APTs are constantly evolving their attack techniques, putting pressure on responders and blue teamers to stay up to date on the latest tactics, techniques and procedures. Depending on the nature of the organization, responders and blue teamers may never have responded to a nation-state level threat in their environment. This course is built to arm attendees with the ability to detect, respond to and remediate an APT-level attack. Attendees will be challenged with practical labs built around a simulated APT intrusion covering each stage of the ATT&CK chain. Students will be exposed to endpoint forensics, log analysis and cloud forensics on up-to-date attack techniques leveraged by Russian, Chinese, North Korean and Iranian APT groups against organizations within the last two years.
Day one of the course begins with an introduction to the APT attack scenario hosted in the labs. Each module of the course is built to introduce various APT techniques and detection methodologies, followed by a practical lab where students are invited to investigate and determine what occurred in the intrusion. The first day will focus on incident tracking, supertimelining and log analysis using ELK. Attendees will be introduced to various exploitation techniques, modern ways to obfuscate webshells, and cloud forensics in an Azure AD/M365 environment, covering advanced techniques like service principal abuse, OAuth abuse and Active Directory backdoors. The day ends with a deep dive into Windows forensics, covering NTFS and artifacts of execution.
Day two is focused on advanced detection and forensics for APT techniques centered around persistence, defense evasion and credential compromise. The day begins with a deep dive into credential dumping methods, with a strong focus on the Golden SAML technique abused by Russian APT groups. Various persistence techniques, such as abusing LSA SSP/AP to install backdoors, will be explored with practical logs and disk data for attendees to triage. The day then covers various forensic artifacts, including registry timelining, file access artifacts, and lateral movement techniques and their detection in the event logs. Attendees will then be introduced to APT defense evasion techniques, such as bypassing write events in the event logs, and to exfiltration methods covering various C2 and tunnelling techniques.