Training Content
Over the course of 3 days, participants will learn modern attack techniques, local privilege escalation methods, and identity infrastructure attacks, as well as how those attacks can be detected and mitigated.
This knowledge will be reinforced with case studies demonstrating how real-world attacks happen using the methods learned. Additionally, participants will be introduced to the Microsoft Sentinel SIEM solution and will learn how to properly set up, configure, and use it.
The course will conclude with a showcase of how threat hunting and threat detection design can be performed using both manual and automated methods.
This is an international course, which means you will share the learning experience in a group of IT pros from around the world! The class is taught in English by CQURE Cybersecurity Experts!
During this course you will have an opportunity to interact with the instructor and get their help with any problems you might encounter, just as if it was a regular class.
Prerequisites
To attend this training, you should have solid hands-on experience administering Windows infrastructure and a basic understanding of public cloud concepts (Office 365, Azure).
Detailed Contents
Module 1: Modern Attack Techniques and Tracing Them
1. Discussion: Top attack techniques
2. Advanced Persistent Threats
3. Initial access vectors
4. Phishing – rev shell mail phishing bob
5. Valid Credentials – password spray etc.
6. Spoofing – DNS Twist
7. Vulnerable components (drive-by download)
8. Weak defaults
a. Other vectors: Escalation through Windows Services
Module 2: Local Privilege Escalation Techniques and Tracing Them
1. Unquoted service path
2. Image and DLL manipulation
3. Scheduled Tasks
4. Access Token Manipulation
5. SeImpersonate
6. SeTcb
7. Create User Token
8. Process Injection
9. DLL Injection and Reflective DLL Injection
10. CreateRemoteThread
11. Memory Injection
12. Other techniques
Module 3: Case Study – Investigating In-Place Attacks
Module 4: Windows Authentication Architecture & Cryptography
1. Windows Logon
2. Windows Logon Types
3. LSASS Architecture
4. NTLM
5. Kerberos
6. SAM Database
7. NTDS.dit
8. LSA Secrets & gMSA accounts
9. Secrets, credentials and Logon Data
10. SSP Providers
11. Data Protection API
Module 5: Case Study – Investigating Identity Theft
Module 6: Attacks on Identity Infrastructure and Tracing Them
1. Pass-the-Hash, OverPTH attacks
a. Pass the ticket
b. Golden and silver ticket
c. Pass the PRT
d. Shadow Credentials / NGC
2. NBNS/LLMNR spoofing, NTLM Relay, Kerberoasting
3. DCSync and DCShadow
4. AdminSDHolder
5. Other modern identity attack techniques
Module 7: Case Study – Determining Identity Theft in the Infrastructure
Module 8: eXtended Detection and Response with Sentinel
1. Sentinel 101 - Azure Sentinel Dashboards, Connectors
2. Understanding Normalization in Azure Sentinel
3. Cloud & on-prem architecture
4. Workbooks deep dive - Visualize your security threats and hunts
5. Incidents
6. KQL intro (KQL hands-on lab exercises) and Optimizing Azure Sentinel KQL
7. Auditing and monitoring your Azure Sentinel workspace
8. Sentinel configuration with Microsoft Cloud stack, EDR and MCAS
9. Fusion ML Detections with Scheduled Analytics Rules
10. Deep Dive into Azure Sentinel Innovations
11. Investigating Azure Security Center alerts using Azure Sentinel
12. Introduction to Monitoring GitHub with Azure Sentinel for Security Professionals
13. Hunting in Sentinel
14. Deep Dive on Threat Intelligence
15. End-to-End SOC scenario with Sentinel
Module 9: Case Study – Detecting a Complex Threat with Sentinel
Module 10: Practical and Advanced Use Cases of Sentinel
1. Visualizing Sentinel data with Workbooks
2. Creating automation playbooks in Microsoft Sentinel
3. KQL for Sentinel hands-on lab
4. Proactively hunting for threats using Microsoft Sentinel
5. Basic SOC investigation scenario
6. Auditing and monitoring the Microsoft Sentinel workspace
7. Creating scheduled analytics rules for Microsoft Sentinel alerts
8. Managing Cloud App Discovery and protecting your environment from risky applications
9. Microsoft Cloud App Information Protection activities
10. Investigating risky users with Defender for Cloud Apps user and entity behavior analytics