SimSpace Training Catalog
Jump to:
Select a team/type to view
FILTER
DIFFICULTY
Foundational
Intermediate
Advanced
Expert
DURATION
1 hour
1.5 hours
24 hours
11 hours
3 hours
TOPIC
Active Directory Exploitation
Advanced Persistent Threat
Anti-Virus
Application Security
Application Security Testing
APT
Atomic Red Team
authentication bypass
Banner Grabbing
Baseline
Beats
Billion Laughs Attack
Blind SQLi
Blue
Blue Team
Boofuzz framework
Boot2Root
Boss of the SOC
Broken Access Controls
Broken Authentication
Buffer Overflow
Capture the Flag
Code Management
Code Review
Command History
Command Line
compilers
Continuous Integration
Credential Access
Credential Harvesting
Credential Management
Cross Site Request Forgery
Cross-Site Scripting
CSRF
Cyber Fitness: SOC Analyst
Cyber Gym
Cyber Kill Chain
Data Analytics
Debugging
Defensive Evasion
Denial of Service
Detection Rules
DevOps
Directory Traversal
Discovery
Docker
Drupalgeddon2
Dynamic Analysis Security Testing
Elastic
Emerging Threats
Encrypted Traffic Forensics
Endpoint Security
Enumeration
Event Detection
Exploit Enumeration
Exploit Mitigation
Exploit Vulnerabilities
Extended regular expressions
File Detection With Yara/ClamAV Rules
File Disclosure
File Exploitation
Files on Windows
Fingerprinting
Firewalls
Forensics
Forge Tickets
Fuzzing
GDB
git
gitlab
GNU Debugger
Hardware Compromise
HBSS
Heap Overflow
Host Forensics
Host Threat Hunting
ids
Incident Response
Indicators of Compromise
Initial Access & Execution
intrusion detection
Intrustion Detection Systems
JA3
JavaScript
Kerberos
Kibana
Lateral Movement
LFI
Libraries
Linux
Linux Configuration
Linux Internals
Linux Logging
Linux Memory Forensics
Linux System Logs
Local File Inclusion
Log Analysis
Malware Analysis
Malware Development
Malware Reverse Engineering
memory corruption
Metasploit Framework
Mind Maps
MITRE ATT&CK
MITRE ATT&CK Navigator
Network Forensics
Network Fundamentals
Network Remediation
Network Security Monitoring
Network Threat Hunting
Network Traffic
Networking
NFS
Nmap
NOC/SOC Synergy
open-source intelligence
Operational Security
OPSEC
OS Exploitation
OS Injection
OSI Model
OSINT
Out of Band SQLi
overflows
OWASP Top Ten 2017
Packet Analysis
Packet Capture
Password Spraying
pcap
PCRE
Penetration Testing
Persistence
Planning
PowerShell
Private Branch Exchange
Privilege Escalation
Programming
Purple
Purple Team
PwnKit
Python Programming
Red
Red Team
regex
regular expressions
Remote Code Execution
Remote File Inclusion
Removing Artifacts
Resolvn
RFI
Risk Assessment
Scripting
SDLC
Second Order SQLi
Secure Coding
Secure Design
Secure File Deletion
Secure SDLC
Security Misconfiguration
Security operations center
Security Requirements
Sensitive Data Exposure
Server-side Request Forgery
Session Initiation Protocol (SIP)
Shells
SIEM
SIGMA
SMB
SMTP
SNMP
Software Composition Analysis
Software Development
Software Development Lifecycle
SonarQube
Source Code Compromise
Splunk
SQL Injection
sqlmap
Stack Overflow
Staffing
Static Analysis
Static Analysis Security Testing
Steal Tickets
struts-pwn
Supply Chain Compromise
Sysinternals
Sysmon
System Administration
System Monitor
Test Driven Development
Threat Analysis
Threat Hunting
Threat Models
Timestomp
Tooling
TopTTPs
Traffic Detection With Suricata/Snort
Unit Testing
Visualization
Volatilty
Vulnerabilities
Vulnerability Assessment
Vulnerability Remediation
Web Application
WebApp Exploitation
Windows
Windows Event Collector
Windows Event Forwarding
Windows Event Logs
Windows Event Subscription
Windows Internals
Windows Live Triage
Windows Logging and Monitoring
Windows Management Instrumentation
Windows Memory Analysis
Windows Registry
Windows Remote Management
Windows Security Context
Windows Sysinternals
Windows System Administration
Wireshark
Workshop
XML External Entity Attacks
XSS
XXE
XXE Remote Shell
Zeek
BLUE TEAM
Training
Foundational
Application Security Overview
Blue Team
1 hour
Read moreShow less
DESCRIPTION
An overview of how to incorporate security into each phase of the software development life cycle (SDLC). This module also reviews the common weaknesses of different application architectures and briefly discusses popular application vulnerabilities.
OUTCOMES
- Describe the purpose and benefits of application security
- Identify methods of incorporating security into the SDLC
- Recognize the risks inherent in CI/CD pipelines
- Compare the common weaknesses of different application architectures
- Identify the most common application vulnerabilities
Intermediate
ASCII and JSON Logs: Interpreting and Processing
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Become more efficient at analyzing Linux logs by using various Linux built-in commands such as grep, cut, and awk, as well as the jq tool to view and filter JSON logs.
OUTCOMES
- Use grep to find a log line of interest
- Use a Perl regular expression with grep to find matching log lines
- Use tail or head to find the end or beginning of a log respectively
- Use cut to show a particular column of interest from an identified log
- Use awk to find specific information in an identified log
- Use jq to view and filter JSON logs
Intermediate
Baselining on Windows: Introduction
Blue Team
1 hour
Read moreShow less
DESCRIPTION
This module explores Windows Golden Images, baselining of files, processes, services, patches, and network connections. It includes hands-on labs to exercise baselining skills on a known good system as well as a compromised host.
OUTCOMES
- Export a Windows object’s current state using Powershell
- Compare XML objects using Powershell
- Compute a file’s MD5 hash using Powershell
- Compare CSV objects using Powershell
- Identify malicious deviations from a calculated baseline
Intermediate
Basic Malware Analysis Exercise
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Take a guided tour of one of the most infamous pieces of malware in history: WannaCry.
OUTCOMES
- Create an MD5 hash from an unknown executable
- Use FLOSS or Strings to identify text strings in an unknown executable and make inferences based on the string’s content
- Use PE-Bear to view imports, headers, and data sections of an unknown executable and make inferences about its content
- Use network analysis tools to identify malicious network signatures for a malicious binary
- Use host-based analysis tools to identify malware behavior
Intermediate
Basic Malware Analysis Workshop
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Foundational skills of malware analysis, covering basic static and dynamic analysis, in which the analyst identifies key malware behaviors and artifacts.
OUTCOMES
- Identify the difference between static and dynamic analysis
- Create an MD5 hash from an unknown executable
- Use FLOSS64 to identify text strings in an unknown executable and make inferences based on the string’s content
- Use PE-Bear to view imports, headers, and data sections of an unknown executable and make inferences about its content
- Use network analysis tools to identify malicious network signatures for a malicious binary
- Use host-based analysis tools to identify malware registry key manipulation
Foundational
Docker Fundamentals
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
Benefits of Docker, creating a Docker application, and Docker security best practices.
OUTCOMES
- Identify the advantages of using Docker instead of Linux containers (LXC)
- Interact with and examine Docker containers using Linux command line interface (CLI):
- Add a Docker container.
- Access an error log.
- Mount a volume in a container.
- Connect containers to a network.
- Design a Docker application
- Recognize and implement Docker security best practices
Intermediate
Elastic Configuration and Data Ingestion
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Covers Elasticsearch installation and configuration, importing data, and querying data from the command line and Kibana. Gain a basic understanding of how Elastic functions "under the hood" through JSON requests and formatted data. Leverage pre-formatted data as well as use a script to parse non-JSON data so it can be efficiently indexed into Elastic.
OUTCOMES
- Configure Elasticsearch to use a single node
- Configure Elasticsearch to run at boot in Linux
- Start Elasticsearch from the command line using systemctl
- Verify Elasticsearch is running by querying the database
- Create a custom map for importing data into an index
- Import data using the command line
- Query an Elasticsearch database using Kibana
Intermediate
Elastic Endpoint Forwarders
Blue Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to the Beats framework of the Elastic Stack. Beats are lightweight applications that ship data to the Elastic Stack from network hosts and devices. Install and configure Auditbeat, Filebeat, Packetbeat, and Winlogbeat. Use Kibana to aggregate data and search for log artifacts.
OUTCOMES
- Identify the correct shipper for a provided data source
- Install and configure a selection of Beats
- Use the Elastic Stack to identify artifacts of interest
Foundational
Elastic Incident Investigation
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
Provides an intermediate understanding of the Elastic Stack platform by operationalizing the Elastic Stack software tool to assist in a cyber investigation and to detect malicious cyber activity.
OUTCOMES
- Perform the steps necessary to leverage Elastic Stack as an investigation tool
Foundational
Elastic Manual Uploads
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
A detailed look at how to operationalize the Elastic Stack to enable defensive cyberspace operations.
OUTCOMES
- Discuss the process of manually uploading logs to the Elastic Stack
- Identify various ways to use Elastic Stack in an operational environment
- Identify methods used to troubleshoot the Elastic Stack
Foundational
Elastic Overview
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
Explore the Elastic Stack and its use in Security Information and Event Management (SIEM) within operational environments.
OUTCOMES
- Discuss how the Elastic Stack is architected
- Identify various methods and ways to ingest data into the stack
Intermediate
Encrypted Traffic Forensics: CA and Issuance
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
This module covers investigating certificates and verifying if the certificate is valid.
OUTCOMES
- Use Suricata and Zeek for forensic analysis of encrypted traffic
Intermediate
Encrypted Traffic Forensics: Introduction
Blue Team
1 hour
Read moreShow less
DESCRIPTION
The basics of how to conduct forensic analysis on encrypted network traffic.
OUTCOMES
- Describe the two primary types of encryption
- Summarize the basics of public-key cryptography
- Summarize the relationship of Transport Layer Security with encryption
- Use Suricata for forensic analysis of encrypted traffic
Intermediate
Encrypted Traffic Forensics: JA3, JA3S, and Other Tools
Blue Team
1 hour
Read moreShow less
DESCRIPTION
This module covers using fingerprinting methods and other forensic tools to identify programs sending encrypted traffic.
OUTCOMES
- Use JA3 and JA3S fingerprinting for encrypted traffic analysis
Intermediate
Endpoint Security with HBSS/ESS
Blue Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to concepts related to basic usage of HBSS/ESS, a McAfee product that includes the ePolicy Orchestrator and Endpoint Security. It includes creation of expert rules to detect malicious behavior.
