Plus, 12 months free XINTRA Labs
Apply your new skills to emulated APT-level incidents with XINTRA Labs. Valued at up to $540.
Course Syllabus
128 Videos
33 Labs
40+ Hours of Content
Introduction
Introduction
Course Set-up
Course Set-Up
Attack Scenario & Labs
Attack Scenario & Labs
Incident Timelining
Incident Timelining
Network Log Analysis
Introduction to ELK
Network Log Analysis
Firewall Logs
Proxy Log Analysis
LAB: Proxy Log Analysis
SOLUTION: Proxy Log Analysis
IIS Log Analysis
LAB: IIS Log Analysis
SOLUTION: IIS Log Analysis
Webshells & Exploitation
Webshells & Exploitation
Java Deserialisation
IIS Webshell Abuse
LAB: ASPX Webshell Analysis
SOLUTION: ASPX Webshell Analysis
Other Webshell Abuse
User Access Log Analysis
LAB: Webshell Analysis For Functionality
SOLUTION: Webshell Analysis For Functionality
LAB: MsManagement Exchange Analysis
SOLUTION: MsManagement Exchange Analysis
Entra ID & Azure Forensics
Entra ID & Azure
OAuth 2.0 Abuse
LAB: OAuth Abuse
SOLUTION: OAuth Abuse
M365 Business Email Compromise
LAB: Unified Audit Log
SOLUTION: Unified Audit Log
Artifacts of Execution & File Presence
Artifacts of Execution
Prefetch
LAB: Prefetch
SOLUTION: Prefetch
SRUM
Shimcache
Amcache
LAB: Amcache Analysis
SOLUTION: Amcache Analysis
PowerShell Logs
Entra ID & Azure Host Logs
LAB: PowerShell Analysis
SOLUTION: PowerShell Analysis
LAB: Entra Commandline logs
SOLUTION: Entra Commandline logs
ActivitiesCache.DB
MPLog
LAB: MPLog Analysis
SOLUTION: MPLog Analysis
NTFS Deep Dive
NTFS Overview
$MFT Forensics (Master File Table)
LAB: $MFT Analysis
SOLUTION: $MFT Analysis
$USNJRNL & $J
$Logfile
$I30
LAB: $J Analysis on Deleted Files
SOLUTION: $J Analysis on Deleted Files
Credential Dumping
Credential Dumping Deepdive
Kerberos Attacks - Golden, Silver, Diamond, Sapphire Tickets
Hashes
LAB: Hash Credential Compromise
SOLUTION: Hash Credential Compromise
Cached Credentials
Tokens
SAM Hive
NTDS.dit
LAB: NTDS.dit
SOLUTION: NTDS.dit
Golden SAML
Golden SAML Attack Overview
LAB: Golden SAML
SOLUTION: Golden SAML
APT Persistence Techniques
APT Persistence Techniques
BYOVD (Bring Your Own Vulnerable Driver)
Abusing Services
LAB: Malicious Service
SOLUTION: Malicious Service
Scheduled Tasks
LAB: Scheduled Tasks
SOLUTION: Scheduled Tasks
LSA SSP/AP & Skeleton Key
DLL Search Order Hijacking
DLL Proxying
Phantom DLL Hijacking
COM Hijacking
Image File Execution Options (IFEO)
Application Shimming
Registry, File Access & Browser Forensics
Registry Artifacts
LNK File Analysis
LAB: LNK File Abuse
SOLUTION: LNK File Abuse
LAB: LNK File Access
SOLUTION: LNK File Access
Browser Forensics
LAB: Browser Forensics
SOLUTION: Browser Forensics
LAB: Registry Artifacts
SOLUTION: Registry Artifacts
Lateral Movement & Event Log Analysis
Lateral Movement & Event Log Analysis
LAB: User Creation
SOLUTION: User Creation
LAB: File Share Lateral Movement
SOLUTION: File Share Lateral Movement
LAB: WMIEXEC
SOLUTION: WMIEXEC
APT Defence Evasion Techniques
Defence Evasion Techniques
Timestomping Files
LAB: File Timestomping
SOLUTION: File Timestomping
Registry Timestomping
Abusing SDELETE
LAB: SDELETE
SOLUTION: SDELETE
Windows Event Log Evasion (Services)
Event Log Modification
Event Tracing for Windows (ETW) Bypass
Exfiltration Methods
Overview of Exfiltration
File Share Service
LAB: Cloud File Share Service Exfiltration
SOLUTION: Cloud File Share Service Exfiltration
Detecting Cobalt Strike
LAB: Cobalt Strike Lateral Movement
SOLUTION: Cobalt Strike Lateral Movement
Cobalt Strike Interface
LAB: Cobalt Config Extraction
SOLUTION: Cobalt Config Extraction
What Actually Happened?
