SimSpace Training Catalog

• Describe the purpose and benefits of application security
• Identify methods of incorporating security into the SDLC
• Recognize the risks inherent in CI/CD pipelines
• Compare the common weaknesses of different application architectures
• Identify the most common application vulnerabilities

• Use grep to find a log line of interest
• Use a Perl regular expression with grep to find matching log lines
• Use tail or head to find the end or beginning of a log respectively
• Use cut to show a particular column of interest from an identified log
• Use awk to find specific information in an identified log
• Use jq to view and filter JSON logs

• Export a Windows object’s current state using Powershell
• Compare XML objects using Powershell
• Compute a file’s MD5 hash using Powershell
• Compare CSV objects using Powershell
• Identify malicious deviations from a calculated baseline

• Create an MD5 hash from an unknown executable
• Use FLOSS or Strings to identify text strings in an unknown executable and make inferences based on the string’s content
• Use PE-Bear to view imports, headers, and data sections of an unknown executable and make inferences about its content
• Use network analysis tools to identify malicious network signatures for a malicious binary
• Use host-based analysis tools to identify malware behavior

• Identify the difference between static and dynamic analysis
• Create an MD5 hash from an unknown executable
• Use FLOSS64 to identify text strings in an unknown executable and make inferences based on the string’s content
• Use PE-Bear to view imports, headers, and data sections of an unknown executable and make inferences about its content
• Use network analysis tools to identify malicious network signatures for a malicious binary
• Use host-based analysis tools to identify malware registry key manipulation

• Identify the advantages of using Docker instead of Linux containers (LXC)
• Interact with and examine Docker containers using Linux command line interface (CLI):
  • Add a Docker container.
  • Access an error log.
  • Mount a volume in a container.
  • Connect containers to a network.
• Design a Docker application
• Recognize and implement Docker security best practices

• Configure Elasticsearch to use a single node
• Configure Elasticsearch to run at boot in Linux
• Start Elasticsearch from the command line using systemctl
• Verify Elasticsearch is running by querying the database
• Create a custom map for importing data into an index
• Import data using the command line
• Query an Elasticsearch database using Kibana

• Identify the correct shipper for a provided data source
• Install and configure a selection of Beats
• Use the Elastic Stack to identify artifacts of interest

• Perform the steps necessary to leverage Elastic Stack as an investigation tool

• Discuss the process of manually uploading logs to the Elastic Stack
• Identify various ways to use Elastic Stack in an operational environment
• Identify methods used to troubleshoot the Elastic Stack

• Discuss how the Elastic Stack is architected
• Identify various methods and ways to ingest data into the stack

• Use Suricata and Zeek for forensic analysis of encrypted traffic

• Describe the two primary types of encryption
• Summarize the basics of public-key cryptography
• Summarize the relationship of Transport Layer Security with encryption
• Use Suricata for forensic analysis of encrypted traffic

• Use JA3 and JA3S fingerprinting for encrypted traffic analysis

• Locate core functionality of HBSS as it relates to defensive host analysis
• Identify malware using basic antivirus detection
• Recognize the tradeoffs when enabling antivirus signature rules
• Describe the limitations of basic antivirus detection
• Implement expert rules to detect and limit the impact of novel malware

• Interpret PowerShell’s comparison operators, logical operators, and if statements
• Differentiate between types of PowerShell loops and their functions
• Recognize and implement PowerShell loop logic
• Decipher error handling in PowerShell
• Automate Windows system administrative tasks using PowerShell scripts

• Detect an exploitation of Follina using Sysmon logs
• Mitigate Follina by modifying the registry

• State the benefits of version control
• Explain the difference between local and remote repositories
• Explain the difference between GitHub and GitLab
• Implement Git
• Identify version control actions and the Git commands used to perform them
• Perform an initial commit to a repository
• Save changes made locally to a repository
• Pull code from a repository
• Observe a repository and locate important information about changes

• Use blue team tools for threat hunting and incident response to accomplish the following:
  • Identify process anomalies using a known good baseline.
  • Conduct forensic investigations using Windows logs.
  • Identify active processes in acquired memory image.
  • Use YARA for threat hunting.

• Identify networking indicators of compromise attributed to APT28.
• Detect APT28 malicious activity.
• Given an APT28 intrusion, determine which host IOCs are present.

• Identify host indicators of compromise attributed to APT28.
• Detect APT28 malicious activity.
• Given an APT28 intrusion, determine which host IOCs are present.