OUTCOMES
- Locate core functionality of HBSS as it relates to defensive host analysis
- Identify malware using basic antivirus detection
- Recognize the tradeoffs when enabling antivirus signature rules
- Describe the limitations of basic antivirus detection
- Implement expert rules to detect and limit the impact of novel malware
Foundational
Flow Control in PowerShell
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Fundamental PowerShell flow control elements for creating complex scripts. Covers comparison and logical operators, if statements, loops, and error handling.
OUTCOMES
- Interpret PowerShell’s comparison operators, logical operators, and if statements
- Differentiate between types of PowerShell loops and their functions
- Recognize and implement PowerShell loop logic
- Decipher error handling in PowerShell
- Automate Windows system administrative tasks using PowerShell scripts
Foundational
Git: Introduction
Blue Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to version control with an overview of Git fundamentals that includes adding, removing and committing files and changes; creating and interfacing with repositories locally or centralized; and several advanced Git commands.
OUTCOMES
- State the benefits of version control
- Explain the difference between local and remote repositories
- Explain the difference between GitHub and GitLab
- Implement Git
- Identify version control actions and the Git commands used to perform them
- Perform an initial commit to a repository
- Save changes made locally to a repository
- Pull code from a repository
- Observe a repository and locate important information about changes
Intermediate
Host Analyst Exercise: Threat Hunting and Incident Response
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Engage in a hands-on exercise as a contractor hired by a small company to augment its security staff. Use blue team techniques and tools, such as YARA and Volatility, to perform incident response procedures in their network.
OUTCOMES
- Use blue team tools for threat hunting and incident response to accomplish the following:
- Identify process anomalies using a known good baseline.
- Conduct forensic investigations using Windows logs.
- Identify active processes in acquired memory image.
- Use YARA for threat hunting.
Foundational
Identifying Indicators of Compromise
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Under the framework of the Pyramid of Pain, which is a stratified glimpse of the potential indicators of a network intrusion, this module introduces you to several increasingly difficult-to-recognize artifacts of attempted and successful intrusions.
OUTCOMES
- Identify the nature, origin, and limitations of several indicators of compromise
- Use deductive techniques and open-source research to identify Indicators of Compromise
Foundational
Integration Testing in CI
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
The practice, tools, and automation of integration testing in continuous integration (CI).
OUTCOMES
- Describe the impact of code libraries on software development
- Install library packages with pip
- Implement a container-based deployment environment
- Interpret data from an automated integration testing pipeline
Intermediate
Kibana Data Visualization
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Use Kibana’s native search application to create data visualizations of a simulated network environment.
OUTCOMES
- Use Kibana’s data aggregation tools to visualize trends in large datasets
- Use Kibana to create a visualization that shows how DNS traffic on a network has changed over time
- Combine multiple visualizations in a dashboard view
Foundational
Kibana: Introduction
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Kibana is an open-source data visualizer application that enables search and visualization capabilities of a data set. Examine the interesting and powerful use of Kibana as the front end of an integrated Security Incident and Event Manager (SIEM).
OUTCOMES
- Use Kibana as a data visualization platform to identify the initial point of compromise on a network
- Use Kibana as a data visualization tool to identify the destination of exfiltrated data on a network
Intermediate
Kibana SIEM Application
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Use insights from data visualizations to investigate threats using the Kibana SIEM application.
OUTCOMES
- Investigate suspicious network activity using the Kibana SIEM
- Use filters in the Kibana SIEM to examine data and identify downloaded files
Foundational
Linux Firewall
Blue Team
3 hours
Read moreShow less
DESCRIPTION
An introduction to the Linux firewall using iptables.
OUTCOMES
- Identify which iptables rule matches a packet
- Evaluate iptables chains and policies
- Configure the Linux firewall to allow remote system management access
- Configure firewall rules to load on system boot
Intermediate
Log4Shell Defense: Legacy Threat
Blue Team
1 hour
Read moreShow less
DESCRIPTION
An explanation of the Log4Shell exploit from a defensive perspective. Includes background and hands-on mitigation. Learn how Log4j (CVE-2021-44228) functions and potential mitigation techniques.
OUTCOMES
- Identify the vulnerability in the Log4j package that allows exploitation
- Locate vulnerable Log4j installations
- Apply mitigations for the Log4Shell exploit
Foundational
Mind Maps
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Explores how to create and use mind maps for identifying tasks and creating milestones to achieve mission success.
OUTCOMES
- Discuss mind maps
- Produce a mind map laying out tasks and milestones
Foundational
MITRE ATT&CK Framework
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
Explore the MITRE ATT&CK framework tactics and how it relates to attack lifecycle phases. Explores the MITRE ATT&CK Navigator and walks through creating a new layer.
OUTCOMES
- Discuss the MITRE ATT&CK Framework
- Discuss the MITRE ATT&CK Navigator
- Create new MITRE ATT&CK Navigator layers
Foundational
MITRE ATT&CK Practical Use
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Use the ATT&CK framework to identify known adversarial threat activity. In conjunction with the ATT&CK framework, the Mordor Project is used to test a detection strategy or rule against malicious events for a given APT.
OUTCOMES
- Map threat activity to the MITRE ATT&CK matrix
Intermediate
MITRE ATT&CK Threat Mapping
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
Covers mapping real-world threat actor activity onto the MITRE ATT&CK matrix.
OUTCOMES
- Discuss ATT&CK Navigator layers
- Map threat actor activity onto the MITRE ATT&CK matrix using ATT&CK Navigator
Intermediate
Modifying Zeek Scripts
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Zeek includes a robust scripting engine that enables customization that expands the usefulness of Zeek both as a command-line tool and as a network sensor. Learn the basics of Zeek scripting, including common use cases and how to write a custom script, execute that script, and further modify it to return additional data.
OUTCOMES
- Identify use cases for Zeek scripting
- Run a custom Zeek script
- Modify a Zeek script
Intermediate
Network Analyst Exercise: Network Threat Hunting
Blue Team
3.5 hours
Read moreShow less
DESCRIPTION
Discover and scope an attack using threat hunting skills such as hypothesis development and pivoting in a lab environment.
OUTCOMES
- Combine network security monitoring and SIEM tools to investigate threats on a network
- Explain the role of a hypothesis in threat hunting
- Use a SIEM to investigate plausible hypotheses of adversary behavior
- Determine the scope of a breach by pivoting off of related indicators, discovering previously unknown indicators, and using those to discover further infection
Intermediate
Network Analyst Walkthrough: ASCII and JSON Logging
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
A walkthrough follow-on exercise for the module ASCII and JSON Logs: Interpreting and Processing.
OUTCOMES
- Use Linux built-ins to find indicators of compromise
Intermediate
Network Analyst Walkthrough: Modifying Zeek Scripts
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
A walkthrough follow-on for the module Modifying Zeek Scripts that guides you through modifying and customizing Zeek scripts to identify anomalous network activity.
OUTCOMES
- Modify a Zeek script to extract certain file types from a packet capture
- Use Zeek to parse a pcap file and identify anomalies from a packet capture file
- Create a custom Zeek script to analyze and detect malicious packets from a packet capture
Intermediate
Network Analyst Walkthrough: Packet Capture and Analysis
Blue Team
1 hour
Read moreShow less
DESCRIPTION
A walkthrough follow-on to the Packet Capture and Analysis module. Investigate a potential network compromise and determine basic facts about the break-in. Use packet capture analysis methodology to determine the initial point of compromise, the point of origin of the malware, the beaconing interval of the malware agent, and more.
OUTCOMES
- Using packet capture analysis methodology, identify the following about a given packet capture file:
- The initial point of compromise.
- The malicious server’s hostname and IP address.
- The hostname and IP address of the point of data exfiltration.
- The names of exfiltrated files.
- The malware agent’s beaconing interval.
- The malware agent’s web resources used during beaconing.
- The name of the initial document that began the compromise.
Foundational
Network Device Configuration
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Fundamentals of network devices, establishing network connections between devices, and managing and troubleshooting device connections.
OUTCOMES
- Identify the different types of network devices and their functions within a network
- Using the command line interface, statically configure a host’s IP address to communicate across different networks
- Using the command line interface, configure a router for Dynamic Host Control Protocol (DHCP) to dynamically assign IP addresses within a subnet
- Using the router command line interface, configure a router to enable Secure Shell (SSH)
- Using SSH, remotely configure the router for DHCP
- Describe general troubleshooting steps for basic network device connectivity
Foundational
Network Firewalls
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Types of network firewalls and the analysis and creation of firewall rules.
OUTCOMES
- Differentiate between the various types of network firewalls, based on their features, advantages, and disadvantages
- Analyze a set of firewall rules to identify how they are processed
- Create firewall rules in pfSense
Intermediate
Network Remediation: Introduction
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Remediating a network after an attack. Includes factors to consider and recommending options based on specific pcaps.
OUTCOMES
- Identify factors to consider when recommending remediation
- Recognize the role attacker persistence plays in network remediation.
- Recommend remediation actions based on method of compromise
- Given scenarios, recommend best course of action for remediation
Foundational
NetworkMiner: Introduction
Blue Team
1 hour
Read moreShow less
DESCRIPTION
NetworkMiner makes artifact extraction an easy task by automating the process. An introduction to using the interface version of the tool on Windows and Linux.
OUTCOMES
- Identify the primary purpose of NetworkMiner for a blue team analyst
- Use NetworkMiner to:
- Identify hosts in network traffic.
- Identify filenames of artifacts.
- Determine the content of artifacts.
- Find unencrypted email communication details.
- Demonstrate artifact extraction from a pcap.
Foundational
Open vSwitch Fundamentals
Blue Team
1 hour
Read moreShow less
DESCRIPTION
This training package teaches a participant how to configure Open vSwitch to remotely mirror traffic between a physical and virtual layer 3 device.
OUTCOMES
N/A
Learn More
Foundational
Open-Source Intelligence (OSINT) Techniques
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Explores various methods to conduct intelligence gathering through open sources.
OUTCOMES
- Collect intelligence via various open-source methods
- Identify various tools and techniques to gather OSINT
Foundational
Operational Security 101
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
Examines aspects of Operational Security (OPSEC) with a focus on cybersecurity.
OUTCOMES
- Describe OPSEC as it applies to defensive cyber operations
- Identify various methods and techniques of ensuring OPSEC
Intermediate
Parsing Network Traffic with Zeek
Blue Team
1 hour
Read moreShow less
DESCRIPTION
How and why to use Zeek to parse network traffic, both live and static via pcap files. Participate in a scenario exercise and parse three pcap files with malicious traffic. After parsing pcap files, analyze Zeek logs and describe which Indicators of Compromise are present within the captures.
OUTCOMES
- Configure Zeek to listen on a single network interface
- Parse pcap data into Zeek logs
- Analyze Zeek logs to identify suspicious activity
Foundational
PowerShell: Introduction
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Use PowerShell to interact with a Windows operating system to complete beginner-level administrative tasks.
