May 7, 2024

Cyber Security Hubbl3

Survivorship Bias and How Red Teams Can Handle It

Reporting, by nature, covers only the threat actors that have been caught. What about all the ones that didn’t get caught? There is no way to examine that, and it comes down to the fact that we don’t know what they did. Therein lies the problem for threat emulation.


Empire Operations: Tactics (APT28)

Training Description

Empire Operations: Tactics (APT28) is an intermediate-level course that focuses on executing Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) using Empire. In this hands-on course, students will evaluate the 2021-2022 exploitation campaign from Fancy Bear (APT28), which used MSHTML RCE (CVE-2021-40444) in macro-enabled docs, OneDrive C2 communications, and C# payloads. Next, attendees will learn the individual components of Empire and how to apply them to execute a red team operation. Key topics include building C2 infrastructure, deploying customized payloads in C# and PowerShell, and creating tailored scripts for engagements. Finally, the Empire TTPs learned throughout the course will be tested on a comprehensive range using a provided emulation plan for APT28.


Course Overview

Day 1

Introduction, Background, & C2 Theory

Fancy Bear (APT28)

Empire Basics

Attack Infrastructure

Malicious Macros & CVE-2021-40444

Day 2

.NET Tradecraft

C# and DLL Exploitation

Privilege Escalation, Lateral Movement, & Exfiltration

Student Topics

Debrief

Conclusion


Upcoming Courses


01 Jul 2023

Defcon Las Vegas, Caesars Forum, Las Vegas, 08:00

Empire Operations: Tactics (APT28) – Cancelled
