
SOC Analyst Training

⏰24 hours | ▶️ 24 Videos | 📣 8262 Participants | 🎓 3950 Reviews | 4.8 ⭐⭐⭐⭐⭐

Upcoming Batches PST

  • Weekday: June 11 (1 hr a day), 07:00 PM PST
  • Weekday: June 27 (1 hr a day), 07:00 AM PST
  • Weekend: June 28 (1 hr a day), 07:00 PM PST

Upcoming Batches IST

  • Weekday: June 12 (1 hr a day), 07:30 AM IST
  • Weekday: June 27 (1 hr a day), 07:30 PM IST
  • Weekend: June 29 (1 hr a day), 07:30 AM IST

Course Description

Security operation center (SOC) analyst training provides knowledge on security information management and security event management.

Security analysts need to know information technology security tools and their functions, and need knowledge of software and hardware tools.

Our course includes IT security, cybersecurity, cloud security, big data concepts, and the internet of crucial remedies to be a SOC analyst.

Get enrolled with our online classes and learn the fundamental requirements of a security operation center analyst with 24/7 tech support.

Gain hands-on experience under our trainer and practice with the different security tools.

Build a roadmap for cracking the SOC certification exam and drive towards your dream job as a SOC analyst.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1.Security Operations Centre

Introduction to SOC

  • Building a successful SOC
  • Functions of SOC
  • Heart of SOC- SIEM
  • Gartner’s magic quadrant
  • SIEM guidelines and architecture

ELK Stack:

  • Introduction and an overview of Elastic SIEM
  • User interface
  • How to as a part of alert investigations or interactive threat hunting
  • MDR vs. Traditional SIEM; and other various solutions
  • Elasticsearch: Understanding of architecture, Curator fundamentals
  • Index template for routing, mapping
  • Kibana: Configuration, policies, visualization
  • Deep-dive of Log architecture, parsing, alerts

Security Onion

  • What is Security Onion?
  • Monitoring and analysis tools
  • Security Onion Architecture
  • Deployment types
  • Installing a standalone server: checking system services with sostat, Security Onion with web browser tools, Security Onion terminal
  • Replaying traffic on a standalone server

Splunk In-Depth

  • Industrial requirements of Splunk in various fields
  • Splunk terminologies, search processing language, and various industry use cases

AlienVault OSSIM fundamentals

  • AlienVault fundamentals and architecture deployment
  • Vulnerability scanning & monitoring with OSSIM

Introduction to QRadar

  • IBM QRadar SIEM component architecture and data flows
  • Using the QRadar SIEM User Interface

Fun with logs

  • Working with offense triggered by events
  • Working with offense triggered by flows

Monitoring

  • Monitor QRadar Notifications and error messages.
  • Monitor QRadar performance
  • Review and interpret system monitoring dashboards.
  • Investigate suspected attacks and policy breaches
  • Search, filter, group, and analyze security data

Tools exposure provided in the above section:

  • SecurityOnion
  • ELK Stack
  • SGUILD
  • Wireshark
  • Splunk
  • AlienVault OSSIM
  • IBM QRadar CE

2.Digital Forensics

1. Introduction to Incident Response

  • Section Introduction
  • What is Digital Forensics?
  • Collecting evidence typically related to cybercrime
  • Digital Subject Access Requests
  • Computer Forensics Process
  • Identification, Preservation, collection, examination, analysis, reporting
  • Working with Law Enforcement
  • The difference between an internal security issue and one that requires external assistance

2. Forensics Fundamentals

  • Section Introduction
  • Introduction to Data Representation: hexadecimal, octal, binary files vs. txt files, timestamp formats: UNIX epoch, MAC, Chrome, Windows, FILETIME
  • Hard Drive Basics
  • Platters, sectors, clusters, slack space
  • SSD Drive Basics
  • Garbage collection, TRIM, wear leveling
  • File Systems
  • FAT16, FAT32, NTFS, EXT3/EXT4, HFS+/APFS
  • Metadata & File Carving
  • Memory, Page File, and Hibernation File
  • Order of Volatility

3. Evidence Forms

  • Section Introduction
  • Volatile Evidence
  • Memory RAM, cache, register contents, routing tables, ARP cache, process table, kernel statistics, temporary filesystem/swap space
  • Disk Evidence
  • Data on Hard Disk or SSD
  • Network Evidence
  • Remotely Logged Data, Network Connections/Netflow, PCAPs, Proxy logs
  • Web & Cloud Evidence
  • Cloud storage/backups, chat rooms, forums, social media posts, blog posts
  • Evidence Forms
  • Laptops, desktops, phones, hard drives, tablets, digital cameras, smartwatches, GPS

