{"id":11736,"date":"2023-03-20T08:28:51","date_gmt":"2023-03-20T08:28:51","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/"},"modified":"2023-07-07T07:19:09","modified_gmt":"2023-07-07T07:19:09","slug":"deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt","status":"publish","type":"product","link":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/","title":{"rendered":"Deep Dive Into Threat Hunting & Purple Teaming"},"content":{"rendered":"

ATTEND IN-PERSON<\/span>: Onsite in Phuket<\/strong><\/h4>\n

DATE: 21-24 August 2023<\/strong><\/h4>\n

TIME: 09:00 to 17:00 ICT\/GMT+7<\/strong><\/h4>\n\n\n\n\n\n\n\n
Date<\/strong><\/td>\nDay<\/strong><\/td>\nTime<\/strong><\/td>\nDuration<\/strong><\/td>\n<\/tr>\n
21 Aug<\/td>\nMonday<\/td>\n0900-17:00 ICT\/GMT+7<\/td>\n8 Hours<\/td>\n<\/tr>\n
22 Aug<\/td>\nTuesday<\/td>\n0900-17:00 ICT\/GMT+7<\/td>\n8 Hours<\/td>\n<\/tr>\n
23 Aug<\/td>\nWednesday<\/td>\n0900-17:00 ICT\/GMT+7<\/td>\n8 Hours<\/td>\n<\/tr>\n
24 Aug<\/td>\nThursday<\/td>\n0900-17:00 ICT\/GMT+7<\/td>\n8 Hours<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n
With the rise of APT attacks and targeted ransomware attacks, there\u2019s a huge need for in-depth investigation & threat hunting skills to detect these attacks early on before the cost of the breach gets tripled every day.<\/h5>\n

In this training, you will learn how real APT attacks and targeted attacks work, how to in-depth investigation through collecting key artifacts, performing live forensics, memory forensics, and how to automate this across the whole enterprise in Powershell.<\/p>\n

As well, you will learn how to perform threat hunting based on the MITRE ATT&CK framework and powered by threat intelligence. Not the Attackers’ IoCs but their tactics, techniques and procedures<\/p>\n

 <\/p>\n

Agenda<\/strong><\/h5>\n
DAY 1<\/h5>\n

Intro to APT Attacks & MITRE ATT&CK<\/strong>
\n\u2022 What is an APT Attack?
\n\u2022 review over the kill chain
\n\u2022 MITRE ATT&CK map with techniques and sub techniques
\n\u2022 Examples of real APT Attack
\n\u2022 Red Team Tools & Frameworks (PowerSploit, Powershell EMPIRE, Cobalt Strike, Metasploit, Kali Linux)<\/p>\n

Intro to Incident Response & Threat Hunting<\/strong>
\n\u2022 The Incident Response Lifecycle
\n\u2022 how attacks are being discovered (SOC, 3rd party & threat hunting)
\n\u2022 Security Controls and types of logs in an organization
\n\u2022 What’s Threat hunting & why threat hunting?
\n\u2022 Types of Threat hunting
\n\u2022 The threat hunting process step by step
\n\u2022 Intelligence-based Threat hunting<\/p>\n

Building Your Purple Team Cloud Lab<\/strong>
\n\u2022 Build Your honeypot Domain in the Cloud (AWS & Terraform)
\n\u2022 Intro to Threat Hunting ELK (HELK) for Log Analysis
\n\u2022 Intro to Atomic Red Team For Purple Teaming
\n\u2022 Intro to Caldera For Advanced Red Teaming Activities
\n\u2022 Access The Lab (Hands-on)<\/p>\n

Initial Access & Log Analysis:<\/strong>
\n\u2022 Spearphishing Attacks with malicious attachment
\n\u2022 Spearphishing attacks with links
\n\u2022 Spearphishing attacks using social media
\n\u2022 Credential pharming
\n\u2022 Detecting Spearphishing using EDR Logs
\n\u2022 Advanced execution techniques
\n\u2022 Analyze attacks using sysmon & Splunk (Hands-on)
\n\u2022 Convert your threat hunting hypothesis into an alert
\n\u2022 Write your own SIGMA rules (Hands-on)<\/p>\n

 <\/p>\n

DAY 2:<\/h5>\n

Packet Analysis & Malware Exfiltration:<\/strong>
\n\u2022 Hunting the evil in packets
\n\u2022 Hunting for Malware Exfiltration methods
\n\u2022 Hunting for Downloaders, malicious documents, exploits and others
\n\u2022 Detecting IP Flux, DNS Flux, DNS over HTTPS
\n\u2022 Malicious bits transfer, malware communicating through legitimate websites
\n\u2022 Detecting peer-to-peer communication, Remote COM Objects and suspicious RDP Tunneling
\n\u2022 Hands-on analysis using Wireshark & Microsoft Network Monitor
\n\u2022 Hunting the evil in Zeek logs
\n\u2022 In-Depth Packet Investigation using Zeek logs (Hand-on)<\/p>\n

