SEC-T 0x11

10-12 September 2025

Network forensics for incident response

A hands-on network forensics training that lets you dive deep into analyzing full content network traffic captured in PCAP files. The training data is a completely new and unique data set captured over 30 days on an Internet-connected network with multiple clients, an AD server, a web server, an Android tablet and some embedded devices.

We will analyze traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors include exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack.

Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.

Day 1: Theory and Practice using Open Source Tools

* Investigating a spear phishing email with a malware attachment
* Reassembling exfiltrated data
* Identifying C2 traffic in decrypted HTTPS traffic
* Analyzing decrypted HTTPS traffic from a transparent TLS inspection proxy
* Using NetFlow with Argus
* Tracking lateral movement with stolen AD credentials
* Searching application layer data with Wireshark, tshark, tcpflow and ngrep
* Threat hunting with Security Onion
* Leveraging passive DNS to track C2 domains
* Decoding proprietary C2 traffic from a RAT
* Extracting files from PCAP with NetworkMiner
* Sandbox execution of malware and behavioral analysis
* Supply chain attacks
* Extracting files from SMB and SMB2 traffic
* Analyzing exfiltration by an APT style attacker
* Investigating a spear phishing attack with credential theft

Day 2: Advanced Network Forensics using Netresec Tools

* Theory: HTTP cookies
* Analyzing Cobalt Strike beacons
* Investigation of a botnet infection (TrickBot)
* Extracting and verifying X.509 certificates from network traffic
* Learning about Man-on-the-Side (MOTS) attacks, such as NSA’s QUANTUMINSERT and HackingTeam’s “Network Injection”
* Investigating a brute force attack on a web CMS
* Analyzing exploitation of a web server
* Tracking commands sent to web shells
* Tracking lateral movement via Linux servers
* Using JA3 to track TLS encrypted malware traffic
* Live TLS decryption lab
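JA3, referenced in the item above, is an MD5 over five ClientHello fields: TLS version, cipher suites, extension types, supported groups and EC point formats, written as decimal numbers with GREASE values dropped. The block below is an added example written for this page, not Netresec's code: it parses those fields from raw handshake bytes and computes the fingerprint. The ClientHello it runs on is assembled in the script rather than captured, and the sample values (cipher suites, extension list, the GREASE entries) are constructed. The point it demonstrates is that the hash stays the same when a client randomises its GREASE values, which is what makes JA3 usable for tracking a malware family across connections.

```python
"""JA3 fingerprint of a TLS ClientHello, computed from raw handshake bytes.

Added example (not Netresec's code). JA3 = MD5 over
"TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"
using decimal values, hyphen-separated lists and GREASE values removed.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Clients randomise them,
# so JA3 drops them to keep the fingerprint stable between connections.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def _u16_list(data: bytes) -> list:
    count = len(data) // 2
    return list(struct.unpack(f"!{count}H", data[: 2 * count]))


def parse_client_hello(handshake: bytes) -> dict:
    """Extract the JA3 fields from a TLS Handshake message of type ClientHello (1)."""
    if not handshake or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                          # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                          # compression_methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(body):                      # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + ext_len]; pos += 4 + ext_len
            extensions.append(ext_type)
            if ext_type == 10:    # supported_groups: u16 length + u16 list
                groups = _u16_list(data[2:2 + int.from_bytes(data[:2], "big")])
            elif ext_type == 11:  # ec_point_formats: u8 length + u8 list
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(fields: dict) -> str:
    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(fields["version"]), fmt(fields["ciphers"]),
                     fmt(fields["extensions"]), fmt(fields["groups"]), fmt(fields["formats"])])


def ja3_hash(fields: dict) -> str:
    return hashlib.md5(ja3_string(fields).encode()).hexdigest()


# --- Constructed sample input (assembled here, not captured traffic) ----------

def build_client_hello(version: int, ciphers: list, exts: list) -> bytes:
    """Assemble a ClientHello handshake message; exts is a list of (type, payload)."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    ext = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in exts)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"      # random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"        # null compression only
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def groups_ext(groups: list) -> tuple:
    data = b"".join(struct.pack("!H", g) for g in groups)
    return (10, struct.pack("!H", len(data)) + data)


SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],          # leading GREASE cipher
    [(0x2A2A, b""), (0, b""), groups_ext([0x3A3A, 29, 23, 24]),
     (11, b"\x01\x00"), (23, b""), (65281, b"")],       # GREASE extension and group
)

if __name__ == "__main__":
    fields = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print(ja3_string(fields), ja3_hash(fields))
```

The JA3 string for the sample is `771,4865-4866-49195-49199,0-10-11-23-65281,29-23-24,0`; a second ClientHello with different GREASE values but the same real parameters produces the same string and therefore the same hash. Feed the parser the handshake bytes of the first record in a TLS flow (after stripping the 5-byte record header) and you can pivot on the hash across a PCAP without decrypting anything.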

Securing public cloud infrastructure

This training focuses on elevating your threat detection, investigation, and response skills to the cloud. This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure and applications, then teaches you to build defensive guardrails against such attacks using cloud-native services on AWS. This makes it an ideal class for both red and blue teams.

By the end of this training, you will be able to:

* Use cloud technologies to detect IAM attacks.
* Understand and mitigate cloud-native pivoting and privilege escalation techniques.
* Use serverless functions to perform on-demand threat scans.
* Use containers to deploy threat detection services at scale.
* Build notification services that raise alerts.
* Analyze malware-infected virtual machines to perform automated forensic investigation and artifact collection.
* Use Elasticsearch and Athena to build a SIEM and a security data lake for real-time threat intelligence and monitoring.

**Day 1:**

*Introduction*

– Introduction to cloud services
– Basic terminology: IAM, VPC, AMI, serverless, ARNs etc.
– Understanding cloud deployment architecture.
– Introduction to logging services in the cloud.
– Introduction to the shared responsibility model.
– Setting up your free tier account.
– Setting up the AWS command-line interface.
– Understanding cloud attack surfaces.

*Detecting and monitoring IAM attacks*

– Identity & Access Management crash course.
– Policy enumeration from an attacker’s and a defender’s perspective.
– Detecting and responding to user account brute force attempts.
– Building anomaly detection using CloudWatch Events.
– Building controls against privilege escalation and access permission flaws.
– Attacking and defending against user role enumeration.
– Brute force attack detection using CloudTrail.
– Automated notification for alarms and alerts.
– Exercise on detecting IAM attacks in a simulated environment containing a web application compromise and lateral movement.
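Two of the items above, brute force detection using CloudTrail and automated notification, come down to one piece of logic: count failed ConsoleLogin events per source IP inside a sliding window, and escalate when a success follows from the same address. The block below is an added example written for this page, not the trainer's lab code. The records are constructed in CloudTrail's ConsoleLogin shape (`eventName`, `sourceIPAddress`, `responseElements.ConsoleLogin`, `errorMessage`), the threshold and window are assumptions, and nothing here talks to AWS; it runs offline over an exported trail file.

```python
"""Sliding-window brute-force detection over CloudTrail ConsoleLogin events.

Added example; the records below are constructed in CloudTrail's ConsoleLogin
shape and are not real logs.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_event(event_time: str, ip: str, user: str, outcome: str) -> dict:
    """Build a minimal CloudTrail ConsoleLogin record (constructed sample)."""
    record = {
        "eventVersion": "1.08",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventTime": event_time,
        "sourceIPAddress": ip,
        # CloudTrail masks the user name when the submitted name does not exist.
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},  # "Success" or "Failure"
    }
    if outcome == "Failure":
        record["errorMessage"] = "Failed authentication"
    return record


# Constructed sample: a password spray from 203.0.113.7 that ends in a successful
# login, one user's typo from 198.51.100.9, and slow failures from 192.0.2.5.
SAMPLE_RECORDS = (
    [make_event(f"2025-09-10T08:0{i}:00Z", "203.0.113.7", user, "Failure")
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin",
                               "HIDDEN_DUE_TO_SECURITY_REASONS"])]
    + [make_event("2025-09-10T08:06:30Z", "203.0.113.7", "alice", "Success"),
       make_event("2025-09-10T08:02:10Z", "198.51.100.9", "bob", "Failure"),
       make_event("2025-09-10T08:02:40Z", "198.51.100.9", "bob", "Success"),
       make_event("2025-09-10T09:00:00Z", "192.0.2.5", "root", "Failure"),
       make_event("2025-09-10T09:40:00Z", "192.0.2.5", "root", "Failure"),
       make_event("2025-09-10T10:30:00Z", "192.0.2.5", "root", "Failure")]
)
SAMPLE_FILE = json.dumps({"Records": SAMPLE_RECORDS})  # CloudTrail log-file layout


def load_records(text: str) -> list:
    """Accept a CloudTrail log file ({"Records": [...]}) or one JSON object per line."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc["Records"] if isinstance(doc, dict) else doc


def _ts(event_time: str) -> datetime:
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce(records, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> list:
    """Flag source IPs with >= threshold failed console logins inside `window`,
    then escalate if the same IP logs in successfully afterwards."""
    logins = sorted((r for r in records if r.get("eventName") == "ConsoleLogin"),
                    key=lambda r: r["eventTime"])  # Zulu ISO strings sort chronologically
    recent_failures = defaultdict(deque)            # ip -> (time, user) inside the window
    flagged = set()
    alerts = []
    for rec in logins:
        ip, now = rec["sourceIPAddress"], _ts(rec["eventTime"])
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        if rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            q = recent_failures[ip]
            q.append((now, user))
            while q and now - q[0][0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "type": "console_bruteforce", "ip": ip,
                               "failures": len(q), "users": sorted({u for _, u in q}),
                               "last": rec["eventTime"]})
        elif ip in flagged:   # a success from a flagged IP suggests the spray worked
            alerts.append({"severity": "high", "type": "success_after_bruteforce", "ip": ip,
                           "user": user, "time": rec["eventTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(load_records(SAMPLE_FILE)):
        print(json.dumps(alert))
```

On the sample this raises one medium alert for 203.0.113.7 after the fifth failure and one high alert when the same address then signs in as alice; the typo from 198.51.100.9 and the three failures spread over ninety minutes from 192.0.2.5 stay silent. The same signal in CloudWatch Logs is the CIS benchmark metric filter `{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }`; the script form is what you run over exported trail files during an investigation, and the success-after-failures case is the one that should page someone rather than just raise a metric.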

 

*Malware detection and investigation on/for cloud infrastructure*

– Quick introduction to cloud infrastructure security.
– Building a ClamAV-based static scanner for S3 buckets using AWS Lambda.
– Integrating serverless scanning of S3 buckets with the YARA engine.
– Building signature update pipelines using static storage buckets to detect recent threats.
– Malware alert notification through SNS and a Slack channel.
– Adding context to Slack notifications for quick remediation.
– Exercise on simulating a malware infection in AWS and building an automated detection and alerting system.

   

 

**Day 2:**

*Threat Response & Intelligence analysis techniques on/for Cloud infrastructure*

– Integrating playbooks for threat feed ingestion and VirusTotal lookups.
– Building a SIEM-like service for advanced alerting and threat intelligence gathering using Elasticsearch.
– Creating a security data lake for advanced analytics and intelligence search.
– Building dashboards and queries for real-time monitoring and analytics.
– CTF exercise to correlate multiple logs to determine the source of infection.

 

*Network Security & monitoring for Cloud Infrastructure*

– Understanding network flow in a cloud environment.
– Quick introduction to VPCs, subnets and security groups.
– Using VPC flow logs to discover network threats.
– VPC traffic mirroring to detect malware command & control.

 

*Forensic acquisition, analysis and intelligence gathering of cloud AMIs*

– Analysis of an infected VM instance.
– Building an IR ‘flight simulator’ in the cloud.
– Creating a Step Functions runbook for instance isolation and volume snapshots.
– Lambda functions to perform instance isolation and status alerts.
– Building a forensic analysis playbook to extract key artifacts, run Volatility and build case tracking.
– Automated timeline generation and memory dump.
– Storing the artifacts in an S3 bucket.
– On-demand execution of a Sleuth Kit instance for detailed forensic analysis.
– Enforcing security measures and policies to avoid instance compromise.

Attacking and securing APIs

This is a fully hands-on, concentrated course on securing and attacking web and cloud APIs. APIs are everywhere nowadays: in web apps, embedded systems, enterprise apps, cloud environments and even IoT, and it is becoming increasingly necessary to learn how to defend, secure and attack API implementations and infrastructure. This training aims to engage you in creating secure modern APIs while showing you both classic and contemporary attack vectors.

 

You will learn:

Attacking and defending web APIs (REST, GraphQL):
* Learn REST and GraphQL security best practices.
* Create APIs that are easy to use securely and hard to use insecurely.
* Techniques and tools to design, test and attack APIs and microservices.
* Mitigate and defend against security weaknesses in APIs.
* Implement secure WebSocket channels and defend against Cross-Site WebSocket Hijacking.

Attacking and securing Amazon cloud (AWS) APIs and infrastructure:
* Perform post-exploitation and pivot attacks against AWS environments.

Performing modern injection attacks:
* Attack and defend against injection vulnerabilities such as template injection, SQL injection, NoSQL injection, pickle and YAML deserialization, object injection etc.

Securing passwords and secrets in APIs:
* Learn how to effectively manage the problem of credential storage.
* Attack insecure password protection schemes and extract credentials.
* Utilize open-source and platform-independent credential management solutions.
* Implement secure password storage and handling.

API authentication and authorization techniques:
* Understand the intricate details of authentication and authorization frameworks and technologies.
* Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
* Understand OAuth2, JWT/JWS and other authentication technologies.
* Attack and fix insecure JWT and cookie implementations.
* Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
* Implement and attack multi-factor authentication for APIs.

Designing secure API architecture:
* API and microservices security architecture.
* Handle files securely by allowing only authorized downloads, even in segmented microservice architectures.
* Learn and understand cache security and what threats and vulnerabilities can arise from insecure caching methods and configurations.
* Attack and secure cache implementations and infrastructure.

Securing development environments:
* Securing source code using secure Git configurations and live monitoring.
* Securing software dependencies and the supply chain.

Introduction to reverse engineering

This one-day training aims to give the participant an introduction to the field of software reverse engineering. We will look at various types of programs, including machine code, Java and JavaScript. They will be analyzed using a mix of static and dynamic analysis, both with off-the-shelf tools and with scripts of our own written to help us in our effort. The goal of the training is to give a general understanding of the different approaches available to us as reverse engineers, as well as hands-on experience applying some of these techniques.

After completing the training the student will have a solid foundation on which to continue their reverse engineering studies, as well as a basic toolbox for approaching real-world problems, whether that is analysis of simpler malware or debugging third-party software.

Course Contents

The course will cover the following topics. Topics marked with “*” will be covered as part of the introduction/background without accompanying exercises. Topics marked with “**” are advanced topics covered as part of an introduction into how to proceed after the training.

● Introduction
○ Why reverse engineering?*
○ Types of reverse engineering*
● Static analysis
○ Disassembly
○ Decompilation
○ Identifying patterns
● Dynamic analysis
○ Debugging
○ Emulation
○ Tracing
○ Hooking
● Technologies
○ Low-level: x86/ARM
○ Mid-level: Java/.NET
○ High-level: JavaScript
● Methodology
○ Automation
○ Signatures**
○ Diffing**

Dark Side Ops 2: Adversary Simulation training

Dark Side Ops 2: Adversary Simulation is the combination of sophisticated red team tradecraft and cutting-edge offensive development to simulate real-world adversary activities. Challenge yourself to move beyond reliance on the typical “low-hanging exploitable fruit” from 1999 and start thinking, persisting, pivoting, and operating like a sophisticated adversary. Application whitelisting got you down? No problem. Can’t catch that callback? Been there. No touching disk? No worries. Dark Side Ops 2: Adversary Simulation helps participants up their offensive game by sharing the latest in initial access and post-exploitation, defensive countermeasure bypasses, and unique malware code execution techniques.

Dark Side Ops 2: Adversary Simulation builds on Silent Break Security’s Dark Side Ops: Custom Penetration Testing training by furthering participants’ abilities to think, operate, and develop tools just like sophisticated, real-world attackers. If you want to

  1. build confidence in your offensive approach and capabilities,
  2. learn about and implement the techniques of stealthy malware and backdoors, and
  3. achieve the operational results of a sophisticated adversary, then Dark Side Ops 2: Adversary Simulation is for you.

Dark Side Ops 2: Adversary Simulation provides participants with hands-on labs over an intense, two-day course.


Basics of binary exploitation training

Overview

Binary exploitation is the topic concerning the finding and exploitation of vulnerabilities in low-level code, particularly machine code. It is usually considered one of the more complex areas of IT security, and some of the exploits produced chain together dozens of moving parts in mind-boggling ways to make programs behave in completely unintended ways. The field is the basis of high-severity exploits such as OS privilege escalation, jailbreaks and browser exploits.

Learning goals and expected outcomes

This two-day training aims to give the participant a deeper understanding of how programs execute and interact with the rest of the system; an understanding of the basic building blocks, terminology and anatomy of binary exploitation; and hands-on experience creating some basic exploits of their own. It will also cover various protection mechanisms, how they work and how to deal with them. Throughout the course, techniques for finding vulnerabilities, analyzing them and turning them into exploits will be covered and practiced in the form of hands-on exercises.

After completing the training the student will have a solid foundation from which to continue exploring the field of binary exploitation, allowing them to start learning advanced topics such as kernel exploitation, other architectures and exploiting real-world software such as browsers and phones. The student will also have a basic understanding of some of the techniques used for analysis and exploitation of programs.

Course contents

The course will cover the following topics. Topics marked with “*” will be covered as part of the introduction/background without accompanying exercises. Topics marked with “**” are advanced topics covered as part of an introduction into how to proceed after the training.

Outline

Below is a rough outline of the planned schedule for the training. This is preliminary and subject to change. A more definitive schedule will be posted prior to the training.

Tools used

We will be using mostly free and open source tools throughout the training. Programs will be debugged with gdb and the pwndbg add-on. The exercises can be solved in a programming language of your choice, but examples will be presented in Python with the pwntools framework.

The only commercial tool we will use is Binary Ninja, a reverse engineering platform. A personal non-commercial license for Binary Ninja is included in the price of the training; you get to keep it and can, if desired, upgrade it to a commercial license. All tools and exercises will be available as a pre-packaged VM/container. Instructions on how to obtain it and get it set up on your computer will be provided to all participants ahead of the training.

Prerequisites

The student is expected to have a basic understanding of computers, programs and operating systems. Some basic programming skills are also required; in particular, basic Python knowledge is very helpful. Finally, it is expected that the student can read simple C code and understand very basic concepts of assembly.

The instructor

Carl Svensson is a security professional and hobbyist currently working as the head of security at Swedish healthcare startup, KRY. He is a frequent CTF player for the Swedish top team HackingForSoju and an active member of the Swedish and international security community with a great fondness for a broad range of topics, reverse engineering being one of his favorites. If you have questions about the contents of this training, feel free to get in touch at [email protected].

Dark Side Ops: Custom Penetration Testing Workshop

Hackers penetrate enterprise networks in the flash of an eye, ravage endpoints for sensitive data, and silently exfiltrate the keys to your kingdom without ever popping an alert. Dark Side Ops: Custom Penetration Testing enables participants to “break through” to the next level by removing their dependence on 3rd-party penetration testing tools, allowing for outside-the-box thinking and custom tool development designed specifically for the target environment. Participants are provided with hands-on experience in the black hat techniques currently used by hackers to bypass network-based enterprise intrusion detection and prevention systems (IDS/IPS), layer 7 web proxies, and data loss prevention (DLP) solutions. The custom approach doesn’t stop there. Participants learn advanced evasion techniques against corporate host-based countermeasures, including antivirus and application whitelisting solutions, by developing, compiling, and deploying custom backdoors, payloads, and persistence deep into protected enterprise networks.

At the end of this course students will be able to:
• Build custom payload droppers, beaconing backdoors, and interactive shells.
• Conduct highly targeted and sophisticated custom client-side and social engineering attacks.
• Escalate workstation and network privileges without an exploit.
• Bypass defensive host and network countermeasures such as anti-virus applications, firewalls, IDS, IPS, SIEMs, and strict egress filtering.
• Establish custom, stealthy persistence in a target network.
• Exfiltrate data from a target network using custom applications and network monitoring evasion techniques.
• Compile and deploy an advanced, custom HTTP beaconing payload developed internally by the trainers and used regularly on engagements to effectively infiltrate company networks.

Participants will receive source code to a variety of offensive tools, including custom shells, backdoors, C2 listening posts, and social engineering exploitation techniques. To reinforce the knowledge provided through instruction, participants will have realistic lab projects throughout the day, where the coding skills, custom payload delivery, and advanced pivoting techniques from course instruction will all be necessary.

Day 1

| Lab | Name | Topic | Exercise |
|---|---|---|---|
| Lab 0 | Introduction | Review course topics | |
| Lab 1 | Throwback | Learn about stage 1 malware | Build and deploy Throwback |
| Lab 2 | Client Side Exploitation | Client-side exploitation techniques | Build custom payloads |
| Lab 3 | Windows API | Windows API abuse and bypasses | Build and inject a reflective DLL |
| Lab 4 | Slingshot (RAT) | Learn about reflective DLL injection | Build Slingshot and convert it to a reflective DLL |
| Lab 5 | Post-exploitation hashdump module | Learn about post-exploitation techniques | Add a hashdump module to Slingshot |
| Lab 6 | Post-exploitation Mimikatz module | Learn about post-exploitation techniques | Add a Mimikatz module to Slingshot |

Day 2

| Lab | Name | Topic | Exercise |
|---|---|---|---|
| Lab 7 | Covert operations | Learn about covert infrastructure and operational security | Configure SOHO iptables as a redirector |
| Lab 8 | Evading antivirus | Learn how to evade antivirus | Build dynamic APIs and an in-memory PE loader |
| Lab 9 | Windows persistence | Learn about stealthy persistence techniques | Identify a DLL hijacking vulnerability for persistence |
| Lab 10 | In-memory PowerShell | Learn about PowerShell execution techniques | Run PowerShell completely in memory |
| Lab 11 | Advanced Windows pivoting | Learn about named pipes and other pivoting techniques | Compile and execute SlingshotSMB |
| Lab 12 | In-memory keylogger | Learn Windows API keylogging techniques | Implement a keylogger in Slingshot |
| Lab 13 | Privilege escalation | Learn about privilege escalation techniques | Escalate privileges using DllHijacker |
| Bonus module | Screen-grabber | Learn additional post-exploitation tools | Take a screenshot through Slingshot |

Network Forensics Workshop

The two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files. The scenarios in the labs are primarily focused at network forensics for incident response, but are also relevant for law enforcement/internal security etc. where the network traffic of a suspect or insider is being monitored.

Day 1 – Theory and Practice using Open Source Tools
* Theory: Ethernet signaling
* Hardware: Network TAPs and Monitor ports / SPAN ports
* Sniffers: Recommendations for high-performance packet interception
* PCAP analysis: Extracting evidence and indicators of compromise using open source tools
* Defeating Big Data: Techniques for working with large data sets
* Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
* Challenge Day 1: Find the needle in our haystack and win an honorable prize!

Day 2 – Advanced Network Forensics using Netresec Tools
* NetworkMiner Professional: Learning to leverage the features available in the Pro version
** Port Independent Protocol Identification (PIPI)
** DNS Whitelisting
* NetworkMinerCLI: Automating content extraction with our command line tool
* CapLoader: Searching, sorting and drilling through large PCAP data sets
** Super fast flow transcript (aka Follow TCP/UDP stream)
** Filter PCAP files and export frames to other tools
** Keyword search
* Challenge Day 2
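The whitelisting items above (detecting exploits without IDS signatures on Day 1, DNS Whitelisting in NetworkMiner Professional on Day 2) rest on one idea: compare each queried name against a list of known-good domains and look only at what is left. The block below is an added example written for this page, not NetworkMiner's implementation. It shows the one detail that is easy to get wrong, matching on the registrable domain rather than on a string suffix, so that `notexample.com` is not waved through by `example.com` and `example.com.evil.net` is reported under `evil.net`. The log lines, the allowlist and the tiny public-suffix table are all constructed; real use would load the full Public Suffix List and a large top-sites list.

```python
"""Allowlist-based DNS triage: report queried domains that are not on a known-good list.

Added example for the whitelisting topics on this page, not Netresec's code. The
log lines, the allowlist and the public-suffix table are all constructed here.
"""

# Stand-in for the Public Suffix List (assumption: real code loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "se", "co.uk", "com.au"}

# Stand-in for a "top sites" allowlist of registrable domains (constructed).
ALLOWLIST = {"example.com", "microsoft.com", "bbc.co.uk"}

# Constructed DNS query log: "<time> <client> <qname> <qtype>" per line.
SAMPLE_DNS_LOG = """\
2025-09-10T08:00:01Z 10.0.0.12 www.example.com A
2025-09-10T08:00:02Z 10.0.0.12 cdn.example.com A
2025-09-10T08:00:05Z 10.0.0.12 notexample.com A
2025-09-10T08:01:10Z 10.0.0.23 update.microsoft.com A
2025-09-10T08:01:11Z 10.0.0.23 example.com.evil.net A
2025-09-10T08:06:11Z 10.0.0.23 example.com.evil.net A
2025-09-10T08:11:11Z 10.0.0.23 a3f9c1.evil.net TXT
2025-09-10T08:12:00Z 10.0.0.12 bbc.co.uk A
"""


def registered_domain(qname: str) -> str:
    """Return the registrable domain (eTLD+1), e.g. www.example.co.uk -> example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def naive_allowed(qname: str, allowlist=ALLOWLIST) -> bool:
    """The common mistake: suffix matching on the raw string."""
    return any(qname.endswith(domain) for domain in allowlist)


def allowed(qname: str, allowlist=ALLOWLIST) -> bool:
    """Correct check: compare the registrable domain, not a suffix of the string."""
    return registered_domain(qname) in allowlist


def unknown_domains(log_text: str, allowlist=ALLOWLIST) -> list:
    """Aggregate queries for domains outside the allowlist, busiest first.

    Each entry: {"domain", "queries", "clients", "first_seen", "names"}.
    """
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, qname, _qtype = line.split()
        if allowed(qname, allowlist):
            continue
        domain = registered_domain(qname)
        entry = stats.setdefault(domain, {"domain": domain, "queries": 0, "clients": set(),
                                          "first_seen": when, "names": set()})
        entry["queries"] += 1
        entry["clients"].add(client)
        entry["names"].add(qname.lower())
    return sorted(stats.values(), key=lambda e: (-e["queries"], e["domain"]))


if __name__ == "__main__":
    for entry in unknown_domains(SAMPLE_DNS_LOG):
        print(entry["domain"], entry["queries"], sorted(entry["clients"]),
              sorted(entry["names"]), entry["first_seen"])
```

Run over the sample, the report is two lines: `evil.net` with three queries from one client (including a TXT query for a hex-looking label, which is the kind of thing to chase), and `notexample.com` with one. Everything under `example.com`, `microsoft.com` and `bbc.co.uk` is gone, which is the whole point of the method: on a network where most traffic goes to a few thousand well-known domains, the residue after whitelisting is small enough to inspect by hand, without any signature for the exploit or the C2 protocol.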

The Scenario
The scenario used in the class involves a new, progressive bank which provides exchange services for Bitcoin and Litecoin. We’ve set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as:
* Defacement of the bank’s web server (see zone-h mirror)
* Man-on-the-Side (MOTS) attack (much like NSA/GCHQ’s QUANTUM INSERT)
* Backdoor infection through trojanized software
* Spear phishing
* Use of a popular RAT (njRAT) to access the victim’s machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
* Infection with real malware (Nemucod, Miuref / Boaxxe and more)

Class attendees will learn to analyze captured network traffic from these events in order to:
* Investigate web server compromises and defacements
* Detect Man-on-the-Side attacks
* Identify covert backdoors
* Reassemble incoming emails and attachments
* Detect and decode RAT/backdoor traffic
* Detect malicious traffic without having to rely on blacklists, AV or third-party detection services

NetworkMiner Professional and CapLoader software included FREE of charge
Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.

Target Audience
Q: Who should attend?
A: Anyone who wants to improve their skills at finding evil stuff in full content packet captures.

Q: Who should NOT attend?
A: Those who are afraid of using Linux command line tools.

Training Preparations
Laptop Required
Attendees will need to bring a laptop that fits the following specs:
* A PC running any 64-bit Windows OS (can be a virtual machine)
* At least 4 GB RAM
* At least 40 GB free disk space
* VirtualBox (64-bit) installed
(VMware will not be supported in the training)

A VirtualBox VM will be provided on USB flash drives at the beginning of the training.
Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. You might need to enable hardware virtualization features such as “AMD-V” or “VT-x” in the BIOS/UEFI setup in order to run virtual machines in 64-bit mode, and you might also need to turn off “Intel Trusted Execution” there. On Windows hosts, an enabled Hyper-V role can also prevent VirtualBox from using VT-x. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.

Hands-on SAP Hacking and Defense Workshop

SAP is a core part of the business-critical infrastructure of 95% of the biggest companies in the world. These companies rely on SAP to perform their most sensitive daily operations, such as processing employee payroll and benefits, managing logistics, managing suppliers and customers, material management, releasing payments to providers, credit card processing, business intelligence, etc.

This training provides the latest information on SAP-specific attacks and remediation / protection activities.

This training starts with an introduction to SAP (no previous SAP knowledge is required). Through several hands-on exercises and demos you will learn how to perform your own vulnerability assessments, audits and penetration tests on your SAP platform. You will be well equipped to understand the critical risks your SAP platform may be facing and how to assess them and, more importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platform.

We take pride in creating the most comprehensive SAP security agenda:

Day 1

Day 2