Assumed Compromise: A Methodology with Detections and Microsoft Sentinel

You want to take this course if you need a clear methodology for assessing networks and domains for common attacker TTPs, while also improving the efficiency of your red and blue teams. If you have an interest in threat optics, you can take this course for practical exposure to Azure Sentinel’s detection, alerting, and near real-time threat visualization capabilities. The skills and techniques taught during this course may be used to strengthen your organization’s security culture, providing executives with the ROI data they need to justify further investment in threat-optics and threat-hunting initiatives.

Topics that will be covered:

Assumed Compromise: This is an Active Directory post-exploitation course where students can walk through penetration testing methodology with two experienced security practitioners. The courseware is entirely lab-based and most of those labs include attacks used as part of an industry proven penetration testing methodology.

Detections: The course provides configuration walkthroughs for Linux syslog and Windows event log data connectors for Microsoft Sentinel. An introduction to Kusto Query Language and Microsoft Sentinel alerts is provided to demonstrate threat detection. Association between attacker techniques, Windows event IDs, and detection logic is provided for most of the courseware’s attack labs.

Defenses: Students are guided through highly effective Active Directory deception techniques. Deception tech is then used throughout the courseware as a baseline for detecting common Active Directory enumeration like ADExplorer, BloodHound, and the Impacket toolkit. Alongside the assumed compromise methodology and detection logic is a thorough discussion of security defenses and best practices.

You will gain exposure to:

Modern post-exploitation and pentest-related activities, including:

• Active Directory Certificate Services
• Command and Control
• Credential Attacks
• Impacket’s Heavy Hitters
• Kerberoasting
• Shadow Credentials
• Threat actor TTPs

Deception techniques and detection engineering, including:

• Honey accounts and service principals
• BloodHound and Kerberoasting detections
• Password spray and credential attack detects
• Certificate request and KeyCredentialLink auditing
• Real world attacker attribution using services