4. Chain of Custody

  • Section Introduction
  • What is the Chain of Custody?
  • Why is it Important?
  • In regard to evidence integrity and examiner authenticity
  • Guide for Following the Chain of Custody
  • evidence collection, reporting/documentation, evidence hashing, write-blockers, working on a copy of original evidence

5. Windows Investigations

  • Section Introduction
  • Artifacts
  • Registry, Event Logs, Prefetch, .LNK files, DLLs, services, drivers, common malicious locations, scheduled tasks, start-up files
  • Limitations
  • Example Investigations

6. *nix Investigations

  • Section Introduction
  • Artefacts
  • Limitations
  • Example Investigations
  • Artefact Collection
  • Section Introduction
  • Equipment
  • non-static bags, Faraday cage, labels, clean hard drives, forensic workstations, disk imagers, hardware write blockers, cabling, blank media, and photographs
  • Tools
  • Wireshark, Network Miner, and others
  • ACPO Principles
  • Live Forensics
  • Fast acquisition of key files
  • How to Collect Evidence
  • Laptops, desktops, phones, hard drives, tablets, websites, forum posts, blog posts, social media posts, chat rooms
  • Types of Hard Drive Copies: visible data, bit for bit, slack space

7. Live Forensics

  • Section Introduction
  • Live Acquisition
  • What is a live acquisition/live forensics? Why is it beneficial?
  • Products
  • Carbon Black, Encase, memory analysis with agents, Custom Scripts
  • Potential Consequences
  • Damaging or modifying evidence making it invalid

8. Post-Investigation

  • Section Introduction
  • Report Writing
  • Evidence Retention
  • Legal retention periods, internal retention periods
  • Evidence Destruction
  • Overwriting, degaussing, shredding, wiping
  • Further Reading

9. Tools exposure provided in the above section:

  • Command-LINE for Windows / Linux
  • FTK IMAGER
  • MAGNET RAM CAPTURE
  • AUTOPSY
  • Volatility
  • Volatility WorkBench
  • ENCASE

3.Incident Response Domain

1. Introduction to Incident Response

  • What is Incident Response?
  • Why is IR Needed?
  • Security Events vs. Security Incidents
  • Incident Response Lifecycle – NIST SP 800 61r2
  • What is it, why is it used
  • Lockheed Martin Cyber Kill Chain
  • What is it, why is it used
  • MITRE ATT&CK Framework
  • What is it, why is it used

2. Preparation

  • Incident Response Plans, Policies, and Procedures
  • The Need for an IR Team
  • Asset Inventory and Risk Assessment to Identify High-Value Assets
  • DMZ and Honeypots
  • Host Defenses
  • HIDS, NIDS
  • Antivirus, EDR
  • Local Firewall
  • User Accounts
  • GPO
  • Network Defenses
  • NIDS
  • NIPS
  • Proxy
  • Firewalls
  • NAC
  • Email Defenses
  • Spam Filter
  • Attachment Filter
  • Attachment Sandboxing
  • Email Tagging
  • Physical Defenses
  • Deterrents
  • Access Controls
  • Monitoring Controls
  • Human Defenses
  • Security Awareness Training
  • Security Policies
  • Incentives

3. Detection and Analysis

  • Common Events and Incidents
  • Establishing Baselines and Behavior Profiles
  • Central Logging (SIEM Aggregation)
  • Analysis (SIEM Correlation)

4. Containment, Eradication, Recovery

  • CSIRT and CERT Explained
  • What are they, and why are they useful?
  • Containment Measures
  • Network Isolation, Single VLAN, Powering System(s) Down, Honeypot Lure
  • Taking Forensic Images of Affected Hosts
  • Linking Back to Digital Forensics Domain
  • Identifying and Removing Malicious Artefacts
  • Memory and disk analysis to identify artefacts and securely remove them
  • Identifying Root Cause and Recovery Measures

5. Lessons Learned

  • What Went Well?
  • Highlights from the Incident Response
  • What could be improved?
  • Issues from the Incident Response, and How These Can be addressed
  • Importance of Documentation
  • Creating Runbooks for Future Similar Incidents, Audit Trail
  • Metrics and Reporting
  • Presenting Data in Metric Form
  • Further Reading

6. Tools exposure provided in the above section:

  • SYSINTERNAL SUITE
  • Hash Calculator
  • Online Sources
  • CyberChef
  • Wireshark
  • Network Miner

