The first workshop of the PurpleLabs series generated a great deal of interest in the scope of detection and threat hunting!
For the first 5 registrations, Leszek will provide 7 days of full access to the PurpleLabs environment supplied with a set of 60+ hands-on lab instructions in the purple teaming structure.
During the #1 session, we have covered how to get network and OS visibility/telemetry needed for advanced detection with Open Source / free tools. We’ve run few simple hunting examples and demonstrated how to use Sigma / Sentinel rules as hints/guides to learn more in the ‘detection vs attack’ formula.
We need to keep learning how adversaries are operating, so after a good introduction to the subject, it’s time for the next step.
During hands-on session #2*, Leszek is going to demonstrate how to create and simulate chain attack steps:
Rundll32 communicating with public IP addresses
Mshta executing VBScript
Disabling Windows Defender / modifying Windows Firewall
Suspicious non-browser attempts to access suspicious URL
Suspicious scheduled task creation
Powershell execution with IP arguments
Malicious Named Pipe
Suspicious Linux Reverse Shell Command Line
Linux kernel space rootkit
and provide detection coverage for the tools, techniques, and procedures by using PurpleLabs stack:
HELK + ElastAlert
Sysmon + Windows Events
* This is a continuation of the topic from the first session.
For those who want to know more about this hands-on cyber range project, here’s the all-in-one picture:
Why You Should Take This Course
Who Should Attend
Key Learning Objectives
Find out how Detection / Hunting Open Source Software can support your SOC infrastructure & team.
Learn ways to improve detection and sharpen your event correlation skills across many different data sources
Generate evil, find the malicious activities, and identify threat details on the network
Prepare your SOC team for fast filtering out network noise and allow for better incident response handling
Understand values of a manual and automated approach to simulate attackers and generate anomalies