SEC699: SANS Amsterdam October 2025
Provided by SANS
What You Will Learn
This cutting-edge purple team training immerses participants in the world of adversary emulation to fortify defenses against data breaches. Delving into the realm of real-life threat actors, students undergo hands-on experiences within a dynamic enterprise setting, mastering the art of detection and emulation of adversarial techniques.Sixty percent of class time is spent on labs, and class activities include:
The SEC699 journey is structured as follows:
This cutting-edge purple team training immerses participants in the world of adversary emulation to fortify defenses against data breaches. Delving into the realm of real-life threat actors, students undergo hands-on experiences within a dynamic enterprise setting, mastering the art of detection and emulation of adversarial techniques.Sixty percent of class time is spent on labs, and class activities include:
- A course section on typical automation strategies such as Ansible, Docker, and Terraform, which can be used to deploy a multi-domain enterprise environment for adversary emulation at the press of a button.
- Building a proper process as well as tooling and planning for purple teaming.
- Building adversary emulation plans that mimic real-life threat actors such as APT-28, APT-34, and Turla, using tools such as Covenant and Caldera to execute the plans.
- In-depth techniques such as Kerberos Delegation attacks, Attack Surface Reduction/Applocker bypasses, EDR bypasses, AMSI, process injection, and COM Object Hi-jacking.
- Detection engineering and delemetry review to detect the above techniques.
- A dynamic capstone where your adversary emulation skills are put to the test.
The SEC699 journey is structured as follows:
- In section one, we will lay the foundations that are required to perform successful adversary emulation and purple teaming. As this is an advanced course, we will go in-depth on several tools that we'll be using and learn how to further extend existing tools.
- Sections two through four will be heavily hands-on with a focus on advanced techniques and their defenses (particularly detection strategies). Section two focuses on Initial Access techniques, section three covers Lateral Movement and Privilege Escalation, while section four deals with Persistence.
- Finally, in section five, we will build an emulation plan for a variety of threat actors. These emulation plans will be executed both manually using popular C2 frameworks and automatically using BAS (Breach Attack Simulation) tools.
- Build realistic adversary emulation plans to better protect your organization
- Deliver advanced attacks, including application whitelisting bypasses, cross-forest attacks (abusing delegation), and stealth persistence strategies
- Building SIGMA rules to detect advanced adversary techniques
- A SEC699 course VM that includes necessary scripts and dependencies that are used to spin up a detection lab on-demand
Enquire
Start date | Location / delivery | |
---|---|---|
20 Oct 2025 | Amsterdam | Book now |