Timeline

Course Start Date: 03 January 2021
Lab Duration: 90 Days
Exam Pass Date: 01 April 2021
Digital Certificate: https://www.credly.com/badges/eb115023-69bf-40fd-b22c-ee94f1f65592


Introduction

Here comes the new Offensive Security course, intended as the next progression after the infamous OSCP! The course is called Evasion Techniques and Breaching Defenses (ETBD), with course code PEN-300. Upon completion of the course and exam, the student is granted the Offensive Security Experienced Professional (OSEP) certification. This course is one of three (OSWE, OSEP, and OSED) which, once all three are completed, grant the student the Offensive Security Certified Expert 3 (OSCE3) that replaces the legacy OSCE. As the course name reflects, it focuses on techniques to remain stealthy and on advanced pentesting. Offensive Security itself does not consider this a "Red Team" course, since the objective of a red team is to train the blue team in detecting and responding to attacks, which is not really covered by most so-called "Red Team" courses out there; fair enough.


Course and Lab

The course syllabus can be found at the following URL: https://www.offensive-security.com/documentation/PEN300-Syllabus.pdf. The PDF course contains 18 chapters, including the Introduction and Wrapping Up. The videos total around 20 and a half hours and complement the PDF course. The following topics are covered in the course.

0. Evasion Techniques and Breaching Defenses: General Course Information
This chapter consists of general information about the course: how to access the course and lab, how to access the forum and live support, and information about the exam.

1. Operating System and Programming Theory
Since this course involves a lot of programming to build custom scripts and tools that evade detection, this chapter starts by explaining programming concepts (high-level vs. low-level languages, compiled vs. interpreted, object-oriented programming), Windows on Windows (WOW64), Win32 APIs, and the Windows Registry.

2. Client-Side Code Execution With Office
This chapter explains how to leverage MS Office to gain unauthorized access to a system by tricking users into running malicious code. It covers the differences between staged and non-staged payloads, HTML smuggling for payload delivery, phishing pretexting to increase the chance of success, phishing with MS Office by leveraging VBA and PowerShell, executing shellcode in MS Word memory, a VBA shellcode runner, calling Win32 APIs from PowerShell, porting the shellcode runner to PowerShell, a reflection-based shellcode runner in PowerShell, etc. At the end of this chapter, students should be equipped with the skills to craft a convincing phishing pretext and perform client-side code execution with Office while remaining stealthy.

3. Client-Side Code Execution With Windows Script Host
This chapter explains how to leverage Windows Script Host languages such as JScript to gain unauthorized access to a system. The purpose is the same as in Chapter 2, but a different payload delivery is used since PowerShell has gained more attention from security vendors. The chapter explains how to execute a C# assembly from JScript to achieve an in-memory shellcode runner. It also covers an automated tool that accomplishes the same objective, SharpShooter: https://github.com/mdsecactivebreach/SharpShooter. At the end of this chapter, students should be equipped with the skills to craft malicious JScript that evades common endpoint detections, as an alternative to MS Office.



4. Process Injection and Migration
Once we are able to gain access to a system, we might need to migrate to a different process to have a more stable connection, maintain persistence, and evade detection. This chapter starts by explaining code injection and migration theory, then moves on to the practical part: C# code injection into the local process, DLL injection into a remote process, reflective DLL injection that does not write to disk, and process hollowing to inject our code into a process that is known to generate network activity in order to minimize detection. At the end of this chapter, students should be equipped with the skills to minimize the chances of detection once a foothold in the system is gained.

5. Introduction to Antivirus Evasion
This chapter starts by explaining how AV detection works (signature-based and heuristic/behavioral analysis), how to simulate the target environment using VirusTotal and AntiScan, bypassing signature-based AV with Metasploit and with C#, bypassing heuristic/behavioral analysis using non-emulated APIs, and a case study on bypassing AV in VBA through custom encryption and hiding PowerShell inside VBA. At the end of this chapter, students should be equipped with the basic skills to bypass AV detection (signature-based and heuristic).

6. Advanced Antivirus Evasion
AMSI! Antimalware Scan Interface! A technology introduced by Microsoft to allow run-time inspection of all PowerShell commands and scripts. This chapter explains what AMSI is, how it works, and AMSI bypass techniques. At the end of this chapter, students should be equipped with the basic skills to bypass AMSI.

7. Application Whitelisting
This chapter explains application whitelisting theory and setup, basic bypasses such as using trusted folders, DLLs, ADS, and third-party execution, and bypasses with PowerShell, C#, and JScript. At the end of this chapter, students should be equipped with the basic skills to bypass application whitelisting (AppLocker) with various techniques.

