
Adversary Tactics: Tradecraft Analysis


introduction to tradecraft analysis

Adversarial Training & Detection Analytics

Your organization has just deployed the leading threat detection and response products. Are they still running their default configurations? How much faith should you place in your ability to detect a sophisticated attack? How would you simulate those attacks to confirm that robust detections are in place? Adversary Tactics: Tradecraft Analysis teaches why it matters to understand the inner workings of adversary techniques and the telemetry available for each, and provides a workflow for developing robust detection analytics or making data-driven evasion decisions. Focusing on Windows components and adversary tactics, techniques, and procedures (TTPs), you will dive deep into how software abstracts underlying capabilities, and how attackers can interact with those deeper layers directly to bypass detections built only on the superficial ones.

training course summary

Tradecraft Analysis

In Adversary Tactics: Tradecraft Analysis, we present and apply a general analytical methodology for offensive TTPs, focused on Windows components. We discuss Windows attack techniques and learn to deconstruct how they work under the hood. For each technique, we identify the layers of telemetry sources it touches and learn to recognize potential detection choke points. Finally, the course culminates with participants creating their own evasion and detection strategy for an adversary technique. You will be able to use the knowledge gained both to build robust threat detection coverage from your own telemetry and to honestly assess the efficacy of that coverage.

  • Understanding Abstraction
  • Adversarial Attack and Detection Strategies
  • Naive PsExec Overview
  • Tradecraft Analysis Process
  • Capability Identification
  • Capability Deconstruction
  • IPC Mechanisms
  • Understanding Telemetry
  • Securable Objects
  • Identifying Choke Points
  • Telemetry Source Identification
  • How EDR Tools Work
  • Organic Logging
  • SACLs
  • Function Hooking
  • Kernel Callback Functions
  • ETW
  • Operationalizing Detection and Evasion Concepts
  • Operationalizing Telemetry
  • Understanding Attacker Controlled Fields
  • Operationalizing Detection Research
  • Operationalizing Evasion Research
  • Understanding the Triage, Investigation, and Remediation Process
  • Evading the Response Process
  • Documentation and Evaluation Metrics
  • Threat Detection Documentation
  • Evasion Documentation
  • Adversary Training Capstone
  • Defensive Capstone
  • Offensive Capstone

Overview: Tradecraft Analysis

Organizations often make the mistake of trusting default configurations in threat detection and response products to provide robust protection from even the most sophisticated cyber attacks. Knowledgeable detection engineers and red team operators know that while there are many effective products, all of them have gaps that can be exploited by a sophisticated adversary.

A mature security program must continuously test and enhance product detection configurations to have an effective response capability. By the end of this adversary training course, you will have a comprehensive understanding of several attack chains and will be equipped with an approach to analyzing offensive tooling and evasions, as well as a strategy for how to craft robust detections and better detect families of cyber attacks.

Training Participants


Who Should Take This Training Course

The Tradecraft Analysis course is intended for expert blue teamers, detection engineers, and red team operators. Participants should be familiar with detection engineering and/or red team operations, and be generally comfortable with Windows internals, adversary technique analysis, and offensive security tools and techniques.


Private Training

If a public offering of the training classes does not fit your schedule, our team of experts is available to deliver a private training offering to your organization. This is by far the best way for your team to get one-on-one access to the instructors and solidify the material. We provide all training material, as well as laptops and classroom locations if needed.