25,000+ Courses Nationwide
0345 4506120

Defending Enterprises for Threat Hunters

From setup and configuration, to threat hunting, monitoring and alerting, you’ll play a SOC analyst in our lab and try to rapidly locate IOC’s and IOA’s from an enterprise breach executed by the trainers in real time.

Select specific date to see price, venue and full details.

Learning Objectives

Over the 2 days well cover the following topics:

  • MITRE ATT&CK framework primer
  • Defensive OSINT
  • Linux auditing and logging overview
  • Windows events, logging and configuring Sysmon
  • Configuring ELK, Splunk and data forwarders
  • Filters, regex and visualisations
  • Configuring monitoring and alerting
  • Identifying IOC’s and IOA’s
  • Detecting phishing attacks (Office macros, HTA’s and suspicious links)
  • Detecting credential exploitation (Kerberoasting, PtH, PtP, DCSync)
  • Detecting lateral movement (WinRM, WMI, SMB, DCOM, MSSQL)
  • Detecting data exfiltration (HTTP/S, DNS, ICMP)
  • Detecting persistence (userland methods, WMI Event Subscriptions)
  • Identifying C2 communications


  • A firm familiarity of Windows and Linux command line syntax
  • Understanding of networking concepts
  • Suited to system/network administrators, response analysts, penetration testers and anyone working in a technical IT role
  • You will need a laptop with local administrator/root access

Course Content

Day 1

Module 1: Defensive OSINT

Data scraping techniques, using certificate transparency logs and Shodan to identify company infrastructure exposure and utilising publicly disclosed data breaches

Module 2: Linux auditing, events and logging

  • Filebeat (Elastic)
  • Auditd and Auditbeat (Elastic)
  • Using default tools and utilities to query event data

Module 3: Windows auditing, events and logging

  • Enforcing event logging via Group Policy (GPO)
  • Common and useful event logs
  • Deploying Sysmon
  • Windows Event Forwarding (WEF)

Module 4: Sigma rules

  • Rule creation and structure
  • SIEM Integration

Module 5: Overview of and configuring Elastic/Logstash, Splunk and data forwarders

  • Splunk forwarders
  • Using Logstash (Elastic) and Grok for data processing
  • Forwarding data from Logstash to Elastic and Microsoft Azure Sentinel

Module 5: Configuring alerting and monitoring

  • Event ID triggers
  • Multiple criteria triggers (also continues within next section)

Module 6: Using filters, RegEx and visualisations

  • Viewing and querying for events in Kibana
  • Viewing and querying for events in Microsoft Azure Sentinel
  • Creating visualisations for activity mapping
  • Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC)
  • From this stage onwards the trainers will be performing live attacks within the lab using popular C2 tooling and other open source code and toolsets
  • Detecting Initial Access
  • Access

Module 7: Detecting Phishing attacks

  • Office macros
  • HTA’s
  • Suspicious links

Module 8: Detecting Phishing attacks (targeting one or more of the above techniques)

  • Detecting malicious links
  • Detecting suspicious network activity
  • Detecting living off the land (LOLBAS) abuse

Module 9: Detecting Credential Exploitation

Part 1: Kerberoasting

  • Identifying Kerberoasting attacks

Part 2: Pass-the-Hash (PtH)

  • Identifying PtH attacks

Part 3: Pass-the-Ticket (PtT)

  • Identifying PtT attacks

Day 2


Part 4: DCSync Theory

  • Identifying DCSync attacks

Module 10: Detecting Lateral Movement

Part 1: WinRM / PowerShell Remoting / SSH

  • Ports and processes
  • Common attacker tooling and executing commands on remote systems
  • Event IDs and useful IOC’s to detect lateral movement via WinRM
  • Identifying WinRM abuse

Part 2: WMI

  • Ports and processes
  • Common attacker tooling and executing commands on remote systems
  • Event IDs and useful IOC’s to detect lateral movement via WMI
  • *Further content within the persistence modules

Part 3: SMB

  • SMB versions, weaknesses and signing
  • Common attacker tooling and executing commands on remote systems
  • Event IDs and useful IOC’s to detect lateral movement via SMB

Module 11: Identifying SMB abuse Practical

Part 4: DCOM

  • Overview of DCOM and its place in a modern attack chain
  • Event IDs and useful IOC’s to detect lateral movement via DCOM

Part 5: MSSQL

  • Using MSSQL servers for lateral movement (linked servers, trustworthy DBs)
  • Common attacker tooling and executing commands on remote systems
  • Event IDs and useful IOC’s to detect lateral movement via MSSQL

Module 12: Identifying MSSQL abuse Practical

Module 13: Detecting Data Exfiltration

Part 1: HTTP/S Communications

  • Overview of Domain Fronting
  • SNI, ESNI overview
  • C2 tooling and traffic detection

Part 2: DNS Communications

  • DNSSEC, DoT and DoH
  • Data exfiltration over DNS channels
  • OOB shells over DNS (dnscat2 / iodine)
  • C2 tooling and traffic detection

Part 3: ICMP communications

  • ICMP types
  • OOB Shells over ICMP (icmpsh)
  • C2 tooling and traffic detection

Module 14: Identifying OOB channels, shells and data exfiltration

Detecting Persistence Activities

Part 1: Identifying common persistence activities, including:

  • Scheduled tasks
  • Windows Registry
  • Living off the Land and other techniques

Module 15: Identifying common persistence TTP’s Practical

Part 2: Identifying the presence of Permanent WMI Event Subscriptions and associated activities

  • Overview of configuring Event Subscriptions in PowerShell and by using MOF files
  • Interesting consumer classes (ActiveScriptEventConsumer and
  • CommandLineEventConsumer)

Module 16: Identifying Permanent WMI Event Subscriptions Practical

  • Course wrap-up and extended lab time information

* Students will use a combination of ELK and Microsoft Azure Sentinel platforms to perform practical exercises.

In each instance, filters and/or expressions will be supplied for both platforms (where applicable), so students

are able to experiment as they so wish within the supplied exercise and extended after training lab time.

Related Courses

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the requested service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.


We work with the best