4.Threat Intelligence Domain

1. Section Introduction

  • Threat Intelligence Explained
  • What is TI, why is it used?
  • Why Threat Intelligence can be Valuable
  • Situational awareness, investigation enrichment, reducing the attack surface
  • Criticisms/Limitations of Threat Intelligence
  • Attribution issues, reactive nature, old IOCs, false-positive IOCs
  • The Future of Threat Intelligence
  • Tenable Predictive Prioritization (mixing threat intel with vulnerability management data to calculate dynamic risk scores)
  • Types of Intelligence
  • SIGINT, OSINT, HUMINT, GEOINT

2. Threat Actors

  • Common Threat Agents
  • Cybercriminals, hacktivists, insider threats, nation-states
  • Motivations
  • Financial, social, political, other
  • Skill Levels/Technical Ability
  • Script Kiddies, Hackers, APTs
  • Actor Naming Conventions
  • Animals, APT numbers, other conventions
  • Common Targets
  • Industries, governments, organizations

3. Advanced Persistent Threats

  • What are APTs?
  • What makes an APT? Real-world examples of APTs + their operations
  • Motivations for Cyber Operations
  • Why APTs do what they do (financial, political, social)
  • Tools, Techniques, Tactics
  • What do APTs actually do when conducting operations
  • Custom Malware/Tools
  • Exploring custom tools used by APTs, why they’re used
  • Living-off-the-land Techniques
  • What LOTL is, why it’s used, why it can be effective

4. Operational Intelligence

  • Indicators of Compromise Explained & Examples
  • What IOCs are, how they’re generated and shared, using IOCs to feed defenses
  • Precursors Explained & Examples
  • What precursors are, how they’re different from IOCs, how we monitor them
  • TTPs Explained & Examples
  • What TTPs are, why they’re important, using to maintain defences (preventative)
  • MITRE ATT&CK Framework
  • Framework explained and how we map cyber-attacks, real-world example
  • Lockheed Martin Cyber Kill Chain
  • Framework explained and how we map cyber-attacks, real-world example
  • Attribution and its Limitations
  • Why attribution is hard, impersonation, sharing infrastructure, copy-cat attacks

5. Tactical Threat Intelligence

  • Threat Exposure Checks Explained
  • What TECs are, how to check your environment for the presence of bad IOCs
  • Watchlists/IOC Monitoring
  • What are watchlists, how to monitor for IOCs (SIEM, IDPS, AV, EDR, FW)
  • Public Exposure Assessments
  • What PEAs are, how to conduct them, google dorks, harvester, social media
  • Open-Web Information Collection
  • How OSINT data is scraped, why it’s useful
  • Dark-Web Information Collection
  • How intel companies scrape dark web intel, why it’s useful, data breach dumps, malicious actors on underground forums, commodity malware for sale
  • Malware Information Sharing Platform (MISP)
  • What is MISP, why is it used, how to implement MISP

Tools exposure provided in the above section:

  • AlienVAULT OTX
  • MITRE ATT&CK
  • MISP
  • Maltego
  • ONLINE SOURCES

6. Strategic Threat Intelligence

  • Intelligence Sharing and Partnerships
  • Why sharing intel is important, existing partnerships, US-CERT, NCCIC, NCSC, ISACs
  • IOC/TTP Gathering and Distribution
  • Campaign Tracking & Situational Awareness
  • Why we track actors, why keeping the team updated is important
  • New Intelligence Platforms/Toolkits
  • Undertaking proof-of-value demos to assess the feasibility of new tooling
  • OSINT vs. Paid-for Sources
  • Threat Intelligence Vendors, Public Threat Feeds, National Vulnerability Database, Twitter

7. Malware and Global Campaigns

  • Types of Malware Used by Threat Actors
  • Trojans, RATs, Ransomware, Backdoors, Logic Bombs
  • Globally recognized Malware Campaigns
  • Emotet, Magecart, IcedID, Sodinokibi, Trickbot, Lokibot

8. Further Reading

  • Further Reading Material
  • Links to more resources that students may find helpful.


QRadar SIEM Training

⏰24 hours | ▶️ 24 Videos | 📣 7925 Participants | 🎓 3481 Reviews | 4.8 ⭐⭐⭐⭐⭐

Upcoming Batches PST

  • Weekday: June 09 (1 hr a day), 06:00 PM PST
  • Weekday: June 26 (1 hr a day), 06:00 AM PST
  • Weekend: June 28 (1 hr a day), 06:00 PM PST

Upcoming Batches IST

  • Weekday: June 10 (1 hr a day), 07:30 AM IST
  • Weekday: June 26 (1 hr a day), 07:30 PM IST
  • Weekend: June 29 (1 hr a day), 07:30 AM IST

Course Description

QRadar training is for the QRadar intelligence platform, which provides unified planning of cohesive functions through a single Security Operations Center (SOC) user interface.

