Spotlight

May 7, 2024

Cyber Security Hubbl3

Survivorship Bias and How Red Teams Can Handle It

Reporting, by nature, covers only the threat actors that have been caught. What about all the ones that didn’t get caught? There is no way to examine them. It comes down to the fact that we don’t know what they did, and therein lies the problem for threat emulation.


Empire Operations: Tactics (Turla)

Course Summary

Empire Operations: Tactics is an intermediate-level course series that focuses on executing Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) using Empire. In this hands-on course, students will evaluate Turla’s 2020 campaign, a targeted cyber-espionage campaign that deployed backdoors and stole sensitive documents from high-profile targets. Students will learn to execute specially crafted emulation plans that gain initial access using Follina (CVE-2022-30190), a Microsoft Office remote code execution vulnerability, along with reflectively loaded DLLs and Dropbox C2 communications. Students will learn the basics of IronNetInjector, Turla’s .NET injector built in IronPython, and deploy Empire’s ultra-modern IronPython agent for emulation. Finally, attendees will master the individual components of Empire and apply them to executing a red team operation. The Turla TTPs learned throughout the course will be tested on a comprehensive range using a provided emulation plan.


Course Schedule

Introduction, Background, & C2 Theory

Turla (Venomous Bear)

Empire Basics & IronPython Agents

Attack Infrastructure

C# and DLL Exploitation

Privilege Escalation, Lateral Movement, & Exfiltration


Upcoming Courses


19 May 2023

HackMiami 2023

Marenas Beach Resort, 18683 Collins Avenue, Sunny Isles Beach, FL 33160

Empire Operations: Tactics (Turla)
