Full Report
BlackOps you say?

At SensePost we have quite a range of courses in our Hacking by Numbers series. We feel each one has its own special place. I’ve delivered almost all the courses over the years, but my somewhat biased favourite is our relatively new BlackOps Edition. Vlad and I will be presenting this course at BlackHat Vegas in July.

Where Does BlackOps fit in?

Our introductory courses (Cadet and Bootcamp) are meant to establish the hacker mindset – they introduce the student to the psychological aspects of an attacker, and build on that to demonstrate real world capability. BlackOps is designed for students who understand the basics of hacking (either from attending Bootcamp/Cadet, or from other experience) and want to acquire deeper knowledge of techniques. We built the course based on our 12 years of experience of performing security assessments.
Analysis Summary
The provided article describes a security training course called "BlackOps Edition" offered by SensePost, detailing the advanced techniques covered. It does not detail specific malware families, named exploit tools, or C2 frameworks, but rather focuses on categories of advanced hacking techniques.
Therefore, the summary below focuses on the tactics, techniques and procedures (TTPs) taught in the course, mapping the general concepts to relevant MITRE ATT&CK tactics where possible, since no specific named tools were mentioned.
# Tool/Technique: BlackOps Course Techniques (SensePost)
## Overview
This summary outlines the advanced offensive security techniques covered in SensePost's "BlackOps Edition" training course, designed for experienced penetration testers seeking deeper knowledge in post-exploitation and advanced evasion methods, based on 12 years of security assessment experience.
## Technical Details
- Type: Technique Collection/Training Curriculum
- Platform: General (Covers Windows, IPv6, Network Pivoting, Client-Side)
- Capabilities: Advanced targeting, post-compromise maneuvers, evasion, and data exfiltration.
- First Seen: Course presented around May/July 2013 (contextualized by the article date).
## MITRE ATT&CK Mapping
Since the content covers a broad methodology, multiple tactics are relevant:
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (implied by the general compromise discussion)
  - T1566 - Phishing
- **TA0003 - Persistence** (implied by the post-compromise discussions)
- **TA0004 - Privilege Escalation**
  - Techniques used to reach root or Enterprise Admin level access
- **TA0008 - Lateral Movement**
  - T1090 - Proxy
- **TA0010 - Exfiltration**
  - T1048 - Exfiltration Over Alternative Protocol
- **TA0011 - Command and Control** (implied by pivoting and persistence)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (implied heavily by the Camouflage module)
## Functionality
### Core Capabilities
- **Scripting:** Automation for efficiency and effectiveness.
- **Advanced Targeting:** Identifying targets using non-standard methods (mDNS, IPv6 reconnaissance, Pastebin scraping).
- **Compromise:** Exploiting systems using lesser-utilized methods (WPAD injection, rogue routers in IPv6, SMBrelay attacks).
- **Privilege Escalation:** Elevating access to high-level accounts (root or Enterprise Admin).
- **Pivoting:** Bouncing through compromised hosts (e.g., a receptionist PC or test server) deep inside secured network segments (DMZs).
### Advanced Features
- **Data Exfiltration:** Smuggling data out of networks using non-standard communication channels designed to bypass expensive Data Loss Prevention (DLP) solutions.
- **Client-Side Attacks:** Focus on the human layer (social engineering/phishing techniques, specifically noting relevance to APT activity like Unit 61398).
- **Camouflage/Evasion:** Techniques, methods, and software used by threat actors to achieve Antivirus (AV) immunity during code execution on target systems.
## Indicators of Compromise
*No specific IOCs (hashes, domains, IPs) are provided as the article focuses purely on training methodologies, not specific malware artifacts.*
## Associated Threat Actors
- The text explicitly mentions **Unit 61398 in action** in relation to client-side attacks, implying training content is relevant to nation-state or sophisticated actors capable of widespread attacks.
## Detection Methods
*The article does not specify detection methods for these techniques, but the Camouflage section implies that the material aims to bypass host-based intrusion prevention (HIPS) and AV products, so detection efforts should not rely on those controls alone.*
## Mitigation Strategies
*General mitigation strategies implied by the topics covered would involve:*
- Strengthening host-based security solutions (AV/EDR).
- Network segmentation and egress filtering to detect non-standard exfiltration channels.
- Training on social engineering/phishing awareness (for Client-Side Attacks).
- Hardening common vulnerability vectors (e.g., SMB, WPAD configuration).
## Related Tools/Techniques
- **Metasploit:** Mentioned as baseline knowledge, suggesting the course builds upon standard framework use with advanced modules.
- **General Exploitation Frameworks:** Required for implanting payloads discussed in the Camouflage module.
- **IPv6 Security Tools:** Necessary for the IPv6-specific targeting and rogue router techniques.