Note that learners can generate a set of course materials (PDF and videos) once their access to the course starts. To make the learning experience seamless, we have provided a one-to-one mapping of the downloaded video material to the course portal.
Copyright | ||
Portal Text Name | Portal Video | Offline (Folder - N/A) |
Copyright | ||
Copyright | Copyright | COPY_00_00 |
Module 3 Windows Endpoint Introduction | ||
Portal Text Name | Portal Video | Offline (Folder - WEI) |
3.1. Windows Processes | ||
3.2. Windows Registry | ||
3.3. Command Prompt, VBScript, and Powershell | ||
3.3. Command Prompt, VBScript, and Powershell | 1.1 Command Prompt, VBScript, and Powershell | WEI_03_00 |
3.3.1. Command Prompt | 1.1.1. Command Prompt | WEI_03_01 |
3.3.2. Visual Basic Script (VBScript) | 1.1.2. Visual Basic Script (VBScript) | WEI_03_02 |
3.3.3. PowerShell | 1.1.3. PowerShell | WEI_03_03 |
3.4. Programming on Windows | ||
3.4.1. Component Object Model | N/A | N/A |
3.4.2. .NET and .NET Core | N/A | N/A |
3.5. Windows Event Log | ||
3.5. Windows Event Log | 1.2 Windows Event Log | WEI_05_00 |
3.5.1. Introduction to Windows Events | 1.2.1. Introduction to Windows Events | WEI_05_01 |
3.5.2. PowerShell and Event Logs | 1.2.2. PowerShell and Event Logs | WEI_05_02 |
3.6. Empowering the Logs | ||
3.6. Empowering the Logs | 1.3. Empowering the Logs | WEI_06_00 |
3.6.1. System Monitor (Sysmon) | 1.3.1. System Monitor (Sysmon) | WEI_06_01 |
3.6.2. Sysmon and Event Viewer | 1.3.2. Sysmon and Event Viewer | WEI_06_02 |
3.6.3. Sysmon and PowerShell | 1.3.3. Sysmon and PowerShell | WEI_06_03 |
3.6.4. Remote Access with PowerShell Core | 1.3.4. Remote Access with PowerShell Core | WEI_06_04 |
Module 4 Windows Server Side Attacks | ||
Portal Text Name | Portal Video | Offline (Folder - WSSA) |
4.1. Credential Abuse | ||
4.1.1. The Security Account Manager (SAM) and Windows Authentication | N/A | N/A |
4.1.2. Suspicious Logins | N/A | N/A |
4.1.3. Brute Force Logins | 2.1.1. Brute Force Logins | WSSA_01_03 |
4.2. Web Application Attacks | ||
4.2.1. Internet Information Services (IIS) | N/A | N/A |
4.2.2. Local File Inclusion | 2.2.1. Local File Inclusion | WSSA_02_02 |
4.2.3. Command Injection | 2.2.2. Command Injection | WSSA_02_03 |
4.2.4. File Upload | 2.2.3. File Upload | WSSA_02_04 |
4.2.5. Extra Mile | N/A | N/A |
4.2. Web Application Attacks | ||
4.3.1. Binary Attacks | 2.3.1. Binary Attacks | WSSA_03_01 |
4.3.2. Windows Defender Exploit Guard (WDEG) | 2.3.2. Windows Defender Exploit Guard (WDEG) | WSSA_03_02 |
Module 5 Windows Client-Side Attacks | ||
Portal Text Name | Portal Video | Offline (Folder - WCSA) |
5.1. Attacking Microsoft Office | ||
5.1.1. Social Engineering and Spearphishing | N/A | N/A |
5.1.2. Installing Microsoft Office | N/A | N/A |
5.1.3. Using Macros | 3.1.1. Using Macros | WCSA_01_03 |
5.2. Monitoring Windows PowerShell | ||
5.2.1. Introduction to PowerShell Logging | 3.2.1. Introduction to PowerShell Logging | WCSA_02_01 |
5.2.2. PowerShell Module Logging | 3.2.2. PowerShell Module Logging | WCSA_02_02 |