We developed this QRadar training to provide security in different firms of an organization.

Our platform provides online classes under expert trainers with all-time support to learn your course in your free time.

Our courses cover all the essential modules required for a QRadar certification exam, along with hands-on experiments.

This Security QRadar SIEM certification validates one's demonstration and technical knowledge to provision Security QRadar

Enroll with us and learn different security modules of QRadar and hold your certification by cracking the QRadar certification exam.

Get started and avail your dream job as a security analyst.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1.Introduction to SOC

  • Building a successful SOC
  • Functions of SOC
  • Heart of SOC- SIEM
  • Gartner’s magic quadrant

2.Introduction to QRadar

  • IBM QRadar SIEM component architecture and data flows
  • Using the QRadar SIEM User Interface

3.Working with logs

  • Working with offense triggered by events
  • Working with offense triggered by flows
  • Working with events of an offense

4.Monitoring

  • Monitor QRadar Notifications and error messages.
  • Monitor QRadar performance
  • Review and interpret system monitoring dashboards.
  • Investigate suspected attacks and policy breaches
  • Search, filter, group, and analyze security data

5.Intercep

  • Investigate the vulnerabilities and services of assets
  • Investigate events and flows
  • Use index management
  • Index and Aggregated Data Management
  • Use AQL for advanced searches
  • Creating Alerts for intrusions
  • Explain error messages and notifications.
  • Analyze a Real-World Scenario.
  • Creating Reports
  • Case Studies

6.Advanced Topics

  • Creating log source types
  • Leveraging reference data collections
  • Developing custom rules
  • Creating Custom Action Scripts
  • Developing Anomaly Detection Rules


Web Application Penetration Testing Training

⏰24 hours | ▶️ 24 Videos | 📣 9173 Participants | 🎓 3149 Reviews | 4.8 ⭐⭐⭐⭐⭐

Upcoming Batches PST

  • Weekday: June 11 (1 hr a day), 07:00 PM PST
  • Weekday: June 25 (1 hr a day), 07:30 AM IST
  • Weekend: June 28 (1 hr a day), 07:00 PM PST

Upcoming Batches IST

  • Weekday: June 12 (1 hr a day), 07:30 AM IST
  • Weekday: June 25 (1 hr a day), 07:30 PM IST
  • Weekend: June 29 (1 hr a day), 07:30 AM IST

Course Description

Get Web Application Penetration Testing training classes and grab knowledge regarding the technology that promotes business success.

It plays a vital role in setting a target for cybercriminals. Web application penetration testing services proactively assess applications to identify vulnerabilities, including those that could lead to the loss of sensitive user and financial information.

As this is one of the best developing security tools, it would be the best choice anyone could make to join our online classes and self-paced tutorials.

Join the training now, learn this robust technology, and earn the course completion. Upgrade your technical skills accordingly.

Also, the pay for these professions can be astounding, as these are the most desired streams in IT cloud management. For professional guidance and excellent placements, join us now.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1.Web Application Assessment

  • OWASP Top 10 Vulnerabilities
  • Threat Modelling Principle
  • Site Mapping & Web Crawling
  • Server & Application Fingerprinting
  • Identifying the entry points
  • Page enumeration and brute forcing
  • Looking for leftovers and backup files

2.Authentication vulnerabilities

  • Authentication scenarios
  • User enumeration
  • Guessing passwords – Brute force & Dictionary attacks
  • Default users/passwords
  • Weak password policy
  • Direct page requests
  • Parameter modification
  • Password flaws
  • Locking out users
  • Lack of SSL at login pages
  • Bypassing weak CAPTCHA mechanisms
  • Login without SSL

3.Web Agent Installation

  • Web Agent Model
  • Preparing for Web Agent installation
  • Install the Web Agent
  • Unattended installs
  • Settings Added to Web Server
  • Test the Web Agent
  • Troubleshooting
  • Unix Installation Review

4.Authorization vulnerabilities

  • Role-based access control (RBAC)
  • Authorization bypassing
  • Forceful browsing
  • Client-side validation attacks
  • Insecure direct object reference

5.Improper Input Validation & Injection vulnerabilities

  • Input validation techniques
  • Blacklist VS. Whitelist input validation bypassing
  • Encoding attacks
  • Directory traversal
  • Command injection
  • Code injection
  • Log injection
  • XML injection – XPath Injection | Malicious files | XML Entity bomb
  • LDAP Injection
  • SQL injection
  • Common implementation mistakes – authentication
  • Bypassing using SQL Injection
  • Cross Site Scripting (XSS)
  • Reflected VS. Stored XSS
  • Special chars – ‘ &<>, empty