OUTCOMES
- Create, modify, and execute custom PowerShell scripts
- Get help in PowerShell by using the Get-Help command
- Interpret PowerShell elements including objects, aliases, variables, and arrays
Advanced
PrintNightmare Defense: Legacy Threat
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
An outline of the “PrintNightmare” exploit (CVE-2021-34527) from a defensive/protector perspective. Includes background information on CVE-2021-34527 as well as details on some confusion surrounding the publication of the vulnerability.
OUTCOMES
- Identify indicators of a potential attack using CVE-2021-34527 and the Elastic SIEM
- Explain various mitigations for CVE-2021-34527 and their impact on a domain
Advanced
ProxyLogon Defense: Legacy Threat
Blue Team
1 hour
Read moreShow less
DESCRIPTION
An outline of the “ProxyLogon” exploit (CVE-2021-26855) from a detection and mitigation perspective. Due to a server-side request forgery vulnerability, this exploit allows an attacker to send arbitrary HTTP requests and authenticate as the Microsoft Exchange server.
OUTCOMES
- Detect ProxyLogon in a lab environment
- Explain how to mitigate ProxyLogon
Intermediate
Secure Coding
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
An introduction to the concept of secure coding that includes identifying some of the most common software security risks and providing programming countermeasures that are used in a secure code review.
OUTCOMES
- Describe the purpose and importance of secure coding
- Apply secure coding best practices
- Summarize common programming countermeasures
- Perform a secure code review
Foundational
Secure SDLC: Deployment and Maintenance
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Examine the fifth and sixth phases of the software development life cycle (SDLC) and helpful tools and techniques for incorporating security into them. Review the most effective testing techniques for a CI/CD pipeline.
OUTCOMES
- Identify key security concerns when deploying an application
- Describe how containerization, web application firewalls (WAF), and runtime application selfprotection (RASP) secure application deployment
- Test a WAF that is protecting an application
- Recommend methods for incorporating security into application maintenance
Foundational
Secure SDLC: Development
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Examine the third phase of the software development life cycle (SDLC) and tools and techniques that are effective for secure development in the SDLC. Review how to incorporate them into a CI/CD pipeline.
OUTCOMES
- Assess different methods for catching bugs in the development phase
- Analyze code to identify vulnerabilities
- Deploy software security tools into a CI/CD pipeline
Foundational
Secure SDLC: Requirements and Design
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Examines the first and second phases of the software development life cycle (SDLC) and tools and techniques that are effective for secure requirements gathering and design in the SDLC. Also reviews how to incorporate them into a CI/CD pipeline.
OUTCOMES
- Recommend techniques for building security into the first two phases of the SDLC
- Identify appropriate security requirements for an application
- Recognize correct threat modeling for an application
Foundational
Secure SDLC: Testing
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Examines the fourth phase of the software development life cycle (SDLC) and helpful tools and techniques for incorporating security in it. Also reviews the most effective testing techniques for a CI/CD pipeline.
OUTCOMES
- Identify suitable security unit tests
- Recognize the benefits of DAST
- Contrast DAST and IAST
- Conduct fuzz testing to identify vulnerabilities
- Evaluate appropriate applications of penetration testing in a secure SDLC
- Identify the role of SCA in securing an application’s third-party packages
Foundational
Security Operations Center (SOC) Overview
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
An overview of a Security Operations Center, including the roles and functions of those who work in it, and the skills required for a SOC analyst.
OUTCOMES
- Define SOC
- Describe the primary functions of the people working in a SOC
- Identify the main tasks done in a SOC
- Choose which SOC architecture is most appropriate for a given organization
- Contrast the roles and responsibilities of the different levels of SOC analysts
Intermediate
Security Testing
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Security testing concepts, as well as a hands-on demonstration of incorporating static, dynamic, and software composition analysis testing tools into a software development pipeline.
OUTCOMES
- Describe the importance of continually testing code for vulnerabilities
- Define security requirements
- Conduct a risk analysis
- Formulate a test plan
- Differentiate between white, black, and gray box testing
- Compare and contrast various application security testing tools
- Practice using security testing tools to scan code
- Interpret results from a scan
- Describe how to incorporate security testing into a development pipeline
Foundational
SIEM: Conceptual Introduction
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Review common SIEM functions, including dashboard composition and log aggregation. Use two common SIEM products, Splunk Enterprise Security and Elastic SIEM, to perform simple searches on a simulated corporate network and correlate log information.
OUTCOMES
- Describe a SIEM’s core functions
- Explain the SIEM’s main function in the context of information security
- Describe the components of a SIEM
- Execute a simple search in Kibana to correlate information about user activity on the network
- Execute a simple search in Splunk to correlate information about user activity on the network
Intermediate
SIEM: Practical Introduction
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
An introduction to using Security Information and Event Management (SIEM) software, with hands-on labs that use Elastic Stack.
OUTCOMES
- Discuss how a SIEM deployment is commonly architected
- Identify various parts and pieces of a SIEM solution
- Identify methods to deploy log forwarders
Advanced
SIEM Walkthrough: Incident Response
Blue Team
1 hour
Read moreShow less
DESCRIPTION
A walkthrough follow-on for Elastic and Splunk SIEM modules: A suspected network breach has occurred on the SOMECORP network. Use everything you've learned about log analysis, event correlation, and indicators of compromise to identify the key facts about this malicious break-in.
OUTCOMES
- Using a Security Information and Event Management (SIEM) platform, identify key facts about a network intrusion:
- Identify the network intrusion’s point of origin on the internal network.
- Identify portscanning against internal hosts.
- Determine the adversary’s initial foothold and privilege escalation method.
- Identify the malicious domain used to install post-compromise malware.
Intermediate
Sigma: Introduction
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
Leverage Sigma to turn indicators of compromise into a customized Kibana query to discover infected hosts.
OUTCOMES
- Use Sigma to identify key features of a malicious binary to write a SIEM-agnostic rule for detection
- Convert the general Sigma rule into a Kibana-specific query to find malicious activity
- Use Kibana to visualize the Intrusion Detection Signature (IDS) signatures going into the network and use this information to find malicious user behavior
Intermediate
SIP Telephony
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
An overview of the voice protocol and Session Initiation Protocol (SIP) and an explanation of SIP vulnerabilities and attacks.
OUTCOMES
- Understand the SIP protocol
- Identify various SIP vulnerabilities
- Locate SIP attack indicators using an Elastic Stack
Foundational
SOC: Incident Response
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
An explanation of Incident Response and how it works in a Security Operations Center (SOC).
OUTCOMES
- Define incident response
- Describe how SOC analysts respond to incidents
- Identify the typical tools used to perform incident response
- Choose appropriate courses of action when presented with an incident response scenario
Foundational
SOC: Security Monitoring
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
An overview of the roles, responsibilities, and tools involved in the Security Monitoring function of a Security Operations Center (SOC).
OUTCOMES
- Define security monitoring
- Describe how SOC analysts monitor the network and endpoints
- Identify the typical tools used to perform security monitoring
- Choose appropriate courses of action when presented with a security monitoring scenario
Foundational
SOC: Threat Hunting
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
An introduction to the role and functions of threat hunting in a Security Operations Center (SOC).
OUTCOMES
- Define threat hunting
- Describe how SOC analysts hunt for threats
- Identify typical tools used to perform threat hunting
- Choose appropriate courses of action when presented with a threat hunting scenario
Intermediate
Splunk Configuration and Data Ingestion
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Install and configure a basic Splunk instance on a local network. Load data into Splunk and extract custom fields to enhance Splunk Search and return more refined results.
OUTCOMES
- Install Splunk
- Configure the Splunk web interface to use SSL
- Import local compressed data into Splunk
- Query data in Splunk for artifacts
Advanced
Splunk Enterprise Security
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
An introduction to Splunk Enterprise Security (ES), Splunk's SIEM offering. Covers the installation of Splunk ES and its basic use, including using built-in alerts to detect DNS exfiltration. Additionally, use Sigma to create a custom Splunk search to quickly identify infected network hosts.
OUTCOMES
- Identify the number of assets and identities in a static Assets & Identities configuration file
- Use cross-correlated information to identify Indicators of Compromise on a network:
- Use Enterprise Security correlation searches to identify DNS tunneling.
- Use Suricata signatures to correlate events with a host to find unauthorized Peer to Peer (P2P) torrent client activity.
Foundational
Splunk Forwarders and Normalization
Blue Team
1 hour
Read moreShow less
DESCRIPTION
How Splunk Technology Add-ons pair with the Universal Forwarder to create CIM-compliant data. Install and configure the Splunk Universal Forwarder on a Windows VM and enable the Windows TA to view normalized data in real-time. Also, learn how TAs impact search-time by performing a custom CIM mapping.
OUTCOMES
- Create a new index to use with Splunk Technology Add-on
- Enable monitoring and configure Splunk Technology Add-on
- Install the Splunk Universal Forwarder on a Windows VM
- Identify when a custom CIM is required
Foundational
Splunk Incident Investigation
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Taking on the position of a basic cyber protection analyst, use Splunk to navigate through an investigation of a realistic cyber incident.
OUTCOMES
- Perform the necessary steps to leverage Splunk as an investigation tool
- Discuss the scope of the incident investigation
- Analyze the incident investigation
Foundational
Splunk Overview
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
The Splunk Security Information and Event Management (SIEM) and its use in operational environments.
OUTCOMES
- Discuss Splunk architecture
- Identify various methods of ingesting data
- Identify how to configure the Splunk forwarder
Foundational
Splunk Post Incident Investigation Actions
Blue Team
1 hour
Read moreShow less
DESCRIPTION
How to operationalize Splunk to meet the needs of a cyber protection team, employing actions taken during the incident investigation lesson to create reports, alerts, and dashboards aimed at the identification of future malicious cyber activity.
OUTCOMES
- Operationalize Splunk concepts to identify malicious cyber activity
- Create Splunk reports, alerts, and dashboards
Foundational
Splunk Searching
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
Use Splunk for data searching and visualization. Become familiar with Splunk search terminology. Write Splunk queries. This module also covers viewing events, building a transforming search, and optimizing searches.
OUTCOMES
- Write advanced queries
- Conduct anonymous and wildcard searches
- Build a transforming search
- Use search optimizations
Foundational
Suricata: Introduction
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
The installation and configuration of Suricata, a network security monitoring tool often used as an intrusion detection system. Includes ruleset management and briefly introduces custom rules.
OUTCOMES
- Identify situations in which IDS would be an effective tool for network security
- Explain the difference between Suricata’s main logging formats
- Configure Suricata
- Update and deploy rulesets for Suricata
- Write and deploy a simple custom Suricata rule
Intermediate
Suricata Rule Writing
Blue Team
1.5 hours
Read moreShow less
DESCRIPTION
Write rules using Suricata to catch malicious traffic. This covers the basic parts of a Suricata rule, techniques to minimize noise, using pcaps to develop rules, and Perl Compatible Regular Expressions.
