Participants will thoroughly familiarize themselves with the content of the available Sigma detection rules and their structure, better understand the essence of offensive actions, learn the low-level relationships between data sources, and thus achieve knowledge in creating their own detection rules (and eventually bypassing them).
$3,299.00
| Date | Day | Time | Duration |
|---|---|---|---|
| 23 August | Monday | 09:00-17:00 SGT/GMT+8 | 8 Hours |
| 24 August | Tuesday | 09:00-17:00 SGT/GMT+8 | 8 Hours |
| 25 August | Wednesday | 09:00-17:00 SGT/GMT+8 | 8 Hours |
The primary goal of this training is to show and teach you how to generate offensive attack events and symptoms, and to detect them in parallel using the PurpleLABS SOC stack powered by Sigma rules (the open, vendor-neutral format for describing log events) together with the rest of the dedicated open-source security solutions in use.
The agenda has been prepared based on a list of modular hands-on labs and use cases. You will gain skills that allow you to create and execute your own chained attack scenarios and run detection/hunting activities. By default, all hands-on lab scenarios are categorized by tactic:

• Initial Access (TA0001)
• Execution (TA0002)
• Persistence (TA0003)
• Privilege Escalation (TA0004)
• Defense Evasion (TA0005)
• Credential Access (TA0006)
• Discovery (TA0007)
• Lateral Movement (TA0008)
• Collection (TA0009)
• Command and Control (TA0011)
• Exfiltration (TA0010)
• Impact (TA0040)
• Breach and Attack Simulations
• Forensics

RED VS BLUE HANDS-ON LABS INDEX:

• LOLbins / one-liners for bind & reverse shells, download/upload, file compression tricks
• AD and Network Enumeration
• AD Kerberos password spraying and brute-forcing
• Windows Integrity Levels
• Evil-WinRM pivoting + Ghostpack enumeration
• Bypass UAC over Koadic C3
• Dump lsass at scale
• AD Credential Dumping using Impacket's secretsdump
• Dumping DC Hashes via wmic and Vssadmin Shadow Copy
• PPID spoofing and command argument spoofing
• DLL Hijacking against MSDTC service for persistence
• OCI DLL Hijacking
• Windows Process Injection / Hollowing Techniques
• Windows CMSTP + Rundll Network Connection
• Windows MSBuild In-memory Code Execution
• Windows MSHTA + Windows Script Component
• Windows Bitsadmin
• Windows New Firewall Rule
• Windows Sharpshooter + Metasploit Framework + SMB Named Pipe Pivoting
• Windows Schtasks Persistence
• Windows Application Shimming Persistence
• Windows Winlogon Helper DLL Persistence
• AD Skeleton Key Persistence
• Pass The Hash over dcomexec / psexec / wmiexec / smbexec
• Evading Sysmon and Windows Event Logging
• SMB named pipes for lateral movement
• RDP no-GUI Remote Command Execution
• Ask for Windows passwords from PowerShell
• Shad0w beacons
• Donuts, donuts, anyone?
• ADS NTFS
• The power of SharpDPAPI
• Windows Pcap driver installation
• AD Silver and Golden tickets
• AD Kerberoasting / DCSync / DCShadow
• Linux ELF in-memory code execution for running network events
• Linux syscall faulting for C2 agent execution
• Injecting an ELF file into a remote Linux process
• Linux GDB Shared Library Injection
• Linux sshd Injection + password extraction
• Linux Apache rootkit + command execution over HTTP
• Linux kernel space rootkits and backdoors vs LKRG
• Invoking Linux Reverse shell from kernel space in response to ICMP
• Hidden channel over ICMP!
• Customize dnscat2, tunnel, and exfiltrate data over DNS
• In-memory DNS AAAA implant for Linux
• DNS AXFR Payload Delivery
• DNS Fast-flux domains
• DNS dictionary and random characters DGA
• HTTP2 Exfiltration and DNS over HTTPS C2
• DLP validation through data exfiltration using multiple network channels at once
• Playing with LDAP as payload delivery channel / hidden storage
• Tunneling traffic into internal networks
• Mutual TLS / SSL C2 communication
• SNI-based TLS data exfiltration
• Stageless and staged payloads in different formats + whitelist bypassing + armoring + sandbox detection
• C2 and data exfiltration over clouds (Dropbox, Google Drive, Slack, Discord)
• NTLM Multi-relaying and command execution + BadPDF
• HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies, WebDAV, WebSockets
• Clone, armor, and phish popular websites and use them for covert channel
• Playing "QUIC" exfil game
• Local network scanning from the pwned OS/browser through XSS
• Looping, port forwarding, pivoting, and routing tricks through Covenant / Meterpreter / Empire and other C2 Frameworks
• Pivot and pwn over HTTP Socks Proxy Tunneling
• Web categorization | Domain fronting for SharpChisel
• Pwn remote docker host over DNS rebinding
• Octopus AES-256 Encrypted C2
• Playing with PoshC2 post-exploitation modules
• Slow exfil - sending data in small "chunks"
• Port Knocking
• Punching holes in your NAT
• YouTube-based command delivery and execution
• Google Translator as a C2 Proxy
• Auditing and exfiltrating data against layer 7 inspection rules on NG-firewalls
• Network/exfiltration modules of Nishang, PowerSploit, Powercat, Empire
• The world of web shells
• Network hops chaining and hiding behind open proxies
• TOR network traffic simulations
• P2P network traffic simulations
• Network flooding
• DHCP Starvation
• Text-based steganography and hiding data in images
• SSH tunneling tips and tricks
• Network and OS artifacts for upgrading the shells and changing the transport on the fly
• Request throttling, behavior tuning, and profile customization of beacon/shell connections
• Memory Forensics
• Infection Monkey Automated Adversary Simulations
• Network Flight Simulator
• Purple Team ATT&CK Automation
• Atomic Red Team Simulations
• Falco vs Linux / docker auditing
• Playing with CME + atsvc
• NTP Exfiltration vs Moloch
• Hello to my PupyRAT, Grat2 C2 & NinjaC2