Going through Raphael Mudge’s Advanced Threat Tactics Course videos and blog post is akin to rummaging through treasure.
Although this is a showcase for Cobalt Strike which is a *must have* tool for IT security Red Team operations and Adversary Simulation, it is so much more.
For me, this course catapulted and solidified my thinking and is the pre-eminent single source of information for not only the tools of advanced threat simulation, but the underlying methodology and tradecraft.
I’ll make no bones about it: I consider Cobalt Strike a masterpiece put together by a craftsman, and in case you think I’m going overboard, harmj0y described Cobalt Strike’s PowerShell weaponisation capabilities as “A new hope” and:
This is the PowerShell weaponization I’ve been waiting for, and the most seamless I’ve seen up to this point.
Raphael Mudge is also a gifted teacher.
Consider with me the sixth video in the course on Lateral Movement:
Note that Raphael takes care to lay out for us the underlying mechanisms of the Windows enterprise environment, as well as:
- The fundamentals of lateral movement.
- User, domain and share enumeration and reconnaissance – both old school (Windows NET/DOMAIN commands) and new (PowerView).
- Re-purposing trust material / Access Tokens / Credentials / Password hashes – Pass-the-Hash / Kerberos Tickets (Golden Ticket) / PowerSploit / Mimikatz / WinRM & WMI / Impersonation.
And so on. Just so much juicy information packed into such a small tin.
The same theme repeats throughout; the emphasis on Tradecraft & Professionalism. For example, not touching disk and using native functionality. Put simply, being light-footed forensically.
As a quick aside, Raphael describes his SMB beacon as “phenomenal for lateral movement” and he’s not wrong, nor exaggerating.
It’s not just the videos though; it’s the plethora of links to other sources of information that makes this course a superb platform from which to delve further and further…
It’s also worth noting that this is frequently updated:
The Advanced Threat Tactics Course and Notes page isn't static. I regularly add to this collection of links: https://t.co/eZTcPzRpAY
— A. Hacker (@armitagehacker) November 22, 2015
I strongly encourage you to take the time to watch the videos, read the blog post and accompanying links. It’s the most valuable single resource I know of and superior to any book I’ve read.