5.2.3. PowerShell Script Block Logging | 3.2.3. PowerShell Script Block Logging | WCSA_02_03 |
5.2.4. PowerShell Transcription | 3.2.4. PowerShell Transcription | WCSA_02_04 |
5.2.5. Case Study: PowerShell Logging for Phishing Attacks | 3.2.5. Case Study: PowerShell Logging for Phishing Attacks | WCSA_02_05 |
5.2.6. Extra Mile | N/A | N/A |
5.2.7. Obfuscating/Deobfuscating Commands | 3.2.6. Obfuscating/Deobfuscating Commands | WCSA_02_07 |
Module 6 Windows Privilege Escalation | ||
Portal Text Name | Portal Video | Offline (Folder - WPE) |
6.1. Privilege Escalation Introduction | ||
6.1.1. Privilege Escalation Enumeration | 4.1.1. Privilege Escalation Enumeration | WPE_01_01 |
6.1.2. User Account Control | N/A | N/A |
6.1.3. Bypassing UAC | 4.1.2. Bypassing UAC | WPE_01_03 |
6.2. Escalating to SYSTEM | ||
6.2.1. Service Creation | 4.2.1. Service Creation | WPE_02_01 |
6.2.2. Attacking Service Permissions | 4.2.2. Attacking Service Permissions | WPE_02_02 |
6.2.3. Leveraging Unquoted Service Paths | 4.2.3. Leveraging Unquoted Service Paths | WPE_02_03 |
Module 7 Windows Persistence | ||
Portal Text Name | Portal Video | Offline (Folder - WP) |
7.1. Persistence on Disk | ||
7.1.1. Persisting via Windows Service | 9.1.1. Persisting via Windows Service | WP_01_01 |
7.1.2. Persisting via Scheduled Tasks | 9.1.2. Persisting via Scheduled Tasks | WP_01_02 |
7.1.3. Persisting by DLL-Sideloading/Hijacking | 9.1.3. Persisting by DLL-Sideloading/Hijacking | WP_01_03 |
7.2. Persistence in Registry | ||
7.2.1. Using Run Keys | 9.2.1. Using Run Keys | WP_02_01 |
7.2.2. Using Winlogon Helper | 9.2.2. Using Winlogon Helper | WP_02_02 |
Module 8 Linux Endpoint Introduction | ||
Portal Text Name | Portal Video | Offline (Folder - LEI) |
8.1. Linux Applications and Daemons | ||
8.1. Linux Applications and Daemons | 5.1. Linux Applications and Daemons | LEI_01_00 |
8.1.1. Daemons | 5.1.1. Daemons | LEI_01_01 |
8.1.2. Logging on Linux and the Syslog Framework | 5.1.2. Logging on Linux and the Syslog Framework | LEI_01_02 |
8.1.3. Rsyslog Meets Journal | 5.1.3. Rsyslog Meets Journal | LEI_01_03 |
8.1.4. Web Daemon Logging | 5.1.4. Web Daemon Logging | LEI_01_04 |
8.1. Linux Applications and Daemons | ||
8.1. Linux Applications and Daemons | 5.2. Linux Applications and Daemons | LEI_02_00 |
8.2.1. Python for Log Analysis | 5.2.1. Python for Log Analysis | LEI_02_01 |
8.2.2. DevOps Tools | 5.2.2. DevOps Tools | LEI_02_02 |
8.2.3. Hunting for Login Attempts | 5.2.3. Hunting for Login Attempts | LEI_02_03 |
Module 9 Linux Server Side Attacks | ||
Portal Text Name | Portal Video | Offline (Folder - LSSA) |
9.1. Credential Abuse | ||
9.1. Credential Abuse | 6.1. Credential Abuse | LSSA_01_00 |
9.1.1. Suspicious Logins | 6.1.1. Suspicious Logins | LSSA_01_01 |
9.1.2. Extra Mile I | N/A | N/A |
9.1.3. Password Brute Forcing | 6.1.2. Password Brute Forcing | LSSA_01_03 |
9.1.4. Extra Mile II | N/A | N/A |
9.2. Web Application Attacks | ||
9.2. Web Application Attacks | 6.2. Web Application Attacks | LSSA_02_00 |
9.2.1. Command Injection | 6.2.1. Command Injection | LSSA_02_01 |