• Identify host indicators of compromise attributed to APT28.
• Detect APT28 malicious activity.
• Determine which host IOCs are present.

• TTP Review Scenario Host Analysis

• APT34 analysis
• Data source review

• Workshop 1 review
• TTP review
• Data source review

• Identify host-based indicators of compromise linked to APT38.
• Detect APT38 malicious activity.

• Identify host indicators of compromise linked to APT38.
• Characterize APT38 malicious activity.

• APT38 TTP Refresher
• APT38 Workshop Scenario

• Identify networking indicators of compromise attributed to APT40.
• Detect malicious activity indicative of APT40.
• Given an APT40 intrusion, determine which host IOCs are present.

• Identify network indicators of compromise linked to APT40.
• Characterize APT40 malicious activity.
• Given an intrusion by APT40, determine network IOCs that are present.

• Identify host indicators of compromise linked to APT40.
• Characterize APT40 malicious activity.
• Given an intrusion by APT40, determine host IOCs that are present.

• Mitre ATT&CK framework
• Attack overview

• Describe industrial control systems, including the principles of ICS security and the similarities, differences, and correlations with the cybersecurity principles of confidentiality, integrity, and availability.
• Identify the general types of operational controls found in industrial control systems.
• Identify concepts of vulnerability and risk management in an ICS context.

• Use the Modbus-CLI (command line utility).
• Read and write values to PLCs.
• Understand and manipulate data communication.
• Review offensive use cases and potential defensive strategies.

• Incident response preparation
• Anomaly detection
  • Malicious activity indicators
• Network intrusion detection systems
• Network security monitoring
• Containment Eradication

• Describe ladder logic Identify examples of basic ladder logic diagrams, contacts, and coils.
• Use the OpenPLC Editor to create basic PLC programs.
• Load the program into the OpenPLC Runtime PLC simulator.

Introduction to a variety of protocols used in ICS and IT environments, and an analysis of common IP-based ICS protocols using Wireshark.

• Identify protocols used in ICS and IT environments, focusing on lower-level protocols typical to industrial networks.
• State common threats facing ICS networks.
• Recommended mitigation tactics.
• Use Wireshark filters and features.
• Analyze Modbus traffic.
• Identify ICS packet data anomalies.

• Conduct a cyber threat emulation (CTE) for a SamSam-style attack.

• Identify the nature, origin, and limitations of several indicators of compromise
• Use deductive techniques and open-source research to identify Indicators of Compromise

• Describe the impact of code libraries on software development
• Install library packages with pip
• Implement a container-based deployment environment
• Interpret data from an automated integration testing pipeline

• Use Kibana’s data aggregation tools to visualize trends in large datasets
• Use Kibana to create a visualization that shows how DNS traffic on a network has changed over time
• Combine multiple visualizations in a dashboard view

• Investigate suspicious network activity using the Kibana SIEM
• Use filters in the Kibana SIEM to examine data and identify downloaded files

• Use Kibana as a data visualization platform to identify the initial point of compromise on a network
• Use Kibana as a data visualization tool to identify the destination of exfiltrated data on a network

• Identify which iptables rule matches a packet
• Evaluate iptables chains and policies
• Configure the Linux firewall to allow remote system management access
• Configure firewall rules to load on system boot

• Identify the vulnerability in the Log4j package that allows exploitation
• Locate vulnerable Log4j installations
• Apply mitigations for the Log4Shell exploit

• Discuss mind maps
• Produce a mind map laying out tasks and milestones

• Discuss the MITRE ATT&CK Framework
• Discuss the MITRE ATT&CK Navigator
• Create new MITRE ATT&CK Navigator layers

• Map threat activity to the MITRE ATT&CK matrix

• Discuss ATT&CK Navigator layers
• Map threat actor activity onto the MITRE ATT&CK matrix using ATT&CK Navigator

• Identify use cases for Zeek scripting
• Run a custom Zeek script
• Modify a Zeek script

• Combine network security monitoring and SIEM tools to investigate threats on a network
• Explain the role of a hypothesis in threat hunting
• Use a SIEM to investigate plausible hypotheses of adversary behavior
• Determine the scope of a breach by pivoting off of related indicators, discovering previously unknown indicators, and using those to discover further infection

• Use Linux built-ins to find indicators of compromise

• Modify a Zeek script to extract certain file types from a packet capture
• Use Zeek to parse a pcap file and identify anomalies from a packet capture file
• Create a custom Zeek script to analyze and detect malicious packets from a packet capture

Using packet capture analysis methodology, identify the following about a given packet capture file:
• The initial point of compromise.
• The malicious server’s hostname and IP address.
• The hostname and IP address of the point of data exfiltration.
• The names of exfiltrated files.
• The malware agent’s beaconing interval.
• The malware agent’s web resources used during beaconing.
• The name of the initial document that began the compromise.

