Attack Detection and Threat Hunting
£1,320.00 ex VAT
A practical journey through the kill chain
This training will teach you the fundamentals of attack detection. You will get a dedicated sandbox environment in the cloud in which you will perform a number of modern offensive activities from across the Cyber Kill Chain against a representative corporate domain. We will then contextualize each technique within the MITRE ATT&CK framework, looking at the fundamental detection principles we can apply to various widely available log sources and identifying ways we could spot malicious activity.
The two-day course will be delivered online as four half-days, from 6 to 9 December 2021.
Live Online Training
Presented by Alfie Champion
Description and Syllabus
In this training you will perform attacker actions against a sandbox environment. We will map the actions to the MITRE ATT&CK framework to contextualize our offensive activities and understand how they fit into the complete life cycle of an attack.
We will then deconstruct each technique and look into ways it can be detected using different log sources.
To support the hands-on exercises, a dedicated sandbox will be provisioned for each participant via our Playground training platform. This includes an Active Directory environment of domain controllers and workstations, as well as a mail server, a firewall and pre-configured logging capabilities. You will have full control of the environment, which we will modify to improve detective and preventative capabilities as we proceed on our journey.
Syllabus
- Module 1 – Introduction
- MITRE ATT&CK framework
- Sandbox environment
- Module 2 – Initial Access
- Setting up a Covenant listener and deploying a Grunt binary payload
- Deconstructing the attack: process creation and network events
- Hunting for the Grunt launcher in the logs
- HTA payloads and MSHTA
- Module 3 – Execution
- LOLBins
- Launching Grunt with MSBuild
- Meterpreter / PowerShell
- Hardening PowerShell (Constrained Language Mode, Script Block Logging, AMSI)
- Detecting malicious PowerShell payloads
- Module 4 – Persistence
- Common persistence techniques
- Startup folders and registry keys
- SysInternals Autoruns
- Hunting for persistence
- Least frequency analysis
- Module 5 – Credential Access & Discovery
- Performing a Kerberoasting attack
- Deconstructing Kerberoasting (LDAP Queries, TGS Ticket Requests)
- Detecting Kerberoasting (Windows Event Logs, Sysmon and ETW)
- Using SharpShares for file share enumeration
- Hunting for file share enumeration
- Module 6 – Lateral Movement
- Common lateral movement techniques
- Deconstructing PsExec
- Hunting for PsExec activity
- Windows Management Instrumentation (WMI) and WMIExec
- Hunting for WMIExec
- Module 7 – Command & Control
- C2 channel types and beaconing
- HTTP/S and C2 traffic profiles
- Grunt HTTP profiles in Covenant
- Establishing a DNS C2 channel with dnscat2
- Hunting for dnscat2
Target Audience
This course is suitable for beginner and intermediate IT security professionals in the following roles:
- Blue and Purple teamers
- SOC analysts and threat hunters
- Offensive security professionals who want better insight into detection
What students will be provided with
- Access to a dedicated training sandbox on F-Secure's Playground training platform (including 40 hours in the lab, usable within one year)
- The sandbox can be accessed from anywhere, either via a Remote Desktop Gateway in the browser (no tools need to be installed locally) or via a dedicated VPN connection
- The sandbox contains the full training environment
- Lifetime access to the training material in interactive, searchable HTML format
- Teams link for the instructor-led sessions and chat functionality
Trainer Bio
Alfie Champion
Alfie has a background in software development and DevOps and now leads the global delivery of attack detection services at F-Secure Consulting. He has a keen interest in adversary simulation and offensive tradecraft, developing tooling to emulate attacker activity and ultimately aid clients in testing and developing their detective capability.