top of page

Advanced Red Team Operations by White Knight Labs

Date: April 10 & 11 2024
Virtual & On-Site (In-Person)
2 Day


The Advanced Red Team Operators course is an advanced-to-expert level simulated lab environment hosted in Azure and AWS, designed for experienced students to gain practical experience in advanced red team operations using Cobalt Strike. Over the course of three days, students will learn how to build infrastructure to simulate a real-life red team operation using Cobalt Strike, a powerful tool for executing red team operations. The course includes topics such as redirectors, C2 channels, vulnerability identification, network enumeration, process injection, and privilege escalation. With Terraform scripts provided to set up the lab environment and a simulated real-life attack path to navigate, the Advanced Red Team Operators course is essential for experienced professionals seeking to hone their advanced red team operations skills using Cobalt Strike.

Who Should Attend

This course is intended for advanced students with a strong understanding of the fundamentals of cybersecurity, experience with penetration testing, and experience in executing red team operations. It is designed for individuals who want to take their red team skills to the next level and challenge themselves with practical experience in advanced red team operations using Cobalt Strike. Current red team operators will thrive here and have the opportunity to expand their skill set and learn new techniques to stay ahead of the curve.  

Key Learning Objectives

▪ Learn how to set up and configure Cobalt Strike with Docker
▪ Understand C2 channels and learn how to build HTTPS redirectors using Apache Mod-rewrite
▪ Gain practical experience in Azure configurations and setup
▪ Learn how to use AWS Lambda with Python
▪ Utilize GCP and Azure CDNs for custom traffic redirection
▪ Learn how to protect your infrastructure and team server
▪ Develop expertise in process injection and payload development
▪ Learn how to perform attack path enumeration and execution for red team operations.

Prerequisite Knowledge

Students should have experience in advanced cybersecurity fundamentals and a strong understanding of penetration testing and execution of red team operations. However, this course is designed to challenge you across areas that you may not be comfortable with, and that is the point. A willingness to learn and not give up is essential. Students should also be familiar with Cobalt Strike  and have a working knowledge of AWS and Azure cloud platforms, GCP, Docker, Apache web server configurations, HTTPS redirectors using Apache Mod rewrite, shellcode development for bypassing AV/EDR, and advanced network design for red team operations. Comfort with Terraform is also expected for deploying necessary infrastructure.

Lab Environment

Students will be given multiple Terraform scripts to spin up their own lab environment in AWS/Azure that consists of the following:
▪ Ubuntu Cobalt Strike Team Server
▪ Ubuntu Cobalt Strike Redirector Server
▪ Windows 10 Development Machine
▪ Kali Linux
▪ Windows Server 2019 (Domain Controller)
▪ Windows Server 2019 (PKI Server)
▪ Windows Server 2019 (Application Server)
▪ Windows Server 2019 (SQL Server)

Hardware/Software Requirement

▪ Students must have an active AWS admin account with programmatic access.
▪ Students must have an
active Azure admin account
▪ Students must have a GCP admin account
▪ Students must be able to run terraform from local laptops


Day 1:
▪ Introduction to the course and lab environment setup
▪ Setting up Cobalt Strike with Docker
▪ Understanding C2 channels and HTTPS redirectors using Apache Mod-rewrite
▪ Building infrastructure in Azure and AWS to protect the Cobalt Strike team server
▪ Utilizing AWS Lambda with Python for custom traffic redirection
▪ Using GCP and Azure CDNs for custom traffic redirection
▪ Protecting your infrastructure and team server
▪ Process injection techniques and payload development for gaining a foothold on a simulated 
attack target

Day 2:
▪ Hiding shellcode for bypassing AV/EDR
▪ Footholds in 2023
▪ Terraform setup and configuration for a simulated Active Directory 
environment in AWS
▪ Breaching a simulated Active Directory environment and overcoming challenges using real life examples from 2022 and 2023 engagements
▪ Attack path enumeration and execution for red team operations


Note: Please note that the syllabus provided is intended to be a general outline of the course content and does not reflect the true nature of the course guide or starting and ending points. This course is a hyper-current and changes are always made at the last minute to ensure that students receive the most up-to-date and relevant content possible. As a result, the syllabus is subject to change, and course content may be modified based on student skill level, course progression, and other factors.

White Knight Labs_FF-01.png
bottom of page