8. Bypassing Network Filters
This chapter seems like a filler. It talks about various network filtering mechanisms and how to bypass them: DNS filters, web proxies, IDS and IPS sensors, full packet capture devices, HTTPS inspection, domain fronting, and DNS tunneling. At the end of this chapter, students should have knowledge of advanced enterprise defensive layers and their strengths and weaknesses.

9. Linux Post-Exploitation
Although most advanced pentest or "red team" courses out there focus only on AD or Windows environments, Offensive Security thinks otherwise. This chapter explains how to perform Linux post-exploitation, such as abusing user configuration files, performing AV evasion on Linux, and shared library attacks. At the end of this chapter, students should be equipped with the knowledge to perform some potential attacks on Linux systems.

10. Kiosk Breakouts
This chapter focuses on the exploitation of kiosk machines, which are generally used by the public for simple tasks. It starts with kiosk browser enumeration, command execution, post-exploitation, and privilege escalation, as well as Windows kiosk breakout techniques. At the end of this chapter, students should have the basic knowledge to escape a restricted kiosk machine and compromise the system.

11. Windows Credentials
Going back to the Windows environment! This chapter covers Windows credentials: local credentials (the SAM database), access tokens, how to elevate privileges by impersonation, having fun with Incognito, Kerberos and domain credentials (Kerberoasting and AS-REP roasting), and cracking credentials offline (from a memory dump). At the end of this chapter, students should have basic knowledge of credentials in Windows and how to perform certain attacks on them.

12. Windows Lateral Movement
This chapter consists of using native tools such as RDP, and also fileless lateral movement as an alternative to PsExec and DCOM, which require a service and files to be written on the target system and may therefore increase the chance of detection.

13. Linux Lateral Movement
This chapter consists of techniques to move laterally via SSH (SSH keys, SSH persistence, SSH hijacking with ControlMaster, SSH hijacking using SSH-Agent and SSH agent forwarding), abusing DevOps misconfigurations (Ansible and Artifactory), and Kerberos on Linux.

14. Microsoft SQL Attacks
This chapter consists of enumerating MS SQL servers in an Active Directory environment, UNC path injection, pass-the-hash against the SQL server, privilege escalation using MS SQL Server, and lateral movement using linked SQL servers. In this chapter, we also learn how to create custom executables or tools to perform all of these attack techniques while remaining stealthy to avoid detection.

15. Active Directory Exploitation
This chapter explains the concepts of AD and the ways to attack it. It starts with AD object security permissions and how to abuse them, then Kerberos delegation (unconstrained delegation, constrained delegation, and resource-based constrained delegation), and finally Active Directory forest theory and how to attack it.

16. Combining the Pieces
This chapter walks through an attack against a network of machines using all the techniques covered in the previous chapters.

17. Trying Harder: The Labs
This is a wrap-up chapter that introduces the challenge labs available through the student control panel. There are six (6) challenge labs that are used to practice all the concepts and theory taught in the PDF course and videos.



I took around 1 month to run through the PDF course and videos and do the exercises and extra miles. I didn't complete all the exercises and extra miles. In the 2nd month, I started doing the challenge labs, and it took me around another month to finish all 6 challenge labs and redo them to improve my methodology.

Personally, I really like the way the course has been structured and explained in basic detail. I think this is what differentiates Offensive Security from other training providers. Based on my experiences with other training providers, usually they only explain the techniques briefly and show the student how to do it, without explaining the basics and fundamentals of why the techniques work. This is less beneficial to students when the techniques no longer work and have been patched. In PEN-300 ETBD, Offensive Security did it differently by explaining the core and fundamentals of the techniques, so the student is equipped with the basic knowledge to "adjust" to any changes made by the defensive team in the future.



Exam

I scheduled my exam for 24 March 2021 at 22:00 SGT. The exam is 48 hours plus 24 hours for reporting, and it is proctored. Personally, I found the exam itself less challenging and fairly straightforward (it could be due to the way the course has been structured and explained so well, probably). I think the six challenge labs will prepare the student enough to pass the exam. I submitted the exam report on 27 March 2021 and received the pass confirmation on 01 April 2021.



Conclusion

The course is really good at structuring the topics and explaining the fundamentals well. The strong point of this course is the evasion techniques, which I found really fun and interesting. While the exam seems straightforward, the course and labs are totally satisfying.