Course Overview

    1. Empire Ops: Turla

    2. Notices

    3. Course Material

    4. Snap Labs

    1. Threat Emulation Basics

    2. Command and Control Theory

    3. Overview of Turla's History and Modern TTPs

    1. Emulating Turla with Empire

    2. File Hosting Services as a C2 Channel

    3. Leveraging Dropbox with Empire

    4. IronPython for Evasion

    1. Office Doc Exploitation

    2. Establishing Persistence and Leveraging Exclusions

    3. Pivoting with WinRM

    1. Turla Quiz

    2. Agent Deployment

    3. Module Execution

    4. Dropbox C2

    5. Building Maldocs with Macros

    6. Follina (CVE-2022-30190)

    7. Invoking IronPython in C# with Visual Studio Community

    8. AMSI Bypass with IronPython

    9. Lateral Movement

Key Takeaways

  • Learn what defines a Turla Operation
  • Deploy IronPython with Empire
  • Leverage Dropbox as a C2 Channel