Cyber Labs Course Catalog

Shadow Copies Labs

Training Objective: Train analysts in maintaining system shadow copies so they can be used in response to malicious activity.

Pre-Requisite: Experience with Windows; Knowledge of live backups to mitigate encryption

Course Description: Windows uses Shadow Copies to create backup copies or snapshots of machine files or volumes, even while they are in use. These copies could be the answer to your ransomware problem, allowing you to recover encrypted or corrupted data from a machine or your network. In this lab you will gain a master-level understanding of shadow copies and learn how to use them in response to malicious activity.

ZeroLogon Labs

Training Objective: Learn to detect and mitigate the use of Zerologon by attackers.

Pre-Requisite: Basic knowledge of Wireshark filtering and usage; Basic knowledge of Process Monitor filtering and usage.

Course Description: ZeroLogon, a Windows vulnerability rated 10/10 by the Common Vulnerability Scoring System (CVSS), allows attackers to impersonate the domain controller, providing them with quick access to the entire network. Used in a variety of attacks, this vulnerability allows attackers to spread their malware or move laterally in a matter of minutes. Learn to detect and mitigate the use of ZeroLogon while investigating a PCAP file from an exploited machine.

Analysis with EDR - Turla Labs

Training Objective: Learn to use your provided EDR platform to investigate a machine infected with Turla as you map out the attack path and uncover attacker objectives.

Pre-Requisite: Experience with EDR tools; Knowledge of malware analysis.

Course Description: Turla is responsible for some of the most sophisticated ongoing cyber-espionage campaigns. As a persistent malware, Turla delivers information related to the user machine and is capable of receiving pre-configured payloads with multiple commands for execution. Learn to use your provided EDR platform to investigate a machine infected with Turla as you map out the attack path and uncover attacker objectives.

Analysis with EDR - Kovter Labs

Training Objective: Learn to use your provided EDR platform to investigate a machine infected with Kovter as you map out the attack path and uncover attacker objectives.

Pre-Requisite: Experience with EDR tools; Knowledge of malware analysis.

Course Description: Kovter has a long history, evolving from click-fraud malware into fileless malware, which makes it nearly impossible to detect. Attackers using Kovter often evade detection and bypass traditional endpoint file scanning and sandboxing technologies. Learn to use your provided EDR platform to investigate a machine infected with Kovter as you map out the attack path and uncover attacker objectives.

Linux Malware Persistence With Cronjobs Labs

Training Objective: Learn to use your crontab on a Linux machine and advance your abilities to detect persistence in Linux.

Pre-Requisite: Basic knowledge of Linux commands; Basic knowledge of reading and understanding Python scripts

Course Description: Malware often uses a machine's auto-start mechanisms to persist, reloading at system startup or on a pre-defined schedule. On Linux, this mechanism is the cron job scheduling facility, which attackers often use to ensure they maintain their connection to the infected server or machine. Learn to use your crontab on a Linux machine and advance your abilities to detect persistence in Linux.

Share Lock Ransomware Labs

Training Objective: In this complete live-fire attack, you must construct a complete and accurate chain of events, from delivery to encryption, as you conduct a full forensic investigation of an ongoing ransomware attack. During the course of your investigation you will encounter multiple challenges, as you would in real life, and learn to deploy different methods to prevent another ransomware threat.

Pre-Requisite: Familiarity with McAfee ePO; Familiarity with network forensics; Familiarity with Windows forensics; Experience working with MySQL databases; Experience with reverse engineering; Experience working with firewalls

Course Description: With organizations across the world being hit by ransomware attacks, it is imperative that you understand how to counter the threat. In this complete live-fire attack, you must construct a complete and accurate chain of events, from delivery to encryption, as you conduct a full forensic investigation of an ongoing ransomware attack. During the course of your investigation you will encounter multiple challenges, as you would in real life, and learn to deploy different methods to prevent another ransomware threat.

Supply Chain Labs

Training Objective: Your team’s job will be to investigate an alert regarding leaked data from your organization. During your investigation you will learn to locate the source of the leak, detect evasive techniques, and restore your network to normal operating activity.

Pre-Requisite: Knowledge of the main log sources (Windows, firewalls, AV, servers, Linux, etc.); Experience working with Security Information and Event Management (SIEM); Basic knowledge of cyber-attacks and attackers' TTPs (tactics, techniques, and procedures); Experience working with process investigation tools; Familiarity with network forensics

Course Description: Cybercriminals often take advantage of an organization's trusted vendors as a means to gain access to the internal network of their victims. These attacks target the organization's weakest link: trusted vendors with privileged access, like SolarWinds. Your team's job will be to investigate an alert regarding leaked data from your organization. During your investigation you will learn to locate the source of the leak, detect evasive techniques, and restore your network to normal operating activity.

Trojan Share Privilege Escalation Labs

Training Objective: Forensic analysis: from discovering the privilege escalation technique used by the attacker, to conducting a forensic investigation on the SQL Server and decoding the suspicious data found, trainees will face a major data breach resulting in the leakage of the organization's top-secret files.

Pre-Requisite: Experience working with firewalls; Familiarity with Windows forensics; Experience working with Security Information and Event Management (SIEM); Familiarity with Microsoft SQL Server (MSSQL) management

Course Description: A major data breach occurs almost every day, and some breaches are not discovered until days, months, or even years after they occur. From discovering the privilege escalation technique used by the attacker, to conducting a forensic investigation on the SQL Server and decoding the suspicious data found, trainees will face a major data breach resulting in the leakage of the organization's top-secret files.