In & Out – Windows Attack, Detection & Hunting with PurpleLabs [HITB+ CYBERWEEK 2021]

DURATION: 2 days

ATTEND IN-PERSON: Onsite in Abu Dhabi

ATTEND ONLINE: Virtual via Zoom and Discord

DATE: 23-24 November 2021

TIME: 09:00 to 17:00 GST/GMT+4

Date    Day        Time                    Duration
23 Nov  Tuesday    09:00-17:00 GST/GMT+4   8 Hours
24 Nov  Wednesday  09:00-17:00 GST/GMT+4   8 Hours


Full access to the PurpleLabs environment for 30 days post-training!

Make sure you’re choosing the right course. This is the Windows version. The Linux version is HERE. Or do both as a COMBO 4-day HERE!

The primary goal of this training is to show and teach you how to generate offensive attack events and symptoms against Windows Active Directory boxes, and to detect them in parallel using the PurpleLABS SOC stack. That stack is powered by Sigma rules (the open standard format for describing detection logic over log events) together with the rest of the dedicated open source security solutions in use.

Participants will thoroughly familiarize themselves with the content of the available Sigma detection rules and their structure, better understand the essence of offensive actions in Windows AD subsystems, learn the low-level relationships between data sources, and thus achieve knowledge in creating their own detection rules (and eventually bypassing them).

This course takes an “Adversary Simulations vs Hunting” approach in a condensed format. It allows a gradual escalation of red / blue / purple teaming knowledge for both experienced specialists and beginners, while keeping the tasks engaging and enjoyable. Windows AD detection and hunting does not have to be boring and tedious!

● Realistic, 100% lab-oriented Windows AD offensive and defensive security use cases.
● Minimum theory, maximum hands-on, with a high level of expertise.
● A lot of accumulated knowledge in one place, focused on high-priority elements.
● Focused on Open Source Security.




  • Windows Red vs Blue Hands-On Labs - TACTIC SCENARIOS:

    • Initial Access (TA0001)
    • Execution (TA0002)
    • Persistence (TA0003)
    • Privilege Escalation (TA0004)
    • Defense Evasion (TA0005)
    • Credential Access (TA0006)
    • Discovery (TA0007)
    • Lateral Movement (TA0008)
    • Collection (TA0009)
    • Command and Control (TA0011)
    • Exfiltration (TA0010)
    • Impact (TA0040)
    • Breach and Attack Simulations
    • Forensics

  • Windows Red vs Blue Hands-On Labs INDEX:

    ● Introduction to PurpleLabs
    ● Current state of Windows malware / APT campaigns
    ● Analysis of Windows C2 implants and interesting post-exploitation modules (execute-shellcode, execute-assembly)
    ● Using malleable C2 profiles over Empire Framework
    ● LOLbins / one-liners for bind & reverse shells, download/upload, file compression tricks
    ● Active Directory network / local enumeration
    ● AD Kerberos password spraying and brute-forcing
    ● Windows Integrity Levels
    ● Evil-WinRM pivoting + Ghostpack enumeration
    ● Bypassing UAC over Koadic C3, Empire, Metasploit
    ● Dumping lsass at scale and its detection
    ● AD credential dumping using Impacket’s secretsdump
    ● Dumping DC hashes via wmic and Vssadmin Shadow Copy
    ● PPID spoofing and command argument spoofing
    ● DLL hijacking against the MSDTC service for persistence
    ● Windows OCI DLL hijacking
    ● Windows process injection / hollowing techniques
    ● Windows CMSTP + Rundll network connection
    ● Windows MSBuild in-memory code execution
    ● Windows MSHTA + Windows Script Component
    ● Windows Bitsadmin
    ● Windows new firewall rule
    ● Windows Sharpshooter + Metasploit Framework + SMB named pipe pivoting
    ● Windows Schtasks persistence
    ● Windows Application Shimming persistence
    ● Windows AMSI provider for persistence
    ● Windows Winlogon Helper DLL persistence
    ● Windows ADS NTFS persistence and hiding
    ● Windows AD Skeleton Key persistence
    ● Differences in behavior between dcomexec / psexec / wmiexec / smbexec / atexec + Pass The Hash
    ● Evading Sysmon and Windows Event Logging
    ● SMB named pipes for lateral movement
    ● RDP no-GUI remote command execution
    ● Asking for Windows passwords from PowerShell
    ● Shad0w beacons
    ● Donuts, donuts, anyone?
    ● The power of SharpDPAPI
    ● Windows pcap driver installation
    ● AD Silver and Golden Tickets
    ● Kerberoasting / DCSync / DCShadow
    ● Tunneling traffic into internal networks
    ● Mutual TLS / SSL C2 communication
    ● SNI-based TLS data exfiltration
    ● Clone, armor, and phish popular websites and use them as a covert channel
    ● Playing the “QUIC” network exfil game
    ● Local network scanning from the pwned OS/browser through XSS
    ● Octopus AES-256 encrypted C2
    ● Playing with PoshC2 post-exploitation modules
    ● Network/exfiltration modules of Nishang, PowerSploit, Powercat, Empire
    ● Infection Monkey automated adversary simulations
    ● Network Flight Simulator / testIDS
    ● Purple Team ATT&CK automation
    ● Atomic Red Team simulations
    ● PurpleSharp simulations
    ● Playing with CME + atsvc
    ● Analysis of a collection of Windows Print Spooler exploits
    ● Word exploitation and detection (CVE-2021-40444)
    ● PetitPotam – NTLM relay to AD CS
    ● Sliver C2 extensions
    ● Process scanning at scale against malicious behavior - Velociraptor + hollow_hunter
    ● APT Lazarus simulation vs hunting
    ● Emulating and hunting for APT29 / FIN7 / FIN6 / menuPass / Hafnium / Carbanak
    ● Windows rapid triage using Velociraptor IR
    ● The power of Mordor and EVTX-ATTACK-SAMPLES vs HELK
    ● DNSStager for payload delivery over DNS vs dns.log
    ● and more