OUTCOMES
- Identify reasons to use a Suricata rule
- Identify the parts of a Suricata rule
- Write a basic Suricata rule that is functional
- Write rules that use progressively more advanced rule writing concepts
Foundational
System Monitor (Sysmon)
Blue Team
1 hour
Read moreShow less
DESCRIPTION
This module introduces System Monitor (Sysmon) from Windows SysInternals. It describes the steps to install and configure Sysmon and view its generated logs.
OUTCOMES
- Install Sysmon and view output
- Create a custom configuration for Sysmon
- Use Sysmon data to identify a threat
Foundational
Threat Hunting in Windows Files
Blue Team
1 hour
Read moreShow less
DESCRIPTION
How to analyze Windows files for indicators of malicious activity. Includes hands-on labs using magic numbers, examining basic steganography, and finding alternate data streams.
OUTCOMES
- Identify anomalies in digital signatures
- Validate digital signatures
- Identify files using a hex editor and magic bytes
- Explain two methods of file obfuscation
- Use two hashing methods to analyze files
- Analyze alternate data streams
- Identify the methods attackers use for file downloads
Intermediate
Threat Hunting Physical Devices
Blue Team
1 hour
Read moreShow less
DESCRIPTION
A walkthrough follow-on for Elastic and Splunk SIEM modules: A suspected network breach has occurred on the SOMECORP network! You must use everything you've learned about log analysis, event correlation, and indicators of compromise to identify the key facts about this break-in.
OUTCOMES
- Gain a foothold in the Site com internal network.
- Pivot into the Corp lan internal network.
- Gain access to the Corp lan domain controller as a domain administrator.
Intermediate
Threat Hunting with IOCs Exercise
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Use your threat hunting skills to uncover indicators of compromised and infected hosts.
OUTCOMES
- Identify network indicators of compromise
- Pivot off of network indicators of compromise
- Identify host indicators of compromise
- Pivot off of host indicators of compromise
Foundational
Threat Hunting with IOCs Workshop
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Indicators of compromise in networks and hosts and how to use pivoting to threat hunt.
OUTCOMES
- Describe indicators of compromise
- Explain types of network and host indicators
- Describe how IOCs are used in threat hunting
- Describe the Pyramid of Pain and where different indicators fit on it
- Identify network indicators of compromise
- Pivot off of network indicators of compromise
- Identify host indicators of compromise
- Pivot off of host indicators of compromise
Foundational
Threat Hunting with MITRE ATT&CK®
Blue Team
2.5 hours
Read moreShow less
DESCRIPTION
Gather and operationalize threat intelligence using the open-source tool Atomic Red Team in conjunction with the MITRE ATT&CK® framework.
OUTCOMES
- Identify APT TTPs using ATT&CK Navigator
- Map APT activity to the MITRE ATT&CK framework
Foundational
Threat Modeling
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
Learn to decompose, classify, and visualize threats to an IT system with STRIDE, OWASP Threat Dragon, and more!
OUTCOMES
- Classify a vulnerability using CVSS
- Describe how to apply the OWASP Threat Modeling Process
- Categorize a threat using STRIDE
- Use OWASP Threat Dragon to create a threat diagram
Foundational
Unit Testing in CI
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Tools and techniques for sustainably increasing software development quality and speed: Test-driven development (TDD), unit testing, and test automation.
OUTCOMES
- Identify traits of an effective unit test
- Describe the process and features of TDD
- Create unit tests
- Determine the advantages of pytest
- Test software developed through TDD
- Automate unit testing
Foundational
Volatility: Introduction
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
Learn memory forensic techniques by using one of the leading tools to investigate and identify the memory image of a compromised machine.
OUTCOMES
- Identify active processes in acquired memory image
- Find relevant files in acquired memory image
- Identify parameters and use patterns for the Volatility tool
Intermediate
Vulnerability Remediation
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Provides the concepts relating to remediating or mitigating vulnerabilities, including CVSS, remediation options, and remediation plan development.
OUTCOMES
- Interpret a vulnerability’s severity based on its Common Vulnerability Scoring System (CVSS) score
- Develop a vulnerability remediation plan based on best practices and organizational risk appetite and tolerance
Intermediate
Windows Event Forwarding
Blue Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to Windows Event Forwarding (WEF) which reads operational or administrative event logs and forwards the events to you via a subscription.
OUTCOMES
- Describe the purpose of Windows Event Forwarding
- Describe the two WEF subscription types
- Create a WEF subscription
Foundational
Windows Libraries: Introduction
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Describes the function and capabilities of the libraries for the Windows operating system, as well as attacks that utilize libraries.
OUTCOMES
- State the purpose of libraries within the Windows OS
- Perform basic analysis of the functions of a library
- Discuss the impact of malicious use of libraries in a defense context
Foundational
Windows Memory Analysis: Introduction
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
Walk through the steps of memory acquisition, collecting volatile data from Windows systems. Learn foundational memory analysis techniques that aim to identify malicious code and rogue activity.
OUTCOMES
- Perform memory dump
- Validate processes running in memory
- Find relevant files
Foundational
Windows Processes: Introduction
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Learn about the composition of processes in the Windows operating system, and perform enumeration of those processes with UI and command line tools.
OUTCOMES
- Identify the fundamentals of several different OSs and their corresponding internals
- Understand the use and function of processes within the Windows OS
- Discuss the impact of the Windows OS and its corresponding internals on Defensive Cyberspace Operations (DCO)
Foundational
YARA and Signature-Based Writing
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Use the powerful and flexible open-source pattern matching YARA tool, written in the C programming language, to run, write, and customize rules to identify and classify malware.
OUTCOMES
- Scan a file with YARA
- Scan a directory with YARA
- Identify common YARA use cases
- Write a custom YARA rule
Challenges
Intermediate
Advanced Forensic Analysis Challenge: Dead Drop
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
This challenge tests encrypted traffic forensics and Windows baselining skills. It also requires skills with using Suricata, Wireshark, and JA3 signatures to locate infected devices.
OUTCOMES
- Identify network indicators of compromise (IOC) on infected devices
- Use network IOC to find further infected devices
- Identify host IOC on infected devices
- Use host IOC to find infected devices
Intermediate
Basic Malware Analysis Challenge: Alien Autopsy
Blue Team
4 hours
Read moreShow less
DESCRIPTION
Assume a junior malware analyst's role on the morning of a malware outbreak. Use your skills to identify key indicators that can be used to track the outbreak and prevent it from spreading.
OUTCOMES
- Report facts about an unknown binary from initial detonation
- Create an MD5 hash from an unknown executable
- Perform basic static analysis to gather facts
- Perform basic dynamic analysis to gather facts
- Review findings for inclusion in a post-compromise report
Advanced
Cyber Defense Challenge: Blind Burglar
Blue Team
4 hours
Read moreShow less
DESCRIPTION
A capture-the-flag challenge in which network defenders uncover crypto-mining software installed across their networks, and trace their invasions to the security shortcomings that allowed them in.
OUTCOMES
- Identify the initial compromise point of the network and its matching CVE
- Evaluate Sigma rules to identify a specific attack
- Use multiple SIEM tools to trace a complete attack path
- Identify all network components compromised in an attack chain
- Identify suspicious files or activities on a machine or target network
Advanced
Cyber Defense Challenge: Business Aquarium
Blue Team
4 hours
Read moreShow less
DESCRIPTION
In this capture-the-flag challenge, trace the path of an attacker traversing a network through social mistrust, discover their malware, identify their command-and-control infrastructure, and find out what they were after.
OUTCOMES
- Identify the sensitive document(s) and how they were exfiltrated
- Identify where the attacker gained initial access to a network
- Identify how the attacker gained initial access to a network
- Identify the security misconfigurations that allowed the attack to work
Advanced
Cyber Defense Challenge: Stagecoach Holdup
Blue Team
2 hours
Read moreShow less
DESCRIPTION
This capture-the-flag challenge employs Kibana, Hybrid Hunter, and other tools to find an infestation of ransomware in the company network and trace events back to initial compromise.
OUTCOMES
- Identify the ransomware malware and its locations on a network
- Identify where the attacker gained initial access to a network
- Identify how the attacker gained initial access to a network
- Identify the security misconfigurations that allowed the attack to work
Intermediate
Host Analyst Assessment: Digital Scorpion
Blue Team
4 hours
Read moreShow less
DESCRIPTION
You are tasked with investigating a malware infection on a small network. Use blue team tools and techniques, including Windows logs, Powershell, YARA, and Volatility, to analyze the hosts and uncover the extent of the infection.
OUTCOMES
- Identify the presence of a malware infection
- Discover the changes to the system made by the malware
- Determine the original point of infection
- Analyze a memory capture to find the presence of active C2
- Find the location of a second infection using malware signatures
Intermediate
Host Forensics Challenge: Wise Skunk
Blue Team
0.5 hours
Read moreShow less
DESCRIPTION
In this challenge, you assume the role of the primary blue team operator during a host-based investigation of a red team audit.
OUTCOMES
- Conduct basic forensic investigations using Windows logs
- Using the method of your choice, view and interpret Linux log files
Intermediate
Incident Identification and Prioritization Challenge: Plug and Play
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
Your network is under attack! Whether by a knowing compromise or means of subterfuge, a malicious actor has found their way in. Using your knowledge of SIEM fundamentals and network monitoring software, dig out the source of this attacker's intrusion and expel them!
OUTCOMES
- Use log aggregation software to unearth a network intrusion
- Identify Indicators of Compromise (IOC) using domain name lookups
- Identify IOC from Windows and Linux logging
Foundational
Introduction to Application Security Challenge: Flabbergasted Florist
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Showcase your application security mettle by helping Flora McMahon secure her application as she plans to release a new feature in this exciting challenge.
OUTCOMES
- Recommend misuse cases and security requirements for a new application feature
- Identify new threats against an application
- Run a SAST tool against an application and analyze the results
- Run security unit tests on an application and analyze the results
- Identify the capabilities of application testing tools
- Analyze ModSecurity logs to identify an attack
- Recommend techniques to secure the deployment and maintenance of an application
Foundational
Introduction to SOC Challenge: SOC Monkey
Blue Team
1 hour
Read moreShow less
DESCRIPTION
DroneRaptor is building a SOC and has called you in to consult on the process. As they progress through the steps of planning, building, and implementing a SOC, you will be presented with options for them to take. Once they get to the implementation phase, you will have to perform some incident investigation activities.
OUTCOMES
- Select an appropriate SOC architecture, given constraints and goals
- Identify the roles of members of the SOC
- Identify relevant tools that will be used in the SOC
- Implement the correct alert triage procedure
- Implement the correct incident response procedure
- Perform threat hunting to identify a current threat
Advanced
Network Analyst Challenge: Broken Halo
Blue Team
4 hours
Read moreShow less
DESCRIPTION
Your network is under attack! Examine the artifacts of an intrusion and recreate the steps of the attack chain. Use incident response skills, such as packet capture analysis and Linux command-line utilities, to gather the basic facts about your company's compromise.
