Workshop
Advanced Detection Engineering in the Enterprise
March 10th, 11th & 12th, 2025
3-day training, by Olaf Hartong & Henri Hambartsumyan
This training will be given in ENGLISH
Normal price: CHF 3000.-
Student price: CHF 2250.- (limited availability)
Description
Your organization’s recent red teaming exercise revealed critical gaps in detecting advanced attacks, which bypassed the out-of-the-box detections. Now it is time to turn those insights into action by developing robust detections.
We will make you comfortable with our Detection Engineering methodology, providing hands-on experience in how to research and analyze attacker techniques, craft resilient analytics and validate detections.
The training is highly interactive and keeps a good balance between theory and a large number of hands-on exercises. You will simulate real-world attacks, gaining practical skills to build and maintain advanced detections.
From endpoints to Active Directory to cloud environments, we cover realistic enterprise attack scenarios, preparing you to implement these practices at your organization.
By the end of this training, you will be equipped to enhance your defenses, anticipate attacker behavior, and secure your network against evolving threats.
About the trainers
Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects.
Henri Hambartsumyan is an experienced technical security professional with 10 years of technical security experience. Henri started his career as a pentester and moved on to more advanced pentesting projects. Later he started executing “covert operations”, which the industry later dubbed “red teaming”. In recent years, Henri has performed countless red team operations, among which 4 TIBER exercises. Next to projects, Henri spent most of his off-time developing AV bypasses for future ops. Over the last year, Henri has taken an interest in blue teaming, especially in detecting more advanced tradecraft in a realistic way. Due to his in-depth understanding of the tradecraft, he currently develops detection rules for advanced attacks as part of the FalconFriday blog series and for clients. Next to this, he is still active in performing red teams.
Course outline
Detection Engineering Methodology
- Introduction
- Detection Engineering principles
- Testing, Maintenance and Improvement
- Automatic deployment and validation
Endpoint
- Command and Control use and detection
- Credential Dumping
- Lateral Movement
Active Directory and server-side attacks
- Kerberos attacks
- Active Directory Certificate Services
Cloud Infrastructure
- Initial access via device code phishing
- Entra ID abuse and misconfigurations
- Azure Key Vault and Storage Accounts
- Azure Virtual Machine attacks
- Lateral movement to on-premise
Detection Validation and automation
- Logic Apps
- Enrichment pipelines
Course requirements
Students should be familiar with Windows endpoints, Active Directory and the Azure cloud. Furthermore, at least some experience with Azure Sentinel and its query language (Kusto Query Language, KQL) is required. Recommended study material to prepare will be supplied to the students several weeks in advance.
To connect to our student lab environment, students must be able to use Microsoft RDP (Remote Desktop Protocol) over the Internet on TCP port 3389.