Your organization’s recent red teaming exercise revealed critical gaps in detecting advanced attacks, which bypassed the out-of-the-box detections. Now, it’s time to transform those insights into action by developing robust detections.

We will make you comfortable with our Detection Engineering methodology, providing hands-on experience in how to research and analyze attacker techniques, craft resilient analytics and validate detections.

The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises. You will simulate real-world attacks, gaining practical skills to build and maintain advanced detections.

From endpoints to Active Directory to cloud environments, we cover realistic enterprise attack scenarios, preparing you to implement these practices at your organization.

By the end of this training, you’ll be equipped to enhance your defenses, anticipate attacker behavior, and secure your network against evolving threats.
Workshop
Advanced Detection Engineering in the Enterprise
March 10th, 11th & 12th, 2025
– SOLD OUT –
3-day training, by Olaf Hartong & James Gratchoff
This training will be given in ENGLISH
Normal price: CHF 3000.-
Student price: CHF 2250.- (limited availability)
Description
About the trainer
Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects.
James is a seasoned red team operator with over 8 years of experience in TIBER red teaming, penetration testing, and hardware hacking. He has extensive expertise in conducting adversarial simulations and TIBER(-EU) exercises while also testing physical security systems. James uniquely combines his red team duties with designing custom conference badges.
Course outline
Detection Engineering Methodology
- Introduction
- Detection Engineering principles
- Testing, Maintenance and Improvement
- Automatic deployment and validation
Endpoint
- Command and Control use and detection
- Credential Dumping
- Lateral Movement
Active Directory and server-side attacks
- Kerberos attacks
- Active Directory Certificate Services
Cloud Infrastructure
- Initial access via device code phishing
- Entra ID abuse and misconfigurations
- Azure Key Vault and Storage Accounts
- Azure Virtual Machine attacks
- Lateral movement to on-premise
Detection Validation and automation
- Logic Apps
- Enrichment pipelines
Course requirements
Students should be familiar with Windows endpoints, Active Directory and Azure cloud. Furthermore, at least some experience with Azure Sentinel and its query language (Kusto) is required. Recommended study material to prepare will be supplied to the students several weeks in advance.

To connect to our student lab environment, students should be able to use Microsoft RDP (Remote Desktop Protocol) via the Internet on port 3389 TCP.