Attack Detection and Threat Hunting

£1,320.00 inc VAT

A practical journey through the kill chain

This training will teach you the fundamentals of attack detection. You will get a dedicated sandbox environment in the cloud in which you’ll perform a number of modern, offensive activities from across the Cyber Kill Chain against a representative corporate domain. We’ll then contextualize each technique within the MITRE ATT&CK framework, looking at the fundamental detection principles we can apply to various, widely available log sources, identifying ways we could spot malicious activity.

The 2 day course will take place online over four half days on the 6th to 9th December 2021.

Out of stock

SKU: 44CON-TRN-D21-ADT Category: Tags: , , ,

Live Online Training

Presented by Alfie Champion

Description and Syllabus

In this training you’ll be performing attacker actions against a sandbox environment. We’ll map the actions to the MITRE ATT&CK framework to contextualize our offensive activities, and understand how they fit into the complete life cycle of an attack:

We’ll then deconstruct each technique and look into ways they can be detected leveraging different log sources:

To support the hands-on exercises, a dedicated sandbox will be provisioned to each participant via our Playground training platform. This includes an Active Directory environment of domain controllers and workstations, as well as a mail server, firewall and pre-configured logging capabilities. You’ll have full control of the environment, which we’ll modify to improve detective and preventative capabilities as we proceed on our journey.


  • Module 1 – Introduction
    • MITRE ATT&CK framework
    • Sandbox environment
  • Module 2 – Initial Access
    • Setting up a Covenant listener and deploying a Grunt binary payload
    • Deconstructing the attack: process creation and network events
    • Hunting for the Grunt launcher in the logs
    • HTA payloads and MSHTA
  • Module 3 – Execution
    • LOLBins
    • Launching Grunt with MSBuild
    • Meterpreter / Powershell
    • Hardening Powershell (Constrained Language Mode, Script Block Logging, AMSI)
    • Detecting malicious Powershell payloads
  • Module 4 – Persistence
    • Common persistence techniques
    • Startup folders and registry keys
    • SysInternals Autoruns
    • Hunting for persistence
    • Least frequency analysis
  • Module 5 – Credential Access & Discovery
    • Performing a Kerberoasting attack
    • Deconstructing Kerberoasting (LDAP Queries, TGS Ticket Requests)
    • Detecting kerberoasitng (Windows Event Logs, Sysmon and ETW)
    • Using Shaprshares for fileshare enumeration
    • Hunting for fileshare enumeration
  • Module 6 – Lateral Movement
    • Common lateral movement techniques
    • Deconstructing PSExec
    • Hunting for PSExec activity
    • Windows Management and Instrumentation and WMIEXEC
    • Hunting for WMIEXEC
  • Module 7 – Command & Control
    • C2 channel types and beaconing
    • HTTP/S and C2 traffic profiles
    • Grunt HTTP profiles in Covenant
    • Establishing a DNS C2 channel with DNSCAT2
    • Hunting for DNSCAT2

Target Audience

This course is suitable for beginners and intermediate IT security professionals in the following roles:

  • Blue and Purple teamers
  • SOC analysts and threat hunters
  • Offensive security professionals that want to get a better insight into detection

What students will be provided with

  • Access to a dedicated training sandbox on F-Secure’s Playground training platform (including 40 hours in the lab that can be used within 1 year)
    • The sandbox can be accessed from anywhere either via a Remote Desktop Gateway from the browser (no tools need to be installed locally) or via a dedicated VPN connection
    • The sandbox contains the full training environment
  • Life-time access to the training material in interactive, searchable HTML-format
  • Teams link for the instructor-led sessions and chat functionality

Trainer Bio

Alfie Champion

Alfie has a background in software development and DevOps and now leads the global delivery of attack detection services at F-Secure Consulting. He has a keen interest in adversary simulation and offensive tradecraft, developing tooling to emulate attacker activity and ultimately aid clients in testing and developing their detective capability.