training courses

Adversary Tactics: Tradecraft Analysis


See the Forest and the Trees

Your organization has just implemented the leading detection and response products. Are they running with their default configuration? How much faith should you have in your ability to detect sophisticated attacks? How would you simulate attacks to ensure robust detections are in place? Adversary Tactics: Tradecraft Analysis teaches the importance of understanding the inner workings of attack techniques and telemetry availability, and provides a workflow for developing robust detection analytics or data-driven evasion decisions. Focusing on various Windows components and attacker tactics, techniques, and procedures (TTPs), you will dive deep into how software abstracts underlying capabilities and how attackers can interact with deeper layers to bypass superficial detection capabilities.

course summary

Tradecraft Analysis

In Adversary Tactics: Tradecraft Analysis, we present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We discuss Windows attack techniques and learn to deconstruct how they work under the hood. For various techniques, we identify the layers of telemetry sources and learn to understand potential detection choke points. Finally, the course culminates with participants creating their own technique evasion and detection strategy. You will be able to use the knowledge gained both to build robust detection coverage across your organization from your telemetry and to truly assess the efficacy of that coverage.

  • Understanding Abstraction
  • Attack and Detection Strategies
  • Naive PSExec Overview
  • Tradecraft Analysis Process
  • Capability Identification
  • Capability Deconstruction
  • IPC Mechanisms
  • Understanding Telemetry
  • Securable Objects
  • Identifying Choke Points
  • Telemetry Source Identification
  • How EDR Tools Work
  • Organic Logging
  • SACLs
  • Function Hooking
  • Kernel Callback Functions
  • ETW
  • Operationalizing Detection and Evasion Concepts
  • Operationalizing Telemetry
  • Understanding Attacker Controlled Fields
  • Operationalizing Detection Research
  • Operationalizing Evasion Research
  • Understanding the Triage, Investigation, and Remediation Process
  • Evading the Response Process
  • Documentation and Evaluation Metrics
  • Detection Documentation
  • Evasion Documentation
  • Capstone
  • Defensive Capstone
  • Offensive Capstone


Organizations often make the mistake of trusting default configurations in detection and response products to provide robust protection from even the most sophisticated attacks. Knowledgeable detection engineers and red team operators know that while there are many effective products, all of them have gaps that can be exploited by a sophisticated adversary.

A mature security program must continuously test and enhance product detection configurations to have an effective response capability. By the end of this course, you will have a comprehensive understanding of several attack chains and will be equipped with an approach to analyzing offensive tooling and evasions, as well as a strategy for how to craft robust detections and better detect families of attacks.

Training Participants


Who Should Take This Course

This course is intended for expert blue teamers, detection engineers, and red team operators. Participants should be familiar with detection engineering and/or red team operations, and be generally comfortable with Windows internals, attack technique analysis, and offensive tools and techniques.

