Training - Wild West Hackin’ Fest | Hacking Training Conference in Deadwood

TWO-DAY TRAINING

A WWHF conference ticket is included with the training hosted on the WWHF website.

Registration will open on Tuesday, March 10th at 7:30 AM.

Training will be held on Tuesday, March 10th from 9 AM to 4 PM and Wednesday, March 11th from 9 AM to 4 PM.

SANS manages their own course registration so we are unable to bundle SANS Training with a conference ticket (but will provide you with a discount code). Please email us at thebank at wildwesthackinfest dot com with your SANS registration # and we will send you a code for a discounted conference ticket.

WARNING! This part is slightly painful to understand, but I promise we can get through it together.

To register for SANS SEC564 or SEC573 (Special Python): Please click on the blue button above and you will be redirected to the SANS registration page. Once you have your course registration confirmation, please email thebank at wildwesthackinfest dot com with that info and we’ll send you a discount code for a reduced price conference ticket.

To register for the Hosted Training: Please click the link and register for both the con and training using the above orange button.

SEC564: Red Team Exercises

SEC564: Red Team Exercises & Adversary Emulation

Instructor: Jorge Orchilles

$2800 + taxes & fees

Registration Instructions: Please Click Here to register for the training on the SANS website. Once you’ve got your registration #, please email at thebank at wildwesthackinfest dot com for a discounted ticket to WWHF.

Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate real-world adversaries in order to train and measure the effectiveness of the people, processes, and technology used to defend organizations. SEC564 will provide you with the skills to manage and operate a Red Team, conduct Red Team exercises and adversary emulations, and understand the role of the team and its importance in security testing.

Built on the fundamentals of penetration testing, Red Team exercises use a comprehensive approach to gain a holistic view of an organization’s security posture in order to improve its ability to detect, respond, and recover from an attack. When properly conducted, Red Team exercises significantly improve an organization’s security posture and controls, hone its defensive capabilities, and measure the effectiveness of its security operations.

Red Team exercises require a different approach from a typical security test and rely heavily on well-defined TTPs, which are critical to successfully emulating a realistic adversary. The Red Team exercises and adversary emulation results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against a real adversary, and identify where security strengths and weaknesses exist across people, processes, and technology.

Whether you support a defensive or offensive role in security, understanding how Red Team exercises can be used to improve security is extremely valuable. This intensive two-day course will explore Red Team concepts in-depth, provide the required fundamentals of adversary emulation, and help you improve your organization’s security posture.

SEC573 (Special): Automating Information Security with Python

Instructor: Jonathan Thyer

$2800 + taxes & fees

Python is a simple, user-friendly language that is designed to make automating the tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SANS SEC573: Automating Information Security with Python will have you creating programs that make your job easier and make your work more efficient. This self-paced course starts from the very beginning, assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the course.

All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common: CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don’t evolve with them, we’ll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen Operating System has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold…or you can write a tool yourself.

Or perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn’t be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Or, as a Penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when “off-the-shelf” tools and exploits fall short? If you’re good, you write your own tool.

SEC573 is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you to better automate the daily routine of today’s information security professional and to achieve more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

You Will Learn How To:

Leverage Python to perform routine tasks quickly and efficiently
Automate log analysis and packet analysis with file operations, regular expressions, and analysis modules to find evil
Develop forensics tools to carve binary data and extract new artifacts
Read data from databases and the Windows Registry
Interact with websites to collect intelligence
Develop UDP and TCP client and server applications
Automate system processes and process their output

A GUIDE TO ACTIVE DEFENSE, CYBER DECEPTION AND HACKING BACK

Instructor: John Strand

$1500 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.

In this class, you will learn how to force an attacker to take more moves to attack your network. These moves may increase your ability to detect them. You will learn how to gain better attribution as to who is attacking you and why. You will also find out how to get access to a bad guy’s system. And most importantly, you will find out how to do the above legally.

The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. Some of the things we talk about you may implement immediately, others may take you a while to implement. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, attribute who is attacking you and, finally, attack the attackers.

