| Date | Day | Time | Duration |
|---|---|---|---|
| 21 Aug | Monday | 09:00-17:00 ICT (GMT+7) | 8 hours |
| 22 Aug | Tuesday | 09:00-17:00 ICT (GMT+7) | 8 hours |
| 23 Aug | Wednesday | 09:00-17:00 ICT (GMT+7) | 8 hours |
| 24 Aug | Thursday | 09:00-17:00 ICT (GMT+7) | 8 hours |
In this training, you will learn how real APT attacks and targeted attacks work, how to perform an in-depth investigation by collecting key artifacts and performing live forensics and memory forensics, and how to automate this across the whole enterprise with PowerShell.
You will also learn how to perform threat hunting based on the MITRE ATT&CK framework and powered by threat intelligence: hunting not for the attackers' IoCs but for their tactics, techniques and procedures.
Intro to APT Attacks & MITRE ATT&CK
• What is an APT Attack?
• Review of the kill chain
• MITRE ATT&CK map with techniques and sub-techniques
• Examples of real APT attacks
• Red Team Tools & Frameworks (PowerSploit, PowerShell Empire, Cobalt Strike, Metasploit, Kali Linux)
Intro to Incident Response & Threat Hunting
• The Incident Response Lifecycle
• How attacks are discovered (SOC, third party & threat hunting)
• Security Controls and types of logs in an organization
• What is threat hunting & why threat hunt?
• Types of Threat hunting
• The threat hunting process step by step
• Intelligence-based Threat hunting
Building Your Purple Team Cloud Lab
• Build your honeypot domain in the cloud (AWS & Terraform)
• Intro to Threat Hunting ELK (HELK) for Log Analysis
• Intro to Atomic Red Team For Purple Teaming
• Intro to Caldera For Advanced Red Teaming Activities
• Access The Lab (Hands-on)
Initial Access & Log Analysis:
• Spearphishing Attacks with malicious attachment
• Spearphishing attacks with links
• Spearphishing attacks using social media
• Credential pharming
• Detecting Spearphishing using EDR Logs
• Advanced execution techniques
• Analyze attacks using Sysmon & Splunk (Hands-on)
• Convert your threat hunting hypothesis into an alert
• Write your own SIGMA rules (Hands-on)
Packet Analysis & Malware Exfiltration:
• Hunting the evil in packets
• Hunting for Malware Exfiltration methods
• Hunting for Downloaders, malicious documents, exploits and others
• Detecting IP Flux, DNS Flux, DNS over HTTPS
• Malicious BITS transfers, malware communicating through legitimate websites
• Detecting peer-to-peer communication, Remote COM Objects and suspicious RDP Tunneling
• Hands-on analysis using Wireshark & Microsoft Network Monitor
• Hunting the evil in Zeek logs
• In-Depth Packet Investigation using Zeek logs (Hands-on)
Malware In-Depth & Malware Functionalities
• Types of Malware
• Malware Functionalities in-depth: Downloaders & Droppers
• Malware Functionalities in-depth: Keyloggers
• Malware Functionalities in-depth: Banking Trojans & Man-In-The-Browser
• Malware Functionalities in-depth: Ransomware
• Basic Static Analysis: Strings
• Basic Static Analysis: APIs
• Basic Static Analysis: Packing & Obfuscation
• Write Your Own YARA Rule
Maintaining Persistence In-Depth (Advanced Techniques)
• Maintain Persistence in the victim machine
• Advanced Persistence methods
• Disguise the malware inside a legitimate process (Malware-as-a-DLL)
• Persistence through DLL Injection
In Depth Investigation & Forensics
• Why in-depth investigation?
• Detecting malware persistence: Autoruns registry keys and options
• Detecting malware persistence: Scheduled tasks and jobs
• Detecting malware persistence: BITS jobs
• Detecting malware persistence: Image File Execution Options & File Association
• Detecting Malware & Malicious Document Execution (Prefetch, MRU, Shims, etc.)
• $MFT structure and cavity searching
• How to perform forensic triage with KAPE (Hands-on)
Malware Defense Evasion Techniques
• Process Injection (DLL & Shellcode Injection)
• Advanced Process Injection (APC Queue Injection)
• Network Defense Evasion: HTML Smuggling
• Network Defense Evasion: Legitimate Websites
• Network Defense Evasion: Covert Channels
• Use of legitimate applications for AppLocker bypass
• Detecting & preventing the abuse of the legitimate applications
• Sysmon & EDR Bypass Techniques
Memory Forensics
• Intro to Memory Forensics & Volatility
• Capture a full memory dump
• Extract suspicious & hidden processes
• Detecting memory injection, process hollowing & API hooking
• Detect suspicious network communication & extract network packets
• Detect malware persistence Functionalities using registry hives
• Detect the initial access using Prefetch files & MFT extraction
• Extract Windows event logs from memory
Privilege Escalation Techniques
• UAC bypass techniques
• Abuse services for privilege escalation
• DLL Order Hijacking
• Best practices for detecting & preventing privilege escalation
Incident Response in an Enterprise: PowerShell Intro
• Intro to PowerShell
• PowerShell Remoting
• Logon Types and PowerShell vs RDP
• Collect & Analyze Malicious Artifacts using Kansa
• Collect Minidumps using PowerShell
• Detect suspicious processes using PowerShell
• Automating Artifacts collection & analysis for threat intelligence
Impersonating Users: Credential Theft & Token Impersonation
• Detecting & Hunting LSASS Memory Dumps
• Detecting & Hunting Token Impersonation
• Hands-on AD Vulnerability Scanning using PingCastle
Detection & Prevention of Lateral Movement
• Intro to Authentication Mechanisms in Active Directory (NTLM & Kerberos)
• Understand domain account permissions and access level
• NTLM Attacks: Pass The Hash
• Kerberos Attacks: Pass The Ticket
• Kerberos Attacks: Overpass The Hash
• Silver & Golden Tickets and Kerberoasting Attacks
• Hardening Your AD (LAPS, gMSA, etc.)
• Building a Secure Multi-Tiered Environment
My name is Grant Knoetze, and I am a full-time cybersecurity analyst and part-time writer of articles on IT and cybersecurity for various websites and businesses internationally.
I develop and teach courses and programs in Python and PowerShell for cybersecurity as part of my current responsibilities as a cybersecurity analyst.
My work also includes coaching and mentoring students at various levels in their cybersecurity career, and I assist students with basic to advanced IT skills, core cybersecurity knowledge and awareness, and programming languages, including Python, PowerShell, C++, and web, and I am available for consultation in general.
I am also a senior instructor and consultant, part-time, at a US-based company, where I develop and teach a network forensics course to US students, and I am part of the coaching and continuous development of the students, who are mostly in law enforcement and practicing digital forensics.
Please visit my website, a technical blog that includes links to all my social media and other projects, at www.grantknoetze.com