OUTCOMES
- Identify the hostname of the initial point of compromise
- Identify the IP address that launched the initial attack
- Identify the exploited service and resource of the initial point of compromise
- Identify the IP address of the host used for lateral movement
- Identify the Fully Qualified Domain Name of the server used for stage 2 malware download
- Identify the beaconing interval of the malware C2 agent
- Recover the file used to download the malware C2 agent
- Write a Zeek script to identify C2 traffic
Advanced
Network Analyst Challenge: Hidden Lotus
Blue Team
4 hours
Read moreShow less
DESCRIPTION
In this blue team assessment, use network threat hunting and forensics skills to uncover a sophisticated breach of a realistic corporate network.
OUTCOMES
- Fully scope a network breach and identify all compromised devices
Intermediate
Network Forensics Challenge: Zeeking the Predator
Blue Team
1 hour
Read moreShow less
DESCRIPTION
A challenge to test skills with network forensics using Suricata, Wireshark, and Zeek
OUTCOMES
- Confirm a potential attack via Suricata alerts
- Identify a network indicator from which to pivot
- Identify one or more attacked hosts
- Confirm fully infected host(s) that require remediation
- Extract the attacker’s tool
Intermediate
Reducing Vulnerabilities in Code Challenge: Shellshocked Sally
Blue Team
0.75 hours
Read moreShow less
DESCRIPTION
Sally's website is riddled with vulnerabilities. Help her team to make their site's code more secure by going over secure coding, security testing, threat modeling, and vulnerability remediation.
OUTCOMES
- Review the specifications of the Common Vulnerability Scoring System (CVSS)
- Analyze a CVSS score
- Differentiate between vulnerability remediation and mitigation
- Identify code that uses secure coding best practices
- Verify secure code review processes
- Identify and demonstrate a common security flaw in code
- Differentiate between security testing tool types
- Use a Dynamic Application Security Testing (DAST) tool against an application and analyze the results
- Recommend a vulnerability remediation plan and determine the best courses of action
Advanced
SIEM Challenge: Lone Shark
Blue Team
2 hours
Read moreShow less
DESCRIPTION
Your network is under attack! Examine the artifacts of an intrusion and recreate the steps of the attack chain. Use threat hunting skills, such as Kibana or Splunk searching and visualization, to gather the basic facts about your company's compromise. After gathering these facts, answer a series of questions about the intrusion from compromised hosts to malware artifacts.
OUTCOMES
- Identify the binary names of the supply chain compromised software
- Identify the hostnames of infected clients
- Identify the IP address of the malicious server that is exfiltrating data
- Identify the hostname of the infected server
- Identify the first timestamp of exfiltrated data
- Identify the last timestamp of exfiltrated data
- Identify the number of times that data was exfiltrated from the network
- Identify the filename of the output written to disk by the malware
Intermediate
SIEM Fundamentals Challenge: Little Lone Shark
Blue Team
1 hour
Read moreShow less
DESCRIPTION
Your network is under attack! Examine the artifacts of an intrusion and recreate the steps of the attack chain. Use threat hunting skills, such as Kibana or Splunk searching and visualization, to gather the basic facts about your company's compromise. After gathering these facts, answer a series of questions about the intrusion from compromised hosts to malware artifacts.
OUTCOMES
- Identify the binary names of the supply chain compromised software
- Identify the hostnames of infected clients
- Identify the IP address of the malicious server that is exfiltrating data
- Identify the hostname of the infected server
- Identify the first timestamp of exfiltrated data
- Identify the last timestamp of exfiltrated data
- Identify the number of times that data was exfiltrated from the network
- Identify the filename of the output written to disk by the malware
Intermediate
Splunk Boss of the SOC V1
Blue Team
6 hours
Read moreShow less
DESCRIPTION
The focus of this hands-on lab will be an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, the analyst who has recently been hired to protect and defend Wayne Enterprises against various forms of cyberattack.
OUTCOMES
N/A
Learn More
Intermediate
Splunk Boss of the SOC V2
Blue Team
6 hours
Read moreShow less
DESCRIPTION
In this hands-on exercise, you assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly to assist them with their recent issues.
OUTCOMES
N/A
Learn More
Intermediate
Splunk Boss of the SOC V3
Blue Team
6 hours
Read moreShow less
DESCRIPTION
Boss of the SOC is a blue-team CTF that helps you enhance your hunting and analysis skills.
You will use Splunk and other tools to answer a variety of questions about security incidents that
have occurred in a realistic but fictitious enterprise environment.
OUTCOMES
N/A
Learn More
Foundational
Telemetry Challenge: Faulty Firewall
Blue Team
1 hour
Read moreShow less
DESCRIPTION
This challenge tests the ability to tie together multiple sources of network telemetry to identify and mitigate threats and misconfigurations. It requires skill with network firewalls, Elastic endpoint forwarders, Windows Event Forwarding, and Sysmon.
OUTCOMES
- Use Kibana/Elastic to identify a threat within the network
- Identify and correct misconfigurations hampering investigations into the threat
- Triage the threat and collect information about it
- Identify and correct the misconfiguration that is allowing the threat to connect into and out of the network
Intermediate
Threat Hunting with IOCs Challenge: Dragnet Diaries
Blue Team
1 hour
Read moreShow less
DESCRIPTION
In this challenge, your threat hunting abilities are put to the test.
OUTCOMES
- Identify network indicators of compromise on infected devices
- Use network indicators of compromise to find further infected devices
- Identify host indicators of compromise on infected devices
- Use host indicators of compromise to find infected devices
RED TEAM
Training
Foundational
Boot2Root Workshop 1
Red Team
1 hour
Read moreShow less
DESCRIPTION
Workshop | Use industry tools to identify and exploit vulnerabilities to gain remote access and control of a network host.
Targets are Linux OS, WordPress, and MySQL.
OUTCOMES
- Determine and analyze attack surfaces
- Identify vulnerabilities
- Execute exploits to gain access and privilege escalation
- Document results
Intermediate
Boot2Root Workshop 2
Red Team
1 hour
Read moreShow less
DESCRIPTION
Workshop | Use industry tools to identify and exploit vulnerabilities to gain remote access and control of a network host. Targets are Linux OS and MySQL.
OUTCOMES
- Identify vulnerabilities
- Execute exploits to gain access and privilege escalation
- Document results
Intermediate
Boot2Root Workshop 3
Red Team
4 hours
Read moreShow less
DESCRIPTION
Workshop | Use industry tools to identify and exploit vulnerabilities to gain remote access and control of a network host. Target is Linux OS, and techniques include steganography, MIB manipulation, MD5 cracking, and open-source research.
OUTCOMES
- Determine and analyze attack surfaces
- Identify vulnerabilities
- Execute exploits to gain access and privilege escalation
- Document results
Advanced
Boot2Root Workshop 4
Red Team
2 hours
Read moreShow less
DESCRIPTION
Workshop | Use industry tools to identify and exploit vulnerabilities to gain remote access and control of a network host. Targets are Linux OS and OpenNetAdmin.
OUTCOMES
- Determine and analyze attack surfaces
- Identify vulnerabilities
- Execute exploits to gain access and privilege escalation
- Document results
Foundational
Credential Management and Harvesting
Red Team
2 hours
Read moreShow less
DESCRIPTION
Techniques for identifying and harvesting credentials in Windows. The hands-on lab provides multiple opportunities to harvest credentials, followed by a challenge lab.
OUTCOMES
- Identify the common locations of credentials in Windows
- Describe what Mimikatz does
- On a given system, escalate privileges to local Administrator by harvesting credentials
- On a given system, dump SAM hashes with Mimikatz
- Demonstrate hash cracking with John the Ripper
Foundational
Defeating CSRF Protections with XSS
Red Team
0.75 hours
Read moreShow less
DESCRIPTION
Common defense techniques against cross-site request forgery (CSRF) and demonstration of how to defeat them using cross-site scripting (XSS).
OUTCOMES
- Recognize when a CSRF token is present as a defensive measure
- Execute a CSRF exploit to overcome CSRF tokens
- Recognize when a SameSite cookie attribute is present as a defensive measure
- Execute a CSRF exploit to circumvent a SameSite ”strict” setting on session cookies
Foundational
Enumeration: Introduction
Red Team
1.5 hours
Read moreShow less
DESCRIPTION
An introduction to the enumeration phase of the penetration testing methodology. This module covers tools and techniques for enumeration of common network services.
OUTCOMES
- Use Nmap to fingerprint a remote OS
- Use Netcat to perform banner grabbing
- Use penetration testing tools to enumerate network services
Intermediate
Exploit Public-Facing Application: MITRE ATT&CK® Red
Red Team
1 hour
Read moreShow less
DESCRIPTION
An overview of the LAMP stack and HTTP basics, with a lab that covers common web attacks (SQL injection, cross-site scripting, and local file inclusion).
OUTCOMES
- Given the description of a vulnerability, identify the appropriate attack to exploit it
- Demonstrate how attackers leverage weaknesses in web applications to bypass authentication
- Demonstrate how attackers leverage injection, cross-site scripting, and file inclusion attacks to compromise web-facing applications and extract data
Intermediate
Follina Defense: Emerging Threat
Red Team
1.5 hours
Read moreShow less
DESCRIPTION
The background of CVE-2022-30190 Follina, a Microsoft Office vulnerability, along with detection and mitigation.
OUTCOMES
- Detect an exploitation of Follina using Sysmon logs
- Mitigate Follina by modifying the registry
Intermediate
Follina Offense: Emerging Threat
Red Team
1.5 hours
Read moreShow less
DESCRIPTION
The background of CVE-2022-30190 Follina, a Microsoft Office vulnerability, along with an explorations of the vectors needed to create a malicious document that utilizes the exploit to run commands on a target device.
OUTCOMES
- Create a malicious document (“maldoc”) that uses CVE-2022-30190 to exploit a target user
- Use variations of CVE-2022-30190 that alter the manner of user interaction required to trigger the exploit
Intermediate
Initial Access
Red Team
2 hours
Read moreShow less
DESCRIPTION
An introduction to gaining initial access to a remote system. This overview provides some of the standard methods of gaining initial access to a remote system and how to carry out some of those techniques.
OUTCOMES
- Apply phishing and spear-phishing tradecraft to conduct campaigns
- Build weaponized documents to drop an initial payload
- Use drive-by attack links in conjunction with spear-phishing to gain access
- Utilize spear-phishing to conduct credential harvesting to gain valid account access
- Identify components of social engineering and apply them to gain initial access
- Apply the information gained by scanning to identify public-facing application vulnerabilities
Intermediate
Invoke-PSImage: Steganography
Red Team
1 hour
Read moreShow less
DESCRIPTION
Employ steganography using Invoke-PSImage and embed a PowerShell script inside of a picture. After you use Invoke-PSImage in an attack, flip the role and try to find out what happened.
