3-Day Training | 15-17 Nov

[HITB CYBERWEEK] In & Out (Purple Edition) – Detection as Code vs Adversary Simulations

  • Leszek Miś Founder,
    Defensive Security
Duration 3 days
Capacity 15 pax
Seats Available 15
Difficulty advanced

$4,299.00 $3,299.00

Register Now

Overview

Class mode: VIRTUAL LIVE STREAM  


DATE: 15-17 November 2020

TIME: 09:00 to 18:00 CET

This special In & Out – Detection as Code vs Adversary Simulations – Purple Edition (Red and Blue on Steroids) is an advanced, fast-track, lab-based training created to present participants:

  • The importance of Blue and Red team cooperation
  • Advanced detection methods and techniques against exfiltration and lateral movement including event mapping, grouping, and tagging
  • Understand the tactics and behaviors of the adversary after gaining initial access to the network (Linux/Windows)
  • Detection methods of C2 traffic, tunneling, hiding, pivoting and custom, simulated malicious network events
  • Capabilities of many popular Open Source tools and integration with 3rd party security (IDS/IPS/WAF/EDR/FPC) and analytics solutions against adversaries C2-based actions
  • Verification methods and techniques for product and service providers from IT Security space in terms of internal testing and PoC / PoV programs

The primary goal of this training is to generate offensive attack events/symptoms within PurpleLABS infrastructure that later should be detected by Open Source SOC stack including Sigma – the open standard event description rule set and the rest of dedicated, open-source security solutions in use.

Participants will thoroughly familiarize themselves with the content of the available Sigma detection rules and their structure, better understand the essence of offensive actions, learn the low-level relationships between data sources, and thus achieve knowledge in creating their own detection rules and eventually bypassing them.

 

Why should you take this course?

This unique approach of ‘Detection as Code vs Adversary Simulations’ in a condensed format will allow increasing the level of knowledge in the field of RED / BLUE / PURPLE to both experienced specialists and beginners while maintaining the attractiveness and pleasure of performed tasks – detection does not have to be boring and tedious!

 

Who Should Attend

  • Red and Blue team members
  • Security / Data Analytics
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors

 

Key Learning Objectives

  • Learn ways to improve your detection and event correlations skills across many different data sources
  • Find the malicious activities and identify threats details on the network
  • Prepare your SOC team for fast filtering out network noise and allow for better incident response handling
  • Learn current trends, techniques, and tools for network exfiltration and lateral movements
  • Find out how DFIR / IR Open Source Software can support your SIEM infrastructure
  • Understand the value of DLP / IDS / IPS / FW / WAF / Memory Forensics against real adversary lab scenarios
  • Understand values from an automated approach to simulating attackers and generating anomalies
  • Identify blind spots in your network security posture

Prerequisite Knowledge

  • An intermediate level of command-line syntax experience using Linux and Windows
  • Fundament knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

 

What students say about this training

 

“The content of in and out was great. Lots of gained knowledge and hands on!”

 

“Great course! A truly huge number of topics and tools covered”

 

“Leszek was a really good trainer, he covered a lot of material, and had a very good personality.”

 

“Leszek Miś is very knowledge in the topics covered in the course. He also shares real life scenario which were useful for participant to better understand application of material presented. Contents were very good, it covers many leading open source project which i find it useful. I would recommend this course to my colleagues.”

 

Hardware / Software Requirements

  • VPN client installed according to VPN Setup instructions
  • Slack account as an invite to dedicated training channel will be sent
  • Stable internet connection
  • Recommended:
    • Zoom client installed
    • HD Camera to have 1:1 access to an instructor and the rest of the participants.

This training is based on dedicated PurpleLABS cloud infrastructure, so there are no special student’s desktop requirements. No more initial setup issues, just a pure training experience!

