Training - Wild West Hackin’ Fest | Hacking Training Conference in Deadwood

TWO-DAY TRAINING

All training sessions will be held in Mountain Daylight Time

A WWHF conference ticket is included with the training hosted on the WWHF website.

Registration will open on Tuesday, March 10th at 7:30 AM.

Training will be held on Tuesday, March 10th from 9 AM to 4 PM and Wednesday, March 11th from 9 AM to 4 PM.

To register for the Hosted Training: Please click the link and register for both the con and training using the above orange button.

SANS Update: Wild West Hackin’ Fest – Way West has been changed to a virtual conference and, as a result, SANS training will no longer be offered. The SANS Training Guarantee allows for a full refund or you can delay your training to take the course at an event later in the year. Please feel free to contact us with any questions.

Guide to Active Defense, Cyber Deception & Hacking Back

A GUIDE TO ACTIVE DEFENSE, CYBER DECEPTION AND HACKING BACK

Instructor: John Strand

$1500 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.

In this class, you will learn how to force an attacker to take more moves to attack your network. These moves may increase your ability to detect them. You will learn how to gain better attribution as to who is attacking you and why. You will also find out how to get access to a bad guy’s system. And most importantly, you will find out how to do the above legally.

The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. Some of the things we talk about you may implement immediately, others may take you a while to implement. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, attribute who is attacking you and, finally, attack the attackers.

This class is based on the DARPA funded Active Defense Harbinger Distribution live Linux environment. This VM is built from the ground up for defenders to quickly implement Active Defenses in their environments. This class is also very heavy with hands-on labs. We will not just talk about Active Defenses. We will be doing hands-on labs and through them in a way that can be quickly and easily implemented in your environment.

KEY TAKEAWAYS

Non-standard defenses
Full free environment with all tools and instructions for those tools
Understand legal issues

WHO SHOULD TAKE THIS COURSE

General security practitioners
Penetration testers
Ethical hackers
Web application developers
Website designers and architects

An Introduction to Developing Phishing Malware

Instructors: Christopher Truncer & Matt Grandy

$1750 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: One of the most critical aspects of any red team assessment is obtaining initial access into your target’s environment. The ability to capture valid credentials or execute code within your target’s environment is the first step toward accomplishing the rest of your assessment goals.

In this course, students will learn a variety of techniques used by attackers to phish companies and then write their own malware in a hands-on environment.

This class will cover a wide range of topics over a two-day period:

• Development Environment Prep – We start by building multiple development environments (within virtual machines) for writing malware. We discuss the different tools, languages, and operating system configurations that our malware developers use when writing code and then set them up in our virtual machines.

• Malware/Campaign Goals – When writing phishing malware, we typically have one of two goals: harvest credentials from our victim or execute arbitrary code on their workstation.

For our intro class, we explore how we can accomplish both goals:

o Credential Harvesting – Harvesting account credentials can be very dependent upon the type of services your target has publicly available. Is there a VPN portal, outlook web access, HR self-service portal, Citrix access? Ultimately, your goal is to entice the user to enter their credentials into a web form that securely saves their information and possibly their multi-factor token. We’ll look at both custom code and existing open source tooling which helps to accomplish this objective.

o Arbitrary Code Execution – Code execution typically will result in a Meterpreter or Cobalt Strike Beacon connecting back to your command and control servers when your attack vector is executed by the targeted employee. To accomplish the code execution objective, we discuss and customize browser-based attacks that attackers use to accomplish this objective.

• Code Execution Deep Dive – After looking at examples of how attackers can leverage web browsers to execute code on their target’s systems, we do a deep-dive into different methods of customizing code execution malware.

o Process Injection Techniques – There are many ways that an attacker can inject code not only into its current process, but also other processes that are running on the targeted system. We discuss the pros and cons of injecting into remote processes and walk through the different API calls that enable these capabilities.

o DotNetToJScript – The tool DotNetToJScript has changed how the industry writes phishing malware. It has extended the functionality of “low capability” browser-compatible languages to match that of fully functional development languages. We walk through how you can use different process injection techniques within a browser-based attack with DotNetToJScript.

At the conclusion of the class, students will have a strong understanding of different techniques used by modern attackers in phishing attacks. Additionally, all students will have learned various methods to extend basic phishing attacks to include process injection techniques that are used to avoid detection.

Note: While this is an introductory class, attendees should have an understanding of basic programming concepts to get the most out of this class. Experience with .NET would be extremely beneficial. This course is geared toward attacking Window’s environments and all malware written during class will be for Window’s targets.

