
Course Summary – 4 Day Offering

Enterprise networks are under constant attack from adversaries of all skill levels. Blue teams face a losing battle: the attacker only needs to succeed once to gain access. Since the scales are heavily tipped in the attacker's favor, a new defensive mindset is required. Rather than focusing only on preventing attacks from succeeding, assume a breach may already have occurred and proactively search the environment for evidence of compromise. The techniques adversaries use to move laterally, pivot and escalate privileges are not normal activity, and they can be detected. A proper Breach Assessment methodology focuses on maximizing the effectiveness of scarce network defense resources against a potentially limitless threat.

Breach Assessments take a different perspective on network defense, relying on skilled operators to investigate and find evidence of malicious activity. This course builds on standard network defense and incident response (which target known malware) by focusing on abnormal behavior and on attacker Tactics, Techniques, and Procedures (TTPs). We will teach you how to detect the most significant issues as early as possible, rather than rushing to address the most obvious indicator first. In addition, we will cover how to use existing Microsoft tooling (e.g. PowerShell, WMI, Sysinternals) alongside tools developed by SpecterOps team members (e.g. PSInvestigate, CimSweep, PowerForensics) to gather and analyze large amounts of host information and detect malicious activity. You will use these techniques and toolsets to conduct a breach assessment in a simulated enterprise network undergoing active compromise by several types of threat actors.

Day 1
  • Breach Assessment Overview
  • PowerShell Scripting Basics
  • Understanding and Utilizing WinRM
  • Understanding and Utilizing WMI
  • Environment Preparation
Day 2
  • Host Discovery
  • Data Collection with WMI
  • Data Collection with WinRM
  • Data Collection with Sysmon
  • Windows Event Forwarding
Day 3
  • Incorporating Threat Intelligence
  • Gathering Existing Logs
  • Ingest into SIEM
  • Analyzing Collected Data
  • Investigating Indicators
Day 4
  • Configure Hunt in an Enterprise
  • Gather Host Information in an Enterprise
  • Analyze for Indicators in an Enterprise
  • Investigate Activity in an Enterprise
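The Day 1 and Day 2 topics above (WinRM, WMI, data collection) come together in the following script, which is an added example and not course material or SpecterOps code. It opens WinRM-backed CIM sessions to a set of hosts, pulls the Win32_Process inventory from all of them in one call, and applies a few parent/child and command-line checks of the kind a breach assessment looks for. The host names are assumptions; run it from an account with administrative rights on the targets.

```powershell
# Added example: fleet-wide process collection over WinRM/CIM with simple
# behavioural checks. Host names below are assumptions, not real systems.
$targets = 'WS01.corp.example', 'WS02.corp.example'

# Use WS-Man (WinRM) rather than legacy DCOM so only TCP 5985/5986 is needed.
$opt = New-CimSessionOption -Protocol Wsman
$sessions = New-CimSession -ComputerName $targets -SessionOption $opt -ErrorAction SilentlyContinue
if (-not $sessions) { throw 'No CIM sessions could be established.' }

# One query fans out to every session; PSComputerName identifies the source host.
$procs = Get-CimInstance -CimSession $sessions -ClassName Win32_Process |
    Select-Object PSComputerName, ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

$scriptHosts   = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
$officeBrowser = @('winword.exe', 'excel.exe', 'outlook.exe', 'chrome.exe', 'msedge.exe')
$systemBins    = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe')

$findings = foreach ($grp in ($procs | Group-Object PSComputerName)) {
    # Index the host's processes by PID so parents can be resolved locally.
    $byPid = @{}
    foreach ($p in $grp.Group) { $byPid[$p.ProcessId] = $p }

    foreach ($p in $grp.Group) {
        $parent     = $byPid[$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<unknown>' }
        $reason     = $null

        # Office or browser spawning a shell/script host: classic initial-access pattern.
        if (($p.Name -in $scriptHosts) -and ($parentName -in $officeBrowser)) {
            $reason = "script/shell host spawned by $parentName"
        }
        # Encoded PowerShell command lines are rarely legitimate on workstations.
        elseif ($p.Name -eq 'powershell.exe' -and
                $p.CommandLine -match '(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}') {
            $reason = 'encoded PowerShell command line'
        }
        # Core system binaries should only run from the Windows system directories.
        elseif (($p.Name -in $systemBins) -and $p.ExecutablePath -and
                $p.ExecutablePath -notmatch '^C:\\Windows\\(System32|SysWOW64)\\') {
            $reason = "system binary running from $($p.ExecutablePath)"
        }

        if ($reason) {
            [pscustomobject]@{
                Host        = $grp.Name
                Pid         = $p.ProcessId
                Name        = $p.Name
                Parent      = $parentName
                Reason      = $reason
                CommandLine = $p.CommandLine
            }
        }
    }
}

$findings | Sort-Object Host, Pid | Format-Table -AutoSize
Remove-CimSession -CimSession $sessions
```

The checks are deliberately coarse: a real assessment would baseline parent/child pairs across the fleet and treat rare combinations as the signal, and would collect the same data through Sysmon or event forwarding so that short-lived processes are not missed between snapshots.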

Private Onsite Training

If a public offering of the training classes does not fit your schedule, our team of experts is available to provide private training to your organization. This is by far the best way for your team to get one-on-one access to the instructors and solidify the material. We provide all training material, as well as laptops and classroom locations if needed.
