Adversary Tactics- Red Team Ops


As organizations scramble for a way to keep from becoming the next breach headline, they've begun looking for ways to simulate the sophisticated attackers they now face. Organizations that have started to adopt an "assume breach" mentality understand that it's not a matter of if they're compromised by these advanced adversaries, but when. The best way to test modern environments against these more advanced threats is with a Red Team that leverages the same tactics, techniques and procedures (TTPs) as the adversaries themselves. If you want to learn how to perform Red Team operations, sharpen your technical skillset, or understand how to defend against modern adversary tradecraft, Adversary Tactics: Red Team Ops is the course for you.

This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems, modern defenses, and active network defenders responding to Red Team activities. We will cover all phases of a Red Team engagement in depth: advanced attack infrastructure setup and maintenance, user profiling and phishing, host enumeration and "safety checks", advanced lateral movement, sophisticated Active Directory domain enumeration and escalation, persistence (userland, elevated, and domain flavors), advanced Kerberos attacks, data mining, and exfiltration.

A focus will be on "offense-in-depth", i.e. the ability to rapidly adapt to defensive mitigations and responses with a variety of offensive tactics and techniques. To drive this concept home, students will go up against live incident responders that will actively hunt for and block malicious activity in the environment. The responders will provide real-time feedback to students to demonstrate what artifacts attackers can leave behind, and how students can adapt their tradecraft to minimize their footprint. Come learn to use some of the most well-known offensive tools from the authors themselves, including co-creators and developers of PowerView, PowerShell Empire, PowerSploit, PowerUp, and BloodHound.

Day 1:

  • Red Team philosophy/overview

  • Engagement management

  • Covert infrastructure deep dive - setup, protection, maintenance

  • Initial external reconnaissance and OSINT

  • "Offense-in-depth"

  • Evading network detections and active incident responders ("hunting")

Day 2:

  • Initial access

  • Host triage and offensive "safety checks"

  • Detection and evasion of host-based defenses

  • Maintaining your foothold (short vs. long term and userland vs elevated persistence strategies)

  • Privilege escalation methods through abuse of misconfigurations

Day 3:

  • User and network resource mining

  • Credential abuse

  • Active Directory enumeration and abuse - intelligence gathering, domain escalation, covert persistence, and BloodHound

  • Kerberos attacks in depth

  • Pivoting through the target network

Day 4:

  • Providing value to client

  • Blue team training objectives

  • Data movement and external exfiltration

  • Complete lab debrief

Who Should Take this Course

This course is not for beginners and includes a team-based, on-keyboard execution of a simulated red team engagement in a complex network scenario. Participants should be comfortable with penetration testing concepts and tools, Active Directory, and attacking Microsoft Windows environments.

Student Requirements

Please see the "Who Should Take This Course" section.

What Students Should Bring

Students will be supplied with a customized attack virtual machine that includes all tools needed to perform the training. Students need to bring a laptop with at least 8 gigabytes of RAM, the ability to run a virtual machine (VMWare Fusion, Player, or workstation), and a wireless network adapter.

What Students Will Be Provided With

Students will be provided with a Virtual Machine for labs and all course materials in PDF form.


Andy is an active red teamer and co-author of BloodHound, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security. He is also a veteran Black Hat trainer.

Jeff has several years of offensive security experience, with a concentration in leading red team operations and penetration tests. He provides leadership across concurrent offensive security assessments and serves as a technical lead for multiple Fortune 500 commercial companies and U.S. government agency assessments. Jeff holds a master's degree in Information Security Assurance and several information security certifications. He is an active blogger at, where he writes about offensive tradecraft development and attack infrastructure.

Lee is a senior red team operator, threat hunter, and capability engineer for SpecterOps. Lee has performed red team and hunt engagements against Fortune 500 companies for several years, and has trained on offensive/defensive tactics at events throughout the world. Lee enjoys building tools to support red team and hunt operations. Lee is the author of several offensive tools and techniques, including UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets), and KeeThief.

Advanced Windows Exploitation


Writing exploits on modern Windows based platforms over the years has become a complex dance of memory manipulation to circumvent modern mitigations Microsoft has put in place. Offensive Security's Advanced Windows Exploitation Techniques (AWE) challenges you to develop creative solutions that work in today's increasingly difficult exploitation environment.

Covering techniques ranging from precision heap spraying, to DEP, ASLR, CFG, and ACG bypass, real-world 64-bit kernel exploitation, and sandbox escapes, in a hands-on lab focused environment, AWE makes a point of introducing a concept and then allowing you to work through a case study applying what you learned, with multiple instructors on hand for help with any problems. The case studies covered include vulnerabilities discovered by our research team or exploits written by Offensive Security.

Topics covered include:

  • NX/ASLR Bypass - Using different techniques to bypass Data Execution Prevention and Address Space Layout Randomization protection mechanisms on modern operating systems

  • Function Pointer Overwrites - Overwriting a function pointer in order to get code execution

  • Precision Heap Spraying - Spraying the heap for reliable code execution

  • CFG/ACG Bypass - Vulnerabilities and design flaws are exploited to bypass Control Flow Guard and Arbitrary Code Guard

  • Sandbox Escape - Performing browser sandbox escapes to gain true arbitrary code execution

  • 64-bit Windows Kernel Driver Exploitation - Exploring 64 bit kernel exploitation from low integrity

  • Kernel memory disclosure, arbitrary kernel callback overwrite along with Page Table de-randomization

Who Should Take this Course

Advanced Windows Exploitation is NOT an entry level course. We expect students to have previous exploitation experience in a Windows environment and understand their way around a debugger. Additionally, to get the most out of the class you will want to spend time in the evenings working through case studies and reviewing the provided reading material. This is the hardest course Offensive Security offers. Abandon all hope, ye who enter here.

Student Requirements

Students should be experienced in exploit development for Windows and understand how to operate a debugger. Familiarity with WinDbg, Immunity Debugger, and Python scripting is highly recommended. A willingness to work and put in real effort will greatly help students succeed in this course.

What Students Should Bring

You want to bring a *serious* laptop along--one able to run 3 virtual machines with ease. Please do not bring netbooks or other low resolution systems.

  • 64-bit host operating system (Important)

  • Administrative access to the host operating system

  • VMware Workstation / Fusion version 14 or newer

  • CPU must support SMEP, VT-x/EPT and IOMMU

  • At least 100 GB HD free

  • At least 16 GB of RAM and 4 cores

  • Wired network support

  • USB 2.0 support or better

  • A will to suffer intensely

What Students Will Be Provided With

Students will be provided with virtual machines for use in class. Additionally, the Advanced Windows Exploitation lab guide will be provided. An in-class "Hint System" will provide electronic distribution of all scripts, POCs, and so on.

Black Hat does NOT include the exam. This can be purchased after the class for a discount.


Alexandru Uifalvi has been a part of the Advanced Windows Exploitation class over the past 5 years. His passion for vulnerability research and exploit writing comes through in his teaching and course content creation. Alex is well versed in Windows Internals, Windows Kernel Exploitation, and reverse engineering.

Morten Schenk is content developer and trainer at Offensive Security with a focus on exploit development and mitigation bypasses on Windows. His recent work includes bypasses of exploit mitigations and exploitation vectors against the Windows 10 kernel as presented at Black Hat USA 2017 and DEF CON 25. Morten loves to build exploits against difficult targets and continuously discover new techniques to combat mitigations.