Musings from a mediocre hacker

SpecterOps Offensive SCCM DEF CON Workshop Review


I love this time of year when workshops, talks and research get released from DEF CON and Black Hat. Just so happens I was lucky enough to catch this tweet and get access to a sick SpecterOps workshop that they had been presenting at DEF CON.

Got access to the workshop materials after reaching out to the organizer on Twitter (X)

TL;DR: A well-organized and thoroughly researched workshop, complete with detailed slides and hands-on labs, created by the developers of many industry-standard tools. The challenges were excellent, and while I rarely needed help, the support was quick and responsive when I did reach out. I would highly recommend this workshop to anyone interested!

Throughout the workshop they talk about utilizing SCCM from the aspect of each stage of an engagement.
Module 0: Intro and Lab Access
Module 1: SCCM Crash Course
Module 2: Recon
Module 3: Initial Access
Module 4: Client Push Installation
Module 5: Hierarchy Takeover
Module 6: Lateral Movement

Each topic includes a dedicated section on detection and mitigation strategies. If you’ve taken other SpecterOps trainings, you’ll recognize this as a major focus, and for good reason. It’s one of the most valuable takeaways, and one that often gets overlooked in offensive-focused training.

Slides:

The slides effectively simplified complex topics and gave adequate context for how and why SCCM is used within larger organizations.
To avoid “death by PowerPoint,” they themed the entire workshop around Portal. Things here and there went a long way to keep attention while not impeding the message.

Labs:

The lab environment felt familiar, as it closely resembles the infrastructure used in CRTO and CRTL if you’ve gone through that. The main difference here was the lack of direct access to victim machines through the UI, which didn’t pose any significant issues for what I was doing. Guacamole was responsive throughout my experience, though I’m aware that others have encountered problems in the past. Copying and pasting is always annoying but an unavoidable challenge with the platform. Each module is accompanied by a lab that lets you attempt attacks on real machines. Reading syntax and understanding how the underlying tech works can only take you so far.

Challenges:

These were a more open-ended version of the labs, allowing for plenty of experimentation and deviation from the provided material. I feel that this approach allowed me to gain a deeper understanding because I was forced to go off script. We got the walkthrough for the challenges a couple of days after getting access to the labs and slides. That gave me a chance to struggle through the problems, try a couple of solutions and attempt to figure it out on my own without falling back on the writeups. However, this may be a quirk of having gone through the workshop virtually.
Both the labs and the challenges accompanied the written material very well, showing how these things look in practice.

Resources:

They are sure to give you plenty of links to check out after the fact to up your toolkit, learn more on your own, and set up your own lab. Huge starting point for your own research after the fact!