
Adversary Tactics

SpecterOps | March 20 - 21


As organizations scramble for a way to keep from becoming the next breach headline, they've begun looking for ways to simulate the sophisticated attackers they now face. Organizations that have started to adopt an "assume breach" mentality understand that it's not a matter of if they're compromised by these advanced adversaries, but when. The best way to test modern environments against sophisticated threats is with a red team that leverages the same tactics, techniques and procedures (TTPs) as the adversaries themselves.

This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems, modern defenses, and active network defenders responding to Red Team activities. We will cover several phases of a Red Team engagement in depth: user profiling and phishing, host enumeration and "safety checks", advanced lateral movement, Active Directory domain enumeration and escalation, persistence, Kerberos attacks, data mining, and exfiltration. Come learn to use some of the most well-known offensive tools from the authors themselves, including co-creators and developers of PowerView, PowerShell Empire, PowerSploit, PowerUp, and BloodHound.

The following topics will be covered in this course:

Day 1:
  • Red Team philosophy/overview
  • Engagement management
  • Cobalt Strike Tutorial
  • "Offense-in-depth"
  • Initial access methods
  • Privilege escalation methods through abuse of misconfigurations
  • User and network resource mining

Day 2:
  • Credential abuse
  • Active Directory enumeration and abuse - intelligence gathering, domain escalation, covert persistence, and BloodHound
  • Kerberos attacks
  • Pivoting through the target network

Who Should Take This Course

This course includes a team-based, on-keyboard execution of a simulated red team engagement in a complex network scenario. Participants should be comfortable with penetration testing concepts and tools, Active Directory, and attacking Microsoft Windows environments.

Student Requirements

Please see the "Who Should Take This Course" section.

What Students Should Bring

Students will be supplied with a customized attack virtual machine that includes all tools needed to perform the training. Students need to bring a laptop with at least 8 gigabytes of RAM, the ability to run a virtual machine (VMware Fusion, Player, or Workstation), and a wireless network adapter.

What Students Will Be Provided With

Please see the "What Students Should Bring" section.


Andy is an active red teamer and co-author of BloodHound, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security. He is also a veteran Black Hat trainer.

Matt Nelson (@enigma0x3) is an active red teamer and security researcher. He brings a passion for researching and pushing new offensive and defensive techniques into the security industry. He is the primary developer on the PowerSCCM toolkit, a co-developer on the Empire framework, a veteran Black Hat trainer, and contributes to many other open source security projects. Matt has spoken at numerous security conferences, and has been recognized by Microsoft for his discovery of new offensive techniques and bypasses.

Lee is a senior red team operator, threat hunter, and capability engineer for SpecterOps. Lee has performed red team and hunt engagements against Fortune 500 companies for several years, and has trained on offensive/defensive tactics at events throughout the world. Lee enjoys building tools to support red team and hunt operations. Lee is the author of several offensive tools and techniques, including UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets), and KeeThief. He is also a veteran Black Hat trainer.