Explore Stealth powered Red Teaming with CSCO

The Stealth Cyber Operator [CSCO] course is designed to train individuals who want to break into core offensive red teaming, an exponentially growing market with an average salary of $145,000 - $250,000. It enables them to explore the latest, well-researched techniques of stealthy exploitation and evasion in enterprise networks through practical demonstrations and hands-on labs.

About CSCO

Module 1 : Red Team Resource Development

The first module lays the foundation for understanding and implementing robust security measures within an enterprise environment.

Content includes exploring HTML smuggling and EDR features such as AMSI, UAC and AppLocker. We also learn about directory-level controls and Linux-specific security measures.

Complementing this defensive stance, we explore setting up command and control (C2) servers and simulating phishing attacks for initial access.

Module 2 : Offensive C# Tradecraft

In this module, we explore the critical aspects of C# programming from a Red Team perspective.

It begins with the significance of C# in offensive security strategies and covers foundational concepts such as the Common Language Runtime (CLR), managed versus unmanaged code, and identifying process architecture and states.

The module is covered through six hands-on labs focusing on offensive C# tradecraft, in which we develop custom Meterpreter payloads, invoke PowerShell without powershell.exe, write obfuscated C# reverse shells, and analyse case studies of Initial Access Tactics, Techniques, and Procedures (TTPs) that employ C# tradecraft.

Module 3 : Abusing Windows API

Module 3 provides us with a comprehensive understanding of the process injection techniques crucial for Red Team operations.

It starts with an introduction to the topic and essential Windows API theory, highlighting its relevance to Red Team operations. We then explore alternative shellcode execution methods, listing the DLLs loaded by a process, and writing data to process memory, all of which are essential for DLL injection.

The module covers various process injection techniques such as Process Hollowing, Process Doppelgänging, Process Herpaderping, and Process Ghosting. Additionally, we learn some Bullet-Proof AV Evasion strategies, including loading shellcode from project files, through practical exercises.

Module 4 : Abusing / Evading Security Controls

In Module 4, evading and exploiting host-level security measures are elaborated in detail. We explore a wide range of techniques for bypassing host-level defences, including custom methods to disarm AMSI, bypass Constrained Language Mode (CLM), and evade Script Block Logging. The module also covers techniques for bypassing the ASR rules that stop JavaScript and VBScript from launching executables and that block potentially obfuscated scripts.

Additionally, this module covers the controls that block Office applications from creating child processes and from making Win32 API calls from Office macros, along with advanced tactics such as bypassing AppLocker in an Initial Access TTP and exploiting credential access vulnerabilities.

Module 5 : Enterprise Grade Lab Environment [Practice Lab]

This practice lab is a simulated, secured enterprise network with workstations, web and email servers, and endpoint security controls. These controls include firewalls, anti-malware software, and intrusion detection systems intended to prevent unauthorised access.

The user, posing as a stealth operator, is tasked with using the knowledge from the previous modules to evade all of these security measures, gain access to workstations, and perform lateral movement inside the network in an attempt to compromise other servers and machines.

Lab Architecture

Experience under CSCO Practice Labs

The Stealth Cyber Operator Course [CSCO] gives us 13 well-established hands-on labs. These cover a vast spectrum of topics designed to bypass and manipulate network defences, such as methods for abusing Resource Based Constrained Delegation (RBCD), both with and without adding computer accounts, and exploiting Microsoft monitoring and patching solutions such as SCCM, SCOM, and LAPS. Cross-Forest Abuse Techniques are covered extensively, including Kerberoasting, Cross-Forest ACL Abuse, Foreign Security Principal Abuse, and Trust Key exploitation.

Additionally, through practical exercises and case studies, we also learn about Linux Environment Abuse focusing on AppArmor, as well as the basics of Event Tracing for Windows (ETW), EDR internals, and evasion strategies.
