Course Overview
Learn the foundations of cybersecurity defense with Foundational Security Operations and Defensive Analysis (SOC-200), a course designed for job roles such as Security Operations Center (SOC) Analysts and Threat Hunters. Learners gain hands-on experience with a SIEM, identifying and assessing a variety of live, end-to-end attacks against a number of different network architectures. Learners who complete the course and pass the exam earn the OffSec Defense Analyst (OSDA) certification, demonstrating their ability to detect and assess security incidents.
Target Audience
- Security Operations Center (SOC)
- Tier 1 Analyst
- Tier 2 Analyst
- Tier 3 Analyst
- Threat Hunting
- Digital Forensics & Incident Response (DFIR)
Course Objectives
- Recognize common methodologies for end-to-end attack chains (MITRE ATT&CK® framework)
- Conduct guided audits of compromised systems across multiple operating systems
- Use a SIEM to identify and assess an attack as it unfolds live
Prerequisites
All learners are required to have completed the following courses:
- SOC-100: Linux Basics 1 & 2
- SOC-100: Windows Basics 1 & 2
- SOC-100: Networking Basics
Duration
5 days
Certifications
OSDA
Course Outline
Attacker Methodology
The Network as a Whole
- Gain a basic understanding of an enterprise network’s DMZ
- Learn about deployment environments
- Understand the difference between core and edge network devices
- Study virtual private networks and remote sites
The Lockheed-Martin Cyber Kill-Chain
- Learn the parts of the Lockheed-Martin Cyber Kill-Chain
- Apply the Kill-Chain to malware that performed cryptomining
- Apply the Kill-Chain to three iterations of ransomware
MITRE ATT&CK Framework
- Learn the classifications of the MITRE ATT&CK Framework
- Review a case study of OilRig campaigns with MITRE ATT&CK principles
- Review a case study of APT3 campaigns with MITRE ATT&CK principles
- Review a case study of APT28 campaigns with MITRE ATT&CK principles
Windows Endpoint Introduction
Windows Processes
- Gain a basic understanding of programs running within Windows
- Learn about Windows Services and their relationship with processes
- Review the common states of Windows
Windows Registry
- Review the configuration structure of the Windows Registry
- Learn about the key-value pair relationship within the Windows Registry
- Understand the value types and formats for Windows Registry keys
Command Prompt, VBScript, and PowerShell
- Review the non-graphical means of interacting with Windows
- Build batch scripts used for the command prompt to run local commands
- Write a Visual Basic Script for collecting operating system
- Build custom PowerShell functions
Programming on Windows
- Review the Component Object Model in Windows
- Learn about the development of the .NET Framework and .NET Core
Windows Event Log
- Gain a basic understanding of Windows Event logs and sources
- Review several Windows Event logs using the Windows Event Viewer
- Use PowerShell to query Windows Event logs
Empowering the Logs
- Gain a basic understanding of System Monitor (Sysmon)
- Review Sysmon events using the Windows Event Viewer
- Review Sysmon events using PowerShell
- Use PowerShell Core in Kali Linux to query event logs remotely
Windows Server Side Attacks
Credential Abuse
- Learn about the Windows Security Account Manager
- Learn about Windows Authentication
- Understand the concept of suspicious login activity
- Evaluate the behavior of brute-force login activity
Web Application Attacks
- Learn about the configuration of Internet Information Services (IIS) in Windows
- Evaluate logging artifacts of local file inclusion for attacking web servers
- Evaluate logging artifacts of command injection and file upload for attacking web servers
Binary Exploitation
- Learn about binary attacks through buffer overflows, and the artifacts they create
- Study the use of Windows Defender Exploit Guard and how it protects against binary exploitation
- Evaluate logging artifacts generated by the Windows Defender Exploit Guard
Windows Client Side Attacks
Attacking Microsoft Office
- Review social engineering and spearphishing techniques
- Evaluate the use of Microsoft Office products to deploy phishing attacks
- Review logging artifacts generated from a phishing attack
Monitoring Windows PowerShell
- Gain a basic understanding of extended PowerShell logging capabilities
- Understand the use of PowerShell module logging
- Understand the use of PowerShell script block logging
- Understand the use of PowerShell transcription
- Review PowerShell logging artifacts generated from a phishing attack
- Learn about PowerShell obfuscation and deobfuscation
Windows Privilege Escalation
Privilege Escalation Introduction
- Gain a basic understanding of Windows integrity levels and enumeration