• Identify the different types of network devices and their functions within a network
• Using the command line interface, statically configure a host’s IP address to communicate across different networks
• Using the command line interface, configure a router for Dynamic Host Control Protocol (DHCP) to dynamically assign IP addresses within a subnet
• Using the router command line interface, configure a router to enable Secure Shell (SSH)
• Using SSH, remotely configure the router for DHCP
• Describe general troubleshooting steps for basic network device connectivity

• Differentiate between the various types of network firewalls, based on their features, advantages, and disadvantages
• Analyze a set of firewall rules to identify how they are processed
• Create firewall rules in pfSense

• Identify factors to consider when recommending remediation
• Recognize the role attacker persistence plays in network remediation.
• Recommend remediation actions based on method of compromise
• Given scenarios, recommend best course of action for remediation

• Identify the primary purpose of NetworkMiner for a blue team analyst
• Use NetworkMiner to:
• Identify hosts in network traffic.
• Identify filenames of artifacts.
• Determine the content of artifacts.
• Find unencrypted email communication details.
• Demonstrate artifact extraction from a pcap.

• Collect intelligence via various open-source methods
• Identify various tools and techniques to gather OSINT

• Describe OPSEC as it applies to defensive cyber operations
• Identify various methods and techniques of ensuring OPSEC

• Configure Zeek to listen on a single network interface
• Parse pcap data into Zeek logs
• Analyze Zeek logs to identify suspicious activity

• Create, modify, and execute custom PowerShell scripts
• Get help in PowerShell by using the Get-Help command
• Interpret PowerShell elements including objects, aliases, variables, and arrays

• Identify indicators of a potential attack using CVE-2021-34527 and the Elastic SIEM
• Explain various mitigations for CVE-2021-34527 and their impact on a domain

• Detect ProxyLogon in a lab environment
• Explain how to mitigate ProxyLogon

• Describe the purpose and importance of secure coding
• Apply secure coding best practices
• Summarize common programming countermeasures
• Perform a secure code review

• Identify key security concerns when deploying an application
• Describe how containerization, web application firewalls (WAF), and runtime application selfprotection (RASP) secure application deployment
• Test a WAF that is protecting an application
• Recommend methods for incorporating security into application maintenance

• Assess different methods for catching bugs in the development phase
• Analyze code to identify vulnerabilities
• Deploy software security tools into a CI/CD pipeline

• Recommend techniques for building security into the first two phases of the SDLC
• Identify appropriate security requirements for an application
• Recognize correct threat modeling for an application

• Identify suitable security unit tests
• Recognize the benefits of DAST
• Contrast DAST and IAST
• Conduct fuzz testing to identify vulnerabilities
• Evaluate appropriate applications of penetration testing in a secure SDLC
• Identify the role of SCA in securing an application’s third-party packages

• Define SOC
• Describe the primary functions of the people working in a SOC
• Identify the main tasks done in a SOC
• Choose which SOC architecture is most appropriate for a given organization
• Contrast the roles and responsibilities of the different levels of SOC analysts

• Describe the importance of continually testing code for vulnerabilities
• Define security requirements
• Conduct a risk analysis
• Formulate a test plan
• Differentiate between white, black, and gray box testing
• Compare and contrast various application security testing tools
• Practice using security testing tools to scan code
• Interpret results from a scan
• Describe how to incorporate security testing into a development pipeline

• Using a Security Information and Event Management (SIEM) platform, identify key facts about a network intrusion:
• Identify the network intrusion’s point of origin on the internal network.
• Identify portscanning against internal hosts.
• Determine the adversary’s initial foothold and privilege escalation method.
• Identify the malicious domain used to install post-compromise malware.