6.Insecure file handling

  • Path traversal
  • Canonicalization
  • Uploaded files backdoors
  • Insecure file extension handling
  • Directory listing
  • File size
  • File type
  • Malware upload

7.Session & browser manipulation attacks

  • Session management techniques
  • Cookie based session management
  • Cookie properties
  • Cookies – secrets in cookies, tampering
  • Exposed session variables
  • Missing Attributes – httpOnly, secure
  • Session validity after logoff
  • Long session timeout
  • Session keep alive – enable/disable
  • Session id rotation
  • Session Fixation
  • Cross Site Request Forgery (CSRF) – URL Encoding
  • Open redirect

8.Information leak

  • Web Services Assessment
  • Web Service Testing
  • OWASP Web Service Specific Testing
  • Testing WSDL
  • SQL Injection to Root
  • LFI and RFI
  • OWASP Top 10 Revamp


Network Penetration Testing Training

⏰24 hours | ▶️ 24 Videos | 📣 10628 Participants | 🎓 4381 Reviews | 4.7 ⭐⭐⭐⭐⭐

Upcoming Batches PST

  • Weekday: June 10 (1 hr a day), 07:00 PM PST
  • Weekday: June 25 (1 hr a day), 07:00 AM PST
  • Weekend: June 21 (1 hr a day), 07:00 PM PST

Upcoming Batches IST

  • Weekday: June 11 (1 hr a day), 07:30 AM IST
  • Weekday: June 25 (1 hr a day), 07:30 PM IST
  • Weekend: June 22 (1 hr a day), 07:30 AM IST

Course Description

Get Network Penetration Testing Training classes and gain course completion on the technology that identifies security issues before hackers can exploit them.

It is also known as pen testing: a cybersecurity exercise performed by specialists to find and exploit vulnerabilities in an organization’s IT infrastructure.

Join our online classes to learn about the security tool that checks the weak points of the system software prone to cyber-attacks.

Start learning this technology through online classes and online tutorial resources, and gain a grip on this tool by understanding it from the fundamentals.

Our skilled trainers will assist you through course completion and guide you to get the certification and secure placement with top companies.

Get the course completion and guidance to get Network Penetration Testing certification and get yourself into the best MNC.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1.Introduction

  • TCP/IP Packet Analysis
  • Overview of Network Security
  • Port and Protocols & Analysis
  • Linux Server Installation
  • Windows Client / Linux Installation
  • Basic commands (Windows / Linux)
  • Kali Linux Installation

2.Wireshark

  • Introduction
  • ICMP Packet Analysis
  • ARP Packet Analysis
  • 3 way handshake Analysis
  • Tracert Command Analysis
  • Packet Forensics
  • Nmap Packet Forensics

3.NMAP Basics

  • Network Sweeping
  • OS Discovery
  • SYN Scan
  • UDP Scan
  • XMAS Scan
  • FIN Scan
  • NULL Scan

4.Nmap Firewall Scan

  • Fragment Scan
  • Data Length Scan
  • TTL Scan
  • Source Port Scan
  • Decoy Scan
  • Spoof IP Scan
  • Spoof MAC Scan
  • Data String Scan
  • Hex String Scan
  • IP Options Scan

5.Metasploit

  • Metasploit Basic
  • Msfvenom
  • Auxiliary scanner
  • Windows Reverse TCP
  • Windows HTTPS Tunnel
  • Hidden Bind TCP
  • Macro Payloads
  • Shell on the Fly (Transport)
  • Bypass User Access Control
  • Pass the Hash
  • Post Exploitation

6.Dictionary & Passwords Attacks

  • Hydra
  • Medusa
  • Crunch
  • CeWL
  • WCE
  • Mimikatz
  • CUPP
  • Online attacks

7.FTP Penetration Testing (Port 21)

  • Introduction & Lab setup
  • Banner Grabbing/Banner Hiding
  • Port forwarding /Time Scheduling
  • Brute forcing/Secure
  • Pivoting/Tunneling [windows]

8.SSH Penetration Testing (Port 22)

  • Introduction & Lab setup
  • Banner Grabbing/Banner Hiding
  • Port forwarding /Time Scheduling
  • Brute forcing/Secure
  • Pivoting/Tunneling
  • Multiple ways to secure SSH

9.Telnet Penetration Testing (Port 23)

  • Introduction & Lab setup
  • Banner Grabbing/Banner Hiding
  • Port forwarding /Time Scheduling
  • Brute forcing/Secure
  • Pivoting/Tunneling

