
Advanced Detection Engineering in the Enterprise training

FalconForce is proud to offer a comprehensive training for security professionals that helps them boost their detection engineering skills. The program is flexible enough to fit even busy schedules, and the hands-on, realistic lab exercises give participants practical experience rather than theory alone.

The instructor-led training covers the entire detection engineering cycle, guiding participants through defining a scope, researching the relevant (sub-)techniques, investigating which logs can be used, building the detection analytic, and validating the resilience of that analytic against evasion.

Defensive capability workshop

Interactive training
The training is highly interactive and strikes a good balance between theory and hands-on exercises, in which the students execute all attacks themselves in a dedicated lab environment. These exercises are extensively documented in our lab guide, which also offers hints and (partial) solutions where needed. This lets students become familiar with the detection engineering methodology and prepares them to start implementing this practice at their own organizations.

We provide a full lab environment in which students perform the various exercises. The training and exercises are built around the following scenario: “your company has performed a red teaming exercise to test your resilience against a realistic attack. After the engagement, it turns out that many of the techniques and procedures performed by the red team were not detected by your current detections. You have received the red teaming report and have been tasked with developing additional detection capabilities that will detect the behavior of the techniques and procedures used, should they occur again in the future.”

Who should take the training
Our training is intended for mid-level and senior detection engineers, threat hunters and red teamers. The methodology also enables anyone with a hands-on role in security to learn how to improve the security posture of a company.

Students should be familiar with Windows endpoints, Active Directory and Azure cloud and have basic PowerShell experience. Furthermore, at least some experience with Microsoft Sentinel and its query language (Kusto) is required. Recommended study material to prepare will be supplied to the students several weeks in advance. To connect to our student lab environment, students should be able to use Microsoft RDP (Remote Desktop Protocol) via the internet on port 3389 TCP. Students are required to bring their own laptop.

Training contents
We offer a 4-day training that is an intense mix of theory, discussion and hands-on exercises.

The following topics will be covered in the training:

Detection Engineering methodology

  • Introduction
  • Detection Engineering principles
  • Testing, maintenance and improvement
  • Automation

Endpoint

  • Initial access
  • Command & control use and detection
  • Credential dumping
  • Lateral movement

Active Directory and server-side attacks

  • Kerberos attacks
  • Active Directory Certificate Services (ADCS)
  • SQL and Linux servers

Cloud infrastructure

  • Microsoft Entra ID (formerly Azure Active Directory) abuse and misconfigurations
  • Azure Keyvault and storage accounts
  • Azure Virtual Machine attacks

The training covers a full, realistic attacker scenario in an enterprise environment: from the endpoint, through Active Directory and into the cloud environment. It is led by experienced instructors who teach students to:

  • Understand how to research an attacker technique used in corporate environments.
  • Build resilient detections that are harder to evade by an attacker.
  • Validate their detections to make sure they keep functioning as intended.

FalconForce has successfully delivered this training both at well-known security conferences, such as Black Hat US, and at private organizations in various sectors.

In the training, students will use platforms like:

  • C2: Mythic
  • IDA / Ghidra / Process Hacker / API Monitor / ETW / Frida / Procmon, etc.
  • Sysmon / Microsoft Sentinel / Defender for Endpoint
  • Linux

“We love sharing our knowledge and helping you grow your skills!”