• Describe a SIEM’s core functions
• Explain the SIEM’s main function in the context of information security
• Describe the components of a SIEM
• Execute a simple search in Kibana to correlate information about user activity on the network
• Execute a simple search in Splunk to correlate information about user activity on the network

• Discuss how a SIEM deployment is commonly architected
• Identify various parts and pieces of a SIEM solution
• Identify methods to deploy log forwarders

• Use Sigma to identify key features of a malicious binary to write a SIEM-agnostic rule for detection
• Convert the general Sigma rule into a Kibana-specific query to find malicious activity
• Use Kibana to visualize the Intrusion Detection Signature (IDS) signatures going into the network and use this information to find malicious user behavior

• Understand the SIP protocol
• Identify various SIP vulnerabilities
• Locate SIP attack indicators using an Elastic Stack

• Define incident response
• Describe how SOC analysts respond to incidents
• Identify the typical tools used to perform incident response
• Choose appropriate courses of action when presented with an incident response scenario

• Define security monitoring
• Describe how SOC analysts monitor the network and endpoints
• Identify the typical tools used to perform security monitoring
• Choose appropriate courses of action when presented with a security monitoring scenario

• Define threat hunting
• Describe how SOC analysts hunt for threats
• Identify typical tools used to perform threat hunting
• Choose appropriate courses of action when presented with a threat hunting scenario

• Install Splunk
• Configure the Splunk web interface to use SSL
• Import local compressed data into Splunk
• Query data in Splunk for artifacts

• Identify the number of assets and identities in a static Assets & Identities configuration file
• Use cross-correlated information to identify Indicators of Compromise on a network:
• Use Enterprise Security correlation searches to identify DNS tunneling.
• Use Suricata signatures to correlate events with a host to find unauthorized Peer to Peer (P2P) torrent client activity.

• Create a new index to use with Splunk Technology Add-on
• Enable monitoring and configure Splunk Technology Add-on
• Install the Splunk Universal Forwarder on a Windows VM
• Identify when a custom CIM is required

• Perform the necessary steps to leverage Splunk as an investigation tool
• Discuss the scope of the incident investigation
• Analyze the incident investigation

• Discuss Splunk architecture
• Identify various methods of ingesting data
• Identify how to configure the Splunk forwarder

• Operationalize Splunk concepts to identify malicious cyber activity
• Create Splunk reports, alerts, and dashboards

• Write advanced queries
• Conduct anonymous and wildcard searches
• Build a transforming search
• Use search optimizations

• Identify reasons to use a Suricata rule
• Identify the parts of a Suricata rule
• Write a basic Suricata rule that is functional
• Write rules that use progressively more advanced rule writing concepts

• Identify situations in which IDS would be an effective tool for network security
• Explain the difference between Suricata’s main logging formats
• Configure Suricata
• Update and deploy rulesets for Suricata
• Write and deploy a simple custom Suricata rule

• Install Sysmon and view output
• Create a custom configuration for Sysmon
• Use Sysmon data to identify a threat

• Identify anomalies in digital signatures
• Validate digital signatures
• Identify files using a hex editor and magic bytes
• Explain two methods of file obfuscation
• Use two hashing methods to analyze files
• Analyze alternate data streams
• Identify the methods attackers use for file downloads

• Gain a foothold in the Site
com internal network.
• Pivot into the Corp
lan internal network.
• Gain access to the Corp
lan domain controller as a domain administrator.

• Identify network indicators of compromise
• Pivot off of network indicators of compromise
• Identify host indicators of compromise
• Pivot off of host indicators of compromise

• Describe indicators of compromise
• Explain types of network and host indicators
• Describe how IOCs are used in threat hunting
• Describe the Pyramid of Pain and where different indicators fit on it
• Identify network indicators of compromise
• Pivot off of network indicators of compromise
• Identify host indicators of compromise
• Pivot off of host indicators of compromise

• Identify APT TTPs using ATT&CK Navigator
• Map APT activity to the MITRE ATT&CK framework

• Classify a vulnerability using CVSS
• Describe how to apply the OWASP Threat Modeling Process
• Categorize a threat using STRIDE
• Use OWASP Threat Dragon to create a threat diagram

• Identify traits of an effective unit test
• Describe the process and features of TDD
• Create unit tests
• Determine the advantages of pytest
• Test software developed through TDD
• Automate unit testing

• Identify active processes in acquired memory image
• Find relevant files in acquired memory image
• Identify parameters and use patterns for the Volatility tool

• Interpret a vulnerability’s severity based on its Common Vulnerability Scoring System (CVSS) score
• Develop a vulnerability remediation plan based on best practices and organizational risk appetite and tolerance

