c0c0n 2026

c0c0n is a 19-year-old platform that aims to provide opportunities to showcase, educate, understand and spread awareness on information security, data protection, and privacy...

Venue & Date

c0c0n 3-Day Professional Training

Red Team: Identity Exploitation & Nation-State Implant Tradecraft

Course Abstract:

How are NSA-style stealth backdoors engineered to persist inside enterprise environments without triggering detection?

This three-day, hands-on red team workshop walks you through building that capability end-to-end. Day one focuses on designing stealth infrastructure that operates behind enterprise defenses, enabling controlled interception and long-term operations. Day two shifts to identity compromise, where you execute live MFA interception, ClickFix and ConsentFix attacks, and run full identity attack chains across multi-cloud environments.

On day three, you build and understand an NSA-style stealth backdoor, focusing on fileless execution, persistence inside trusted Windows processes, and operating without traditional outbound beaconing. The emphasis is on how modern tradecraft minimizes detection surface while maintaining reliable control inside target environments.

Every technique is grounded in real-world adversary playbooks, providing a practical understanding of how identity, cloud, and endpoint layers are abused together in modern operations.

Build the backdoor. Own the identity. Leave no trace.

Identity & Authentication Abuse Fundamentals

  • Identity as the primary attack surface in modern enterprise environments
  • OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0 from an attacker's perspective
  • Token structures and abuse
    • JWT access tokens
    • Refresh tokens
    • Session cookies
  • Redirect URI misconfigurations and OAuth scope over-permissioning
  • Device Code flow abuse and user-fatigue-based attacks
  • Consent grant abuse and post-consent token exfiltration
  • Conditional Access and MFA policy gaps observed in real-world environments
  • Phishing-resistant authentication mechanisms
    • FIDO2
    • Windows Hello for Business (WHfB)
    • PIV/CAC

Ghost Infrastructure: Redirectors, C2 & OPSEC

  • Identity-focused phishing infrastructure design
  • Stealth redirectors
    • Domain fronting: multi-cloud
    • Nginx reverse proxy
  • Deploying operationally secured open source C2s
  • Malleable C2 profiles [Lab]
    • Customizing C2 profiles
    • Dynamic (rotating) C2 profiles
  • Serverless phishing infrastructure [Lab]
    • Cloudflare Workers based reverse proxies
    • Integration with productivity platforms (Slack)
  • OPSEC controls [Lab]
    • CAPTCHA and Turnstile filtering
    • Geo-fencing and target validation
  • Automating the entire red team infrastructure using RedInfraCraft

Advanced Phishing: ClickFix, ConsentFix & AiTM

  • Adversary-in-the-Middle (AiTM) attacks [Lab]
    • Real-time MFA token interception
    • Session cookie hijacking
  • ClickFix attack vector [Lab]
    • Fake browser error lure construction
    • JavaScript clipboard hijacking via the navigator.clipboard API
    • Self-executing PowerShell delivery without macros or downloads
  • ConsentFix attack vector [Lab]
    • Malicious OAuth application registration
    • Illicit consent URL crafting and delivery
    • Post-consent token exfiltration and persistent delegated access
    • Chaining ConsentFix into FOCI token replay
  • Authentication downgrade techniques [Lab]
    • Windows Hello for Business (WHfB) fallback abuse
    • FIDO2 to SMS/TOTP fallback on misconfigured IdPs

Enterprise Identity Attack Chains [Hands-On Labs]

  • Microsoft Entra ID attack chain [Lab]
    • FOCI abuse and token replay across the Microsoft 365 application family
  • AWS identity attacks [Lab]
    • Device Code phishing via AWS SSO
  • Google Cloud identity abuse [Lab]
    • Illicit OAuth consent via excessive permissions
    • Dumping GCP identities and service account keys

Phantom Persistence: Building an NSA-Style Windows Implant

  • Environmental profiling (sandbox evasion)
    • Detecting sandboxes, honeypots and analyst environments before execution
    • Score-based execution guardrails to confirm a real enterprise target
  • Beaconless C2 (hidden command & control)
    • Operating without outbound beacons to survive firewall and proxy inspection
    • Hiding C2 instructions inside standard network traffic
    • TCP/IP stack evasion via driver-level sniffing
  • EDR evasion (staying invisible)
    • Bypassing user-land API hooks monitored by modern EDR solutions
    • In-memory payload staging without noisy memory write operations
    • Stealthy thread execution avoiding common detection signatures
  • Persistence & privilege (the DoublePulsar technique)
    • Hijacking a trusted Windows system process for fileless execution
    • Operating as NT AUTHORITY\SYSTEM without explicit privilege escalation calls
    • Leaving no child processes, no registry writes and no artifacts on disk

Why Attend?

  • Understand how adversaries abuse identity to move through cloud and hybrid environments undetected.
  • Build and operate a full phishing infrastructure with real-world OPSEC controls.
  • Execute live attack chains across Microsoft Entra ID, AWS and Google Cloud.
  • Learn ClickFix and ConsentFix, two of the most effective social engineering vectors in active.
  • Walk away having built a Windows implant inspired by nation-state tradecraft.

Student Requirements

  • Basic understanding of networking, web and API technologies.
  • Fundamentals of C/C++ and Python 3.
  • Familiarity with command line tools.
  • An open mind.

Ideal Experience Level

Minimum 3 to 4 years in penetration testing or a related security domain.

What to Bring?

  • Laptop with at least 16GB RAM and VMware Workstation installed.
  • Updated web browser.
  • Course VM with active internet connectivity.

Exact details to be provided 2 weeks prior to the training.

What You Will Receive?

  • Soft copy of all course material.
  • Practical knowledge of the offensive identity and cloud techniques used by real adversaries.
  • Hands-on experience developing evasive, nation-state-style implants.
  • Defensive countermeasures and detection guidance for every technique covered.

Trainer(s)

Yash Bharadwaj

Security R&D Director
CyberWarFare Labs