10.SMTP Penetration Testing (Port 25)

  • Introduction & Lab setup
  • Banner Grabbing/Banner Hiding
  • Port forwarding /Time Scheduling
  • Brute forcing/Secure
  • Penetration testing with SWAKS

11.DNS & DHCP Penetration Testing (Port 53, 67, 68)

  • Introduction & Lab setup
  • DNS Enumeration
  • DHCP Packet Analysis with Wireshark
  • DHCP Starvation attack
  • Rogue DHCP Server
  • Tools (Gobbler, responder, Yersinia)

12.NetBIOS & SMB Penetration Testing (Port 135-445)

  • Introduction & Lab setup
  • SMB Enumeration
  • SMB Null Sessions
  • Enum4Linux
  • NetBIOS Spoofing
  • Banner Grabbing/Banner Hiding
  • Brute forcing/Secure
  • Pivoting/Tunneling
  • Penetration Testing with PsExec and EternalBlue
  • Multiple ways to connect to SMB

13.SNMP Penetration Testing (Port 161, 162)

  • Introduction & Lab setup
  • Banner Grabbing/Banner Hiding
  • Port forwarding /Time Scheduling
  • Brute forcing/Secure
  • Penetration Testing with Metasploit and Nmap

14.MSSQL Penetration Testing (Port 1433)

  • MSSQL Brute force Attack
  • Enumerate MSSQL configuration setting
  • Identifying SQL Server logins
  • Identify Database owner
  • Identify a User With masquerade privilege
  • Execute SQL Statement
  • Retrieve MSSQL Password Hashes of Users
  • Decode Password Hashes of Users
  • Extracting MYSQL Schema Information

15.MySQL Penetration Testing (Port 3306)

  • Introduction and Lab setup
  • MYSQL Brute Force Attack
  • mysql banner user/file/ Enumeration
  • Stealing MYSQL information
  • Check File Privileges
  • Enumerate MYSQL writeable directories
  • Extract MYSQL Username with Hash Password
  • Crack Hash Password with John the Ripper
  • Secure MYSQL through port forwarding
  • Prevent Mysql against brute force attack

16.Remote Desktop Penetration Testing (Port 3389)

  • Introduction & Lab setup
  • Banner Grabbing/Banner Hiding
  • Port forwarding /Time Scheduling
  • Brute forcing/Secure
  • Pivoting/Tunneling
  • DOS Attack

17.VNC Penetration Testing (Port 5900, 5901)

  • Introduction & Lab setup
  • Banner Grabbing/Banner Hiding
  • Port forwarding /Time Scheduling
  • Brute forcing/Secure
  • Penetration Testing with Metasploit and Nmap
  • Pivoting/Tunneling

18.Sniffing & Spoofing

  • Introduction
  • ARP Poisoning
  • MAC Address Snooping
  • DNS Spoofing
  • DNS Poisoning
  • Capture NTLM Hashes
  • Xerosploit

19.Socks Proxy Penetration Testing

  • Socks proxy lab setup
  • SSH
  • FTP
  • HTTP

20.IDS, Firewall, Honeypots

  • Setup Snort Lab in Ubuntu
  • Understanding Snort Rules
  • Introduction to IPtables
  • Introduction to Windows Firewall
  • ICMP Detect
  • TCP Packet Detect
  • Detect Nmap Scan
  • Detect Dos Attack
  • Antivirus Evasion with veil

21.DOS Attack Penetration Testing

  • Introduction to DOS Attack
  • Botnet
  • D-DOS Attack
  • SYN Flood Attack
  • UDP Flood
  • Smurf Attack
  • Packet Crafting
  • Other DOS Attack Tools

22.Social Engineering Attack

  • Introduction to Social Engineering Attack
  • Payload and Listener Attack
  • Java Applet Attack
  • HTA Attack
  • MSFPC
  • DOS Attack
  • PowerShell Attack Vector
  • VNC Attack

23.Covering Tracks & Maintaining access

  • Persistence
  • s4u_persistence
  • VSS_Persistence
  • Registry Persistence
  • Netcat
  • Clear Event Logs

24.Network Vulnerability Assessment Tool

  • Nessus
  • GFI LanGuard
  • Nexpose
  • OpenVAS
  • MBSA


MITRE ATT&CK Training

⏰24 hours | ▶️ 24 Videos | 📣 10625 Participants | 🎓 4701 Reviews | 4.8 ⭐⭐⭐⭐⭐

Upcoming Batches PST

  • Weekday: June 11 (1 hr a day), 07:30 AM IST
  • Weekday: June 27 (1 hr a day), 06:00 AM PST
  • Weekend: June 21 (1 hr a day), 06:00 PM PST

Upcoming Batches IST

  • Weekday: June 11 (1 hr a day), 07:30 PM IST
  • Weekday: June 27 (1 hr a day), 07:30 PM IST
  • Weekend: June 22 (1 hr a day), 07:30 AM IST

Course Description

Start MITRE ATT&CK training in live sessions and learn about the set of techniques adversaries use to accomplish a specific objective. Those objectives are categorized as tactics within the ATT&CK Matrix.

