOACC & Kerberos tickets
  • Dynamic Groups

Module 9: Out Phase & Crown Jewels

  • Fake Ransomware deployment
  • Understanding business flows
  • Cleanup
  • Preparing for Purple Teaming
  • Gold Teaming

Prerequisites

Experience with penetration testing and knowledge of Windows & Active Directory, Command & Control tooling, scripting, and networking concepts.

Hardware & Software requirements

Laptop with a Cobalt Strike client installed. If you don't have a Cobalt Strike license, please get in touch with us via [email protected].


NICK BRUINSMA


Nick Bruinsma is a Red Team Lead, senior pentester, and trainer at The S-Unit. He works daily on realistic attack scenarios for mission-critical organizations, combining technical depth, creativity, and operational discipline.

With a background as a software developer and a master’s degree in IT Law, Nick looks beyond tools and techniques. His focus is on how attacks really work, why detections fail, and where offense and defense meet. His expertise includes Active Directory, lateral movement, C2 infrastructure, persistence, and exploit development.

Nick has led Red Team operations in the international retail and healthcare sectors and holds advanced certifications such as OSCP and OSCE3 (OSED, OSEP, OSWE). Alongside client work, he develops tooling to deploy C2 payloads in a controlled and reproducible way, enabling organizations to test detection capabilities and operational resilience.

In this training, Nick guides aspiring Red Teamers from theory to practice, with a strong focus on real-world trade-offs, tooling choices, and attack paths you can apply immediately.