Live Online Training
Presented by Alfie Champion
Description and Syllabus
In this training you’ll be performing attacker actions against a sandbox environment. We’ll map the actions to the MITRE ATT&CK framework to contextualize our offensive activities, and understand how they fit into the complete life cycle of an attack.
We’ll then deconstruct each technique and look into ways it can be detected, leveraging different log sources.
To support the hands-on exercises, a dedicated sandbox will be provisioned to each participant via our Playground training platform. This includes an Active Directory environment of domain controllers and workstations, as well as a mail server, firewall and pre-configured logging capabilities. You’ll have full control of the environment, which we’ll modify to improve detective and preventative capabilities as we proceed on our journey.
Syllabus
- Module 1 – Introduction
  - MITRE ATT&CK framework
  - Sandbox environment
- Module 2 – Initial Access
  - Setting up a Covenant listener and deploying a Grunt binary payload
  - Deconstructing the attack: process creation and network events
  - Hunting for the Grunt launcher in the logs
  - HTA payloads and MSHTA
- Module 3 – Execution
  - LOLBins
  - Launching Grunt with MSBuild
  - Meterpreter / PowerShell
  - Hardening PowerShell (Constrained Language Mode, Script Block Logging, AMSI)
  - Detecting malicious PowerShell payloads
- Module 4 – Persistence
  - Common persistence techniques
  - Startup folders and registry keys
  - Sysinternals Autoruns
  - Hunting for persistence
  - Least frequency analysis
- Module 5 – Credential Access & Discovery
  - Performing a Kerberoasting attack
  - Deconstructing Kerberoasting (LDAP queries, TGS ticket requests)
  - Detecting Kerberoasting (Windows Event Logs, Sysmon and ETW)
  - Using SharpShares for file share enumeration
  - Hunting for file share enumeration
- Module 6 – Lateral Movement
  - Common lateral movement techniques
  - Deconstructing PsExec
  - Hunting for PsExec activity
  - Windows Management Instrumentation (WMI) and WMIEXEC
  - Hunting for WMIEXEC
- Module 7 – Command & Control
  - C2 channel types and beaconing
  - HTTP/S and C2 traffic profiles
  - Grunt HTTP profiles in Covenant
  - Establishing a DNS C2 channel with dnscat2
  - Hunting for dnscat2
Target Audience
This course is suitable for beginner and intermediate IT security professionals in the following roles:
- Blue and purple teamers
- SOC analysts and threat hunters
- Offensive security professionals who want to gain better insight into detection
What students will be provided with
- Access to a dedicated training sandbox on F-Secure’s Playground training platform (including 40 hours in the lab that can be used within 1 year)
- The sandbox can be accessed from anywhere either via a Remote Desktop Gateway from the browser (no tools need to be installed locally) or via a dedicated VPN connection
- The sandbox contains the full training environment
- Lifetime access to the training material in an interactive, searchable HTML format
- Teams link for the instructor-led sessions and chat functionality
Trainer Bio
Alfie Champion
Alfie has a background in software development and DevOps and now leads the global delivery of attack detection services at F-Secure Consulting. He has a keen interest in adversary simulation and offensive tradecraft, developing tooling to emulate attacker activity and ultimately aid clients in testing and developing their detective capability.