OUTCOMES
- State how Invoke-PSImage conceals malicious code
- Use Invoke-PSImage to embed a malicious script into an image
- Detect traces of Invoke-PSImage as a defender
Foundational
Kerberoasting: MITRE ATT&CK® Red
Red Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to the Kerberos protocol and SecureAuthCorpTM’s Impacket toolkit, a suite for interacting with Active Directory environments in Python. You will be able to use Kerberos to extract cryptographic material from a domain controller, and then prosecute this material to increase network presence in an Active Directory domain.
OUTCOMES
- Use impacket to extract AS-REP and TGS-REP values from a target
- Use John the Ripper to recover weak passwords from this authentication data
Intermediate
Lateral Movement
Red Team
4 hours
Read moreShow less
DESCRIPTION
An introduction to using the compromise of a single network device to expand access within a target network. In the context of a Red Team intrusion, use the credentialed lateral movement techniques of PsExec, WMI, WinRM, and scheduling remote tasks.
OUTCOMES
- Take over a Windows device using the following methods:
- Co-opt SMB using PsExec and recovered passwords.
- Windows Management Instrumentation (WMI) commands.
- Co-opt SMB using recovered passwords, a lateral tool transfer, and creating a remote scheduled task.
- Co-opt Windows Remote Management with PowerShell using recovered passwords.
Foundational
Local File Inclusion (LFI): Introduction
Red Team
1 hour
Read moreShow less
DESCRIPTION
Local file inclusion (LFI), its relationship to other exploitations, and hands-on LFI exploit labs.
OUTCOMES
- Execute an LFI exploitation
- Recognize vulnerabilities that LFI can exploit
- Perform a directory traversal attack
- Abuse file uploads and use LFI to gain RCE
- Identify an RFI exploit
Intermediate
Log4Shell Offense: Legacy Threat
Red Team
1 hour
Read moreShow less
DESCRIPTION
An explanation of the Log4Shell exploit from an offensive perspective. Includes background and hands-on exploitation. Learn how Log4j (CVE-2021-44228) functions and use it against vulnerable targets in a range.
OUTCOMES
- Perform the steps to stage the Log4Shell exploit
- Perform the exploit
Intermediate
Logic and Implementation Vulnerabilities
Red Team
1 hour
Read moreShow less
DESCRIPTION
At a high level, learn about four of the OWASP Top 10 2017 web vulnerabilities. These vulnerabilities can be attributed to accidental misconfiguration or careless implementation mistakes, rather than directly to software vulnerabilities.
OUTCOMES
- Execute the reset of another user’s password on a web service using weak authentication
- Capture authentication information from an unencrypted exchange and replay it to access another user’s account
- Execute a brute-force search to access a hidden (otherwise unsecured) administrative interface through brute-force searching
- Perform a data scraping from an exposed Elasticsearch database
Foundational
Metasploit Framework: Introduction
Red Team
1.5 hours
Read moreShow less
DESCRIPTION
Using msfconsole for search functionality and database scanning. Includes a brief history of MSF and its uses as an offensive security tool, MSF functionality, and MSF command line interface via msfconsole.
OUTCOMES
- Use the db_nmap Metasploit module to enumerate a target host and determine its open ports
- Stage and launch an exploit against a vulnerable web server using a Metasploit module to gain root-level access
- Use the Meterpreter payload to perform postcompromise actions like credential harvesting
- Use the auxiliary/analyze/crack_linux module to crack harvested credentials from within Metasploit Framework
- Use the Metasploit SOCKS proxy server module and the proxychains command to perform a domain hashdump with secretsdump py.
Foundational
MSFvenom: Introduction
Red Team
1 hour
Read moreShow less
DESCRIPTION
Pen testers and red teams often need to obtain a shell on a network machine and msfvenom creates an encoded, customized shell payload tailored for the target and ready to deliver. Learn how to use msfvenom as you select payloads and customize them. Prove your new skill by creating a payload that gives you a reverse shell on a network machine.
OUTCOMES
- Describe types of payloads available
- Describe the function of common MSFvenom options for specifying payloads
- Determine an appropriate payload for a given victim machine and OS
- Generate a reverse-shell payload
- Deploy a payload to get a reverse shell on a victim machine
Foundational
Persistence
Red Team
4 hours
Read moreShow less
DESCRIPTION
An introduction to "persistence", or surviving reboots and shutdowns, in the context of a Red Team intrusion solidifying their network presence. The Windows version of this module introduces the persistence techniques of registry "run" keys, scheduled tasks, and WMI.
OUTCOMES
- Install persistent malware on Windows using registry “Run keys”
- Install persistent malware on Windows using scheduled tasks
- Install persistent malware on Windows using Windows Management Instrumentation
- Install persistent malware on Windows as a Windows Service
- Find examples of malicious scripts and executables configured to start on system startup on a Windows 10 virtual machine
Advanced
PrintNightmare Offense: Legacy Threat
Red Team
1 hour
Read moreShow less
DESCRIPTION
An outline of the “PrintNightmare” exploit (CVE-2021-34527) from an offensive/attacker perspective. Includes background information on CVE-2021-34527 as well as details on some confusion surrounding the publication of the vulnerability.
OUTCOMES
- Use CVE-2021-34527 to elevate privileges on a Windows 10 workstation
- Use CVE-2021-34527 to remotely take control of a Windows domain controller
Intermediate
Privilege Escalation
Red Team
2.5 hours
Read moreShow less
DESCRIPTION
How to overcome access control mechanisms in Windows using different techniques for gathering information and capitalizing on weaknesses to escalate your privileges.
OUTCOMES
- Identify the privileges of the current user
- Describe what privilege escalation is
- Exploit a vulnerable service to escalate user privileges
- Conduct a DLL Hijacking attack to escalate user privileges
- Exploit the domain controller to elevate a domain user to Domain Admin
Advanced
ProxyLogon Offense: Legacy Threat
Red Team
1 hour
Read moreShow less
DESCRIPTION
An outline of the “ProxyLogon” exploit (CVE-2021-26855) from an offensive/attacker perspective. Due to a server-side request forgery vulnerability, this exploit allows an attacker to send arbitrary HTTP requests and authenticate as the Microsoft Exchange server.
OUTCOMES
- Gain a foothold on an Exchange server using ProxyLogon
- Perform post-compromise activity after using ProxyLogon for code execution
Foundational
Removing Artifacts
Red Team
2 hours
Read moreShow less
DESCRIPTION
Explore the various artifacts that can be left behind after an offensive network operation, and determine when and how to remove incriminating artifacts.
OUTCOMES
- Identify artifacts related to logging into a Windows workstation
- Identify and remove artifacts related to logging into a Linux server
- Identify console logging locations on Linux and Windows
- Delete files securely after file identification
- Determine appropriate techniques for hiding evidence of file deletion
Intermediate
SQL and OS Injection: Introduction
Red Team
1 hour
Read moreShow less
DESCRIPTION
SQL and OS injection vulnerabilities and exploitation with SQLmap and OS injection points.
OUTCOMES
- Describe SQL injection syntax
- Describe the consequences of SQL injection
- Explain how to exploit SQL injection to obtain authentication bypass
- Explain how to exploit SQL injection to obtain database contents using SQLmap
- Describe OS/command injection and consequences
- Describe common syntax and OS injection points to test for
- Explain how to use OS injection to read sensitive system files
Intermediate
SQLi Attack Types
Red Team
1 hour
Read moreShow less
DESCRIPTION
There are several variations of SQLi exploitation and data extraction that require more than the basic discovery and exploitation techniques. This module covers blind SQLi, out-of-band SQLi, and second-order SQLi.
OUTCOMES
- Verify the existence of blind SQLi vulnerabilities
- Use Sqlmap to exploit blind SQLi vulnerabilities
- Verify the existence of out of band SQLi vulnerabilities
- Verify the existence of second-order SQLi vulnerabilities
- Use Sqlmap to exploit second-order SQLi vulnerabilities
Foundational
sqlmap: Introduction
Red Team
1 hour
Read moreShow less
DESCRIPTION
The basics of sqlmap, an offensive tool used to detect and exploit SQL injection attacks on vulnerable web applications. Discover a vulnerable login form and exploit it with sqlmap to steal valid login credentials, as well as explore sqlmap's interactive shell option and attempt to obtain code execution on the target.
OUTCOMES
- Identify when to use sqlmap
- Identify why manual input is sometimes better than sqlmap
- Use common sqlmap input flags
- Use sqlmap to scan a web application for injection vulnerabilities
- Use sqlmap to extract data from a vulnerable database
- Explore sqlmap shell options to enumerate potential host settings
Advanced
Supply Chain Compromise: MITRE ATT&CK® Red
Red Team
4 hours
Read moreShow less
DESCRIPTION
Techniques involved in the Supply Chain Compromise (T1195), with three real-life case studies of compromises in the supply chain as well as a hands-on lab demonstrating how one could be conducted.
OUTCOMES
- Evaluate the attack surface of a generic supply chain
- Use a software-based supply chain compromise to enumerate an internal network
- Use a software-based supply chain compromise to take control of users of that software
Foundational
Vulnerability Enumeration
Red Team
1 hour
Read moreShow less
DESCRIPTION
An examination of the connection between scan results and existing vulnerabilities, highlighting several such datasets along the way.
OUTCOMES
- Identify existing vulnerabilities in a Server Message Block (SMB) server running on Windows XP SP0
- Exploit found vulnerabilities in an SMB server running on Windows XP SP0
- Identify a vulnerable application running on an HTTP server
- Exploit a vulnerable application on an HTTP server
- Identify a backdoor on an FTP server
- Exploit an FTP server outfitted with a backdoor
Foundational
Web Application Fuzzing
Red Team
1 hour
Read moreShow less
DESCRIPTION
Introduces the idea of unstructured client requests to web applications, and some of the vulnerabilities that can ensue when these are not properly handled. Prominently featured is wfuzz, the Python fuzzing framework, but the lessons reach beyond the simple use of the tool.
OUTCOMES
- Enumerate hidden virtual hosts
- Use a brute-force attack to obtain authentication information to access a web page
- Identify a vulnerable header parameter in an insecure Internet of Things (IoT) device
Intermediate
Web Vulnerabilities: Introduction
Red Team
1 hour
Read moreShow less
DESCRIPTION
Exploitation of web vulnerabilities with hands-on exploration of the most common weaknesses and vulnerabilities.
OUTCOMES
- Perform website exploration techniques to retrieve sensitive data from a web server
- Perform exploitation techniques to gain remote code execution (RCE) on a simple web server
Intermediate
XML External Entities (XXE) Attacks
Red Team
1 hour
Read moreShow less
DESCRIPTION
Explore XML External Entity (XXE) vulnerabilities, including how to leverage these vulnerabilities to extract sensitive information or compromise systems.
OUTCOMES
- Explain how to execute XXE injection attacks
- Describe the impact of XXE attacks
- Explain how to execute an XXE remote shell
- Describe an XXE DoS attack
Intermediate
PwnKit Offense: Emerging Threat
Red Team
2.5 hours
Read moreShow less
DESCRIPTION
How to detect and prevent PwnKit in your environment. Includes background information on the Linux local privilege escalation exploit, discovering vulnerabilities and detecting PwnKit exploitation.