9.2.2. Extra Mile III | N/A | N/A |
9.2.3. SQL Injection | 6.2.2. SQL Injection | LSSA_02_03 |
9.2.4. Extra Mile IV | N/A | N/A |
Module 10 Linux Privilege Escalation | ||
Portal Text Name | Portal Video | Offline (Folder - N/A) |
10.1. Attacking the Users | ||
10.1.1. Becoming a User | 7.1.1. Becoming a User | |
10.1.2. Backdooring a User | 7.1.2. Backdooring a User | |
10.2. Attacking the System | ||
10.2.1. Abusing System Programs | 7.2.1. Abusing System Programs | |
10.2.2. Extra Mile I | N/A | N/A |
10.2.3. Weak Permissions | 7.2.2. Weak Permissions | |
10.2.4. Extra Mile II | N/A | N/A |
Module 11 Network Detections | ||
Portal Text Name | Portal Video | Offline (Folder - ND) |
11.1. Intrusion Detection Systems | ||
11.1.1. Theory and Methodology | N/A | N/A |
11.1.2. Foundations of IDS and Rule Crafting | 8.1.1. Foundations of IDS and Rule Crafting | ND_01_02 |
11.2. Detecting Attacks | ||
11.2.1. Known Vulnerabilities | 8.2.1. Known Vulnerabilities | ND_02_01 |
11.2.2. Extra Mile I | N/A | N/A |
11.2.3. Novel Vulnerabilities | 8.2.2. Novel Vulnerabilities | ND_02_03 |
11.3. Detecting C2 Infrastructure | ||
11.3.1. C2 Infrastructure | 8.3.1. C2 Infrastructure | ND_03_01 |
11.3.2. Extra Mile II | N/A | N/A |
11.3.3. Network Communications | 8.3.2. Network Communications | ND_03_03 |
Module 12 Antivirus Alerts and Evasion | ||
Portal Text Name | Portal Video | Offline (Folder - AAE) |
12.1. Antivirus Basics | ||
12.1.1. Antivirus Overview | N/A | N/A |
12.1.2. Signature-Based Detection | 10.1.1. Signature-Based Detection | AAE_01_02 |
12.1.3. Real-time Heuristic and Behavioral-Based Detection | 10.1.2. Real-time Heuristic and Behavioral-Based Detection | AAE_01_03 |
12.2. Antimalware Scan Interface (AMSI) | ||
12.2.1. Understanding AMSI | 10.2.1. Understanding AMSI | AAE_02_01 |
12.2.2. Bypassing AMSI | 10.2.2. Bypassing AMSI | AAE_02_02 |
Module 13 Network Evasion and Tunneling | ||
Portal Text Name | Portal Video | Offline (Folder - NET) |
13.1. Network Segmentation | ||
13.1.1. Network Segmentation Concepts and Benefits | N/A | N/A |
13.1.2. Segmentation Theory | N/A | N/A |
13.2. Egress Busting | ||
13.2.1. Detecting Egress Busting | 12.1.1. Detecting Egress Busting | NET_02_01 |
13.3. Port Forwarding and Tunneling | ||
13.3.1. Port Forwarding and Tunneling Theory | N/A | N/A |
13.3.2. Port Forwarding and Tunneling in Practice | 12.2.1. Port Forwarding and Tunneling in Practice | NET_03_02 |
Module 14 Active Directory Enumeration | ||
Portal Text Name | Portal Video | Offline (Folder - ADE) |
14.1. Abusing Lightweight Directory Access Protocol | ||
14.1.1. Understanding LDAP | N/A | N/A |
14.1.2. Interacting with LDAP | 11.1.1. Interacting with LDAP | ADE_01_02 |
14.1.3. Enumerating Active Directory with PowerView | 11.1.2. Enumerating Active Directory with PowerView | ADE_01_03 |
14.2. Detecting Active Directory Enumeration | ||
14.2.1. Auditing Object Access | 11.2.1. Auditing Object Access | ADE_02_01 |
14.2.2. Baseline Monitoring | 11.2.2. Baseline Monitoring | ADE_02_02 |
14.2.3. Using Honey Tokens | 11.2.3. Using Honey Tokens | ADE_02_03 |
