See the Forest and the Trees
Your organization has just implemented the leading detection and response products. Are they running with their default configuration? How much faith should you have in your ability to detect sophisticated attacks? How would you simulate attacks to ensure robust detections are in place? Adversary Tactics: Tradecraft Analysis teaches the importance of understanding the inner workings of attack techniques and telemetry availability, and provides a workflow for developing robust detection analytics or data-driven evasion decisions. Focusing on various Windows components and attacker tactics, techniques, and procedures (TTPs), you will dive deep into how software abstracts underlying capabilities and how attackers can interact with deeper layers to bypass superficial detection capabilities.
In Adversary Tactics: Tradecraft Analysis, we present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We discuss Windows attack techniques and learn to deconstruct how they work under the hood. For various techniques, we identify the layers of telemetry sources and learn to understand potential detection choke points. Finally, the course culminates with participants creating their own technique evasion and detection strategy. You will be able to use the knowledge gained both to create robust detection coverage across your organization from your telemetry and to truly assess the efficacy of that coverage.
- Understanding Abstraction
- Attack and Detection Strategies
- Naive PSExec Overview
- Tradecraft Analysis Process
- Capability Identification
- Capability Deconstruction
- IPC Mechanisms
- Understanding Telemetry
- Securable Objects
- Identifying Choke Points
- Telemetry Source Identification
- How EDR Tools Work
- Organic Logging
- Function Hooking
- Kernel Callback Functions
- Operationalizing Detection and Evasion Concepts
- Operationalizing Telemetry
- Understanding Attacker Controlled Fields
- Operationalizing Detection Research
- Operationalizing Evasion Research
- Understanding the Triage, Investigation, and Remediation Process
- Evading the Response Process
- Documentation and Evaluation Metrics
- Detection Documentation
- Evasion Documentation
- Defensive Capstone
- Offensive Capstone
Organizations often make the mistake of trusting default configurations in detection and response products to provide robust protection from even the most sophisticated attacks. Knowledgeable detection engineers and red team operators know that while there are many effective products, all of them have gaps that can be exploited by a sophisticated adversary.
A mature security program must continuously test and enhance product detection configurations to have an effective response capability. By the end of this course, you will have a comprehensive understanding of several attack chains and will be equipped with an approach to analyzing offensive tooling and evasions, as well as a strategy for how to craft robust detections and better detect families of attacks.
Who Should Take This Course
This course is intended for expert blue teamers, detection engineers, and red team operators. Participants should be familiar with detection engineering and/or red team operations, and be generally comfortable with Windows internals, attack technique analysis, and offensive tools and techniques.
Participants must provide their own computer with a modern web browser installed to access training materials and complete the course’s labs. The SpecterOps training platform URL (https://specterops.training) must be accessible from the participant’s computer throughout the duration of the course.
What Participants Should Bring
Participants will need a laptop with a modern web browser. All labs are completed through a training portal that contains a range with simulated enterprise networks under attack and defensive workstations from which participants will operate.
There are no local virtual machines or special software required to fully participate in the course or labs.
During the course, participants will be provided access to a comprehensive range to perform course labs and goals.
Upon completion of the course, participants are provided with a copy of course slides and a certificate of completion.
See What Else We Have to Offer
If a public offering of the training classes does not fit your busy schedule, our team of experts is available to provide a private training offering to your organization. This is by far the best way for your team to get one-on-one access to the instructors and solidify the material. We provide all training material as well as laptops and classroom locations if needed.