This class is based on the DARPA funded Active Defense Harbinger Distribution live Linux environment. This VM is built from the ground up for defenders to quickly implement Active Defenses in their environments. This class is also very heavy with hands-on labs. We will not just talk about Active Defenses. We will be doing hands-on labs and through them in a way that can be quickly and easily implemented in your environment.

KEY TAKEAWAYS

Non-standard defenses
Full free environment with all tools and instructions for those tools
Understand legal issues

WHO SHOULD TAKE THIS COURSE

General security practitioners
Penetration testers
Ethical hackers
Web application developers
Website designers and architects

SANS Registration Link: Click Here

An Introduction to Developing Phishing Malware

Instructors: Christopher Truncer & Matt Grandy

$1750 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: One of the most critical aspects of any red team assessment is obtaining initial access into your target’s environment. The ability to capture valid credentials or execute code within your target’s environment is the first step toward accomplishing the rest of your assessment goals.

In this course, students will learn a variety of techniques used by attackers to phish companies and then write their own malware in a hands-on environment.

This class will cover a wide range of topics over a two-day period:

• Development Environment Prep – We start by building multiple development environments (within virtual machines) for writing malware. We discuss the different tools, languages, and operating system configurations that our malware developers use when writing code and then set them up in our virtual machines.

• Malware/Campaign Goals – When writing phishing malware, we typically have one of two goals: harvest credentials from our victim or execute arbitrary code on their workstation.

For our intro class, we explore how we can accomplish both goals:

o Credential Harvesting – Harvesting account credentials can be very dependent upon the type of services your target has publicly available. Is there a VPN portal, outlook web access, HR self-service portal, Citrix access? Ultimately, your goal is to entice the user to enter their credentials into a web form that securely saves their information and possibly their multi-factor token. We’ll look at both custom code and existing open source tooling which helps to accomplish this objective.

o Arbitrary Code Execution – Code execution typically will result in a Meterpreter or Cobalt Strike Beacon connecting back to your command and control servers when your attack vector is executed by the targeted employee. To accomplish the code execution objective, we discuss and customize browser-based attacks that attackers use to accomplish this objective.

• Code Execution Deep Dive – After looking at examples of how attackers can leverage web browsers to execute code on their target’s systems, we do a deep-dive into different methods of customizing code execution malware.

o Process Injection Techniques – There are many ways that an attacker can inject code not only into its current process, but also other processes that are running on the targeted system. We discuss the pros and cons of injecting into remote processes and walk through the different API calls that enable these capabilities.

o DotNetToJScript – The tool DotNetToJScript has changed how the industry writes phishing malware. It has extended the functionality of “low capability” browser-compatible languages to match that of fully functional development languages. We walk through how you can use different process injection techniques within a browser-based attack with DotNetToJScript.

At the conclusion of the class, students will have a strong understanding of different techniques used by modern attackers in phishing attacks. Additionally, all students will have learned various methods to extend basic phishing attacks to include process injection techniques that are used to avoid detection.

Note: While this is an introductory class, attendees should have an understanding of basic programming concepts to get the most out of this class. Experience with .NET would be extremely beneficial. This course is geared toward attacking Window’s environments and all malware written during class will be for Window’s targets.

Hacking Enterprises – 2020 Release

Instructors: Will Hunt and Owen Shearing

$2100 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: This is an immersive hands-on course aimed at a technical audience. The training covers a multitude of security topics, is based around modern operating systems and using modern techniques, with an emphasis on exploiting configuration weaknesses rather than throwing traditional exploits. This means logical thinking and creativity will definitely be put to the test.
Students will access a cloud-based LAB configured with multiple networks, some easily accessible, others not so. Course material and exercise content has been designed to reflect real-world challenges and students will perform numerous hands-on exercises including using OSINT skills to retrieve useful data, perform host/service enumeration and exploitation as well as perform phishing
attacks against our live in-LAB users’ to gain access to new networks, bringing new challenges and in the process teaching new sets of skills in post exploitation, network reconnaissance, lateral movement and data exfiltration.

