@Kleared4: Tunneling & Tradecraft Course

$1,600.00

In stock

We provide hands-on instruction on tunneling via SSH tunnels, proxy tunnels, TOR tunneling over SOCKS, and other tunneling mechanisms built on open-source projects and commercial systems. Participants tunnel traffic on our cyber range and are adept with and familiar with these tunneling techniques by the end of the first day. The second day focuses on the tradecraft associated with the tunneling techniques learned. We provide the tools to visualize and understand how network defenders can identify tunneling techniques and how they can prevent such activity.

Designed by operators for operators, this accelerated course builds an understanding of communications tunneling techniques and the tradecraft related to cyber operations.

NICCS Course Link

Learning objectives

  1. Tunneling over SSH
  2. Tunneling over Proxies
  3. Tunneling over TOR with SOCKS
  4. Tunneling over open-source projects
  5. Tunneling over commercial systems
  6. Tunneling tradecraft
  7. Identification and mitigation of malicious tunneling activity

Overall Proficiency Level: 3 – Advanced

DCWF: 000, 111, 112, 121, 131, 132, 321, 322, 441, 621, 627, 628, 631

Course Catalog Number: K4TT

Course Prerequisites:

  1. Familiarity with TCP/IP protocols
  2. Familiarity with Windows and Linux operating systems
  3. Modern operating system with a web browser
  4. Stable internet connectivity
  5. Microsoft Teams account (free accounts available)

Training Purpose: Functional Development, Skill Development

Delivery Method: Online, Instructor-Led, Remote

Course Length: 2 Days

Languages: English or Spanish options for instruction. Please select the correct date and language when registering.


Benefits: 3 years of course material updates. 60-day access to Kleared4 after course completion.

Standard support during business hours, 0800-1700 (8am-5pm) EST/EDT.

Government PO accepted.

10% discounts available for groups of 10 participants or more.

16 hours of instruction, with a continuing education certificate upon complete attendance.

Syllabus:

Day 1: Core Tunneling Techniques and Hands-On Labs

  • Introduction to Network Tunneling: (2:30 Hours) Overview of tunneling concepts and how attackers use tunnels to bypass security controls. Discuss real-world examples of state-sponsored hackers leveraging tunnels for covert communication versus red team tradecraft. Establish the threat landscape and why tunneling is a critical skill for cyber operators, red teams, and network defenders.
    • Nation-State Tactics and Legal Challenges: Discuss the technical and legal aspects of tunneling abuse by nation states. Using case studies of known advanced persistent threat groups, the class explores how state-sponsored hackers route their attacks through global infrastructure to exploit legal. Learn how nation-state actors take advantage of jurisdictional challenges and how this is used to deter and delay attribution and to enable clandestine action.
  • Tunneling Tradecraft: (1 Hour) Examine how nation-state threat actors and black hats combine and customize tunneling techniques to evade detection. Labs include multi-hop tunneling, blending tunnel traffic with common protocols, and maintaining persistent covert channels on compromised systems.
  • Proxy and Encrypted Tunnels: (1:30 Hours) Deep dive into SSH tunneling for secure communication. Learn local port forwarding, reverse port forwarding, and dynamic SOCKS proxy forwarding.
  • Proxy Tunneling Techniques: (3:00 Hours) Understand how proxy servers and proxy chains can tunnel traffic. Cover HTTPS and DNS tunneling using SOCKS proxies to relay connections. Learn about modern tools and configurations to route traffic through multiple connection paths or hops with network redirection.
    • Open-Source Tunneling Tools: Use additional open-source projects for tunneling and secure communications. This includes VPNs built on open-source software for wrapping traffic in encryption, as well as specialized tunneling tools that have been used by threat actors. Use multiple open-source tunneling tools together.

Day 2: Tunneling Tradecraft, Detection, and Defense

  • C2 Forwarding and Tunnel Management: (2 Hours) Explore Tor for tunneling and anonymity in conjunction with cloud providers. Explain how Tor routes traffic through nodes to obscure its origin, and how attackers leverage Tor to hide their operations. Understand the tradecraft benefits and weaknesses of Tor for attackers, and how defenders can stop them.
    • Commercial Tunneling Systems: Discuss the features of commercial tunneling and remote access systems often abused by advanced attackers. Compare open-source versus commercial solutions in terms of capability and detection. Examine how a typical enterprise VPN or a commercial command-and-control framework can tunnel traffic and how it blends with normal network use.
  • C2 Frameworks – Labs: (2 Hours) Survey open-source command-and-control tools that implement advanced tunneling capabilities. The labs demonstrate how C2 frameworks operate and why they are designed to evade detection tools. Participants then engage in a hands-on lab deploying various C2 servers and agents in the cyber range. Establish C2 channels and use them to tunnel commands and files, experiencing first-hand how an advanced actor might control a system without detection.
  • Visualization and Detection of Tunneling: (2 Hours) Shift to the defender's perspective by analyzing network traffic and system logs for signs of tunneling, and use that view to improve your own tradecraft. The course uses open-source analysis tools to identify the tunnels created on Day 1 and in the C2 labs. Students learn common indicators: unusual port usage, consistent encrypted traffic to unknown endpoints, DNS query patterns characteristic of data tunneling, and the presence of connections to Tor nodes. The course guides participants in visualizing how normal traffic and tunneled traffic appear, helping them recognize anomalies.
  • Mitigation Strategies and Countermeasures: (2 Hours) Learn how network defenders can prevent or disrupt malicious tunneling using egress filtering, firewall rules, open-source technologies that detect unauthorized tunnels, intrusion detection system signatures for common tunneling tools, and network policies. Learn about responding to active tunnels: terminating sessions, isolating affected hosts, and monitoring for persistence.

Additional information

Class Dates

English: Aug 18-19, 2025; Spanish: Aug 20-21, 2025
