SANS SEC565 Review
Red Team Operations and Adversary Emulation
Last updated
This is a solid course for anyone looking to get started, wanting to understand what Red Teaming is, or wanting to pick up skills you can take into a real-world engagement tomorrow. There is a good balance of difficulty for anyone with a technical background to jump in and learn something, but enough flexibility via the individual range for experienced Red Team Operators to refine their techniques in a controlled environment.
First and foremost, I received no compensation for this review. I'm writing it primarily because I was afforded the opportunity to take the Alpha course for free in return for my feedback to make the course better for production, and I want to pay it forward a little to folks wondering if this course is for them.
Jean-Francois Maes @Jean_Maes_1994
Barrett Darnell @pwnEIP
Live Online
Make sure you have the right setup to get the most out of this course format. I recommend having at least 2 displays, one for the briefer/slides and one to work on. I ended up casting the lecture to my TV from my phone so I could free up my computer and have a large display to read the slides and follow along.
VM setup was rather quick once you get everything downloaded. I didn't particularly like the .iso delivery at first, but it ended up working even though it was clunky.
Really like the workbook being live-updated from git; it is really helpful for folks running a laptop who want to keep the workbook up on the VM.
Love the individual labs (the entire range is for the individual). Having taken other SANS courses and had issues with labs because of a shared environment, I cannot speak highly enough of doing it this way. In addition, the range is up 24/7 throughout the course, giving you as much time as you need to work through labs.
Everything is taught with OPSEC in mind, including having and using a redirector, which is a pretty cool twist on the norm.
Noted that there is currently no GIAC certification, but one should be on the way.
Two C2s covered in the course, Covenant and PS-Empire; future versions of the course will potentially use Cobalt Strike
First day is really Red Team foundations focused, this is obviously the intent of the course and will probably be a bit slow for folks who have an established Red Team background but it does set a good baseline.
Really slick VPS spawn site for redirection, continually reinforcing good OPSEC
Today was heavy on tradecraft, which is really good for newer folks to cement their understanding going forward.
Input on long-tail analysis from the defender's side: group by domain, then filter down through frequency analysis and identify the oddities.
Great discussion on overlapping layers, or resiliency tiers, of your attack infrastructure.
There is a ton of tooling discussion on this day, from C2 frameworks to tunneling tools, with a lot of really good examples to pull into your own personal notes.
Pivotclub is a great intro for beginners and intermediate red teamers to learn tunneling. I say both because, while it starts off pretty easy, the difficulty just keeps going up and will definitely either teach you or reinforce your knowledge.
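The long-tail analysis mentioned above, as an added defender-side example that is not part of the course or this review: group outbound proxy requests by registered domain, count requests and distinct source hosts per domain, and surface the rarely seen tail for analyst review. The log format and sample lines are constructed here, and the domain grouping is a simplification (last two labels rather than a public-suffix lookup).

```python
# Added example: long-tail frequency analysis over constructed proxy log lines.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <src_host> <url>"
SAMPLE_LOG = """\
2024-01-01T09:00:01 ws01 https://www.example.com/
2024-01-01T09:00:02 ws02 https://www.example.com/news
2024-01-01T09:00:03 ws03 https://mail.example.com/inbox
2024-01-01T09:00:04 ws01 https://cdn.example.org/lib.js
2024-01-01T09:00:05 ws02 https://cdn.example.org/app.js
2024-01-01T09:00:06 ws03 https://cdn.example.org/app.js
2024-01-01T09:00:07 ws07 https://a1b2c3.rare-host.test/poll
2024-01-01T09:00:08 ws07 https://a1b2c3.rare-host.test/poll
2024-01-01T09:00:09 ws04 https://docs.example.net/page
"""

def registered_domain(url: str) -> str:
    """Collapse a URL's hostname to its last two labels (simplified grouping;
    a production version would consult the public suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def frequency_table(log_text: str) -> dict:
    """Map each registered domain to (request_count, set_of_source_hosts)."""
    requests = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the run
        _ts, src, url = parts
        dom = registered_domain(url)
        requests[dom] += 1
        hosts[dom].add(src)
    return {d: (requests[d], hosts[d]) for d in requests}

def long_tail(log_text: str, max_hosts: int = 1) -> list:
    """Return (domain, request_count, host_count) for domains contacted by at
    most max_hosts distinct hosts, rarest first: the oddities to review."""
    table = frequency_table(log_text)
    tail = [(d, n, len(h)) for d, (n, h) in table.items() if len(h) <= max_hosts]
    return sorted(tail, key=lambda t: (t[2], t[1], t[0]))

if __name__ == "__main__":
    for dom, n_req, n_hosts in long_tail(SAMPLE_LOG):
        print(f"{dom}: {n_req} requests from {n_hosts} host(s)")
```

Raising `max_hosts` widens the tail; in practice the threshold is tuned against the size of the environment and the baseline period being compared.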
Really enjoyed Day 2 as we got out of the conceptual/framework discussion and into more technical and OPSEC related labs. There was a good balance between instruction and lab time and a constant reinforcement of understanding what you are doing and why you are doing it. Barrett was easy to follow as an instructor and continually tossed in bits of knowledge during instruction to keep it interesting.
As with Day 2, there is a ton of great content to pull into your notes to help build out an initial set
Good slides comparing horizontal vs. vertical privilege.
The labs are a little long; we finished the day without completing lab 4 during class hours. This was with experienced folks, so it's going to take quite a bit longer depending on your experience level.
Today was pretty lab heavy which is usually my preference. I started off with PS Empire but attempted to balance it with Covenant throughout today. You will likely need to spend after hours in order to go through all the labs with confidence using both C2s.
This day is very AD heavy, which is a good thing, but the info is really, really dense; it almost felt like trying to prep for an MCSE in a day.
The AMSI bypass walkthrough using AmsiScanBuffer is pretty cool.
Sweet BloodHound cheat sheet.
Continually touched base on what IoCs would be left when walking through different techniques
Day 4 content and labs were a lot to digest, and Jean did a good job of keeping us engaged. There were a few typos and lab SNAFUs that didn't help with speed of completion, but I'm sure after our feedback the authors got it sorted. I don't come from a strong AD background and had to sprint to keep up most of the day. That being said, we weren't able to finish the last lab during class, and I definitely didn't have enough time to get through everything with both C2s.
Good coverage on Golden/Silver Tickets as well as Kerberoasting
Really liked the discussion of Constrained Delegation vs Unconstrained Delegation
Not really sure what was done to harden Covenant or PS-Empire, but whatever y'all did, it sure works better than my current builds! 5 days and no crashes...unreal.
Love that there are still breadcrumbs that tie back to the original threat intel in Day 1
Still reinforcing OPSEC through safe exfiltration techniques
Wish they had something a little more hands-on with emulating ransomware, as I've been asked to do this multiple times since the course and ended up rolling my own.
Today was split almost down the middle: continuing with modern AD techniques, a touch of SQL, and then rolling back into the paperwork aspect of Red Teaming. As I mentioned before, I'm kind of a lab fiend, but being relatively new, it was a decent culmination of academic knowledge to round out the last two days.
Range was rock solid, still impressed with the depth and quality of these individual environments
As with most SANS CTFs I've done, it started off following the material almost verbatim, but to my enjoyment it forked about a quarter of the way through. This ensured that you could not only run the walkthrough but also think about how/why/where to employ the TTPs you learned.
I love a good CTF. I do wish there were a few more flags and that it more adequately encompassed the totality of the course, but given the timeline this was incredibly fast-paced and fun to participate in.
Hats off to Jean and Barrett, I knew it would be tough to nail a 500 level Red Team course but I think they hit a good balance with this course and I expect it will only get better with time.
A few months after taking SEC565 I was asked to participate as a Red Team Operator in a state-level cyber defense exercise and used many of the domain lateral movement/privesc techniques exactly as taught in the course, with great success and complete domain compromise. In addition to adding to my technical skillset, I was able to explain to the participants how to effectively use a Red Team to meet planned objectives, so I guess you can say Day 1 and the back half of Day 5 were worth it!
I can't say enough about getting solid cloud-based individual ranges; it's such a welcome change for SANS. Thanks so much for the read if you made it this far, and I hope you enjoy SEC565 as much as I did! If you have any questions or want to reach out: @bobhacksthings.