What Actually Happened?
Course Trainers
Trainer
Lina Lau (@InverseCos)
Founder of XINTRA, Lina is a security researcher, Black Hat trainer, SANS advisory board member and has presented at several international conferences and authored a book on cybersecurity. She currently holds the following certifications: GXPN, GASF, GREM, GCFA and OSCP.
We’ve got you covered
Frequently Asked Questions
Course Overview
APTs are constantly evolving their attack techniques, putting pressure on responders and blue teamers to stay up to date on the latest tactics, techniques and procedures. Depending on the nature of the organization, responders and blue teamers may never have responded to a nation-state level threat in their environment. This course is built to arm attendees with the ability to detect, respond to and remediate an APT-level attack. Attendees will be challenged with practical labs built around a simulated APT intrusion covering each stage of the ATT&CK chain. Students will be exposed to endpoint forensics, log analysis and cloud forensics on up-to-date attack techniques leveraged by Russian, Chinese, North Korean and Iranian APT groups against organizations within the last two years.
Day one of the course begins with an introduction to the APT attack scenario hosted in the labs. Each module of the course is built to introduce various APT techniques and detection methodologies, followed by a practical lab where students are invited to investigate and determine what occurred in the intrusion. The first day focuses on incident tracking, supertimelining and log analysis using ELK. Attendees will be introduced to various exploitation techniques, modern ways to obfuscate webshells, and cloud forensics in an Azure AD (now Entra ID)/M365 environment, covering advanced techniques like service principal abuse, OAuth abuse and Active Directory backdoors. The day ends with a deep dive into Windows forensics, covering NTFS and artifacts of execution.
Day two is focused on advanced detection and forensics of APT techniques centered around persistence, defense evasion and credential compromise. The day begins with a deep dive into credential dumping methods, with a strong focus on the Golden SAML technique abused by Russian APT groups. Various persistence techniques, like abusing LSA SSP/AP to install backdoors, will be explored with practical logs and disk data for attendees to triage. The day then moves through various forensic artifacts, covering registry timelining, file access artifacts, and lateral movement techniques and their detection in the event logs. Attendees will then be introduced to APT defense evasion techniques, like bypassing write events in the event logs, and exfiltration methods that cover various C2 methods and tunnelling techniques.
Do you offer this live?
We do offer this course live. Prior to this course being digitised, it was only offered live/in-person. Please reach out to [email protected] for any enquiries. We have a minimum course size of 10 students.
Who should take this course?
This course is NOT beginner friendly. It is extremely fast-paced and assumes technical knowledge. It is intermediate/advanced and targeted to students who already know how to perform incident response and have actively worked simple incidents such as "ransomware" cases.
Do I get access to the lab platform?
If you purchase this course, you will automatically be granted 1 year's access to the XINTRA Labs platform with a "Personal" license with access to all existing and new labs. We do not give Enterprise labs access with this course.
I already have a lab account
If you already have a lab platform account, an additional 12 months complimentary will be added to your account UNLESS you are an enterprise customer. For existing enterprise customers, please reach out at [email protected].
What is this course about?
This course is based on the course creator @InverseCos's experience leading and running multiple APT cases. Over the course of two days, you will learn how to solve an APT-level incident using our labs platform.