Agenda

Expand All

1. Introduction:

Introduction to Adversary Simulations and Open Source Attack Emulation projects:
● Atomic Red Team
● PurpleSharp
● RTA
● APT simulator
● Dumpster Fire
● Firebolt
● Flightsim
● BYOB
● Metta
● Infection Monkey
● Caldera and more

2. MITRE Attack Framework & Sigma rules →

MITRE Attack Framework & Sigma rules → detection map based on recent examples of chained attack scenarios.

3. Finding malicious artifacts using yara, ssdeep, Volatility and memtriage:

● How yara works and why it could be your best friend
● Yarascan + Volatility Framework
● memtriage
● Yara vs webshells

4. Collecting, analyzing and correlating data from different data sources using:

● Splunk
● Hunting ELK
● Wazuh
● Graylog
● Netflow
● Zeek IDS
● Suricata IDS
● Moloch FPC
● Auditd / go-audit
● eBPF
● OSquery
● Velociraptor

5. Windows Sysinternals Suite:

● Sysmon:○ Process execution events
○ Network connection events
○ Image load events
○ Named pipe events
○ WMI events
○ PSexec events
○ Process Explorer
○ Process Monitor
○ Autoruns
● Evidence traces of file download and execution:
○ cmd.exe
○ HTA
○ JS
○ VBS
○ WSF
○ JSE
○ CSharp
○ certutil
○ Powershell
○ Bitsadmin
● Shellcode injection techniques
● WebDAV / SMB / NFS share mapping

6. Low level Linux security tracing and profiling for critical services:

● eBPF
● sysdig

7. Playing with Zeek IDS / Suricata IDS for anomaly detection → finding malicious artifacts at the network level:

● The importance of network baseline for high-risk environments
● Virtual SPAN / TAP and Netflow → OpenVswitch
● Feature definition and extraction
● Bro-cut syntax
● Bro Script Index
● Client / server Fingerprinting:
○ JA3
○ HASSH
● Security feature extraction per many different network protocols

8. Detection and traces of C2 and network exfiltration techniques → use cases:

● ICMP
● TCP / UDP
● SSL / TLS
● DNS / DoH / DGA / anomalies
● HTTP / HTTP2 / QUIC
● LDAP Exfil
● Dropbox / Twitter / Google / Mozilla / Discord / Slack
● SMB bind named pipes
● Legitimate website covert channel
● Intelligent HTTP C2 Redirection
● Port knocking
● Domain fronting
● ngrok / shooter
● Egress testing and common network traffic on non-standard ports

9. Detection and traces of C2 post-exploitation, lateral movements → use cases:

● AD Reconnaissance / AD Snapshot
● Bloodhound artifacts
● Golden Ticket
● Silver Ticket
● Kerberoasting
● RPC over TCP/IP
● DCsync / DCShadow
● Mimikatz agent/server
● Pass The Hash
● SMBexec
● Invoke-WMI
● WinRM
● Invoke-PSexec
● PSRemoting
● RDP wrapping
● Offensive Powershell:
○ WMI multiple sessions
○ Remote network relaying
○ Copy VSS
○ Keylogging
○ LSA secrets extraction
○ Sandbox / virtual environment detection
○ UAC bypassing
○ Poisoning LLMNR, NBT-NS, MDNS, WPAD and WSUS
○ SMB ransomware detection.
○ Browser pivoting
○ SSH Tunneling and pivoting
○ RDP Tunneling and pivoting / RDP Inception

10. Detection of brute-force attacks → use cases:

● SQL
● AD / Kerberos
● SSH
● Web Apps

11. Windows Malware Persistence Methods:

● Service
● Winlogon registry entries
● Run / RunOnce
● Scheduled Tasks
● Startup Folder
● WMI
● DLL

12. Linux Malware Persistence Methods:

● Service
● Startup scripts
● SSH magic password
● Port knocking / iptables
● Kernel modules

13. Describing and creating relevant log events in generic and open signature → Sigma rules:

● Application
● APT
● Linux
● Network
● Proxy
● Web
● Windows

Sign Up For an Account

to track your favorites

Sign Up

Want a Training Not Seen Here?

Write to Us

Contact Us