It is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.

Start online classes and learn about achieving the tactical goals and adversary usage of regulations and metadata.

Take online classes to master this framework, one of the most rapidly advancing technologies.

Start learning this technology through online classes and online tutorial resources, and gain a grip on this tool by understanding the fundamentals.

Our skilled trainers will assist you through course completion and guide you to get MITRE ATT&CK certification and secure placement with top companies.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1.Introduction to MITRE ATT&CK

  • MITRE ATT&CK – Cyber Attack Lifecycle
  • Pyramid of Pain
  • Cyber Kill Chain
  • Threat Intelligence using MITRE ATT&CK

2.MITRE’s ATT&CK Matrices

  • MITRE PRE-ATT&CK threat modelling methodology for pre-exploit activities
  • Enterprise Matrix: Windows, MacOS, Linux, Etc.
  • Mobile
  • ICS.

3.Mapping Data to ATT&CK

  • ATT&CK portable detection tests
  • Raw Data vs Finished Reports
  • Case Studies

4.Storing & Analyzing the ATT&CK Mapped Data

  • MITRE ATT&CK Navigator
  • Utilizing the MITRE ATT&CK Matrix
  • MITRE ATT&CK Use Cases
  • Warming Up Using ATT&CK for Self-Advancement

5.Defend with MITRE ATT&CK

  • Concept of Active Defense
  • MITRE SHIELD
  • Defensive Recommendation with SHIELD
  • MITRE CAR
  • Getting started using MITRE ATT&CK for Threat Hunting
  • Different TTPs for attacking Active Directory

6.Red Team Emulation

  • Set up MITRE Caldera
  • Atomic Red Team Test
  • MITRE LAB Practical


CTF Training

⏰24 hours | ▶️ 24 Videos | 📣 9435 Participants | 🎓 4318 Reviews | 4.8 ⭐⭐⭐⭐⭐

Upcoming Batches PST

  • Weekday: June 10 (1 hr a day), 07:00 PM PST
  • Weekday: June 26 (1 hr a day), 07:00 AM PST
  • Weekend: June 28 (1 hr a day), 07:00 PM PST

Upcoming Batches IST

  • Weekday: June 11 (1 hr a day), 07:30 AM IST
  • Weekday: June 26 (1 hr a day), 07:30 PM IST
  • Weekday: June 29 (1 hr a day), 07:00 AM PST

Course Description

Capture the Flag (CTF) training is for candidates who want to master cybersecurity competitions with challenges. The participants will have a variety of tasks related to computer security problems.

The CTF course is the best fit for candidates interested in ethical hacking and penetration testing skills; a firm understanding of the TCP and IP protocols is recommended.

You can enroll in this course and start learning through online classes.

After learning this course, you will have many job opportunities to work in ethical hacking or IT security.

You can get the Course Completion Certificate as soon as you complete the course.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1.Introduction to Pentesting

  • Penetration Testing Benefits
  • Types of Penetration Testing
  • Penetration Testing Methodologies
  • Law & Compliance
  • Planning, Managing & Reporting

2.Assessment & Skill Management

  • Finding Files
  • Services in Kali
  • SSH Service
  • FTP Services
  • HTTP Service
  • SNMP Service
  • Mysql Services
  • Service Management
  • IP Protocols, Networking Protocols, IPSec, VOIP
  • Network Architecture, Mapping & Target Identification

3.Basic Linux and Commands

  • Locate
  • Which
  • Find
  • Sed
  • Awk
  • Cut
  • Sort
  • Grep
  • Head
  • Tail
  • Wget
  • Cat

4.Netcat Tutorials

  • Getting started with NC
  • Connecting to a Server
  • Fetching HTTP header
  • Chatting
  • Creating a Backdoor
  • Verbose Mode
  • Save Output to Disk
  • Port Scanning
  • TCP Delay Scan
  • UDP Scan
  • Reverse TCP Shell Exploitation
  • Randomize Port
  • File Transfer
  • Reverse Netcat Shell Exploitation
  • Banner grabbing

