Purple Team


After payment, the course details will be sent to your email.
- Advanced
- Purple track
- 13 lessons
About this course
Who is this course recommended for?
- Cybersecurity specialists
- Web and network penetration testers
- Purple team specialists
- Threat hunting specialists
- Incident response specialists
- Security Operations Center (SOC) team specialists
What knowledge do I need to attend this course?
- At least two years of experience in defensive or offensive security
Course syllabus
- Introduction to Purple Teaming
  - What is Red Teaming
  - What is Blue Teaming
  - What is Purple Teaming
- Structure of an Advanced Persistent Threat (APT)
  - Chain of an Attack
  - MITRE comes to the rescue
  - MITRE ATT&CK (Simulation)
  - Lab: Find a new (for you) interesting technique
  - MITRE Shield (Detection)
  - Lab: Write your detection hypothesis around the new technique
- Initial Access Emulation, Detection and Prevention
  - Legitimate binaries
  - Lab: Find and Use a LOLBin
  - Common techniques (DLL side loading, Scriptlet, XSL, Macro, DDE, JS, VBA)
  - Lab: Write a script for detecting DLL side loading
  - Lab: Mitigate Macro usage in Enterprise
  - Lab: Prevent Macro execution in Enterprise
  - Lab: Prevent JS/HTA execution in Enterprise
  - Fileless download and execution
  - Lab: Disabling Windows Script Host (WSH) in your organization
  - Bypass application control and whitelisting
  - Credential Harvesting Attacks
  - Lab: Find a Credential Harvesting Attack against a Cryptocurrency company
  - Domain Masquerading
  - Lab: Find a Domain Masquerading Attack against your organization
  - NTLM Relaying
  - Lab: Stopping NTLMv2 related attacks
  - Payload Packs (ISO, MSI)
  - Lab: Build your own Payload
  - Lab: Prevent ISO Mount in Enterprise
- Enumeration Emulation, Detection and Prevention
  - Raw LDAP queries
  - In-Memory WMI
  - Internal Reconnaissance with WinAPI
  - Lab: Write code to get system information
  - Low-noise host, group, ACL, user, policy and AD Controls enumeration
  - Sessions
  - Password policies
  - Machine Account
  - Certificates
- Privilege Escalation Emulation, Detection and Prevention
  - Delegation
  - Targeted Kerberoasting
- AD and Local Persistence Emulation, Detection and Prevention
  - DLL Sideloads
  - COM Object Model
  - COM Interactions
  - COM Hijacking
  - Lab: Write a script for detecting COM Hijacking (should handle 2 of the known variants)
  - COM Backdoors and Persistence
  - ACL and Security Descriptors
  - Abuse Kerberos for Persistence
- Advanced Active Directory Domain Attacks
  - The Kerberos Realm
  - S4U2self Abuse AS-REP Roasting
  - Golden Tickets
  - Silver Ticket Attacks
  - Command execution with a silver ticket
  - No AD Touch Kerberos Attacks
  - Pass the Ticket
  - ACL, SACL, DACL and GPO Abuse
  - DCShadow
  - Abusing vulnerable services
  - Abuse AD rights
  - Preventing Wiper/Ransomware with Sysmon’s new feature
- Lateral Movement
  - SMB and RPC Pivoting
  - WinRM and PowerShell Pivoting
  - Fileless WMI Queries and WMI Execution
  - Service Diversion
  - SOCKS Tunneling
  - Remote Desktop
- Defense Evasion
  - Event Tracing for Windows (ETW) bypasses
  - Application Whitelisting bypasses
  - VBA stomping
  - HTML smuggling
  - Parent Process ID (PPID) spoofing
  - Endpoint Detection and Response (EDR) Evasion
  - Environmental Keying
  - Attack Surface Reduction (ASR) bypasses
  - Command-Line Spoofing
  - Process Injection
- Build Your Emulation Plan
  - Pick Your Favorite APT
  - Emulate the APT
  - Detect the APT
  - Mitigate the APT
- Introduction to security mechanisms and tools
  - WDAC
  - CLM
  - ASR rules
  - EDR
  - YARA
- Set up your Red/Blue Lab
  - C2
  - Elastic
- Emulating real-world APTs and cyber criminals
  - APT 27: ProxyLogon -> Local and Domain Discovery -> DLL Search Order Hijacking -> Service (for Persistence) -> Indicator Removal -> Add Exclusion to Windows Defender -> Dumping LSASS -> NTDS -> Data Collection -> Exfiltration
  - APT 28: Latest TTPs!
  - Lazarus: Malicious Document (sent via LinkedIn) -> LNK -> MSHTA -> VBScript -> Startup (for Persistence) -> PowerShell -> Disable Windows Defender -> Disable Credential Guard -> Credential Access -> Next Stage -> SSP (for Persistence) -> Indicator Removal
  - APT 29: Latest TTPs!
  - Emotet: LNK -> PowerShell -> Regsvr32 -> Local and Domain Recon -> Run Key -> Remote Management Tool -> Service Creation -> AnyDesk -> Zerologon -> Indicator Removal -> Dumping LSASS -> Remove Service -> WMI -> RDP -> Ransomware
Course certificate