Hacking Enterprises – 2020 Release

Instructors: Will Hunt and Owen Shearing

$2100 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: This is an immersive hands-on course aimed at a technical audience. The training covers a multitude of security topics, is based around modern operating systems and using modern techniques, with an emphasis on exploiting configuration weaknesses rather than throwing traditional exploits. This means logical thinking and creativity will definitely be put to the test.
Students will access a cloud-based LAB configured with multiple networks, some easily accessible, others not so. Course material and exercise content has been designed to reflect real-world challenges and students will perform numerous hands-on exercises including using OSINT skills to retrieve useful data, perform host/service enumeration and exploitation as well as perform phishing
attacks against our live in-LAB users’ to gain access to new networks, bringing new challenges and in the process teaching new sets of skills in post exploitation, network reconnaissance, lateral movement and data exfiltration.

We also like to do things with a difference. In this training you’ll be provided access to an in LAB Elastic instance, where logs from all targets get pushed and processed. This allows you, as an attacker, as a blue teamer, to understand the types of artifacts your attacks leave, therefore understanding how you might catch, or be caught in the real word.

Course Promo Video: https://youtu.be/mr5ZfN-MrsQ

Each Student Will Receive:

We realize that training courses are limited for time and therefore students are also provided a complementary In.security hackpack! This includes:

14-day extended LAB access after the course finishes
• 14-day access to a CTF platform with subnets/hosts not seen during training!
• Slack support channel access where our security consultants are available
• A hard copy of the RTFM
• A Hak5 LAN Turtle

Agenda:
Day 1: 9 AM to 5:30 PM
• Getting familiar with the MITRE ATT&CK framework
• An introduction into monitoring and alerting using our in-LAB ELK stack
• Leveraging OSINT activities
• Enumerating and targeting IPv4 and IPv6 hosts
• Remote/local Linux enumeration and living off the land
• Linux shells, post exploitation and privilege escalation
• P@ssw0rd cracking (*nix specifics)
• Kubernetes and container security
• Creating and executing Phishing campaigns against our simulated enterprise users
• Living off the land tricks and techniques in Windows

Day 2: 8:30 AM to 4:30 PM
• P@ssw0rd cracking (Windows specifics)
• Remote/local Windows enumeration
• Windows exploitation and privilege escalation techniques
• Windows Defender/AMSI and UAC bypasses
• Bypassing AppLocker, PowerShell CLM and Group Policy restrictions
• Enumerating and extracting LAPS secrets
• RDP hijacking
• Lateral movement, pivoting, routing, tunnelling and SOCKS proxies
• Application enumeration and exploitation via pivots
• Leveraging domain trusts
• Gaining persistence using Scheduled Tasks and WMI Event Subscriptions
• Data exfiltration over OOB channels (ICMP and DNS)
• Domain Fronting and C2

Who Should Attend:
This training is suited to a variety of students, including:
• Penetration testers
• SOC analysts
• Security professionals
• IT Support, administrative and network personnel
Prerequisite Knowledge:
• A firm familiarity of Windows and Linux command line syntax
• Understanding of networking concepts
• Previous pentesting and/or SOC experience is advantageous, but not required

Hardware / Software Requirements:
• Students will need to bring a laptop to which they have administrative/root access, running
either Windows, Linux or Mac operating systems
• Students will need to have access to VNC, SSH and OpenVPN clients on their laptops (these
can be installed at the start of the training)

BIOs:
Will Hunt
Will (@Stealthsploit) is a cyber security consultant who has worked in IT security for over 10 years. He co-founded In.security Ltd., a specialist cyber security company delivering high-end consultancy and training services. He’s delivered hacking courses at Black Hat USA/EU, Wild West Hackin’ Fest, NolaCon, 44CON and others, and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

Owen Shearing
Owen (@rebootuser) is a co-founder of in.security Ltd., a specialist cyber security consultancy offering technical and training services based in the UK. He is a CREST CCT level security consultant with a strong background in networking and IT infrastructure and has over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke
events and various conferences. He runs the blog https://rebootuser.com and keeps projects at https://github.com/rebootuser.

Trainers/Contact Information:

Will Hunt / @stealthsploit

Owen Shearing / @rebootuser

Preferred Twitter @insecurity_ltd

Network Threat Hunting With Security Onion

Instructor: Chris Brenton

$1500 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: We have a gaping hole in our security posture that few people are talking about. When an adversary successfully compromises a target network, it is typically six months or more before that compromise is detected. Further, a majority of the time the compromise is first discovered by an external third party. Network threat hunting has become an effective technique at identifying when our protections have failed and incident handling needs to be initiated.

In this course, you will learn how to threat hunt the network using open source tools. The focus will be on detection techniques that target the command and control (C2) channel. By targeting C2, we can successfully hunt for adversaries on desktops, servers, network hardware, and even IoT and IIoT devices.