5.Port Scanning with Nmap & WireShark

  • TCP Connect Scan with wireshark
  • Network sweeping with wireshark
  • SYN Scan with wireshark
  • UDP Scan with wireshark
  • FIN Scan with wireshark
  • Null Scan with wireshark
  • OS Discovery with wireshark
  • NSE Scripts with wireshark
  • Nmap Firewall Scan

6.Enumeration

  • Overview
  • Structure, interpretation and analysis of DNS records
  • DNS Enumeration
  • Forward DNS Lookup
  • Reverse DNS Lookup
  • Zone Transfers
  • NetBIOS & SMB Enumeration
  • Null Sessions
  • Enum4Linux
  • SMB NSE Scripts
  • MYSQL Enumeration
  • MSSQL Enumeration
  • SMTP Enumeration
  • VRFY Script
  • Python Port
  • SNMP Enumeration
  • SNMP MiB
  • SNMPWalk

7.Passive Info Gathering

  • Overview
  • Google Search
  • Google Hacking
  • GHDB
  • NNTP Newsgroups & Information Leakage from Mail Headers

8.Directory Bruteforce Attack

  • Dirb
  • Dirbuster
  • Dirsearch
  • Metasploit

9.Windows Security Assessment

  • Domain Reconnaissance
  • User Enumeration
  • Active Directory
  • Windows Patch Management Strategies
  • Desktop Lockdown & Exchange Server

10.Reverse Shell

  • Php reverse shell
  • Python reverse shell
  • Perl reverse shell
  • Bash reverse shell
  • Msfvenom shell

11.Intro to Overflows

  • Overview
  • Vulnerable Code
  • Stack Overflow
  • Heap Overrun/Overflow

12.Windows BO Example

  • Overview DEP, ASLR and CFG
  • Fuzzing
  • Crash Replication
  • Controlling EIP
  • Locating space for our Shellcode
  • Bad Characters
  • Redirecting Execution
  • Introducing Mona
  • Shellcode Payload

13.Linux BO Example

  • Overview DEP, ASLR and Canaries
  • Controlling EIP
  • Locating Space
  • First Stage Shellcode
  • Locating RET
  • Generating Shellcode

14.Using Public Exploits

  • Overview
  • Finding Exploits
  • Exploit-DB
  • Fixing Exploits 1
  • Fixing Exploits 2
  • Cross-Compiling

15.File Transfers

  • FTP
  • Python HTTP Server
  • php http server
  • HFS Tool
  • Netcat
  • CURL
  • Wget
  • TFTP
  • Python SMB Server
  • Powershell File Transfer
  • Bitsadmin

16.Linux Privilege Escalation

  • Suid Binaries
  • Abusing Sudo Rights
  • Kernel Exploit
  • Path Variables
  • Multiple Ways to edit /etc/passwd file

17.Linux Privilege Escalation

  • Suid Binaries
  • Abusing Sudo Rights
  • Kernel Exploit
  • Path Variables
  • Multiple Ways to edit /etc/passwd file

18.Windows Privilege Escalation

  • Weak File Permissions
  • Always Install Elevated
  • Bypass UAC
  • Unquoted Service Path
  • Kernel Exploits

19.Web Application Attacks

  • Overview
  • Web Servers Flaws
  • Web Protocols
  • Local File Inclusion
  • SQL Injection
  • Authentication Bypass
  • Error Based Enum
  • Blind SQL Injection
  • Attack Proxies
  • XSS, LDAP & XML Injection
  • SQLMap
  • Web APIs
  • Web Sub-Components

20.Password Cracking

  • Overview
  • Crunch
  • Passing the Hash
  • Password Profiling
  • Online Attacks
  • Medusa
  • Ncrack
  • Hydra
  • Password Hashes
  • Cracking Hashes
  • LM / NTLM

21.Port Fun

  • Overview
  • Port Forwarding
  • SSH Tunnels
  • Dynamic Proxies
  • Proxy Chains

22.Metasploit Framework

  • Overview
  • AUX Modules
  • SNMP Modules
  • SMB Modules
  • WEBDAV Modules
  • Database Services
  • Exploits
  • Payloads
  • Meterpreter
  • Meterpreter in Action
  • Additional Payloads
  • Binary Payloads
  • Multihandler
  • Porting Exploits
  • Post Exploitation

23.Antivirus Avoidance

  • Overview
  • Shellter
  • Veil-Evasion
  • thefatrat

24.Misconfigured Lab Setup

  • WordPress lab Setup & Pentesting
  • Joomla Lab Setup & Pentesting
  • Drupal Lab Setup & Pentesting
