Our Threat Hunting with AI Support course is a 5-day training (35 hours) designed for Security Analysts, IT Administrators, Incident Responders and Threat Hunters. During the course participants will learn modern attack techniques, local privilege escalation methods and identity infrastructure attacks, as well as how those attacks can be detected and mitigated. This knowledge will be reinforced with case studies that demonstrate how real-world attacks unfold using the methods learned. Additionally, participants will be introduced to solutions that, with AI support, can enhance the threat hunting process. The course will conclude by showing how threat hunting and threat detection design can be performed by combining manual and automated methods.
Course syllabus
This Live Virtual Class consists of 13 modules on Threat Hunting with AI Support. They combine essential theory with individual practice during the exercises, plus plenty of hands-on tools and real-case scenarios.
Module 1: Modern Attack Techniques and Tracing Them
- Discussion: Top attack techniques
- Advanced Persistent Threats
- Initial access vectors
- Phishing (e.g. reverse-shell payload delivered by e-mail)
- Valid credentials (e.g. password spraying)
- Spoofing (e.g. look-alike domains generated with dnstwist)
- Vulnerable components (drive by download)
- Weak defaults
- Other vectors
Module 2: Local Privilege Escalation Techniques and Tracing Them
- Escalation through Windows services
- Unquoted service path
- Image and DLL manipulation
- Scheduled tasks
- Access Token Manipulation
- SeImpersonate
- SeTcb
- Create User Token
- Process Injection
- DLL Injection and Reflective DLL Injection
- CreateRemoteThread
- Memory Injection
- Other techniques
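As an added example that is not part of the course material, the following PowerShell script shows the kind of check that goes with the "unquoted service path" topic above: it enumerates services whose ImagePath is unquoted and contains a space, lists the executables the Service Control Manager would try before the real one (for `C:\Program Files\Acme Agent\agent.exe` that is `C:\Program.exe` and `C:\Program Files\Acme.exe`), and flags any candidate whose parent directory grants write rights to broad groups. The group list and the `.exe` cut-off heuristic are assumptions made for this example; run it in an elevated PowerShell on the host under review. It only reads configuration and changes nothing.

```powershell
# Added example, not part of the course material: detect unquoted service paths
# and report whether the directories an attacker would need are writable by
# broad groups. Read-only; nothing is modified.

# Assumption: these identities count as "broad" (tune for your environment).
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-HijackCandidates {
    param([string]$ExePath)   # e.g. C:\Program Files\Acme Agent\agent.exe
    # The SCM splits an unquoted path at each space and tries the shorter names
    # first, appending .exe: C:\Program.exe, then C:\Program Files\Acme.exe, ...
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-BroadWriteAccess {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -match 'Write|Modify|FullControl')) {
            return $true
        }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = $_.PathName
    if (-not $path -or $path -match '^"') { return }     # quoted or empty: fine
    # Drop arguments: keep everything up to and including the first ".exe"
    # (heuristic; -match is case-insensitive in PowerShell by default).
    $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
    if ($exe -notmatch '\s') { return }                  # no space, no ambiguity
    if ($exe -match '^[a-z]:\\Windows\\') { return }     # built-in services: skip
    foreach ($candidate in Get-HijackCandidates $exe) {
        $dir = Split-Path -Parent $candidate
        [pscustomobject]@{
            Service                 = $_.Name
            RunsAs                  = $_.StartName
            ImagePath               = $path
            Candidate               = $candidate
            DirWritableByBroadGroup = Test-BroadWriteAccess $dir
        }
    }
} | Format-Table -AutoSize
```

A row with `DirWritableByBroadGroup` set to `True` for a service running as `LocalSystem` is the case to fix first: quote the ImagePath in the service's registry key (or via `sc config`) and tighten the directory ACL. For the tracing side, a new or modified service also shows up as System log event ID 7045 (service installed), which is the event to correlate when hunting for abuse of this technique.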
Module 3: Case Study - Investigating In-Place Attacks
Module 4: Windows Authentication Architecture & Cryptography
- Windows Logon
- Windows Logon Types
- LSASS Architecture
- NTLM
- Kerberos
- SAM Database
- NTDS.dit
- LSA Secrets & gMSA accounts
- Secrets, credentials and Logon Data
- PKI Misconfigurations
- Security Support Providers (SSPs)
- Data Protection API
Module 5: Case Study - Investigating Identity Theft
Module 6: Attacks on Identity Infrastructure and Tracing Them
- Pass-the-Hash and Overpass-the-Hash attacks
a. Pass the ticket
b. Golden and silver ticket
c. Pass the PRT
d. Shadow Credentials / NGC
- NBNS/LLMNR spoofing, NTLM Relay, Kerberoasting
- DCSync and DCShadow
- AdminSDholder
- Other Modern identity attack techniques
Module 7: Microsoft Defender for Endpoint - EDR
- Intro 101 to Microsoft Defender ecosystem
- EDR deployment strategies
- EDR installation and configuration
- Fine tuning and hardening of EDR configuration
- Managing and Maintaining Security Posture
- Troubleshooting Common Issues
- Automation with ServiceNow and 3rd party
Module 8: Security Operations with Microsoft EDR (Defender for Endpoint) - Advanced Threat
- EDR integration with Microsoft Sentinel (formerly Azure Sentinel)
- Security Operations best practices with Microsoft EDR and Sentinel
- How to manage Incidents inside EDR and Sentinel
- Kusto Query Language (KQL) 101 – basic and advanced queries
- Advanced Hunting
- Hacker ways to hide malware and bypass EDR
Module 9: Microsoft Security Copilot
- Introduction to Microsoft Security Copilot
- Developing and Using Promptbooks
- Create Effective Promptbooks for Security Analysis
- Plugins Management
- Data Security and Privacy
- Responsible AI at Microsoft
Module 10: Case Study - Detecting a Complex Threat with Sentinel and Microsoft Copilot for Security
Module 11: Network Forensics and Monitoring
- Types and approaches to network monitoring
- Network evidence acquisition
- Network protocols and Logs
- Gathering data from network security appliances
- Detecting intrusion patterns and attack indicators
- Data correlation
- Hunting malware in network traffic
Module 12: Memory Dumping and Analysis
- Introduction to memory dumping and analysis
- Creating memory dumps – Belkasoft RAM Capturer and DumpIt
- Utilizing Volatility to analyse a Windows memory image
- Analysing the Stuxnet memory dump with Volatility
- Automatic memory analysis with Volatility
Module 13: Disk Dumping Analysis
- Introduction to storage acquisition and analysis
- Drive Acquisition
- Autopsy
- Building timelines
- File System Analysis Techniques
- Encryption and Decryption of Drives
- Deep-Dive into AutomaticDestinations (jump lists)
- Extracting Information About Network Activity
Speakers: Marcin Krawczyk & Amr Thabet