OUTCOMES
Learn MoreIntermediate
PwnKit Offense: Emerging Threat
Red Team
2 hours
Read moreShow less
DESCRIPTION
How attackers use PwnKit, a Linux local privilege escalation exploit, to gain superuser privileges in Linux. Includes background, and a walkthrough of running a PwnKit exploit.
OUTCOMES
- Obtain superuser privileges on a Ubuntu 20.04 device using CVE-2021-4034.
- Obtain superuser privileges on a CentOS 7 device using CVE-2021-4034.
Challenges
Intermediate
Cyber Attack Challenge: Cedar Bunny
Red Team
2 hours
Read moreShow less
DESCRIPTION
Test your red team skills in a simple, simulated environment. With multiple threads to pull on, this Red-team challenge will draw you to demonstrate your favorite tactics and techniques to gather shells and flags across the challenge field.
OUTCOMES
- Use external reconnaissance to enumerate the interior of a network
- Identify entry points and elevation points that can bring a challenger to superuser status
- Decide from a platform of tools and maneuvers which will be optimal in achieving and maintaining network supremacy
Expert
Cyber Attack Challenge: Oak Rabbit
Red Team
24 hours
Read moreShow less
DESCRIPTION
Test your red team skills in a realistic enterprise environment. With multiple threads to pull on, you'll find your favorite TTPs will get you your shells and flags.
OUTCOMES
- Use external reconnaissance to enumerate the interior of a network
- Identify entry points and elevation points that can bring a challenger to superuser status
- Select from a platform of tools to decide the optimal maneuvers to achieve and maintain network supremacy
Advanced
Memory Corruption Vulnerabilities Challenge: iBreach
Red Team
1 hour
Read moreShow less
DESCRIPTION
In this challenge, you perform fuzz testing on an application containing a memory corruption vulnerability. To demonstrate the impact of the vulnerability, you exploit the remote application to achieve remote code execution.
OUTCOMES
- Identify a vulnerability using the boofuzz framework
- Locate a memory corruption vulnerability using GNU Debugger
- Exploit the memory corruption vulnerability with Python
- Identify possible solutions to mitigate the vulnerability
Foundational
Reconnaissance Challenge: Stakeout
Red Team
1 hour
Read moreShow less
DESCRIPTION
Use discovery, enumeration, and open-source intelligence (OSINT) to identify potential cyber attack vectors.
OUTCOMES
- Perform reconnaissance on SomeCorp to identify information to leverage in an attack
- Use OSINT sources to obtain data for social engineering
- Discover and enumerate hosts, services, and web applications
PURPLE TEAM
Training
Intermediate
Attacking with XSS
Purple Team
1.5 hours
Read moreShow less
DESCRIPTION
Explores the impacts of the classic cross-site scripting (XSS) vulnerability through various JavaScript walkthroughs and labs.
OUTCOMES
- Use enumeration to identify XSS vulnerabilities
- Defeat XSS filters
- Use XSS attacks to:
- Modify a page
- Intercept events
- Exfiltrate data
- Abuse the Same-Origin-Policy
- Attack with externally hosted JavaScript
Foundational
Basic Regular Expressions
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Introduction to regular expressions basics and extended regular expressions, with hands-on examples.
OUTCOMES
- Analyze basic and extended regular expressions to determine what strings they match
- Create basic and extended regular expressions to match specific patterns
- Create regular expressions that match specific patterns using the underlying regular expression engine
Foundational
Binary and Hex: Introduction
Purple Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to binary and hexadecimal numbering, how and why the values are used in computing, and how to convert them.
OUTCOMES
- Perform basic arithmetic operations with binary and hexadecimal
- Decode an IP address from binary into Base 10
- Decode a MAC address from hexadecimal into binary
- Identify why binary is used in computing
Foundational
Continuous Integration (CI) Overview
Purple Team
0.5 hours
Read moreShow less
DESCRIPTION
Fundamental principles for successful CI implementation.
OUTCOMES
- Recognize the components, terminology, and common tools of CI
- Describe the practical and security benefits of CI
Intermediate
Create or Modify System Process: MITRE ATT&CK® Purple
Purple Team
1 hour
Read moreShow less
DESCRIPTION
The sub-techniques of Create or Modify System Process (T1543), including this type of attack on Windows, macOS, and Linux. Create or modify system processes from the adversary's perspective and learn methods to detect these exploitation techniques.
OUTCOMES
- Create a malicious systemd service
- Use Linux commands to audit persistent services
- Use the Windows cmd line to create a malicious service
- Detect persistent Windows services using Sysinternals Autoruns
Foundational
Cross-Site Request Forgery (CSRF): Introduction
Purple Team
0.75 hours
Read moreShow less
DESCRIPTION
Cross-site request forgery (CSRF) vulnerabilities and how to exploit them.
OUTCOMES
- Create and launch a CSRF exploit that changes account information
- Test anti-CSRF measures in a web application
Foundational
Cross-Site Scripting (XSS): Introduction
Purple Team
0.75 hours
Read moreShow less
DESCRIPTION
Three methods of cross-site scripting (XSS) attacks with an example of an XSS attack - session hijacking.
OUTCOMES
- Demonstrate a reflected XSS attack
- Demonstrate a stored XSS attack
- Demonstrate a DOM-based XSS attack
- Explain how to hijack a session with an XSS attack
Intermediate
CurveBall: Legacy Threat
Purple Team
2 hours
Read moreShow less
DESCRIPTION
A how-to guide for the CurveBall vulnerability, or CVE-2020-0601, including a walkthrough and methods to prevent an incident.
OUTCOMES
- Explain two types of attacks that can be accomplished by exploiting CurveBall
- Complete the process of forging a web certificate that passes validation
- Forge a signed executable that runs and returns a reverse shell
Foundational
Cyber Kill Chain®
Purple Team
1 hour
Read moreShow less
DESCRIPTION
An overview of the Lockheed Martin Cyber Kill Chain®, including a practical exercise for "boot to root" exploitation against a vulnerable target machine. You will have the opportunity to execute all 7 phases of the Cyber Kill Chain® in a hands-on environment.
OUTCOMES
- Given an attack scenario, provide the appropriate Cyber Kill Chain® phase that correlates with the attack
- Demonstrate how attackers leverage every phase of the Cyber Kill Chain® to compromise a target system
- Identify suspicious files or activities on a machine or target network
Intermediate
Dirty COW
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Dirty COW was a Linux kernel bug that affected operating systems that used a Linux kernel built between September 2007 and October 2016. This module explores ways it can be exploited to elevate any user to superuser privileges on an affected system, across several different Linux-based operating systems.
OUTCOMES
- Obtain superuser privileges on several Linux-based devices by taking advantage of Dirty COW
- Choose the appropriate implementation of Dirty COW on a system-by-system basis to gain root privileges
Intermediate
Dirty Pipe: Legacy Threat
Purple Team
2 hours
Read moreShow less
DESCRIPTION
Dirty Pipe (CVE-2022-0847) is a Linux local privilege escalation exploit that allows unprivileged users to write arbitrary data to locations on the Linux file system regardless of access rights. This module covers Dirty Pipe from the offensive and defensive perspectives and includes hands-on exploitation labs.
OUTCOMES
- Identify the call to kernel resources that exposes the vulnerability
- Describe the steps which reproduce this vulnerability through the splice syscall
- Describe mitigations for the Dirty Pipe exploit
Foundational
Files on Windows: Introduction
Purple Team
0.5 hours
Read moreShow less
DESCRIPTION
What a file is on Windows systems and how the operating system reads a file in order to get the right application to launch the file.
OUTCOMES
- Identify file types with a hex editor
- Count in binary
- Use hex editor to fix file headers to recover file extensions
Advanced
Fuzzing: Memory Corruption Vulnerabilities
Purple Team
1 hour
Read moreShow less
DESCRIPTION
The concept of fuzz testing and the use of a fuzzing framework.
OUTCOMES
- Describe the function and purpose of a fuzzer
- Identify differences between fuzzing methodologies
- Use a fuzzing framework to identify potential software bugs
Intermediate
GDB: Introduction
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Debugging software with the GNU Debugger (GDB).
OUTCOMES
- Explain the role of symbols in a binary file
- Set breakpoints using GDB
- View variables in GDB
- View CPU registers in GDB
- Execute a program line-by-line
- Debug a program
Advanced
Heap Overflows: Memory Corruption Vulnerabilities
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Introduces the concept of the heap overflow vulnerability, which includes details on how an attack is performed, and ways to protect against it.
OUTCOMES
- Describe the cause of a heap overflow
- Perform a heap overflow attack
- Explain methods of heap overflow prevention
Intermediate
Indicator Removal on Host: MITRE ATT&CK® Purple
Purple Team
1 hour
Read moreShow less
DESCRIPTION
The techniques (T1070) that adversaries use to cover their actions. Examine each sub-technique through the eyes of an attacker, and then flip the script to detect the attack you conducted. After you detect your attack through the lens of a defender, implement a mitigation technique to prevent or provide early warning to a similar threat in the future.
OUTCOMES
- Clear Windows Event Logs, and detect and mitigate deletion
- Remove all logs from /var/log on a Linux host, and detect and mitigate deletion
- Clear command history in Bash and Powershell, and detect and mitigate deletion
- Delete the file used to spawn connection from Meterpreter, and detect and mitigate file deletion
- Use net use to map a share, collect data, and delete the share after use
- Detect and mitigate network share removal
- Upload a backdoor and match its timestamp to another binary to blend in, and detect and mitigate timestomping
Intermediate
Insecure Deserialization and SSTI
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Trusting user input is the root of many web vulnerabilities. This module covers two vulnerabilities that arise from trusting user input resulting in code being injected into the back-end web application.
OUTCOMES
- Locate an insecure deserialization vulnerability
- Perform an exploit of an insecure deserialization vulnerability
- Locate an SSTI vulnerability
- Perform an exploit of an SSTI vulnerability
Foundational
Linux Configuration and Logging: Introduction
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Configuration and logging are the first line of defense against attackers. Identify Linux file types, directory structure, logs, and configuration files.
OUTCOMES
- Obtain the file type for a Linux file
- Identify configuration file types and location
- Identify log types and location
- Use three methods to view configuration or log files
Foundational
Linux Internals
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Gain situational awareness on a target system by being able to manually gather baseline configuration data from Linux devices, including processes, services and important file locations.
OUTCOMES
- Identify Linux processes and services
- Identify important file paths and locations
- Baseline a system
- Detect anomalies
Foundational
Local Permissions on Windows
Purple Team
1 hour
Read moreShow less
DESCRIPTION
An explanation of the six basic Windows permissions on a local machine for both users and groups, and their impact on access to files and folders.
