ＨｉｄｅＺｅｒｏＯｎｅ

As a cyber security defender and investigator, we often just get to analyze an environment that suffered a ransomware attack after the ransomware execution, where we are trying to make our way back in time to understand the scope and initial infection vectors of a breach. However, knowing how attackers operate and having an understanding of their tools can help tremendously to conduct a more effective analysis and response and ultimately lower the impact of such attacks. This is why in this workshop we will teach you how to perform the common steps of every phase in a ransomware attack scenario as the attacker, from initial infection to impact.

We will set up a basic C2 infrastructure with PowerShell Empire, and execute attack phases such as initial access and reconnaissance, persistence mechanisms, privilege escalation, credential dumping, lateral movement, defense evasion, data exfiltration, and encryption with ransomware. In every step you will also learn about the fundamental concepts that are required to conduct the attack and defend against those including hands-on analysis using Splunk, Velociraptor and forensic tools as needed. In the last part of the workshop, you will learn best practices on how to effectively conduct investigations of the attacked environment using various tools that are part of the lab setup. Upon completion of the workshop, participants will have a better understanding of the steps ransomware threat actors take to achieve their objectives, as well as the best practices for detecting and ultimately preventing ransomware attacks.

Antisyphon: Ransomware Attack Simulation and Investigation for Blue Teamers

For most security teams, high operational tempo (measured in dumpster fire lumens) incentivizes analysts to stick to well-tailored playbooks that prioritize remediation at the expense of proper incident scoping and root cause analysis. Though modern endpoint security products have significantly improved host visibility, most critical incidents will require the acquisition and analysis of additional endpoint data. This course focuses on four core investigative competencies: endpoint data collection, investigative triage, incident response pivots, and root cause analysis.

Antisyphon: Advanced Endpoint Investigations

Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between. In this class, you will learn how to force an attacker to take more moves to attack your network. These moves may increase your ability to detect them. You will learn how to gain better attribution as to who is attacking you and why. You will also find out how to get access to a bad guy’s system. And most importantly, you will find out how to do the above legally.

Active Defense & Cyber Deception w/ John Strand

This is  a collection of Offensive Security’s curated cyber security learning paths These learning paths are designed to provide a comprehensive understanding of various cyber security domains, such as network penetration testing, web application security, wireless security, secure software development, and cloud security . Each learning path is tailored to suit the needs of cyber security enthusiasts, from beginners to advanced learners

 List Of Learning Paths

Security Operations Essentials (SOC-100)

Introduction to Cloud Security (CLD-100)

Introduction to Secure Software Development (SSD-100)

Kali Linux Essentials

OffSec Learning Paths

Syllabus

• Attacker Methodology Introduction
• Windows Endpoint Introduction
• Windows Server Side Attacks
• Windows Client-Side Attacks
• Windows Privilege Escalation
• Windows Persistence
• Linux Endpoint Introduction
• Linux Server Side Attacks
• Network Detections
• Antivirus Alerts and Evasion
• Network Evasion and Tunneling
• Active Directory Enumeration
• Windows Lateral Movement
• Active Directory Persistence
• SIEM Part One: Intro to ELK
• SIEM Part Two: Combining the Logs

SOC-200: Foundational Security Operations and Defensive Analysis