SEC699: SANS Tokyo Winter 2024

Provided by

Enquire about this course

What You Will Learn

This cutting-edge purple team training immerses participants in the world of adversary emulation to fortify defenses against data breaches. Delving into the realm of real-life threat actors, students undergo hands-on experiences within a dynamic enterprise setting, mastering the art of detection and emulation of adversarial techniques.Sixty percent of class time is spent on labs, and class activities include:
  • A course section on typical automation strategies such as Ansible, Docker, and Terraform, which can be used to deploy a multi-domain enterprise environment for adversary emulation at the press of a button.
  • Building a proper process as well as tooling and planning for purple teaming.
  • Building adversary emulation plans that mimic real-life threat actors such as APT-28, APT-34, and Turla, using tools such as Covenant and Caldera to execute the plans.
  • In-depth techniques such as Kerberos Delegation attacks, Attack Surface Reduction/Applocker bypasses, EDR bypasses, AMSI, process injection, and COM Object Hi-jacking.
  • Detection engineering and delemetry review to detect the above techniques.
  • A dynamic capstone where your adversary emulation skills are put to the test.
SEC699 is a natural follow-up to SEC599. Course authors Erik Van Buggenhout (lead author of SEC599) and Jean-Francois Maes (lead author of SEC565) are both certified GIAC Security Experts as well as experienced practitioners with a deep understanding of how cyber attacks work through both red and blue team activities. In SEC699, they combine these skill sets to teach students adversary emulation methods for data breach prevention and detection.
The SEC699 journey is structured as follows:
  • In section one, we will lay the foundations that are required to perform successful adversary emulation and purple teaming. As this is an advanced course, we will go in-depth on several tools that we'll be using and learn how to further extend existing tools.
  • Sections two through four will be heavily hands-on with a focus on advanced techniques and their defenses (particularly detection strategies). Section two focuses on Initial Access techniques, section three covers Lateral Movement and Privilege Escalation, while section four deals with Persistence.
  • Finally, in section five, we will build an emulation plan for a variety of threat actors. These emulation plans will be executed both manually using popular C2 frameworks and automatically using BAS (Breach Attack Simulation) tools.
Business Takeaways
  • Build realistic adversary emulation plans to better protect your organization
  • Deliver advanced attacks, including application whitelisting bypasses, cross-forest attacks (abusing delegation), and stealth persistence strategies
  • Building SIGMA rules to detect advanced adversary techniques
What You Will Receive
  • A SEC699 course VM that includes necessary scripts and dependencies that are used to spin up a detection lab on-demand


Start date Location / delivery
02 Dec 2024 Tokyo Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...