• Describe the purpose of Windows Event Forwarding
• Describe the two WEF subscription types
• Create a WEF subscription

• State the purpose of libraries within the Windows OS
• Perform basic analysis of the functions of a library
• Discuss the impact of malicious use of libraries in a defense context

• Perform memory dump
• Validate processes running in memory
• Find relevant files

• Identify the fundamentals of several different OSs and their corresponding internals
• Understand the use and function of processes within the Windows OS
• Discuss the impact of the Windows OS and its corresponding internals on Defensive Cyberspace Operations (DCO)

• Scan a file with YARA
• Scan a directory with YARA
• Identify common YARA use cases
• Write a custom YARA rule

• Determine and analyze attack surfaces
• Identify vulnerabilities
• Execute exploits to gain access and privilege escalation
• Document results

• Identify vulnerabilities
• Execute exploits to gain access and privilege escalation
• Document results

• Determine and analyze attack surfaces
• Identify vulnerabilities
• Execute exploits to gain access and privilege escalation
• Document results

• Determine and analyze attack surfaces
• Identify vulnerabilities
• Execute exploits to gain access and privilege escalation
• Document results

• Identify the common locations of credentials in Windows
• Describe what Mimikatz does
• On a given system, escalate privileges to local Administrator by harvesting credentials
• On a given system, dump SAM hashes with Mimikatz
• Demonstrate hash cracking with John the Ripper

• Conduct an attack which emulates APT41.
• Connect actions done from the red side with information found during the blue investigation.

• Recognize when a CSRF token is present as a defensive measure
• Execute a CSRF exploit to overcome CSRF tokens
• Recognize when a SameSite cookie attribute is present as a defensive measure
• Execute a CSRF exploit to circumvent a SameSite ”strict” setting on session cookies

• Identify the manual installation key components on Ubuntu.
• Identify OS level dependencies.
• Identify Empire configuration options and requirements.
• Identify key components for establishing baseline C2 communications.
• Identify key concepts for the Empire command line.
• Identify common troubleshooting installation and configuration Issues.

• Use Nmap to fingerprint a remote OS
• Use Netcat to perform banner grabbing
• Use penetration testing tools to enumerate network services

• Given the description of a vulnerability, identify the appropriate attack to exploit it
• Demonstrate how attackers leverage weaknesses in web applications to bypass authentication
• Demonstrate how attackers leverage injection, cross-site scripting, and file inclusion attacks to compromise web-facing applications and extract data

• Create a malicious document (“maldoc”) that uses CVE-2022-30190 to exploit a target user
• Use variations of CVE-2022-30190 that alter the manner of user interaction required to trigger the exploit

• Apply phishing and spear-phishing tradecraft to conduct campaigns
• Build weaponized documents to drop an initial payload
• Use drive-by attack links in conjunction with spear-phishing to gain access
• Utilize spear-phishing to conduct credential harvesting to gain valid account access
• Identify components of social engineering and apply them to gain initial access
• Apply the information gained by scanning to identify public-facing application vulnerabilities

• State how Invoke-PSImage conceals malicious code
• Use Invoke-PSImage to embed a malicious script into an image
• Detect traces of Invoke-PSImage as a defender

• Use impacket to extract AS-REP and TGS-REP values from a target
• Use John the Ripper to recover weak passwords from this authentication data

• Take over a Windows device using the following methods:
  • Co-opt SMB using PsExec and recovered passwords.
  • Windows Management Instrumentation (WMI) commands.
  • Co-opt SMB using recovered passwords, a lateral tool transfer, and creating a remote scheduled task.
  • Co-opt Windows Remote Management with PowerShell using recovered passwords.

• Execute an LFI exploitation
• Recognize vulnerabilities that LFI can exploit
• Perform a directory traversal attack
• Abuse file uploads and use LFI to gain RCE
• Identify an RFI exploit

• Perform the steps to stage the Log4Shell exploit
• Perform the exploit

• Execute the reset of another user’s password on a web service using weak authentication
• Capture authentication information from an unencrypted exchange and replay it to access another user’s account
• Execute a brute-force search to access a hidden (otherwise unsecured) administrative interface through brute-force searching
• Perform a data scraping from an exposed Elasticsearch database

• Use the db_nmap Metasploit module to enumerate a target host and determine its open ports
• Stage and launch an exploit against a vulnerable web server using a Metasploit module to gain root-level access
• Use the Meterpreter payload to perform postcompromise actions like credential harvesting
• Use the auxiliary/analyze/crack_linux module to crack harvested credentials from within Metasploit Framework
• Use the Metasploit SOCKS proxy server module and the proxychains command to perform a domain hashdump with secretsdump
py.