OUTCOMES
- Identify the six Windows permissions
- Explain/describe the six Windows permissions
- Assign permissions for groups and users
- Identify misconfigured permissions
- Identify appropriate access controls for a given application
Advanced
Memory Corruption Vulnerabilities: Introduction
Purple Team
1 hour
Read moreShow less
DESCRIPTION
The fundamental concepts of memory corruption vulnerabilities, including the system components that are directly impacted and exploited by memory corruption vulnerabilities.
OUTCOMES
- Describe the system components targeted by memory corruption attacks
- Explain the differences between assembly and machine languages
- Describe the purpose of interpreted languages
- Describe the purpose of compiled languages
Foundational
Nmap: Introduction
Purple Team
0.75 hours
Read moreShow less
DESCRIPTION
An overview of Nmap use cases and installation. Use Nmap to conduct network scans on a live range to validate a network diagram.
OUTCOMES
- Scan a network with Nmap
- Identify hosts on a network
- Detect open ports on network hosts
- Optimize scan timing
Foundational
Open-Source Intelligence (OSINT): Introduction
Purple Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to the world of Open Source Intelligence. Open-Source Intelligence (OSINT) is a methodology of collecting data from publicly available sources and using contextual awareness and understanding to bring meaning to the data.
OUTCOMES
- Describe the purpose of OSINT
- Identify sources and targets of OSINT
- Navigate the OSINT Framework
- Gather and interpret information gathered via OSINT
Foundational
OSI Model
Purple Team
0.5 hours
Read moreShow less
DESCRIPTION
The layers of the Open System Interconnection (OSI) model and interconnected network protocols.
OUTCOMES
- Understand the difference between the OSI Model and the TCP/IP Model:
- Successfully identify relevant protocols per OSI layer.
- Identify the usefulness of each step of the OSI model.
Foundational
Packet Capture and Analysis
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Use Wireshark, a prominent open-source network analyzer tool, to capture network traffic, analyze a TCP stream, examine packet headers, extract objects from a TCP stream, and draw conclusions based on packet statistics.
OUTCOMES
- Start and run Wireshark to capture traffic on an interface
- Analyze the composition of traffic on a network by examining the Wireshark Statistics menu item
- Utilize the Wireshark Export Objects feature to extract requested HTTP resources from traffic on a network
- Use Wireshark to analyze and identify a point of compromise on a live network
- Analyze captured traffic to determine basic facts about a potential intrusion
Foundational
Perl Compatible Regular Expressions (PCRE)
Purple Team
1 hour
Read moreShow less
DESCRIPTION
The advanced features included in Perl Compatible Regular Expressions (PCRE) syntax, with examples and hands-on labs.
OUTCOMES
- Analyze PCRE regular expressions to determine what strings they match
- Create PCRE to match strings following complex requirements
- Create regular expressions that match specific patterns using the underlying regular expression engine
Foundational
Reverse Shells
Purple Team
1 hour
Read moreShow less
DESCRIPTION
An examination of reverse shells, which are exploit payloads built to give a hacker a target-to-attacker connection that provides an interactive command-and-control session with the exploited device, in a variety of languages including Bash, PHP, Python, Perl, and the Windows cmd.exe.
OUTCOMES
- Use reverse shells written in several different programming languages
- Select, from a variety of payloads, the most appropriate one for a given exploitation event
- Decide on the next-best alternative for a chosen payload in case of failure
Advanced
Stack Overflows: Memory Corruption Vulnerabilities
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Learn the fundamentals of stack overflow attacks and how to defend against them.
OUTCOMES
- Describe the cause of a stack overflow
- Perform a stack overflow attack
- Explain methods of stack overflow prevention
Advanced
Steal or Forge Kerberos Tickets: MITRE ATT&CK® Purple
Purple Team
2 hours
Read moreShow less
DESCRIPTION
Use powerful tools to extract Kerberos tickets by abusing the mechanisms of the Kerberos protocol.
OUTCOMES
- List components that make Kerberos an insecure protocol
- Identify the characteristics of a Pass-the-Ticket attack
- Demonstrate how to exploit the process with AS-REP roasting
- Describe how to exploit a service account to steal and crack its credentials
- Demonstrate how to escalate privileges and recover a krbtgt account’s NTLM hash to forge a Golden Ticket
- Describe how to exploit an application server and recover credentials to forge a Silver Ticket
- Identify methods of detecting and mitigating sub-techniques
Intermediate
Unsecured Credentials: MITRE ATT&CK® Purple
Purple Team
1.5 hours
Read moreShow less
DESCRIPTION
The sub-techniques of an unsecured credentials exploitation, including plain text password recovery, registry password harvesting, Group Policy Preference password decryption, and more. Perform credential harvesting from the adversary's perspective with offensive tools, and learn methods to mitigate this exploitation technique.
OUTCOMES
- Identify and describe the sub-techniques of ATT&CK TTP: Unsecured Credentials
- Identify the risks associated with each sub-technique
- Describe mitigation techniques for each sub-technique
- Enumerate and recover unsecured credential sets through recursive file searching, enumeration scripts, and post-exploitation modules
- Use acquired plain text credentials to move laterally across a target network
- Decrypt a Group Policy Preference (GPP) encrypted password using the Kali Linux native gpp-decrypt tool
- Use compromised private key credentials to move laterally across a target network
Foundational
Vulnerabilities
Purple Team
2 hours
Read moreShow less
DESCRIPTION
An introduction to exploitation with hands-on exploration of the most common weaknesses and vulnerabilities.
OUTCOMES
- Use common exploitation technique to gain web remote code execution
- Migrate from web user to device user and stable shell
- Gain control at an administrative level
Foundational
Web Application Exploitation
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Two infamous web application exploits: struts-pwn and Drupalgeddon2. Review examples of how each has been used. Assume the role of a cyber adversary to scan, enumerate, and exploit these web applications to gain unauthorized access to a server. Additionally, explore basic indicators of compromise (IOC).
OUTCOMES
- Identify the primary methods by which struts-pwn and Drupalgeddon2 can compromise a vulnerable web server
- Identify live hosts on a network by performing a basic Nmap ping-sweep
- Using open-source intelligence and directory and service enumeration scanning techniques, identify websites that use Apache Struts and Drupal
- Select the best uses of the Searchsploit tool from a given list
- Obtain a user shell on a vulnerable host by identifying, preparing, and launching web application exploits
Foundational
Windows Command Line and Administration
Purple Team
1 hour
Read moreShow less
DESCRIPTION
An introduction to using the Command Prompt window, as well as basic commands and fundamental administrative tasks, such as adding users and groups.
OUTCOMES
- Use at least two methods to open a Command Prompt window
- Create a new directory in a relative or absolute path
- Use Help to construct a command that utilizes parameters
- Add a new user
- Delete a user
- Add a user to a local group
Foundational
Windows Internals: Introduction
Purple Team
0.5 hours
Read moreShow less
DESCRIPTION
An entry-level look at basic concepts of how Windows works on the inside, including core elements of services, drivers, and processes on Windows.
OUTCOMES
- Identify running processes on Windows
- Find drivers running on Windows
- Query and find service information on Windows
Foundational
Windows Logging and Monitoring
Purple Team
1 hour
Read moreShow less
DESCRIPTION
This module covers Windows logging and enables you to identify common event logs in Windows and gain an understanding of Windows security auditing. It also prepares you to configure and identify verbose PowerShell logs.
OUTCOMES
- Explain the function, types, and locations of Windows logs
- Explain the basic purpose of audit policy
- Configure Security Logging
- Conduct basic forensic investigations using Windows logs
- Configure PowerShell Logging
- Use PowerShell Logging to investigate a malicious process
Foundational
Windows Logging: Introduction
Purple Team
2 hours
Read moreShow less
DESCRIPTION
The function and location of various Windows logs, the function of Audit Policy, and the difference between forensic and alert-based uses of logs. Also, how logs can be used to investigate an attack on a network.
OUTCOMES
- Explain the function, types, and locations of Windows logs
- Explain the basic purpose of the audit policy
- Describe the difference between alert-based and forensic uses of Windows logs
- Conduct basic forensic investigations using Windows logs
Foundational
Windows Registry: Introduction
Purple Team
0.5 hours
Read moreShow less
DESCRIPTION
This module explains the Windows registry and why it exists, and covers principles about the registry which could lead to security issues.
OUTCOMES
- Edit the registry to change a setting
- Scan the registry and list startup tasks
- Identify how the registry can pose a security risk
Intermediate
XXE Attacks and SSRF Vulnerabilities
Purple Team
1 hour
Read moreShow less
DESCRIPTION
XML External Entity attacks can face interesting challenges when attempting to retrieve files more complicated than /etc/passwd or when the results of the XML parsing are not shown to the user. This module describes how to face these challenges to exploit XXE vulnerabilities. It also shows how to capitalize on access that XXE attacks give to exploit SSRF vulnerabilities.
OUTCOMES
- Exploit blind XXE vulnerabilities
- Perform a retrieval of arbitrary files via XXE vulnerabilities on PHP web apps
- Reach an internal application using SSRF vulnerabilities
Foundational
Zerologon: Legacy Threat
Purple Team
2 hours
Read moreShow less
DESCRIPTION
This presents the “Zerologon” exploit: CVE-2020-1472. A high-visibility exploit, Zerologon lets any attacker with a foothold in the domain accelerate straight to domain administrator privileges. Includes a brief walkthrough of how the exploit works, then how to use it, how to detect it, and what to do to mitigate it.
OUTCOMES
- Use CVE-2020-1472 to elevate to domain administrator on a Windows domain controller
- Repair the damage done to the domain controller using the exploit proof-of-concept
- Identify Windows Event Logs potentially related to using the exploit proof-of-concept
- Identify solutions to remediate the domain after a cataclysmic attack
Challenges
Foundational
Continuous Integration Challenge: Blame Thrower
Purple Team
1 hour
Read moreShow less
DESCRIPTION
Investigate the trials and tribulations in a development team's attempt to implement continuous integration and modern, secure coding practices.
OUTCOMES
- Navigate a Git repository
- Recognize the best practices a development team implemented in their continuous integration workflow
- Identify the security vulnerability in the team’s implementation
- Investigate an attack’s cause and its mitigation
Intermediate
Web Vulnerabilities Challenge: Fools Errant
Purple Team
1 hour
Read moreShow less
DESCRIPTION
This web vulnerabilities challenge presents a set of websites intentionally vulnerable to attacks listed in the OWASP Top 10 2017 demonstrated in the web vulnerabilities circuit.
OUTCOMES
- Obtain the highest-level access to the website: www challenge.local.
- Obtain the highest-level access to the website: blog challenge.local.
- Use features made available to users of www challenge.local and blog.challenge.local with the level of access obtained to compromise the underlying server.
next step
Take the next step toward continuous security improvement
With SimSpace, you can assess
and optimize your complete
security posture — all in one platform
connect
Stay connected
to SimSpace
Want to stay on top of the latest SimSpace
and cybersecurity news and updates?
Please enter your email below
By filling out this form, you agree to SimSpace's terms of use and privacy policy
.svg)
.svg)
.svg)
.svg)