Students will learn how to stand up Security Onion, along with some additional open-source tools, as an effective threat hunting platform. The process of network threat hunting will be discussed and students will go hands-on with pcap samples of many different C2 channels. The goal will be to hone the student’s threat hunting skills, as opposed to simply learning how to detect a few specific C2 channels. By the end of the course, the student will be able to stand up a threat hunting platform in their own environment and begin hunting adversaries.

What’s covered in this course:

Threat hunting, the basics
Threat hunting as a process
Security Onion – A quick overview
Deploying security onion
Manual techniques for C2 detection
Automated techniques for C2 detection
Multiple C2 detection labs

Students will need the following to complete all of the labs:

4 GB of free RAM that can be allocated to a VM
30 GB of free storage that can be allocated to a VM
USB port
VM software;l steps will document VirtualBox but VMWare should work as well

There is a little bit of wiggle room here. For example, a system that only has 4GB total RAM will still work but be very slow.

Atomic Purple Teaming

Instructors: Jordan Drysdale & Kent Ickler

$1500 + taxes & fees

Registration Instructions: Please Click Here to register for the training. If you’ve already purchased a con ticket, please email at thebank at wildwesthackinfest dot com for a partial refund.

Course Overview: You’ve heard this story before. Bad actor walks into a network and pillages the place in swift action. CIO asks “Where did we go wrong?” SysAdmin replies “our password, remote access, workstation restriction, and lack of application whitelisting policies. Oh, and our SIEM didn’t notify us. We just weren’t ready for that attack.”

Atomic Purple Teaming (APT) will guide students through attack and defense methodology using the MITRE ATT&CK Framework and the Atomic Red Team tactics to produce a secure enterprise environment. The course covers secure network designs, OSINT based reconnaissance, basic command and control (C2) operations and modern defenses that stop or slow down current adversarial techniques. Network and Active Directory Best Practices will be leveraged as a framework for implementing network and domain protections to harden networks.

Students will have an opportunity to attack their own in-class Active Directory environment with Red Team tactics, implement Blue Team defensery, and manage an environment designed to prevent, slow, identify and highlight attacks. Additionally, the course will guide students through configuring no-nonsense attack identification and alerting that is essential to an effective SOC operation.

In a live-environment, students will have the opportunity to demonstrate a secured enterprise environment by utilizing the MITE ATT&CK Framework, Red Team tactics and Blue Team defenses to slow, stop, and identify attacks.

Implement better security and tell your CIO how everything went right!

Course Objectives

Understand MITRE ATT&CK and Atomic Red Team frameworks.
Develop Secure Network Designs
Understand Enterprise OSINT
Demonstrate Attack Tactics
Understand and Implement Defensive Strategies
Deploy Baseline Security Logging for Active Directory Systems
Implement continuous security improvement by leveraging the MITRE ATT&CK Matrix and Deploy Atomic Red Team frameworks.

Who should take this course

Information Technology (IT) administrators, help desk, defenders, security professionals, blue-teamers with minimal red-team background, red-teamers with minimal blue-team background. People interested in learning how to red team to drive home the risks of failing to implement improved password policies. Anyone interested in understanding and executing an LLMNR and NTLM relay attack against open SMB services on a network should join us. Any analyst, sysadmin, or network architect looking to build a security team focused on continual improvement should take this course.

IT System Administrators
IT Security Management and Leadership
Helpdesk Technicians and Analysts
Network Engineers
Defenders and BlueTeamers
General security practitioners
Penetration testers
Network / Domain Architects

Key Take-aways

Build a continuously improving IT security lifecycle of responsible network administration
Understand and implement “Best Practice” Security configurations for Windows and Active directory.
Utilize Modern red team and hacker tactics to audit security posture.
Kill the LLMNR, NTLM, and SMB Relay attack sequence.
Understand current frameworks in use by attackers, script kiddies, and nation-state actors.
Understand business impact and residual risk in balancing security.
Ability to demonstrate command and control infrastructures and relative defence mechanisms.

Audience Skill Level

The audience should have nominal Windows / Linux / Mac operating knowledge.
An ideal candidate is in a position to make lasting changes in a Windows Domain environment.
A motivated student will be ready to deploy command and control infrastructure, infect Windows systems, escalate their privileges, and learn defensive strategies to kill these attack chains.

Student Requirements

Laptop capable of RDP, Web-browser,
Exposure to Active Directory

What students will be provided

90-Day Cloud-Based Linux Instance
Courseware USB
Digital Copy of Book
Windows/Linux ISOs
Bound Course Book
Best Practice guides, cheatsheets, and syntax cards