• Describe types of payloads available
• Describe the function of common MSFvenom options for specifying payloads
• Determine an appropriate payload for a given victim machine and OS
• Generate a reverse-shell payload
• Deploy a payload to get a reverse shell on a victim machine

• Statically configure a host’s IP address.
• Configure a DHCP server to assign IP addresses dynamically.
• Review server logs to verify correct functioning.
• Use built-in Windows tools to test network connectivity.

• Install persistent malware on Windows using registry “Run keys”
• Install persistent malware on Windows using scheduled tasks
• Install persistent malware on Windows using Windows Management Instrumentation
• Install persistent malware on Windows as a Windows Service
• Find examples of malicious scripts and executables configured to start on system startup on a Windows 10 virtual machine

• Manipulate objects using PowerShell.
• Manipulate properties using PowerShell.
• Manipulate methods using PowerShell.
• Create PowerShell functions.
• Export PowerShell functions.

A step-by-step guide demonstrating how to create PowerShell scripts and how to conceptualize them using pseudocode.

• Describe the process of developing a script.
• Employ PowerShell to construct a basic script.
• Discuss how scripting can be used as a network analysis tool.

• Use CVE-2021-34527 to elevate privileges on a Windows 10 workstation
• Use CVE-2021-34527 to remotely take control of a Windows domain controller

• Identify the privileges of the current user
• Describe what privilege escalation is
• Exploit a vulnerable service to escalate user privileges
• Conduct a DLL Hijacking attack to escalate user privileges
• Exploit the domain controller to elevate a domain user to Domain Admin

A primer on Ethernet, IP, TCP, UDP, ICMP, and ARP, and how protocol standards are established.

• Identify common service protocols, such as Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS).
• Identify common protocols and their functions.

• Identify suspicious activity in Domain Name System (DNS), Hypertext Transfer Protocol (HTTP), and Simple Mail Transfer Protocol (SMTP) web traffic captures.
• Analyze and break down packets to the byte level.

• Gain a foothold on an Exchange server using ProxyLogon
• Perform post-compromise activity after using ProxyLogon for code execution

• Obtain superuser privileges on a Ubuntu 20.04 device using CVE-2021-4034.
• Obtain superuser privileges on a CentOS 7 device using CVE-2021-4034.

• Gather evidence associated with the attack.
• Identify IOCs to inform intelligence feeds.
• Identify attacker infrastructure, such as domain names and IP addresses.
• Collect evidence to support subpoena and search warrant requests.
• Log evidence in an Incident Response timeline.

• Identify artifacts related to logging into a Windows workstation
• Identify and remove artifacts related to logging into a Linux server
• Identify console logging locations on Linux and Windows
• Delete files securely after file identification
• Determine appropriate techniques for hiding evidence of file deletion

• Describe SQL injection syntax
• Describe the consequences of SQL injection
• Explain how to exploit SQL injection to obtain authentication bypass
• Explain how to exploit SQL injection to obtain database contents using SQLmap
• Describe OS/command injection and consequences
• Describe common syntax and OS injection points to test for
• Explain how to use OS injection to read sensitive system files

• Verify the existence of blind SQLi vulnerabilities
• Use Sqlmap to exploit blind SQLi vulnerabilities
• Verify the existence of out of band SQLi vulnerabilities
• Verify the existence of second-order SQLi vulnerabilities
• Use Sqlmap to exploit second-order SQLi vulnerabilities

• Identify when to use sqlmap
• Identify why manual input is sometimes better than sqlmap
• Use common sqlmap input flags
• Use sqlmap to scan a web application for injection vulnerabilities
• Use sqlmap to extract data from a vulnerable database
• Explore sqlmap shell options to enumerate potential host settings

• Evaluate the attack surface of a generic supply chain
• Use a software-based supply chain compromise to enumerate an internal network
• Use a software-based supply chain compromise to take control of users of that software

This module provides a walkthrough of using Splunk to search for given IOCs.

• Identify evidence of compromise in a simulated enterprise network.

