Defending Enterprises for Threat Hunters

• A firm familiarity of Windows and Linux command line syntax
• Understanding of networking concepts
• Suited to system/network administrators, response analysts, penetration testers and anyone working in a technical IT role
• You will need a laptop with local administrator/root access

Over the 2 days well cover the following topics:

• MITRE ATT&CK framework primer
• Defensive OSINT
• Linux auditing and logging overview
• Windows events, logging and configuring Sysmon
• Configuring ELK, Splunk and data forwarders
• Filters, regex and visualisations
• Configuring monitoring and alerting
• Identifying IOC’s and IOA’s
• Detecting phishing attacks (Office macros, HTA’s and suspicious links)
• Detecting credential exploitation (Kerberoasting, PtH, PtP, DCSync)
• Detecting lateral movement (WinRM, WMI, SMB, DCOM, MSSQL)
• Detecting data exfiltration (HTTP/S, DNS, ICMP)
• Detecting persistence (userland methods, WMI Event Subscriptions)
• Identifying C2 communications

Day 1

Module 1: Defensive OSINT

Data scraping techniques, using certificate transparency logs and Shodan to identify company infrastructure exposure and utilising publicly disclosed data breaches

Module 2: Linux auditing, events and logging

• Filebeat (Elastic)
• Auditd and Auditbeat (Elastic)
• Using default tools and utilities to query event data

Module 3: Windows auditing, events and logging

• Enforcing event logging via Group Policy (GPO)
• Common and useful event logs
• Deploying Sysmon
• Windows Event Forwarding (WEF)

Module 4: Sigma rules

• Rule creation and structure
• SIEM Integration

Module 5: Overview of and configuring Elastic/Logstash, Splunk and data forwarders

• Splunk forwarders
• Using Logstash (Elastic) and Grok for data processing
• Forwarding data from Logstash to Elastic and Microsoft Azure Sentinel

Module 5: Configuring alerting and monitoring

• Event ID triggers
• Multiple criteria triggers (also continues within next section)

Module 6: Using filters, RegEx and visualisations

• Viewing and querying for events in Kibana
• Viewing and querying for events in Microsoft Azure Sentinel
• Creating visualisations for activity mapping
• Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC)
• From this stage onwards the trainers will be performing live attacks within the lab using popular C2 tooling and other open source code and toolsets
• Detecting Initial Access
• Access

Module 7: Detecting Phishing attacks

• Office macros
• HTA’s
• Suspicious links

Module 8: Detecting Phishing attacks (targeting one or more of the above techniques)

• Detecting malicious links
• Detecting suspicious network activity
• Detecting living off the land (LOLBAS) abuse

Module 9: Detecting Credential Exploitation

Part 1: Kerberoasting

• Identifying Kerberoasting attacks

Part 2: Pass-the-Hash (PtH)

• Identifying PtH attacks

Part 3: Pass-the-Ticket (PtT)

• Identifying PtT attacks

Day 2

Duration

Part 4: DCSync Theory

• Identifying DCSync attacks

Module 10: Detecting Lateral Movement

Part 1: WinRM / PowerShell Remoting / SSH

• Ports and processes
• Common attacker tooling and executing commands on remote systems
• Event IDs and useful IOC’s to detect lateral movement via WinRM
• Identifying WinRM abuse

Part 2: WMI

• Ports and processes
• Common attacker tooling and executing commands on remote systems
• Event IDs and useful IOC’s to detect lateral movement via WMI
• *Further content within the persistence modules

Part 3: SMB

• SMB versions, weaknesses and signing
• Common attacker tooling and executing commands on remote systems
• Event IDs and useful IOC’s to detect lateral movement via SMB

Module 11: Identifying SMB abuse Practical

Part 4: DCOM

• Overview of DCOM and its place in a modern attack chain
• Event IDs and useful IOC’s to detect lateral movement via DCOM

Part 5: MSSQL

• Using MSSQL servers for lateral movement (linked servers, trustworthy DBs)
• Common attacker tooling and executing commands on remote systems
• Event IDs and useful IOC’s to detect lateral movement via MSSQL

Module 12: Identifying MSSQL abuse Practical

Module 13: Detecting Data Exfiltration

Part 1: HTTP/S Communications

• Overview of Domain Fronting
• SNI, ESNI overview
• C2 tooling and traffic detection

Part 2: DNS Communications

• DNSSEC, DoT and DoH
• Data exfiltration over DNS channels
• OOB shells over DNS (dnscat2 / iodine)
• C2 tooling and traffic detection

Part 3: ICMP communications

• ICMP types
• OOB Shells over ICMP (icmpsh)
• C2 tooling and traffic detection

Module 14: Identifying OOB channels, shells and data exfiltration

Detecting Persistence Activities

Part 1: Identifying common persistence activities, including:

• Scheduled tasks
• Windows Registry
• Living off the Land and other techniques

Module 15: Identifying common persistence TTP’s Practical

Part 2: Identifying the presence of Permanent WMI Event Subscriptions and associated activities

• Overview of configuring Event Subscriptions in PowerShell and by using MOF files
• Interesting consumer classes (ActiveScriptEventConsumer and
• CommandLineEventConsumer)

Module 16: Identifying Permanent WMI Event Subscriptions Practical

• Course wrap-up and extended lab time information

* Students will use a combination of ELK and Microsoft Azure Sentinel platforms to perform practical exercises.

In each instance, filters and/or expressions will be supplied for both platforms (where applicable), so students

are able to experiment as they so wish within the supplied exercise and extended after training lab time.