In & Out – Detection as Code vs Adversary Simulations – Purple Edition

Course Description

In & Out – Detection as Code vs Adversary Simulations – Purple Edition is an advanced lab-based training created to present to participants:

  • The significance of security event correlation, including context, to reduce the number of false positives and improve detection of adversary activities
  • Advanced detection methods and techniques against exfiltration and lateral movement, including event mapping, grouping, and tagging
  • The tactics and behaviours of the adversary after gaining initial access to the network (Linux/Windows)
  • Detection methods for C2 traffic, tunnelling, hiding, pivoting and custom, simulated malicious network events
  • The capabilities of many popular Open Source tools and their integration with 3rd party security (IDS/IPS/WAF/EDR/FPC) and analytics solutions against adversaries' C2-based actions
  • Verification methods and techniques for product and service providers from the IT security space in terms of internal testing and PoC / PoV programs

The primary goal of this training is to generate offensive attack events/symptoms within the PurpleLABS infrastructure that should later be detected by an Open Source SOC stack, including Sigma – the open standard for describing log events as detection rules – and the rest of the dedicated, open-source security solutions in use. In this way, participants will thoroughly familiarize themselves with the content and structure of the available Sigma detection rules, better understand the essence of offensive actions, learn the low-level relationships between data sources, and thus gain the knowledge needed to create their own detection rules and eventually bypass them. We call this approach ‘Flip mode’, i.e. learning detection through the attack in an attractive, standardized form driven by the Open Source community. In addition, participants will use a whole range of open-source (and free commercial) solutions dedicated to SOC environments. 

We believe that the unique approach of ‘Detection as Code vs Adversary Simulations’ in a condensed format will raise the level of knowledge in the field of RED / BLUE / PURPLE for both experienced specialists and beginners while maintaining the attractiveness and pleasure of the performed tasks – detection does not have to be boring and tedious! 

Virtual infrastructure 

This training is based on PurpleLABS – a dedicated virtual infrastructure for detecting and analysing attackers’ behaviour in terms of the techniques, tactics, procedures, and offensive tools used. The environment has been set up to serve the constant improvement of competences in the field of threat hunting and learning about current trends in offensive actions (red-teaming) vs detection phases (blue-teaming). 

PurpleLABS provides analytical interfaces for all relevant data sources from individual systems and network services available in the virtual infrastructure (sysmon, windows events, fw, bro, suricata, fpc, osquery, auth, powershell, waf, proxy, audit, and more). 

That said, you will get a chance to do *bonus* detection and hunting steps against all the offensive labs we have available during the training. The coolest thing is that after the training you will get an additional 14 days of access to PurpleLABS! Just take a look: https://www.defensive-security.com/purplelabs/ 

Key Learning Objectives 

  • Learn ways to improve your detection and event correlation skills across many different data sources
  • Find malicious activities and identify threat details on the network
  • Prepare your SOC team to filter out network noise quickly and allow for better incident response handling
  • Profile your critical OS and network segments in terms of ‘normal vs exotic’ behaviour
  • Find out how DFIR / IR Open Source Software can support your SIEM infrastructure
  • Learn current trends, techniques, and tools for network exfiltration and lateral movement
  • Understand the value of DLP / IDS / IPS / FW / WAF / Memory Forensics against real adversary lab scenarios
  • Understand the value of an automated approach to simulating attackers and generating anomalies
  • Identify blind spots in your network security posture

If these objectives match your needs, then this training is for you! 

Course contents

Introduction to Adversary Simulations and Open Source Attack Emulation projects:

  • Atomic Red Team 
  • PurpleSharp 
  • RTA 
  • APT simulator 
  • Dumpster Fire 
  • Firebolt 
  • Flightsim 
  • BYOB 
  • Metta 
  • Infection Monkey 
  • Caldera and more

PCAP Exfiltration CTF-style challenge

MITRE ATT&CK Framework & Sigma rules → detection map based on recent examples of chained attack scenarios. 

Finding malicious artifacts using yara, ssdeep, Volatility and memtriage: 

  • How yara works and why it could be your best friend 
  • Yarascan + Volatility Framework 
  • memtriage 
  • Yara vs webshells 

Collecting, analyzing and correlating data from different data sources using: 

  • Splunk 
  • Hunting ELK 
  • Wazuh 
  • Graylog 
  • Netflow 
  • Zeek IDS 
  • Suricata IDS 
  • Moloch 
  • Auditd / go-audit 
  • eBPF 
  • OSquery 
  • Velociraptor 

Windows Sysinternals Suite: 

  • Sysmon:
    • Process execution events
    • Network connection events
    • Image load events
    • Named pipe events
    • WMI events
    • PsExec events
  • Process Explorer
  • Process Monitor
  • Autoruns
  • Evidence traces of file download and execution:
    • cmd.exe
    • HTA
    • JS
    • VBS
    • WSF
    • JSE
    • CSharp
    • certutil
    • PowerShell
    • Bitsadmin
  • Shellcode injection techniques
  • WebDAV / SMB / NFS share mapping

Low-level Linux security tracing and profiling for critical services: 

  • eBPF 
  • sysdig 

Playing with Zeek IDS / Suricata IDS for anomaly detection → finding malicious artifacts at the network level: 