Malware In-Depth & Malware Functionalities<\/strong>
\n\u2022 Types of Malware
\n\u2022 Malware Functionalities in-depth: Downloaders & Droppers
\n\u2022 Malware Functionalities in-depth: Keyloggers
\n\u2022 Malware Functionalities in-depth: Banking Trojans & Man-In-The-Browser
\n\u2022 Malware Functionalities in-depth: Ransomware
\n\u2022 Basic Static Analysis: Strings
\n\u2022 Basic Static Analysis: APIs
\n\u2022 Basic Static Analysis: Packing & Obfuscation
\n\u2022 Write Your Own Yara Rule<\/p>\n

Maintaining Persistence In-Depth (Advanced Techniques)<\/strong>
\n\u2022 Maintain Persistence in the victim machine
\n\u2022 Advanced Persistence methods
\n\u2022 Disguise the malware inside a legitimate process (Malware-as-a-DLL)
\n\u2022 Persistence through DLL Injection<\/p>\n

DAY 3:<\/h5>\n

In Depth Investigation & Forensics<\/strong>
\n\u2022 Why in-depth investigation?
\n\u2022 Detecting malware persistence: Autoruns registry keys and options
\n\u2022 Detecting malware persistence: Scheduled tasks and jobs
\n\u2022 Detecting malware persistence: BITs jobs
\n\u2022 Detecting malware persistence: Image File Execution Options & File Association
\n\u2022 Detecting Malware & Malicious Documents Execution (Prefetch, MRU, Shims \u2026 etc)
\n\u2022 $MFT structure and cavity searching
\n\u2022 How to perform Forensics Triage With KAPE (Hands-on)<\/p>\n

Malware Defense Evasion Techniques<\/strong>
\n\u2022 Process Injection (DLL & Shellcode Injection)
\n\u2022 Advanced Process Injection (APC Queue Injection)
\n\u2022 Network Defense Evasion: HTML Smuggling
\n\u2022 Network Defense Evasion: Legitimate Websites
\n\u2022 Network Defense Evasion: Cohort Channels
\n\u2022 Use of legitimate applications for Applocker bypass
\n\u2022 Detecting & preventing the abuse of the legitimate applications
\n\u2022 Sysmon & EDR Bypass Techniques<\/p>\n

Memory Forensics<\/strong>
\n\u2022 Intro to Memory Forensics & Volatility
\n\u2022 Capture a full memory dump
\n\u2022 Extract suspicious & hidden processes
\n\u2022 Detecting memory injection, process hollowing & API hooking
\n\u2022 Detect suspicious network communication & extract network packets
\n\u2022 Detect malware persistence Functionalities using registry hives
\n\u2022 Detect the initial access using Prefetch files & MFT extraction
\n\u2022 Extract windows event logs from memory<\/p>\n

 <\/p>\n

DAY 4:<\/h5>\n

Privilege Escalation Techniques<\/strong>
\n\u2022 UAC bypass techniques
\n\u2022 Abuse services for privilege escalation
\n\u2022 DLL Order Hijacking
\n\u2022 Best practicies for detecting & preventing privilege escalation<\/p>\n

Incident Response in an Enterprise: Powershell Intro<\/strong>
\n\u2022 Intro to Powershell
\n\u2022 Powershell Remoting
\n\u2022 Logon Types and Powershell vs RDP
\n\u2022 Collect & Analyze Malicious Artifacts using Kansa
\n\u2022 Collect Minidumps using Powershell
\n\u2022 Detect suspicious processes using Powershell
\n\u2022 Automating Artifacts collection & analysis for threat intelligence<\/p>\n

Impersonating Users: Credential Theft & Token Impersonalization <\/strong>
\n\u2022 Detecting & Hunting Lsass Memory dump
\n\u2022 Detecting & Hunting Token Impersonation
\n\u2022 Hands-on AD Vulnerability Scanning using PingCastle<\/p>\n

Detection & Prevention Lateral Movements<\/strong>
\n\u2022 Intro Authentication Mechanisms in Active Directory (NTLM & Kerberos)
\n\u2022 Understand domain account permissions and access level
\n\u2022 NTLM Attacks: Pass The Hash
\n\u2022 Kerberos Attacks: Pass The Ticket
\n\u2022 Kerberos Attacks: Overpass The Hash
\n\u2022 Silver & Golden Tickets and Kerberoasting Attacks
\n\u2022 Hardening Your AD (LAPS, gMSA \u2026 etc)
\n\u2022 Building a Secure Multi-Tiered Environment<\/p>\n","protected":false},"excerpt":{"rendered":"

