Applied Purple Teaming w/ Kent Ickler & Jordan Drysdale 4 Sessions – 4 Hour Classes
Instructors: Kent Ickler & Jordan Drysdale
- Four days of fast-paced interactive learning
- Continuous security hardening framework (Applied Purple Teaming)
- Discussion of Design and implementation network optics and logging
- A Review of Enterprise OSINT Awareness
- Active Directory Best Practices for Securing your Environment
- Interactive Exercises (Labs)
- Plan, Attack, Defend, Hunt, Document Lifecycle-Driven Methodology
- Live-fire attack tactics such as SMB/NTLM Relay, Command and Control, and BloodHound!
- Live hunt-detection methodology using Logstash, Elasticsearch, and Kibana!
- Implementation of continuous security improvement by leveraging MITRE ATT&CK
- Integration of the Atomic Red Team framework in Purple Teaming exercises
You’ve heard this story before. Bad actor walks into a network and pillages the place in swift action. CIO asks: “Where did we go wrong?” SysAdmin replies “our password, remote access, workstation restriction, and lack of application whitelisting policies. Oh, and our SIEM didn’t notify us. We just weren’t ready for that attack.”
Applied Purple Teaming (APT) will first introduce students to threat optics on Windows systems. This course will provide instruction for configuring and installing Sysmon to gather endpoint logs. Students will also be introduced to Windows Audit Policies and will get to deploy a high visibility audit policy stack. Windows Event Collection and Forwarding will be implemented to demonstrate the free Windows logging stack built in and licensed under the existing agreement you have with Microsoft. The event collector will finally be configured to ship logs to the Hunting ELK (HELK) where students will get to review threat optics using Kibana. The majority of the class will be iterating through the TTPs of a standard pentest to demonstrate effective logging and detections against some attacks that are challenging to detect. The Atomic Purple Team lifecycle will be used to attack, hunt and detect, and defend against all of the attacks! Come join us for another round of APT with updated materials and to have a great time in the Wild West!
Students will have an opportunity to attack their own in-class Active Directory environment with Red Team tactics, implement Blue Team defensery, and manage an environment designed to prevent, slow, identify, and highlight attacks. Additionally, the course will guide students through configuring no-nonsense attack identification and alerting that is essential to an effective SOC operation.
In a live environment, students will have the opportunity to demonstrate a secured enterprise by utilizing the MITRE ATT&CK Framework, Red Team tactics and Blue Team defenses to identify, slow, and stop attacks.
Implement better security and tell your CIO how everything went right!
- Build a continuously improving IT security lifecycle of responsible network administration
- Understand and implement “Best Practice” Security configurations for Windows and Active Directory.
- Utilize Modern red team and hacker tactics to audit security posture.
- Kill the LLMNR, NTLM, and SMB Relay attack sequence.
- Understand current frameworks in use by attackers, script kiddies, and nation-state actors.
- Understand business impact and residual risk in balancing security.
- Ability to demonstrate command and control infrastructures and relative defense mechanisms.
WHO SHOULD TAKE THIS COURSE
- IT System Administrators
- IT Security Management and Leadership
- Helpdesk Technicians and Analysts
- Network Engineers
- Defenders and BlueTeamers
- General security practitioners
- Penetration testers
- Network / Domain Architects
AUDIENCE SKILL LEVEL
WHAT A STUDENT SHOULD BRING
- Remote Desktop Protocol (RDP) Client
WHAT STUDENTS WILL BE PROVIDED WITH
- Digital Copy of Book
- Best Practice guides, cheat sheets, and syntax cards
- 6 Months free access to Cyber Range
Applied Purple Team Course Overview
Applied Purple Team Lifecycle (APTLC) Overview
APT Lab Overview
Windows Threat Optics
- Lab: Sysmon
- Lab: Audit Policies
- Lab: Windows Event Collection / Windows Event Forwarding
- Lab: Log Shipping
Windows Security Best Practices
Active Directory Enumeration – PowerShell Hack Tools
- Lab: PowerShell Execution
- Lab: Hunt / Defend PowerShell
- APT Lifecycle Report: AD Enumeration via PowerShell Hack Tools
Attack Team C2 Infrastructure – SILENTTRINITY
- Lab: Establish Command and Control
- Lab: Hunt / Defend C2
- APT Lifecycle Report: Command and Control with SILENTTRINITY
Credential Abuse: Domain Password Spray
- Lab: Domain Password Spray
- Lab: Hunt / Defend Domain Password Spray
- APT Lifecycle Report: Credential Abuse
Privilege Escalation: Pass the Hash (NTLMRelayx / CrackMapExec)
- Lab: Poisoning Shares with LNK Files and Hash Attacks (SMB Relay)
- Lab: Hunt / Defend Pass the Hash
- APT Lifecycle Report: Lateral Movement via SMB Relay
NTDS Enumeration: Cracking Hashes
- Lab: NTDS Enumeration and Password Cracking
- APT Lifecycle Report: NTDS Enum and Password Cracking
Kerberoasting: Kerberoast Detection
- Lab: Preemptive Detection of Kerberoast
- APT Lifecycle Report: Kerberoasting
Adversary Emulation with Atomic Red Team
- Lab: Mimikatz, SquibblyDoo
- Lab: Choose Your Own Hunting Adventure
TRAINER & AUTHOR
Kent started his Information Technology career working for an Internet Service Provider supporting the MidWest’s broadband initiatives of the early 2000s. His interest in technology and business operations drove his career into working for multiple Fortune 500 companies and equipping their organizational leadership with business analytical data that would support their technology initiatives. With his continued interest in Business Operations, Kent completed his postgraduate education in Business Management. With an understanding of Information Technology, System Administration, Accounting, and Business Law, Kent has helped businesses leverage technology for competitive advantage while balancing the risks associated with today’s dynamic network environments. Kent has been with Black Hills Information Security for three years in security and administration roles.
Join the Wild West Hackin’ Fest Discord server to stay updated on future training and webcasts: Join Our Server!