We also like to do things with a difference. In this training you’ll be provided access to an in LAB Elastic instance, where logs from all targets get pushed and processed. This allows you, as an attacker, as a blue teamer, to understand the types of artifacts your attacks leave, therefore understanding how you might catch, or be caught in the real word.

Course Promo Video: https://youtu.be/mr5ZfN-MrsQ

Each Student Will Receive:

We realize that training courses are limited for time and therefore students are also provided a complementary In.security hackpack! This includes:

14-day extended LAB access after the course finishes
• 14-day access to a CTF platform with subnets/hosts not seen during training!
• Slack support channel access where our security consultants are available
• A hard copy of the RTFM
• A Hak5 LAN Turtle

Agenda:
Day 1
• Getting familiar with the MITRE ATT&CK framework
• An introduction into monitoring and alerting using our in-LAB ELK stack
• Leveraging OSINT activities
• Enumerating and targeting IPv4 and IPv6 hosts
• Remote/local Linux enumeration and living off the land
• Linux shells, post exploitation and privilege escalation
• P@ssw0rd cracking (*nix specifics)
• Kubernetes and container security
• Creating and executing Phishing campaigns against our simulated enterprise users
• Living off the land tricks and techniques in Windows

Day 2
• P@ssw0rd cracking (Windows specifics)
• Remote/local Windows enumeration
• Windows exploitation and privilege escalation techniques
• Windows Defender/AMSI and UAC bypasses
• Bypassing AppLocker, PowerShell CLM and Group Policy restrictions
• Enumerating and extracting LAPS secrets
• RDP hijacking
• Lateral movement, pivoting, routing, tunnelling and SOCKS proxies
• Application enumeration and exploitation via pivots
• Leveraging domain trusts
• Gaining persistence using Scheduled Tasks and WMI Event Subscriptions
• Data exfiltration over OOB channels (ICMP and DNS)
• Domain Fronting and C2

Who Should Attend:
This training is suited to a variety of students, including:
• Penetration testers
• SOC analysts
• Security professionals
• IT Support, administrative and network personnel
Prerequisite Knowledge:
• A firm familiarity of Windows and Linux command line syntax
• Understanding of networking concepts
• Previous pentesting and/or SOC experience is advantageous, but not required

Hardware / Software Requirements:
• Students will need to bring a laptop to which they have administrative/root access, running
either Windows, Linux or Mac operating systems
• Students will need to have access to VNC, SSH and OpenVPN clients on their laptops (these
can be installed at the start of the training)

BIOs:
Will Hunt
Will (@Stealthsploit) is a cyber security consultant who has worked in IT security for over 10 years. He co-founded In.security Ltd., a specialist cyber security company delivering high-end consultancy and training services. He’s delivered hacking courses at Black Hat USA/EU, Wild West Hackin’ Fest, NolaCon, 44CON and others, and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

Owen Shearing
Owen (@rebootuser) is a co-founder of in.security Ltd., a specialist cyber security consultancy offering technical and training services based in the UK. He is a CREST CCT level security consultant with a strong background in networking and IT infrastructure and has over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke
events and various conferences. He runs the blog https://rebootuser.com and keeps projects at https://github.com/rebootuser.

Trainers/Contact Information:

Will Hunt / @stealthsploit

Owen Shearing / @rebootuser

Preferred Twitter @insecurity_ltd

Network Threat Hunting With Security Onion

Instructor: Chris Brenton

$1500 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: We have a gaping hole in our security posture that few people are talking about. When an adversary successfully compromises a target network, it is typically six months or more before that compromise is detected. Further, a majority of the time the compromise is first discovered by an external third party. Network threat hunting has become an effective technique at identifying when our protections have failed and incident handling needs to be initiated.

In this course, you will learn how to threat hunt the network using open source tools. The focus will be on detection techniques that target the command and control (C2) channel. By targeting C2, we can successfully hunt for adversaries on desktops, servers, network hardware, and even IoT and IIoT devices.

