Deep Dive Into Threat Hunting & Purple Teaming



4 days

ATTEND IN-PERSON: Onsite in Phuket

DATE: 21-24 August 2023

TIME: 09:00 to 17:00 ICT/GMT+7

Date    Day        Time                    Duration
21 Aug  Monday     09:00-17:00 ICT/GMT+7   8 hours
22 Aug  Tuesday    09:00-17:00 ICT/GMT+7   8 hours
23 Aug  Wednesday  09:00-17:00 ICT/GMT+7   8 hours
24 Aug  Thursday   09:00-17:00 ICT/GMT+7   8 hours

With the rise of APT attacks and targeted ransomware attacks, there is a huge need for in-depth investigation and threat hunting skills that detect these attacks early, before the cost of the breach triples with every day it goes undetected.

In this training, you will learn how real APT attacks and targeted attacks work, how to perform an in-depth investigation by collecting key artifacts and performing live forensics and memory forensics, and how to automate this across the whole enterprise with PowerShell.

You will also learn how to perform threat hunting based on the MITRE ATT&CK framework and powered by threat intelligence, focused not on the attackers' IoCs but on their tactics, techniques and procedures.


DAY 1:

Intro to APT Attacks & MITRE ATT&CK
• What is an APT Attack?
• Review of the kill chain
• MITRE ATT&CK map with techniques and sub-techniques
• Examples of real APT attacks
• Red Team Tools & Frameworks (PowerSploit, Powershell EMPIRE, Cobalt Strike, Metasploit, Kali Linux)

Intro to Incident Response & Threat Hunting
• The Incident Response Lifecycle
• How attacks are discovered (SOC, 3rd party & threat hunting)
• Security Controls and types of logs in an organization
• What’s Threat hunting & why threat hunting?
• Types of Threat hunting
• The threat hunting process step by step
• Intelligence-based Threat hunting

Building Your Purple Team Cloud Lab
• Build Your honeypot Domain in the Cloud (AWS & Terraform)
• Intro to Threat Hunting ELK (HELK) for Log Analysis
• Intro to Atomic Red Team For Purple Teaming
• Intro to Caldera For Advanced Red Teaming Activities
• Access The Lab (Hands-on)

Initial Access & Log Analysis:
• Spearphishing Attacks with malicious attachment
• Spearphishing attacks with links
• Spearphishing attacks using social media
• Credential pharming
• Detecting Spearphishing using EDR Logs
• Advanced execution techniques
• Analyze attacks using Sysmon & Splunk (Hands-on)
• Convert your threat hunting hypothesis into an alert
• Write your own Sigma rules (Hands-on)


DAY 2:

Packet Analysis & Malware Exfiltration:
• Hunting the evil in packets
• Hunting for Malware Exfiltration methods
• Hunting for Downloaders, malicious documents, exploits and others
• Detecting IP Flux, DNS Flux, DNS over HTTPS
• Malicious BITS transfers, malware communicating through legitimate websites
• Detecting peer-to-peer communication, Remote COM Objects and suspicious RDP Tunneling
• Hands-on analysis using Wireshark & Microsoft Network Monitor
• Hunting the evil in Zeek logs
• In-Depth Packet Investigation using Zeek logs (Hands-on)

Malware In-Depth & Malware Functionalities
• Types of Malware
• Malware Functionalities in-depth: Downloaders & Droppers
• Malware Functionalities in-depth: Keyloggers
• Malware Functionalities in-depth: Banking Trojans & Man-In-The-Browser
• Malware Functionalities in-depth: Ransomware
• Basic Static Analysis: Strings
• Basic Static Analysis: APIs
• Basic Static Analysis: Packing & Obfuscation
• Write Your Own Yara Rule

Maintaining Persistence In-Depth (Advanced Techniques)
• Maintain Persistence in the victim machine
• Advanced Persistence methods
• Disguise the malware inside a legitimate process (Malware-as-a-DLL)
• Persistence through DLL Injection

DAY 3:

In Depth Investigation & Forensics
• Why in-depth investigation?
• Detecting malware persistence: Autoruns registry keys and options
• Detecting malware persistence: Scheduled tasks and jobs
• Detecting malware persistence: BITS jobs
• Detecting malware persistence: Image File Execution Options & File Association
• Detecting Malware & Malicious Documents Execution (Prefetch, MRU, Shims … etc)
• $MFT structure and cavity searching
• How to perform Forensics Triage With KAPE (Hands-on)