Module 15 Windows Lateral Movement | ||
Portal Text Name | Portal Video | Offline (Folder - WLM) |
15.1. Windows Authentication | ||
15.1.1. Pass The Hash | 13.1.1. Pass The Hash | WLM_01_01 |
15.1.2. Brute Force Domain Credentials | 13.1.2. Brute Force Domain Credentials | WLM_01_02 |
15.1.3. Terminal Services | 13.1.3. Terminal Services | WLM_01_03 |
15.2. Abuse The Kerberos Ticket | ||
15.2.1. Pass The Ticket | 13.2.1. Pass The Ticket | WLM_02_01 |
15.2.2. Kerberoasting | 13.2.2. Kerberoasting | WLM_02_02 |
Module 16 Active Directory Persistence | ||
Portal Text Name | Portal Video | Offline (Folder - ADP) |
16.1. Keeping Domain Access | ||
16.1.1. Domain Group Memberships | 14.1.1. Domain Group Memberships | ADP_01_01 |
16.1.2. Domain User Modifications | 14.1.2. Domain User Modifications | ADP_01_02 |
16.1.3. Golden Tickets | 14.1.3. Golden Tickets | ADP_01_03 |
Module 17 SIEM Part One: Intro to ELK | ||
Portal Text Name | Portal Video | Offline (Folder - SIEM_I) |
17.1. Log Management Introduction | ||
17.1.1. SIEM Concepts | N/A | N/A |
17.1.2. Elastic Stack (ELK) | 15.1.1. Elastic Stack (ELK) | SIEM_01_02 |
17.1.3. ELK Integrations with OSQuery | 15.1.2. ELK Integrations with OSQuery | SIEM_01_03 |
17.2. ELK Security | ||
17.2.1. Rules and Alerts | 15.2.1. Rules and Alerts | SIEM_02_01 |
17.2.2. Timelines and Cases | 15.2.2. Timelines and Cases | SIEM_02_02 |
Module 18 SIEM Part Two: Combining the Logs | ||
Portal Text Name | Portal Video | Offline (Folder - SIEM_II) |
18.1. Phase One: Web Server Initial Access | ||
18.1. Phase One: Web Server Initial Access | 16.1. Phase One: Web Server Initial Access | SIEM02_01_00 |
18.1.1. Enumeration and Command Injection of web01 | 16.1.1. Enumeration and Command Injection of web01 | SIEM02_01_01 |
18.1.2. Phase One Detection Rules | 16.1.2. Phase One Detection Rules | SIEM02_01_02 |
18.2. Phase Two: Lateral Movement to Application Server | ||
18.2. Phase Two: Lateral Movement to Application Server | 16.2. Phase Two: Lateral Movement to Application Server | SIEM02_02_00 |
18.2.1. Brute Force and Authentication to appsrv01 | 16.2.1. Brute Force and Authentication to appsrv01 | SIEM02_02_01 |
18.2.2. Phase Two Detection Rules | 16.2.2. Phase Two Detection Rules | SIEM02_02_02 |
18.3. Phase Three: Persistence and Privilege Escalation on Application Server | ||
18.3. Phase Three: Persistence and Privilege Escalation on Application Server | 16.3. Phase Three: Persistence and Privilege Escalation on Application Server | SIEM02_03_00 |
18.3.1. Persistence and Privilege Escalation on appsrv01 | 16.3.1. Persistence and Privilege Escalation on appsrv01 | SIEM02_03_01 |
18.3.2. Phase Three Detection Rules | 16.3.2. Phase Three Detection Rules | SIEM02_03_02 |
18.4. Phase Four: Perform Actions on Domain Controller | ||
18.4. Phase Four: Perform Actions on Domain Controller | 16.4. Phase Four: Perform Actions on Domain Controller | SIEM02_04_00 |
18.4.1. Dump AD Database | 16.4.1. Dump AD Database | SIEM02_04_01 |
18.4.2. Phase Four Detection Rules | 16.4.2. Phase Four Detection Rules | SIEM02_04_02 |