ATTEND IN-PERSON: Onsite in Phuket DATE: 21-24 August 2023 TIME: 09:00 to 17:00 ICT\/GMT+7 Date Day Time Duration 21 Aug Monday 0900-17:00 ICT\/GMT+7 8 Hours 22 Aug Tuesday 0900-17:00 ICT\/GMT+7 8 Hours 23 Aug Wednesday 0900-17:00 ICT\/GMT+7 8 Hours 24 Aug Thursday 0900-17:00 ICT\/GMT+7 8 Hours With the rise of APT attacks and targeted ransomware […]<\/p>\n","protected":false},"featured_media":11735,"template":"","meta":{"_acf_changed":false},"product_cat":[59,77,57],"product_tag":[],"class_list":{"0":"post-11736","1":"product","2":"type-product","3":"status-publish","4":"has-post-thumbnail","6":"product_cat-4-day-training","7":"product_cat-hitb2023hkt","8":"product_cat-in-person","10":"first","11":"instock","12":"featured","13":"shipping-taxable","14":"purchasable","15":"product-type-simple"},"acf":[],"yoast_head":"\nDeep Dive Into Threat Hunting & Purple Teaming - HITB (in)Cyber 2024 - Abu Dhabi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Deep Dive Into Threat Hunting & Purple Teaming - HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"og:description\" content=\"ATTEND IN-PERSON: Onsite in Phuket DATE: 21-24 August 2023 TIME: 09:00 to 17:00 ICT\/GMT+7 Date Day Time Duration 21 Aug Monday 0900-17:00 ICT\/GMT+7 8 Hours 22 Aug Tuesday 0900-17:00 ICT\/GMT+7 8 Hours 23 Aug Wednesday 0900-17:00 ICT\/GMT+7 8 Hours 24 Aug Thursday 0900-17:00 ICT\/GMT+7 8 Hours With the rise of APT attacks and targeted ransomware […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/\" \/>\n<meta property=\"og:site_name\" content=\"HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-07T07:19:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/\",\"name\":\"Deep Dive Into Threat Hunting & Purple Teaming - HITB (in)Cyber 2024 - Abu Dhabi\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg\",\"datePublished\":\"2023-03-20T08:28:51+00:00\",\"dateModified\":\"2023-07-07T07:19:09+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#primaryimage\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg\",\"contentUrl\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg\",\"width\":1200,\"height\":900},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Shop\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/shop\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Deep Dive Into Threat Hunting & Purple Teaming\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\",\"name\":\"HITB (in)Cyber 2024 - Abu Dhabi\",\"description\":\"May 14 - 16, Etihad Arena \",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Deep Dive Into Threat Hunting & Purple Teaming - HITB (in)Cyber 2024 - Abu Dhabi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/","og_locale":"en_US","og_type":"article","og_title":"Deep Dive Into Threat Hunting & Purple Teaming - HITB (in)Cyber 2024 - Abu Dhabi","og_description":"ATTEND IN-PERSON: Onsite in Phuket DATE: 21-24 August 2023 TIME: 09:00 to 17:00 ICT\/GMT+7 Date Day Time Duration 21 Aug Monday 0900-17:00 ICT\/GMT+7 8 Hours 22 Aug Tuesday 0900-17:00 ICT\/GMT+7 8 Hours 23 Aug Wednesday 0900-17:00 ICT\/GMT+7 8 Hours 24 Aug Thursday 0900-17:00 ICT\/GMT+7 8 Hours With the rise of APT attacks and targeted ransomware […]","og_url":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/","og_site_name":"HITB (in)Cyber 2024 - Abu Dhabi","article_modified_time":"2023-07-07T07:19:09+00:00","og_image":[{"width":1200,"height":900,"url":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/","name":"Deep Dive Into Threat Hunting & Purple Teaming - HITB (in)Cyber 2024 - Abu Dhabi","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website"},"primaryImageOfPage":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#primaryimage"},"image":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#primaryimage"},"thumbnailUrl":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg","datePublished":"2023-03-20T08:28:51+00:00","dateModified":"2023-07-07T07:19:09+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#primaryimage","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg","contentUrl":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/3.jpg","width":1200,"height":900},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/deep-dive-into-threat-hunting-purple-teaming-hitb2023hkt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/"},{"@type":"ListItem","position":2,"name":"Shop","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/shop\/"},{"@type":"ListItem","position":3,"name":"Deep Dive Into Threat Hunting & Purple Teaming"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/","name":"HITB (in)Cyber 2024 - Abu Dhabi","description":"May 14 - 16, Etihad Arena ","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product\/11736"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/types\/product"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/media\/11735"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/media?parent=11736"}],"wp:term":[{"taxonomy":"product_cat","embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product_cat?post=11736"},{"taxonomy":"product_tag","embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product_tag?post=11736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}