• Identify existing vulnerabilities in a Server Message Block (SMB) server running on Windows XP SP0
• Exploit found vulnerabilities in an SMB server running on Windows XP SP0
• Identify a vulnerable application running on an HTTP server
• Exploit a vulnerable application on an HTTP server
• Identify a backdoor on an FTP server
• Exploit an FTP server outfitted with a backdoor

• Enumerate hidden virtual hosts
• Use a brute-force attack to obtain authentication information to access a web page
• Identify a vulnerable header parameter in an insecure Internet of Things (IoT) device

• Perform website exploration techniques to retrieve sensitive data from a web server
• Perform exploitation techniques to gain remote code execution (RCE) on a simple web server

• Compile a basic C++ dropper.
• Integrate Windows shellcode with a C++ dropper.

Using Wireshark for packet capture analysis, with labs that use various filters and color-coding of rules.

• Identify Wireshark components.
• Define the purpose of various Wireshark functions.

• Explain how to execute XXE injection attacks
• Describe the impact of XXE attacks
• Explain how to execute an XXE remote shell
• Describe an XXE DoS attack

• Use enumeration to identify XSS vulnerabilities
• Defeat XSS filters
• Use XSS attacks to:
  • Modify a page
  • Intercept events
  • Exfiltrate data
  • Abuse the Same-Origin-Policy
  • Attack with externally hosted JavaScript

• Analyze basic and extended regular expressions to determine what strings they match
• Create basic and extended regular expressions to match specific patterns
• Create regular expressions that match specific patterns using the underlying regular expression engine

• Perform basic arithmetic operations with binary and hexadecimal
• Decode an IP address from binary into Base 10
• Decode a MAC address from hexadecimal into binary
• Identify why binary is used in computing

• Recognize the components, terminology, and common tools of CI
• Describe the practical and security benefits of CI

• Create a malicious systemd service
• Use Linux commands to audit persistent services
• Use the Windows cmd line to create a malicious service
• Detect persistent Windows services using Sysinternals Autoruns

• Create and launch a CSRF exploit that changes account information
• Test anti-CSRF measures in a web application

• Demonstrate a reflected XSS attack
• Demonstrate a stored XSS attack
• Demonstrate a DOM-based XSS attack
• Explain how to hijack a session with an XSS attack

• Explain two types of attacks that can be accomplished by exploiting CurveBall
• Complete the process of forging a web certificate that passes validation
• Forge a signed executable that runs and returns a reverse shell

• Given an attack scenario, provide the appropriate Cyber Kill Chain® phase that correlates with the attack
• Demonstrate how attackers leverage every phase of the Cyber Kill Chain® to compromise a target system
• Identify suspicious files or activities on a machine or target network

• Obtain superuser privileges on several Linux-based devices by taking advantage of Dirty COW
• Choose the appropriate implementation of Dirty COW on a system-by-system basis to gain root privileges

• Identify the call to kernel resources that exposes the vulnerability
• Describe the steps which reproduce this vulnerability through the splice syscall
• Describe mitigations for the Dirty Pipe exploit

• Identify file types with a hex editor
• Count in binary
• Use hex editor to fix file headers to recover file extensions

• Describe the function and purpose of a fuzzer
• Identify differences between fuzzing methodologies
• Use a fuzzing framework to identify potential software bugs

• Explain the role of symbols in a binary file
• Set breakpoints using GDB
• View variables in GDB
• View CPU registers in GDB
• Execute a program line-by-line
• Debug a program

• Describe the cause of a heap overflow
• Perform a heap overflow attack
• Explain methods of heap overflow prevention

• Clear Windows Event Logs, and detect and mitigate deletion
• Remove all logs from /var/log on a Linux host, and detect and mitigate deletion
• Clear command history in Bash and Powershell, and detect and mitigate deletion
• Delete the file used to spawn connection from Meterpreter, and detect and mitigate file deletion
• Use net use to map a share, collect data, and delete the share after use
• Detect and mitigate network share removal
• Upload a backdoor and match its timestamp to another binary to blend in, and detect and mitigate timestomping

• Locate an insecure deserialization vulnerability
• Perform an exploit of an insecure deserialization vulnerability
• Locate an SSTI vulnerability
• Perform an exploit of an SSTI vulnerability

• Obtain the file type for a Linux file
• Identify configuration file types and location
• Identify log types and location
• Use three methods to view configuration or log files

• Identify Linux processes and services
• Identify important file paths and locations
• Baseline a system
• Detect anomalies