  • The importance of a network baseline for high-risk environments
  • Virtual SPAN / TAP and NetFlow on Open vSwitch
  • Feature definition and extraction
  • bro-cut syntax
  • Bro Script Index
  • Client / server fingerprinting:
    • JA3
    • HASSH
  • Security feature extraction per many different network protocols

Detection and traces of C2 and network exfiltration techniques → use cases: 

  • ICMP 
  • TCP / UDP 
  • SSL / TLS 
  • DNS / DoH / DGA / anomalies 
  • HTTP / HTTP2 / QUIC 
  • LDAP Exfil 
  • Dropbox / Twitter / Google / Mozilla / Discord / Slack 
  • SMB bind named pipes 
  • Legitimate website covert channel 
  • Intelligent HTTP C2 Redirection 
  • Port knocking 
  • Domain fronting 
  • ngrok / shooter 
  • Egress testing and common network traffic on non-standard ports

Detection and traces of C2 post-exploitation and lateral movement → use cases: 

  • AD Reconnaissance / AD Snapshot 
  • Bloodhound artifacts 
  • Golden Ticket 
  • Silver Ticket 
  • Kerberoasting 
  • RPC over TCP/IP 
  • DCsync / DCShadow 
  • Mimikatz agent/server 
  • Pass The Hash 
  • SMBexec 
  • Invoke-WMI 
  • WinRM 
  • Invoke-PSexec 
  • PSRemoting 
  • RDP wrapping 
  • Offensive PowerShell:
    • WMI multiple sessions
    • Remote network relaying
    • Copy VSS
    • Keylogging
    • LSA secrets extraction
    • Sandbox / virtual environment detection
    • UAC bypassing
    • Poisoning LLMNR, NBT-NS, MDNS, WPAD and WSUS
    • SMB ransomware detection
    • Browser pivoting
    • SSH Tunneling and pivoting
    • RDP Tunneling and pivoting / RDP Inception

Detection of brute-force attacks → use cases: 

  • SQL 
  • AD / Kerberos 
  • SSH 
  • Web Apps 

Windows Malware Persistence Methods: 

  • Service 
  • Winlogon registry entries 
  • Run / RunOnce 
  • Scheduled Tasks 
  • Startup Folder 
  • WMI 
  • DLL 

Linux Malware Persistence Methods: 

  • Service 
  • Startup scripts 
  • SSH magic password 
  • Port knocking / iptables 
  • Kernel modules 

Describing relevant log events and creating detection rules in a generic and open signature format → Sigma rules:

  • Application 
  • APT 
  • Linux 
  • Network 
  • Proxy 
  • Web 
  • Windows 

Who should take this course?

  • Red and Blue team members 
  • Security / Data Analysts
  • CIRT / Incident Response Specialists 
  • Network Security Engineers 
  • SOC members and SIEM Engineers 
  • AI / Machine Learning Developers 
  • Chief Security Officers and IT Security Directors

Requirements

  • An intermediate level of command-line experience using Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploitation, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Hardware / Software Requirements 

  • VPN client installed according to the VPN Setup instructions
  • Slack account, as an invite to the dedicated training channel will be sent
  • Stable internet connection
  • Recommended:
    • Zoom client installed
    • HD camera for 1:1 contact with the instructor and the rest of the participants. Even virtually, let’s feel like we are in the same classroom :)

Comment: This training is based on dedicated PurpleLABS cloud infrastructure, so there are no special requirements for the student’s desktop. No more initial setup issues, just a pure training experience!

Trainer Biography

Leszek Miś is the Founder of Defensive Security (www.defensive-security.com), Principal Trainer and Security Researcher with over 16 years of experience in the cyber security and open source security solutions market. He went through the full path of infosec career positions: from OSS researcher, Linux administrator, system developer and DevOps engineer, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European and global market, to finally become an IT Security Architect / SOC Security Analyst with a deep, vendor-neutral focus on network security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments, and thoroughly understands the technology and business value of delivering a structured, automated adversary simulation platform. 

Recognized speaker and trainer at: BruCON 2017/2018, Black Hat USA 2019, OWASP AppSec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019/2020, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL 

Member of the OWASP Poland Chapter. 

Author of many IT security training courses: 

  • Open Source Defensive Security The Trinity of Tactics for Defenders 
  • In & Out Network Exfiltration and Post-Exploitation Techniques [RED EDITION] 
  • In & Out Detection of Network Exfiltration and Post-Exploitation Techniques [BLUE EDITION] 
  • System Internals – Network, OS and Memory Forensics 
  • SELinux Development & Administration of Mandatory Access Control Policy 
  • Advanced RHEL/CentOS Defensive Security & Hardening 
  • ModSecurity Development and Management of Web Application Firewall rules 
  • FreeIPA Identity Management for Linux Domain Environments & Trusts 

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect. 

His areas of interest include network “feature” extraction, OS internals and forensics. He constantly tries to figure out what the AI/ML network security vendors are actually selling. In his free time he likes to break into the “IoT world” just for fun. Still learning hard every single day. 

Social Media

Twitter: @cr0nym

Blog: https://www.defensive-security.com