مهدی میرسلطانی

• پیشرفته متوسط
• مسیر آبی
• ۱۴ درس

دربارۀ این دوره

مخاطبان

• تحلیلگران SOC (Tier 1 و Tier 2)
• شکارچیان تهدید (Threat Hunters)
• متخصصان Blue Team
• تحلیلگران امنیتی
• علاقه‌مندان به Detection Engineering، تحلیل تله‌متری و حمله‌های مبتنی‌بر TTP

پیش‌نیازها

• آشنایی با سیستم‌عامل‌های لینوکس و ویندوز
• دانش پایه‌ای از مفاهیم امنیت سایبری و شبکه
• آشنایی با لاگ‌ها و SIEM
• آشنایی با PowerShell

• Session 1: "Web Server Under Siege — Webshell or Misconfiguration?"
  • MITRE Techniques: T1505.003 (Web Shell), T1059 (Command Scripting), T1071.001 (Web C2)
  • Tools: auditd, Sysmon for Linux, tcpdump, Elastic
  • Lab: Deploy PHP/ASPX webshells and generate suspicious activity
  • Detection: Identify reverse shell behavior, suspicious URL params, webserver parent-child chains
• Session 2: "3AM Logon from Overseas — Malicious or Misused Account?"
  • MITRE Techniques: T1078 (Valid Accounts), T1110 (Brute Force), T1003.001 (LSASS Dump)
  • Tools: Sysmon (Event ID 10/11), Event Logs 4624/4625/4648/4656, osquery
  • Lab: Brute-force login + LSASS memory dump + valid account access
  • Detection: Spot logon anomalies, failed/success ratio, unusual processes reading LSASS
• Session 3: "A New Admin Was Created — Without Anyone Knowing"
  • MITRE Techniques: T1136 (Create Account), T1098 (Account Manipulation), T1053
  • Tools: Event Logs 4720/4732, osquery, bash history, crontab
  • Lab: Create rogue sudo/admin user, setup cron task
  • Detection: Identify stealth persistence and privilege escalation
• Session 4: "Obfuscated PowerShell Madness"
  • MITRE Techniques: T1059.001 (PowerShell), T1218 (Signed Binary Proxy), T1569.002 (Service Execution)
  • Tools: Sysmon Event IDs 1/7/11, Windows Event Logs 4688/4689, PowerShell Operational Logs (4104, 4103)
  • Lab: Launch encoded PowerShell payloads using LOLBAS techniques, simulate Invoke-Mimikatz and encoded reverse shell
  • Detection
    • Identify PowerShell with suspicious parent (e.g., Word, rundll32)
    • Detect command-line obfuscation (-enc, iex, base64 patterns)
    • Analyze Event ID 4104 script block content
    • Correlate process tree with Sysmon and Security logs
• Session 5: "DLL Sideloading — With a Twist"
  • MITRE Techniques: T1574.001 (DLL Search Order Hijacking), T1055 (Injection)
  • Tools: Sysmon (Image Load + Process Creation), ProcMon, PE tools
  • Lab: Create DLL sideload with a Microsoft-signed binary
  • Detection: Monitor non-standard DLL loads, investigate load order patterns
• Session 6: "PsExec Everywhere — Internal Recon?"
  • MITRE Techniques: T1021.002 (SMB/Exec), T1021.001 (RDP), T1035 (Service Execution)
  • Tools: WinRM logs, firewall logs, Sysmon Event ID 7045, Event ID 5140
  • Lab: Lateral movement using PsExec and service creation
  • Detection: Monitor inter-host SMB/WinRM connections, service execution traces
• Session 7: "Outbound Noise — Is That a C2 Beacon?"
  • MITRE Techniques: T1071.001 (C2 Web), T1095 (Remote Access), T1568.002 (Dynamic Resolution)
  • Tools: PCAP (Wireshark/tcpdump), DNS logs, Zeek, Elastic
  • Lab: Simulate DNS + HTTPS beaconing with C2 tools (Mythic/Caldera)
  • Detection: Identify periodicity, suspicious user-agent strings, DNS anomalies
• Session 8: "Temp-to-Startup — Silent Persistence Attempt"
  • MITRE Techniques: T1547.001 (Registry Run), T1053.005 (Scheduled Task), T1552
  • Tools: Sysmon, autoruns, registry explorer, osquery
  • Lab: Drop malware in temp + configure registry autorun and scheduled task
  • Detection: Correlate suspicious file paths + persistence artifacts
• Session 9: "Discovery in the Dark — Before the Attack Lands"
  • MITRE Techniques: T1082 (System Info), T1518 (Software Discovery), T1016 (Network Discovery)
  • Tools: osquery, auditd, bash history, process logs
  • Lab: Run recon commands, simulate enumeration
  • Detection: Alert on unusual tools like net, ipconfig, hostname, systeminfo
• Session 10: "Covering Tracks — Indicators Disappear"
  • MITRE Techniques: T1070 (Indicator Removal on Host), T1562 (Impair Defenses)
  • Tools: Event ID 1102, Sysmon tamper detection, shell history artifacts
  • Lab: Clear event logs, delete bash_history, disable auditd
  • Detection: Catch event log wipes, auditing disablement, shell trace tampering
• Session 11: "Write What You Hunt — Detection Engineering in EQL"
  • MITRE Concepts: Behavior chaining, detection logic, rule writing lifecycle
  • Tools: Elastic EQL, MITRE ATT&CK Navigator, Sigma-to-EQL examples
  • Lab
    • Build EQL rule for encoded PowerShell spawn from Office parent
    • Match image_load + process_create for DLL sideload scenarios
    • Sequence detection: autorun registry key + suspicious file write
  • Outcome: Write and test EQL rules; map to ATT&CK; validate behavior chains
• Session 12: "Final Threat Hunt — Full Scope Incident"
  • Techniques: Mixed from sessions 1–11
  • Tools: Sysmon, auditd, PCAP, Elastic/Kibana, osquery
  • Lab: Analyze full simulated compromise across Linux and Windows
  • Outcome: Detect, hunt, and report; build ATT&CK-mapped summary and recommend detections
• Session 13: "Rogue Linux Persistence & SSH Hunting"
  • MITRE Techniques: T1053.003 (Cron), T1543.002 (Systemd Service), T1021.004 (SSH), T1070.004 (Bash History Clear), T1078 (Valid Accounts)
  • Tools: auditd, Sysmon for Linux, /var/log/auth.log, bash history, osquery
  • Lab
    • Create hidden cronjob and custom systemd service as persistence
    • Use valid SSH Key credentials to access from attacker VM
    • Clear shell history and disable auditd temporarily
  • Detection
    • Hunt for unauthorized service units and unexpected cron entries
    • Analyze auth.log for anomalous logons and sudo elevation
    • Correlate gaps in bash history with suspicious login timing
• Final Threat Hunt — Full Scope Incident"
  • Techniques: Mixed from sessions 1–11
  • Tools: Sysmon, auditd, PCAP, Elastic/Kibana, osquery
  • Lab: Analyze full simulated compromise across Linux and Windows
  • Outcome: Detect, hunt, and report; build ATT&CK-mapped summary and recommend detections

گواهینامه‌ی دوره