- Learn about Windows’ User Account Control (UAC)
- Evaluate a UAC bypass technique and the logging artifacts it creates
Escalations to SYSTEM
- Perform an elevation using UAC Bypass and review the logging artifacts created
- Learn about service permissions for privilege escalation along with relevant logging artifacts
- Learn about unquoted service paths for privilege escalation along with logging artifacts
Linux Endpoint Introduction
Linux Applications and Daemons
- Understand what Linux daemons are
- Understand the Syslog Framework components
- Understand how the syslog and the journal daemon work together
- Understand Linux web logging
Automating the Defensive Analysis
- Understand how scripting can aid log analysis
- Understand how to scale further scripting with DevOps tools
- Understand how to put together what we learned in a real-life hunting scenario
Linux Server-Side Attacks
Credential Abuse
- Understand suspicious logins and how to detect them in logs
- Understand brute-force password attacks and their log footprints
Web Application Attacks
- Understand command injection attacks and their log footprint and detections
- Understand SQL injection attacks and their log footprint and detections
Linux Privilege Escalation
User-side privilege escalation attack detections
- Understand how Linux privileges work
- Understand how to detect privilege escalation attacks on user’s configuration files
System-side privilege escalation attack detections
- Understand how Linux privileges work
- Understand how to detect privilege escalation attacks on user’s configuration files
Windows Persistence
Persistence on Disk
- Understand and recognize persisting via Windows Service
- Understand and recognize persisting via Scheduled Tasks
- Understand and recognize persisting by DLL Sideloading/Hijacking
Persistence in Registry
- Understand using Run Keys
- Understand using Winlogon Helper
Network Detections
Intrusion Detection Systems
- Understand theory and methodologies behind IPS and IDS
- Understand Snort rule syntax
- Learn how to craft basic Snort rules
Detecting Attacks
- Learn how to detect known vulnerabilities with Snort rules
- Learn how to detect novel vulnerabilities with Snort rules
Detecting C2 Infrastructure
- Understand the components of a C2 framework
- Learn how to detect a well-known C2 communication through Snort rule sets
Antivirus Detections
Antivirus Basics
- Understand an overview of Antivirus
- Understand signature-based detection
- Understand heuristic and behavioral-based detection
Antimalware Scan Interface (AMSI)
- Understand the basics of AMSI
- Understand how attackers bypass AMSI
Active Directory Enumeration
Abusing Lightweight Directory Access Protocol
- Understand LDAP
- Interact with LDAP
- Enumerate Active Directory with PowerView
Detecting Active Directory Enumeration
- Audit Object Access
- Perform Baseline Monitoring
- Use Honey Tokens
Network Evasion and Tunneling
Network Segmentation
- Understand the concept of network segmentation
- Learn the benefits of network segmentation
- Understand possible methods of implementing network segmentation in an enterprise
Detecting Egress Busting
- Understand the concept of egress filtering
- Understand an iptables firewall setup and application of egress filtering
- Evaluate an “egress busting” technique and the logging artifacts it creates
Port Forwarding and Tunneling
- Understand the concept of tunneling and port forwarding
- Learn how attackers use it to compromise additional machines in the network
- Understand the possible methods and tools attackers use to tunnel into the network and how to detect them
Windows Lateral Movement
Windows Authentication
- Understanding Pass the Hash
- Understanding Brute Forcing Domain Credentials
- Understanding Terminal Services
Abusing Kerberos Tickets
- Understanding Pass the Ticket
- Understanding Kerberoasting
Active Directory Persistence
Keeping Domain Access
- Understanding Domain Group Memberships
- Understanding Domain User Modifications
- Understanding Golden Tickets
SIEM Part One: Intro to ELK
Log Management Introduction
- Understand SIEM Concepts
- Learn about the ELK Stack
- Use ELK Integrations with OSQuery
ELK Security
- Understand Rules and Alerts
- Understand Timelines and Cases
SIEM Part Two: Combining the Logs
Phase One: Web Server Initial Access
- Detect enumeration and command injection
- Implement Phase One detection rules
Phase Two: Lateral Movement to Application Server
- Discover brute forcing and authentication
- Create Phase Two detection rules
Phase Three: Persistence and Privilege Escalation on Application Server
- Understand persistence and privilege escalation
- Build Phase Three detection rules
Phase Four: Perform Actions on the Domain Controller
- Identify dumping the AD database
- Create Phase Four detection rules