Announcements   |   Aug 3 2022 | Andy Robbins

Demystifying Adversary Tactics: A Look at the SpecterOps Training Catalog


Learning is fun. There’s something incredibly invigorating about besting a problem or discovering a better way of doing things, and that’s not even to mention all the “new” that’s still out there to find. Since our inception, SpecterOps has been a proponent of pushing yourself to learn more and, in turn, teaching what you discover to pass it on. In fact, half of our six company values relate directly to that very ideal: Passionate Curiosity, Consistent Improvement, and Empowerment Through Transparency, if you’re curious. Given that, it probably wouldn’t surprise you to hear that Specters love giving training. It’s hard to describe how great it feels to see that spark in our training participants’ eyes when a concept or new practice ‘clicks’, and the subsequent excitement of them running loose with a new capability in their tool bag, but if you’ve seen (or better, experienced) that reaction before, you know what we’re talking about.

At SpecterOps, we hold the training philosophy that learning thrives with guidance, hands-on practice, and feedback. Accordingly, each of our training courses is built up from that foundation. We provide real-life guidance and feedback by leveraging our practitioners as instructors and by focusing on incorporating the most practical content into our course material. Hands-on practice, of course, requires a hands-on lab, so we invest a good amount of resources into building realistic labs that reflect the complexity and situations found in enterprise environments.

With Black Hat USA 2022 rapidly approaching, we thought it’d be a good time to give an overview of not just what topics our courses cover but why we built them in the way we did, and who we think stands to benefit the most from taking the course.

Adversary Tactics: Red Team Operations

Red Team Operations, or RTO as we call it internally, was SpecterOps’s first training course. Though we first debuted the course in 2017, we regularly update it with new and relevant tradecraft to ensure we’re equipping red teamers with the most practical content we can. RTO is designed from the ground up to leverage a realistic lab environment that both reflects the situations found in modern production enterprise networks and serves as a capstone project in which training participants can practice and demonstrate the skills covered in the course material. And you can’t have a production network without defenders, so we built detection and response elements right into the lab; overly noisy tradecraft can get participants bounced off some capstone lab hosts, just like in the real world!

Red Team Operations was built for working red team practitioners with, generally, two to three years of active testing experience, but we’ve taught countless participants of varied backgrounds and experience levels. So, if you’re up to the challenge and want to level up your red team tradecraft, check it out!

Adversary Tactics: Detection

Adversary Tactics: Detection, or ATD, is our second oldest course, and we’ve been proudly delivering it at Black Hat since 2018. ATD was conceived as training to enable detection teams to move from relying on easily evaded (“brittle”) indicators of compromise to incorporating a more fundamental understanding of threats based on techniques. Throughout the course, we look to instill a fundamental understanding of the role that alerting and detection strategies, based on hypothesis-driven threat hunting, serve in strengthening an organization’s security posture. Further, we build on this foundation through hands-on labs to equip participants with a practical approach they can take back from the course and begin to implement in their day-to-day work.

Our Detection course was built with detection teams, both engineers and managers, in mind; though we’ve heard from many non-detection information security professionals (including those pesky red teamers) who’ve taken the course that it provided insight that contextualized the work they do outside of detection functions. Join us for one of our future offerings if you want to see beyond what those blinking boxes tell you!

Adversary Tactics: Tradecraft Analysis

Tradecraft Analysis is one of our more recent courses, debuting at SO-CON 2021. The course aims to burst the bubble of abstraction around adversary tradecraft. Participants are led through an in-depth analysis of Windows attack techniques and shown how to deconstruct each one, evaluating its underlying technical workings. Students are then led through a discussion and hands-on labs to explore available telemetry sources, which can be used to identify potential detection points that are effective against multiple technical implementations or tooling. In addition to the practical methodology taught and multiple hands-on labs, Tradecraft Analysis also covers numerous philosophical topics aimed at illustrating an analytical mindset that complements the practical approaches.

Tradecraft Analysis was designed to equip information security professionals to better understand adversarial tradecraft through a practical analysis methodology that can help identify gaps in existing approaches. It’s our hope that participants coming out of the course can see the forest and the trees, whether they’re protecting an organization directly through detection and response or indirectly through offensive testing. If you’d like to dig deeper into tradecraft and its countless offensive or defensive implications, join us for one of our upcoming offerings and see where the rabbit hole leads!

Adversary Tactics: Mac Tradecraft

macOS doesn’t get viruses. macOS is just fancy Linux. macOS is extremely secure. You’ve probably heard at least one of these statements at some point about macOS, but how true are they? Our Mac Tradecraft course starts from the ground floor and dives into what Apple makes tough for attackers, where opportunities remain, and how you can operate offensively on a macOS device. By the end of the course, participants will have a solid foundation for operating against modern macOS versions as well as insight into how to develop new techniques for future releases of macOS. This course, like all of our Adversary Tactics courses, comes with a hands-on lab that provides all of the Mac hosts participants need to practice the course material in a capstone manner; no need to bring your own Mac!

Mac Tradecraft is focused on enabling penetration testers and red teamers looking to start operating against macOS and defensive engineers looking to detect attacks in environments with macOS hosts. We hope to see you at one of our future offerings if you’re looking to bridge the Mac gap.

Adversary Tactics: Vulnerability Research for Operators

Most red team operators and penetration testers, if they’re honest, will tell you they’ve been in the position of having seemingly nowhere to go on a test, with no more tricks in the bag to pull out. In these situations, an operator’s ability to quickly find and triage previously undisclosed vulnerabilities can be the difference between achieving assessment objectives and stagnating on a host with no avenues forward. SpecterOps set out to demystify the methodologies needed to find new vulnerabilities when you need them most, enabling participants to take advantage of complex environments with custom applications or configurations.

Our Vulnerability Research for Operators course leverages hands-on exercises to teach participants a practical methodology to identify, triage, and exploit the vulnerability classes SpecterOps operators routinely find in mature environments. Exercises range from beginner to advanced difficulty, allowing participants of all skill levels to strengthen their ability to keep moving forward on a test. If you’d like to expand your bag of tricks and simulate more advanced adversaries, join us in one of our future offerings!

Black Hat USA 2022

As mentioned above, Black Hat is rapidly approaching. We’re hosting in-person offerings of all five of our courses at Black Hat USA this year and we’d love to have you come out and take one; we’re all excited to finally emerge from our collective basements!

Adversary Tactics: Red Team Operations (August 6 – 9, 2022)
Adversary Tactics: Detection (August 6 – 9, 2022)
Adversary Tactics: Tradecraft Analysis (August 6 – 9, 2022)
Adversary Tactics: Mac Tradecraft (August 6 – 7, 2022 & August 8 – 9, 2022)
Adversary Tactics: Vulnerability Research for Operators (August 6 – 7, 2022 & August 8 – 9, 2022)

SO-CON 2022

If you’re unable to make it to Vegas for Black Hat this year, we’re also hosting hybrid offerings of all five of our courses the week of October 24th in Reston, VA and live online. Details can be found in our announcement if you’re interested. We’ll be announcing workshops that will be hosted at the end of that week soon.

Announcing SO-CON 2022: Oct 24 – 28, 2022

As we said at the start of this post, learning is fun. We hope you think so too, and if so, we hope to see you at one of our upcoming courses! We know scheduling is tough and that availability doesn’t always align with a live event’s timing, so if you’d like to talk further about a private offering or would like to hear about other future training dates, please feel free to use the Contact Us form above or email us at training [at] specterops [dot] io.

We hope to see you at a training event soon!