Adversary Village at
DEF CON 33

Trey Bilbrey

Head of SCYTHE Labs

Trey Bilbrey is the Lead of SCYTHE Labs, specializing in Purple Team Exercises, Threat Emulation, Critical Infrastructure, and holistic cyber operations. Trey's 15+ years of industry experience has allowed him to become an excellent educator, defender of networks, and a cultivator of cybersecurity professionals. Prior to joining SCYTHE, Trey held positions at notable organizations such as Hack The Box (HTB Academy Content Developer) and The Army Corps of Engineers (ICS/SCADA Penetration Testing), and he is a veteran of the United States Marine Corps (Defensive and Offensive Cyber Operations). Current certifications include the CISSP, GICSP, GCIP, and K>FiveFour RTAC.

Hands-on workshop: Be The Threat

Friday | Aug 8th 2025
Adversary Village workshop stage | Las Vegas Convention Center

Adversary Emulation

This session will walk participants through the tenets of threat emulation, culminating in them emulating a threat actor of their choice.

This workshop will give participants a chance to get hands on with threat emulation by covering:

How To Define The Threat: What is likely and what are we afraid of?

Gather Intel: Is there any historic reporting of said threat? Students will research a threat actor and gather actionable behaviors.

Capability Development: We will use that intel gathered to engineer a threat emulation scenario to fit our needs using modern frameworks, scripts, payloads, and even customizing our delivery infrastructure.

Put It To Work: You will get a chance to test your threat against a live environment.

Detailed workshop outline:

This workshop will give participants a chance to get hands on with threat emulation by covering:

  • How To Define The Threat: What is most likely and what are we afraid of?
    • Participants will choose between 5 different threats to research and emulate during the workshop.
      • APT33
      • APT41
      • Volt Typhoon
      • BlackSuit Ransomware
      • COLDRIVER SPICA
    • They will choose one based on the market or vertical they work in (finance, energy, gov, edu, etc.)
    • Participants will get familiar with common CTI resources and frameworks and how to threat model their organization.
    • As they progress through this workshop, we will pay attention to and try to answer specific questions:
      • What are their motivations?
      • What capabilities have they showcased?
      • What opportunities (vulnerabilities, misconfigurations, etc.) are they taking advantage of?
      • How can I turn this information into actionable procedures?
      • How would I detect and defend against these behaviors?
  • Gather Intel: Is there any historic reporting of said threat? Students will research a threat actor and gather actionable behaviors.
    • Participants will begin to gather open source intelligence to build a threat outline based on the Threat Actor chosen.
    • Resources used will include MITRE ATT&CK, CISA, DFIR Report, Malpedia, and major security vendor reporting.
    • Participants will practice CTI collection, interpretation, and enrichment utilizing resources from CTID, MITRE, and other open-source resources.
    • Participants will create graphical attack flows for use in further reporting.
  • Capability Development: We will use that intel gathered to engineer a threat emulation scenario to fit our needs using modern frameworks, scripts, payloads, and even customizing our delivery infrastructure.
    • Participants will get hands-on experience with common open source frameworks and tools to develop capability sets to use during the threat plan.
    • Participants will stage C2, malicious payloads, and common tooling used by threat actors.
    • Participants will learn about the different stages of an attack and how they could emulate common behaviors in each.
  • Put It To Work: You will get a chance to test your threat against a live environment.
    • Participants will utilize the capabilities developed based on their CTI research to execute a threat campaign against a vulnerable domain.
    • Participants will gain hands-on experience with manual and automated tools commonly used for threat emulation.
      • Empire/Starkiller
      • BloodHound
      • BOFs
      • and some custom-made scripts and payloads.

This workshop will be executed in a custom-made domain in which the students can participate and practice their adversary emulation skills.