Students will learn how to stand up Security Onion, along with some additional open-source tools, as an effective threat hunting platform. The process of network threat hunting will be discussed and students will go hands-on with pcap samples of many different C2 channels. The goal will be to hone the student’s threat hunting skills, as opposed to simply learning how to detect a few specific C2 channels. By the end of the course, the student will be able to stand up a threat hunting platform in their own environment and begin hunting adversaries.

What’s covered in this course:

Threat hunting, the basics
Threat hunting as a process
Security Onion – A quick overview
Deploying security onion
Manual techniques for C2 detection
Automated techniques for C2 detection
Multiple C2 detection labs

Atomic Purple Teaming

Instructors: Jordan Drysdale & Kent Ickler

$1500 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: You’ve heard this story before. Bad actor walks into a network and pillages the place in swift action. CIO asks “Where did we go wrong?” SysAdmin replies “our password, remote access, workstation restriction, and lack of application whitelisting policies. Oh, and our SIEM didn’t notify us. We just weren’t ready for that attack.”

Atomic Purple Teaming (APT) will guide students through attack and defense methodology using the MITRE ATT&CK Framework and the Atomic Red Team tactics to produce a secure enterprise environment. The course covers secure network designs, OSINT based reconnaissance, basic command and control (C2) operations and modern defenses that stop or slow down current adversarial techniques. Network and Active Directory Best Practices will be leveraged as a framework for implementing network and domain protections to harden networks.

Students will have an opportunity to attack their own in-class Active Directory environment with Red Team tactics, implement Blue Team defensery, and manage an environment designed to prevent, slow, identify and highlight attacks. Additionally, the course will guide students through configuring no-nonsense attack identification and alerting that is essential to an effective SOC operation.

In a live-environment, students will have the opportunity to demonstrate a secured enterprise environment by utilizing the MITE ATT&CK Framework, Red Team tactics and Blue Team defenses to slow, stop, and identify attacks.

Implement better security and tell your CIO how everything went right!

Course Objectives

Understand MITRE ATT&CK and Atomic Red Team frameworks.
Develop Secure Network Designs
Understand Enterprise OSINT
Demonstrate Attack Tactics
Understand and Implement Defensive Strategies
Deploy Baseline Security Logging for Active Directory Systems
Implement continuous security improvement by leveraging the MITRE ATT&CK Matrix and Deploy Atomic Red Team frameworks.

Who should take this course

Information Technology (IT) administrators, help desk, defenders, security professionals, blue-teamers with minimal red-team background, red-teamers with minimal blue-team background. People interested in learning how to red team to drive home the risks of failing to implement improved password policies. Anyone interested in understanding and executing an LLMNR and NTLM relay attack against open SMB services on a network should join us. Any analyst, sysadmin, or network architect looking to build a security team focused on continual improvement should take this course.

IT System Administrators
IT Security Management and Leadership
Helpdesk Technicians and Analysts
Network Engineers
Defenders and BlueTeamers
General security practitioners
Penetration testers
Network / Domain Architects

Key Take-aways

Build a continuously improving IT security lifecycle of responsible network administration
Understand and implement “Best Practice” Security configurations for Windows and Active directory.
Utilize Modern red team and hacker tactics to audit security posture.
Kill the LLMNR, NTLM, and SMB Relay attack sequence.
Understand current frameworks in use by attackers, script kiddies, and nation-state actors.
Understand business impact and residual risk in balancing security.
Ability to demonstrate command and control infrastructures and relative defence mechanisms.

Audience Skill Level

The audience should have nominal Windows / Linux / Mac operating knowledge.
An ideal candidate is in a position to make lasting changes in a Windows Domain environment.
A motivated student will be ready to deploy command and control infrastructure, infect Windows systems, escalate their privileges, and learn defensive strategies to kill these attack chains.

Student Requirements

Laptop capable of RDP, Web-browser,
Exposure to Active Directory

What students will be provided

90-Day Cloud-Based Linux Instance
Courseware USB
Digital Copy of Book
Windows/Linux ISOs
Bound Course Book
Best Practice guides, cheatsheets, and syntax cards