Malware Defense Evasion Techniques
• Process Injection (DLL & Shellcode Injection)
• Advanced Process Injection (APC Queue Injection)
• Network Defense Evasion: HTML Smuggling
• Network Defense Evasion: Legitimate Websites
• Network Defense Evasion: Covert Channels
• Use of legitimate applications for AppLocker bypass
• Detecting & preventing the abuse of legitimate applications
• Sysmon & EDR Bypass Techniques

Memory Forensics
• Intro to Memory Forensics & Volatility
• Capture a full memory dump
• Extract suspicious & hidden processes
• Detecting memory injection, process hollowing & API hooking
• Detect suspicious network communication & extract network packets
• Detect malware persistence using registry hives
• Detect the initial access using Prefetch files & MFT extraction
• Extract Windows event logs from memory


DAY 4:

Privilege Escalation Techniques
• UAC bypass techniques
• Abuse services for privilege escalation
• DLL Order Hijacking
• Best practices for detecting & preventing privilege escalation

Incident Response in an Enterprise: PowerShell Intro
• Intro to PowerShell
• PowerShell Remoting
• Logon types: PowerShell Remoting vs. RDP
• Collect & Analyze Malicious Artifacts using Kansa
• Collect Minidumps using PowerShell
• Detect suspicious processes using PowerShell
• Automating artifact collection & analysis for threat intelligence

Impersonating Users: Credential Theft & Token Impersonation
• Detecting & Hunting LSASS Memory Dumps
• Detecting & Hunting Token Impersonation
• Hands-on AD Vulnerability Scanning using PingCastle

Detection & Prevention of Lateral Movement
• Intro to Authentication Mechanisms in Active Directory (NTLM & Kerberos)
• Understand domain account permissions and access level
• NTLM Attacks: Pass The Hash
• Kerberos Attacks: Pass The Ticket
• Kerberos Attacks: Overpass The Hash
• Silver & Golden Tickets and Kerberoasting Attacks
• Hardening Your AD (LAPS, gMSA … etc)
• Building a Secure Multi-Tiered Environment

Why You Should Take This Course

In this training, you will learn how real APT attacks and targeted attacks work, how to perform an in-depth investigation by collecting key artifacts and performing live forensics and memory forensics, and how to automate this across the whole enterprise with PowerShell.
You will also learn how to perform threat hunting based on the MITRE ATT&CK framework and powered by threat intelligence, simulate adversary activities through purple teaming, uncover the gaps in your visibility, and write new detection rules.

Who Should Attend

• Cyber Security Professionals
• Penetration Testers
• Purple Teamers & Threat Hunters
• Incident Handlers
• SOC Analysts

Key Learning Objectives

• The ability to perform purple teaming exercises that simulate APT attacks, fileless malware, and targeted ransomware attacks, from initial access through lateral movement and domain takeover.

• How to perform an in-depth digital investigation through live forensics, triaging and memory forensics, and how to use PowerShell to automate the analysis of key artifacts to detect malicious activities.

• How to build a threat hunting process that is powered by the MITRE ATT&CK framework and threat intelligence.
Prerequisite Knowledge

• Good IT administration background, mainly in Windows (Linux is preferred)
• Good cybersecurity background
• Preferred: Good scripting skills in PowerShell

Hardware / Software Requirements

• Laptop with minimum 8GB RAM and 10GB free hard disk space
• Delegates will be given a set of tools to install prior to the training

Your Instructor

My name is Grant Knoetze, and I am a full-time cybersecurity analyst and part-time writer of articles on IT and cybersecurity for various websites and businesses internationally.

I develop and teach courses and programs in Python and PowerShell for cybersecurity as part of my current responsibilities as a cybersecurity analyst.

My work also includes coaching and mentoring students at various levels in their cybersecurity careers, and I assist students with basic to advanced IT skills, core cybersecurity knowledge and awareness, and programming languages, including Python, PowerShell, C++, and web, and I am available for consultation in general.

I am also a senior instructor and consultant at a US-based company part-time, where I develop and teach a network forensics course to US students, and I am part of the coaching and continuous development of the students, who are mostly in law enforcement and practicing digital forensics.

Please visit my website, which is a technical blog and includes links to all my social media and other projects, at