• Identify the six Windows permissions
• Explain/describe the six Windows permissions
• Assign permissions for groups and users
• Identify misconfigured permissions
• Identify appropriate access controls for a given application

• Describe the system components targeted by memory corruption attacks
• Explain the differences between assembly and machine languages
• Describe the purpose of interpreted languages
• Describe the purpose of compiled languages

• Scan a network with Nmap
• Identify hosts on a network
• Detect open ports on network hosts
• Optimize scan timing

• Describe the purpose of OSINT
• Identify sources and targets of OSINT
• Navigate the OSINT Framework
• Gather and interpret information gathered via OSINT

• Understand the difference between the OSI Model and the TCP/IP Model:
• Successfully identify relevant protocols per OSI layer.
• Identify the usefulness of each step of the OSI model.

• Start and run Wireshark to capture traffic on an interface
• Analyze the composition of traffic on a network by examining the Wireshark Statistics menu item
• Utilize the Wireshark Export Objects feature to extract requested HTTP resources from traffic on a network
• Use Wireshark to analyze and identify a point of compromise on a live network
• Analyze captured traffic to determine basic facts about a potential intrusion

• Analyze PCRE regular expressions to determine what strings they match
• Create PCRE to match strings following complex requirements
• Create regular expressions that match specific patterns using the underlying regular expression engine

• Use reverse shells written in several different programming languages
• Select, from a variety of payloads, the most appropriate one for a given exploitation event
• Decide on the next-best alternative for a chosen payload in case of failure

• Describe the cause of a stack overflow
• Perform a stack overflow attack
• Explain methods of stack overflow prevention

• List components that make Kerberos an insecure protocol
• Identify the characteristics of a Pass-the-Ticket attack
• Demonstrate how to exploit the process with AS-REP roasting
• Describe how to exploit a service account to steal and crack its credentials
• Demonstrate how to escalate privileges and recover a krbtgt account’s NTLM hash to forge a Golden Ticket
• Describe how to exploit an application server and recover credentials to forge a Silver Ticket
• Identify methods of detecting and mitigating sub-techniques

• Identify and describe the sub-techniques of ATT&CK TTP: Unsecured Credentials
• Identify the risks associated with each sub-technique
• Describe mitigation techniques for each sub-technique
• Enumerate and recover unsecured credential sets through recursive file searching, enumeration scripts, and post-exploitation modules
• Use acquired plain text credentials to move laterally across a target network
• Decrypt a Group Policy Preference (GPP) encrypted password using the Kali Linux native gpp-decrypt tool
• Use compromised private key credentials to move laterally across a target network

• Identify the primary methods by which struts-pwn and Drupalgeddon2 can compromise a vulnerable web server
• Identify live hosts on a network by performing a basic Nmap ping-sweep
• Using open-source intelligence and directory and service enumeration scanning techniques, identify websites that use Apache Struts and Drupal
• Select the best uses of the Searchsploit tool from a given list
• Obtain a user shell on a vulnerable host by identifying, preparing, and launching web application exploits

• Use at least two methods to open a Command Prompt window
• Create a new directory in a relative or absolute path
• Use Help to construct a command that utilizes parameters
• Add a new user
• Delete a user
• Add a user to a local group

• Identify running processes on Windows
• Find drivers running on Windows
• Query and find service information on Windows

• Explain the function, types, and locations of Windows logs
• Explain the basic purpose of audit policy
• Configure Security Logging
• Conduct basic forensic investigations using Windows logs
• Configure PowerShell Logging
• Use PowerShell Logging to investigate a malicious process

• Explain the function, types, and locations of Windows logs
• Explain the basic purpose of the audit policy
• Describe the difference between alert-based and forensic uses of Windows logs
• Conduct basic forensic investigations using Windows logs

• Edit the registry to change a setting
• Scan the registry and list startup tasks
• Identify how the registry can pose a security risk

• Exploit blind XXE vulnerabilities
• Perform a retrieval of arbitrary files via XXE vulnerabilities on PHP web apps
• Reach an internal application using SSRF vulnerabilities

• Use CVE-2020-1472 to elevate to domain administrator on a Windows domain controller
• Repair the damage done to the domain controller using the exploit proof-of-concept
• Identify Windows Event Logs potentially related to using the exploit proof-of-concept
• Identify solutions to remediate the domain after a cataclysmic attack