
This course will deep dive into what we call threat optics: auditing endpoints, centralizing logs, and visualizing results.
Course is currently unavailable.
Course Length: 16 Hours
Includes a Certificate of Completion
Description
Assumed Compromise – A Methodology with Detections and Microsoft Sentinel is for you if:
- You need a methodology for assessing networks and domains.
- You want to improve the efficiency of your red and blue teams.
- You have an interest in threat optics.
- You want to implement a methodology for improving business processes around your security culture.
- Your business executives require ROI data to warrant further capital expenditure on threat-optic and threat-hunting initiatives.
- You want to see Azure Sentinel’s threat visualizations in near real-time.
You have interest in modern post-exploitation and pentest-related activities, including:
- Active Directory Certificate Services
- Command and Control
- Credential Attacks
- Impacket’s Heavy Hitters
- Kerberoasting
- Shadow Credentials
- Threat actor TTPs
You have interest in deception techniques and detection engineering, including:
- Honey accounts and service principals
- BloodHound and Kerberoasting detections
- Password spray and credential attack detections
- Certificate request and KeyCredentialLink auditing
- Real-world attacker attribution using services
The Nitty Gritty:
Assumed Compromise: This is an Active Directory post-exploitation course where students can walk through penetration testing methodology with two well-seasoned veterans. The courseware is entirely lab based and most of those labs are based on attacks used as part of an industry proven penetration testing methodology.
Detections: The course provides configuration walkthroughs for Linux syslog and Windows event log data connectors for Microsoft Sentinel. An introduction to Kusto Query Language and Microsoft Sentinel alerts is provided to demonstrate threat detection. Association between attacker techniques, Windows event IDs, and detection logic is provided for most of the courseware’s attack labs.
Defenses: Students are guided through highly effective Active Directory deception techniques. Deception tech is then used throughout the courseware as a baseline for detecting common Active Directory enumeration like ADExplorer, BloodHound, and Impacket’s GetADUsers.py. Alongside the assumed compromise methodology and detection logic is a thorough discussion of security defenses and best practices.
System Requirements
Student Requirements
- Access to an Azure Subscription for this lab environment
- Exposure to Active Directory
FAQ
- A GitHub account to access all course materials, including lab contents.
- Ability to SSH and RDP to your lab IP addresses hosted on Microsoft Azure.
- Prior exposure to Active Directory is nice.
- Prior exposure to the Linux command line and PowerShell is also nice.
- You have an interest in threat optics.
- You want to implement a methodology for improving business processes around your security culture.
- Your business executives require ROI data to warrant further capital expenditure on threat-optic and threat-hunting initiatives.
- You have an interest in modern pentest-related activities, including: Active Directory Certificate Services, Command and Control, Credential Attacks, Kerberoasting, Password Cracking, Shadow Credentials, and much more...
About the Instructors

Alyssa Snow
Bio
Alyssa Snow studied computer science and began her infosec career as an intern automating tooling to scale application security at a software company. Originally, Alyssa aspired to be a developer; however, over time, she learned that she was better at breaking things than making things, and she transitioned to working on an internal red team. Currently, Alyssa is a Security Analyst at BHIS, on the traditional penetration testing and the ANTISOC (Continuous Penetration Testing) teams.

Kaitlyn Wimberley
Bio
Kaitlyn became an official part of BHIS in 2022 after being a long-time Community Leader on the BHIS Discord server. She loves to learn and share her knowledge and is an active participant in the community, having spoken at several security-focused events. She holds an M.S. in Cybersecurity from NYU, with a focus in offensive security. She started working at BHIS as a SOC analyst before becoming an operator on the BHIS ANTISOC team. Her current areas of focus are assumed breach and cloud tests.
Similar Courses
- Workshop: How to Befriend and Bedazzle Online Threat Actors with Tim Pappa (Multiple Instructors, Live)
- Workshop: Rapid Endpoint Investigations with Patterson Cake (Multiple Instructors, Live)
- Workshop: Introduction to IP Network with Chris Brenton (Multiple Instructors, Live)
- Workshop: Intro to Active Directory with Dale Hobbs (Multiple Instructors, Live)