Applied Purple Teaming w/ Kent Ickler and Jordan Drysdale – (16 Hours)

Applied Purple Teaming w/ Kent Ickler & Jordan Drysdale: 4 Sessions, 4-Hour Classes

Instructors: Kent Ickler & Jordan Drysdale

Includes:

  • Four days of fast-paced interactive learning
  • Continuous security hardening framework (Applied Purple Teaming)
  • Discussion of the design and implementation of network optics and logging
  • A Review of Enterprise OSINT Awareness
  • Active Directory Best Practices for Securing your Environment
  • Interactive Exercises (Labs)
    • Plan, Attack, Defend, Hunt, Document Lifecycle-Driven Methodology
    • Live-fire attack tactics such as SMB/NTLM Relay, Command and Control, and BloodHound!
    • Live hunt/detection methodology using Logstash, Elasticsearch, and Kibana!
    • Implementation of continuous security improvement by leveraging MITRE ATT&CK
    • Integration of the Atomic Red Team framework in Purple Teaming exercises

You’ve heard this story before. A bad actor walks into a network and pillages the place in short order. The CIO asks: “Where did we go wrong?” The SysAdmin replies: “Our password policy, remote access policy, workstation restrictions, and lack of application whitelisting. Oh, and our SIEM didn’t notify us. We just weren’t ready for that attack.”

Applied Purple Teaming (APT) first introduces students to threat optics on Windows systems. The course covers configuring and installing Sysmon to gather endpoint logs, introduces Windows audit policies, and has students deploy a high-visibility audit policy stack. Windows Event Collection and Forwarding is then implemented to demonstrate the logging stack that is built into Windows and already covered by your existing Microsoft licensing. Finally, the event collector is configured to ship logs to the Hunting ELK (HELK), where students review threat optics in Kibana. The majority of the class iterates through the TTPs of a standard pentest to demonstrate effective logging and detections, including for attacks that are challenging to detect. The Atomic Purple Team lifecycle is used to attack, hunt and detect, and defend against every one of these attacks! Come join us for another round of APT with updated materials, and have a great time in the Wild West!
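As an added illustration of the single-host threat optics baseline described above (example code added to this listing, not course material and not Defensive Origins' or BHIS's tooling), the following PowerShell script enables a high-visibility advanced audit policy with the built-in auditpol.exe, turns on process command-line and PowerShell script block logging, and installs or updates Sysmon from a configuration file. The Sysmon binary and config paths, and the chosen subcategory list, are assumptions for the example, not the course's own policy stack; Windows Event Forwarding and shipping to HELK are collector-side configuration and are not shown here.

```powershell
# Added example (not course material): baseline Windows threat optics on one host.
# Assumes Sysmon64.exe and a Sysmon config XML were already downloaded to C:\Tools
# (hypothetical paths; e.g. a SwiftOnSecurity-style config).
#Requires -RunAsAdministrator

$SysmonExe    = 'C:\Tools\Sysmon64.exe'        # assumption: Sysinternals binary
$SysmonConfig = 'C:\Tools\sysmonconfig.xml'    # assumption: your config file

# 1. Advanced audit policy: subcategories that feed common hunts.
#    auditpol.exe is built into Windows; names are the English display names.
$subcategories = @(
    'Process Creation',                    # 4688 (command line enabled in step 2)
    'Logon',                               # 4624 / 4625
    'Special Logon',                       # 4672 (privileged logons)
    'Kerberos Service Ticket Operations',  # 4769 (Kerberoast hunting)
    'Credential Validation',               # 4776 (NTLM auth, password spray hunting)
    'Security Group Management',           # 4728 / 4732 / 4756
    'User Account Management',             # 4720 / 4726
    'Other Object Access Events',          # 4698 scheduled task creation
    'Audit Policy Change'                  # 4719 (tampering with this policy)
)
foreach ($s in $subcategories) {
    & auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 2. Include the full command line in 4688 events (off by default).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. PowerShell script block logging (event 4104): obfuscated tooling is logged
#    after the engine deobfuscates it.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 4. Sysmon: fresh install with config, or config update if the service exists.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $SysmonConfig
} else {
    & $SysmonExe -accepteula -i $SysmonConfig
}

# 5. Verify the result rather than trusting the commands succeeded.
& auditpol.exe /get /category:* |
    Select-String -Pattern 'Process Creation|Kerberos Service Ticket|Credential Validation'
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' |
    Select-Object LogName, RecordCount
```

Settings written locally with auditpol.exe are overwritten at the next Group Policy refresh if a GPO defines Advanced Audit Policy Configuration for the host, so in a domain the same subcategories belong in the GPO; the script is useful for a lab host or for confirming what a GPO actually produced. Step 2 only has an effect once 'Process Creation' auditing is on.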

Students will have the opportunity to attack their own in-class Active Directory environment with Red Team tactics, implement Blue Team defenses, and manage an environment designed to prevent, slow, identify, and highlight attacks. Additionally, the course guides students through configuring no-nonsense attack identification and alerting, which is essential to an effective SOC operation.

In a live environment, students will have the opportunity to demonstrate a secured enterprise by utilizing the MITRE ATT&CK Framework, Red Team tactics and Blue Team defenses to identify, slow, and stop attacks.

Implement better security and tell your CIO how everything went right!


KEY TAKEAWAYS

  • Build a continuously improving IT security lifecycle of responsible network administration
  • Understand and implement “Best Practice” security configurations for Windows and Active Directory
  • Utilize modern red team and hacker tactics to audit security posture
  • Kill the LLMNR poisoning, NTLM capture, and SMB relay attack chain
  • Understand current frameworks in use by attackers, script kiddies, and nation-state actors
  • Understand business impact and residual risk in balancing security
  • Demonstrate command and control infrastructures and the corresponding defense mechanisms
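As an added example of what killing the LLMNR, NTLM, and SMB relay chain looks like on a single Windows host (example code added to this listing, not course material), the following PowerShell script audits the three local settings the chain depends on, and with -Fix remediates them: LLMNR, NetBIOS name service on each interface, and SMB signing on both the server and client side. The registry values are the ones the corresponding Group Policy settings write (“Turn off multicast name resolution” and the NetBIOS-over-TCP/IP interface setting); in a domain you would deploy them by GPO rather than per host.

```powershell
# Added example (not course material): audit and harden one host against the
# LLMNR / NBT-NS poisoning -> NTLM capture -> SMB relay chain.
# Run without -Fix to audit only; run with -Fix to apply the changes.
#Requires -RunAsAdministrator
param([switch]$Fix)

$findings = @()

# 1. LLMNR: EnableMulticast = 0 under the DNSClient policy key disables it.
#    Get-ItemProperty returns $null if the key/value is absent, which we treat as "enabled".
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings += 'LLMNR enabled (EnableMulticast is not 0)'
    if ($Fix) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord
    }
}

# 2. NetBIOS over TCP/IP, per interface: NetbiosOptions 0 = from DHCP, 1 = enabled, 2 = disabled.
$nicKeys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($nic in $nicKeys) {
    $opt = (Get-ItemProperty -Path $nic.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        $findings += "NetBIOS name service not disabled on $($nic.PSChildName)"
        if ($Fix) { Set-ItemProperty -Path $nic.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord }
    }
}

# 3. SMB signing. A relayed NTLM session cannot produce a valid signature, so
#    requiring signing on the server side removes this host as a relay target;
#    requiring it on the client side stops this host's users being relayed to
#    unsigned servers via a poisoned name lookup.
$srv = Get-SmbServerConfiguration
if (-not $srv.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing (relay target)'
    if ($Fix) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
$cli = Get-SmbClientConfiguration
if (-not $cli.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing'
    if ($Fix) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 4. Report. Re-run without -Fix afterwards to confirm the host is clean.
if ($findings.Count -eq 0) {
    'No LLMNR / NBT-NS / SMB relay exposure found on this host.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Disabling NetBIOS name service can break legacy applications that still resolve names that way, so audit first and fix in a change window; the SMB signing change applies to new sessions only. This script covers the three controls the course names and nothing else: WPAD abuse, LDAP relay, and the poisoned-share LNK tactic from the outline need their own checks.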

WHO SHOULD TAKE THIS COURSE

People interested in learning red team techniques in order to drive home the risks of failing to implement improved password policies. Anyone interested in understanding and executing an LLMNR poisoning and NTLM relay attack against open SMB services on a network should join us. Any analyst, sysadmin, or network architect looking to build a security team focused on continual improvement should take this course.
  • IT System Administrators
  • IT Security Management and Leadership
  • Helpdesk Technicians and Analysts
  • Network Engineers
  • Defenders and BlueTeamers
  • General security practitioners
  • Penetration testers
  • Network / Domain Architects

AUDIENCE SKILL LEVEL

Students should have basic Windows / Linux / Mac operating knowledge. An ideal candidate is in a position to make lasting changes in a Windows Domain environment. A motivated student will be ready to deploy command and control infrastructure, infect Windows systems, escalate their privileges, and learn the defensive strategies that kill these attack chains.

STUDENT REQUIREMENTS

Exposure to Active Directory.

WHAT A STUDENT SHOULD BRING

  • Laptop
  • Remote Desktop Protocol (RDP) Client

WHAT STUDENTS WILL BE PROVIDED WITH

  • Digital Copy of Book
  • Best Practice guides, cheat sheets, and syntax cards
  • 6 Months free access to Cyber Range

COURSE OUTLINE

Applied Purple Team Course Overview
Applied Purple Team Lifecycle (APTLC) Overview
APTLC Ingests
APT Lab Overview
Windows Threat Optics

  • Lab: Sysmon
  • Lab: Audit Policies
  • Lab: Windows Event Collection / Windows Event Forwarding
  • Lab: Log Shipping

Enterprise Recon
Windows Security Best Practices
Active Directory Enumeration – PowerShell Hack Tools

  • Lab: PowerShell Execution
  • Lab: Hunt / Defend PowerShell
  • APT Lifecycle Report: AD Enumeration via PowerShell Hack Tools

Attack Team C2 Infrastructure – SILENTTRINITY

  • Lab: Establish Command and Control
  • Lab: Hunt / Defend C2
  • APT Lifecycle Report: Command and Control with SILENTTRINITY

Credential Abuse: Domain Password Spray

  • Lab: Domain Password Spray
  • Lab: Hunt / Defend Domain Password Spray
  • APT Lifecycle Report: Credential Abuse

Privilege Escalation: Pass the Hash (NTLMRelayx / CrackMapExec)

  • Lab: Poisoning Shares with LNK Files and Hash Attacks (SMB Relay)
  • Lab: Hunt / Defend Pass the Hash
  • APT Lifecycle Report: Lateral Movement via SMB Relay

NTDS Enumeration: Cracking Hashes

  • Lab: NTDS Enumeration and Password Cracking
  • APT Lifecycle Report: NTDS Enum and Password Cracking

Kerberoasting: Kerberoast Detection

  • Lab: Preemptive Detection of Kerberoast
  • APT Lifecycle Report: Kerberoasting

Adversary Emulation with Atomic Red Team

  • Lab: Mimikatz, Squiblydoo
  • Lab: Choose Your Own Hunting Adventure

Course Wrap-up


TRAINER & AUTHOR

Jordan Drysdale
Jordan was around for the inception of Napster and the explosion of P2P networks. This drove his fascination with network systems and led him toward a career in IT. Jordan’s first gig in the industry included supporting Latin American networking customers for Hewlett Packard’s network support division. After five years of support, engineering, training, and stress, Jordan became a wireless escalations team lead and multi-vendor certified problem solver. With kids in tow, Jordan headed back toward the Dakotas to be nearer extended family and friends where he learned Citrix, VMware, VDI, supported Cisco gear, implemented profile management solutions, deployed remote networks at scale, and ensured performance across infrastructure. Before becoming a penetration tester, Jordan supported multiple (50+) domains as part of an MSSP’s rock star team. Solutions utilized included HP Networking, FortiGate/FortiManager/FortiWeb/FortiAnalyzer et al., Cisco ASA, HP DL/GL/ML, Dell, VMware, NetApp, and the list goes on. For the last five years, Jordan has been a penetration tester with the Black Hills InfoSec team.


Kent Ickler
Kent started his Information Technology career working for an Internet Service Provider supporting the Midwest’s broadband initiatives of the early 2000s. His interest in technology and business operations drove his career into working for multiple Fortune 500 companies, equipping their organizational leadership with business analytical data that would support their technology initiatives. With his continued interest in business operations, Kent completed his postgraduate education in Business Management. With an understanding of Information Technology, System Administration, Accounting, and Business Law, Kent has helped businesses leverage technology for competitive advantage while balancing the risks associated with today’s dynamic network environments. Kent has been with Black Hills Information Security for three years in security and administration roles.


In addition to their Security Analyst roles at Black Hills Information Security, Jordan and Kent are Co-Founders of Defensive Origins, a cyber-security research, training, and consulting institution designed to help Information Security professionals, Systems Administrators, and Organizational Leadership develop, operate, and maintain efficient, secure network operations. Both Jordan and Kent have presented at multiple conferences, webcasts, and television programs, and have written blog posts discussing Network Security, Internet Privacy, and the importance of balancing Information Security business risk in today’s organizations.

Course Schedule

Tue, Feb 2, 2021 11:00 AM – 4:00 PM EST

Wed, Feb 3, 2021 12:00 PM – 4:00 PM EST

Thu, Feb 4, 2021 12:00 PM – 4:00 PM EST

Fri, Feb 5, 2021 12:00 PM – 4:00 PM EST

Register here


Join the Wild West Hackin’ Fest Discord server to stay updated on future training and webcasts: Join Our Server!