Why You Should Take This Course

“In & Out – Windows AD Attack, Detection & Hunting with PurpleLabs” is an intermediate, hands-on PurpleLABS training focusing on Windows AD / network security, created to present:
  • The value of the Assume Breach approach and simulation of threats after getting early access to the Windows 10 target. (Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access)
  • The importance of Blue and Red team cooperation and how to effectively run hunting activities and write security notes.
  • A “feel the network and systems” approach to capturing and understanding the low-level baseline behavior of Windows devices and networks.
  • Different ways of working with many important data sources, including Sysmon, PowerShell events, Windows Event Logs, Zeek IDS, Suricata IDS, OSQuery, Velociraptor IR, memory dumps and full packet captures.
  • How to run adversary simulations effectively, including the development of attack paths and chained attack scenarios by combining the attacker’s tactics, techniques and procedures within Windows AD infrastructure.
  • Visibility, detection methods and capabilities of well-recognized hunting and detection tools, including HELK, Splunk, Elastiflow, Moloch FPC, Kolide Fleet, Wazuh, Graylog, theHive and MISP.
  • The potential of Sigma rules (+ElastAlert) and their value for SIEM engines and DFIR.
  • Engineering and analytical skills required to work in the Security Operation Center environment.
  • Verification methods and techniques for Cyber Security product and service providers → in terms of internal testing and supporting PoC / PoV programs.

Who Should Attend

  • Red and Blue team members
  • Penetration testers
  • Security / Data Analysts
  • CSIRT / Incident Response Specialists
  • IT Security Professionals, Experts & Consultants
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

Key Learning Objectives

  • Learn current trends, techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access against AD Windows machines.

  • Learn ways to improve Windows detection and sharpen your event correlation skills across many different data sources.

  • Find the malicious activities and identify threat details on the Windows AD network.

  • Prepare your SOC team for fast filtering out network noise and allow for better incident response handling.

  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure.

  • Understand the value of manual and automated approaches to simulating attackers and generating anomalies in Windows Active Directory networks.

  • Identify blind spots in your Windows network security posture.
Prerequisite Knowledge

  • An intermediate level of Windows command-line syntax / PowerShell experience
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploitation, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Hardware / Software Requirements

This training is based on the dedicated PurpleLABS Cyber Range virtual infrastructure, so there are no special requirements for the student’s desktop. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days after the training.
  • VPN client installed according to the VPN Setup instructions
  • Slack account (an invite to the dedicated training channel will be sent)
  • Stable internet connection
  • Zoom client installed
  • HD camera, to have 1:1 access to the instructor and the rest of the participants.
