Catch me if you can – Seeing the Red through the Blue Workshop

Instructors: Will Hunt and Owen Shearing

Workshop Duration: 120 minutes

This workshop will help improve both red and blue skillsets through a series of hacks, where you as an
attendee will have to identify malicious activities on a series of targets.

The trainer (Red Team) will perform a series of attacks on the hosts within the LAB, running
commands, tools and utilising techniques used in the field. You (the Blue Team) will then need to use
the in-LAB ELK stack to identify the malicious activities and raise the alarm! This will upskill both
attackers, in understanding the various attack flows that could compromise their cover, and defenders,
in understanding how to detect them.

“The best defence is a good offence” applies as much in cyber as it does in sport. Understanding the
attack flow is important in consolidating knowledge, so you’ll get to see every attack the trainer
carries out before you’re set off to hunt down the evidence. This heightened mindset will then up
your game in the field to better detect the traces, logs and data that can give an attacker away.

This is what you can expect in the intensive 120-minute workshop:

Lab and Scenario Intro

• Connectivity and network overview
• Auditing Windows, Linux and network devices
• Intro to the ELK stack, Sysmon, logging, alerting and monitoring

• Port/vulnerability scans
• Brute-force attacks

• Identify targeted and compromised user accounts

• Sending emails with malicious content
• Landing a shell!

• Catching a Phish!

• Credential theft
• Lateral movement and pivoting within the enterprise

• Identifying credential-based attacks
• Identifying compromised hosts

• Using Out of Band (OOB) channels
• Data exfiltration

• Identifying suspicious connections

Who Should Attend:
This workshop is suited to a variety of students, including:

• Blue/Red team members
• SOC analysts
• Penetration testers
• Security professionals
• IT Support, administrative and network personnel

Technical / Hardware / Software Requirements:

• Students will need a laptop with a web browser installed


Will Hunt
Will (@Stealthsploit) is a cyber security consultant who has worked in IT security for over 10 years. He co-founded Limited, a specialist cyber security company delivering high-end consultancy and training services. He’s delivered hacking courses at Black Hat USA/EU, Wild West Hackin’ Fest, NolaCon, 44CON and others, and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

Owen Shearing
Owen (@rebootuser) is a co-founder of Limited, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure and has over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events and various conferences. He keeps projects at