Active Deception for Red and Blue Teams

Pentester Academy | August 4-5 & August 6-7


Defending an enterprise network is increasingly challenging. With many components and integrations, implicit trusts, third-party applications, multiple operating systems, backward compatibility and legacy applications present in a network, an adversary often needs only one weak default, misconfiguration or abusable feature to get a foothold. Once a foothold is available, adversaries can move laterally and abuse features and trust relationships to reach key information and data. This can be done by "living off the land", using only the built-in tools of the operating system.

The days of merely reacting to an attack are past. Defenders and Blue Teams must exploit the attacker mindset of going for "the lowest hanging fruit". Deception makes it possible to detect an adversary and shape the path they take, with fewer false positives and greater certainty than most telemetry-based detections, and it reveals what the adversary actually wants from your network. Deception also clearly raises the cost of an attack for the adversary.

In this training, we will understand, learn, implement and design different types of deception and the use of decoys, lures, canaries, honey accounts, honeytokens and much more. We will use built-in OS tools and scripts to deploy deception techniques enterprise-wide quickly, both with and without agents on endpoints. We will cover some unique deception techniques alongside established ones.

Deception for Red Teams will also be practiced. Red Teams have long used deception effectively, through social engineering, phishing, fake documents and other attacks. We will practice some of these attacks but focus more on identifying Blue Team deception and on counter-deception. We will also examine case studies in which deception techniques stopped advanced adversaries.

Some of the deception techniques used in the course:
  • Documents – MS Office and others
  • Files – Trusted executables, scripts and more
  • Active Directory – Groups, SPNs, ACLs and more
  • Credentials – Windows, SSH, AD
  • Databases – data, credentials and more
  • Host and Enterprise applications
  • Designing deception
  • Wireless Deception
  • Identification
  • Rapid deployment at scale using WMI and PowerShell
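As an added illustration of two items on this list (an Active Directory SPN decoy and scripted deployment with PowerShell), and not part of the course material itself, the following script creates a Kerberoasting lure and then looks for the Kerberos service-ticket requests that betray an attacker. The account name, SPN, OU and domain are assumptions; a real deployment would pick names that blend in with the existing service accounts.

```powershell
# Added example (not course material): a Kerberoasting lure in Active Directory.
# Assumptions: the ActiveDirectory module is available, the caller can create users in
# the target OU, and 'Audit Kerberos Service Ticket Operations' (Success) is enabled on
# the domain controllers so that event 4769 is logged.
Import-Module ActiveDirectory

$DecoyName = 'svc-backup-legacy'                                # assumed decoy account name
$DecoySpn  = 'MSSQLSvc/bkp-sql01.corp.example.com:1433'         # assumed SPN; the host need not exist
$DecoyOu   = 'OU=Service Accounts,DC=corp,DC=example,DC=com'    # assumed OU

# A roasted TGS is encrypted with the account's NT hash, so a long random password
# guarantees the attacker learns nothing except that they have tripped a wire.
$Bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$Password = ConvertTo-SecureString ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force

New-ADUser -Name $DecoyName -SamAccountName $DecoyName -Path $DecoyOu `
    -Description 'Legacy backup service account - do not delete' `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -ServicePrincipalNames @($DecoySpn)

# Detection: no legitimate client ever requests a service ticket for this account,
# so every 4769 naming it is an alert. In 4769 the ServiceName field carries the
# service account's sAMAccountName, and TicketEncryptionType 0x17 (RC4) is the
# downgrade that common Kerberoasting tools request.
function Get-DecoySpnRequests {
    param(
        [string]$Account = $DecoyName,
        [string]$DC      = $env:LOGONSERVER.TrimStart('\')   # assumed: query the logon DC
    )
    Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4769 } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            if ($data.ServiceName -eq $Account) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Requester = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    ClientIp  = $data.IpAddress
                    EncType   = $data.TicketEncryptionType
                }
            }
        }
}

Get-DecoySpnRequests | Format-Table -AutoSize
```

Querying the Security log on each domain controller directly is fine for a lab; at enterprise scale the same ServiceName match belongs in the SIEM rule that already ingests 4769 from all DCs. The 4769 record also tells you the requesting account and source address, which is exactly the "what does the adversary want and where are they" information the course description refers to.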

Who Should Take this Course

Network administrators, security researchers, red-blue teams, pentesters

Student Requirements

Basic understanding of Windows domains

What Students Should Bring

A laptop with at least 4 GB RAM, the ability to install an OpenVPN client, and an RDP client for connecting to Windows hosts.

What Students Will Be Provided With

Attendees will get one month of free access to a lab that mimics an enterprise network, usable during and after the training.

One month subscription to Pentester Academy


Sahir Hidayatullah is the CEO of Smokescreen, one of the industry's leading deception technology companies. He developed one of the first commercial memory forensics solutions for rootkit and stealth malware detection, and has delivered workshops on deception, red-teaming, and digital forensics for numerous premier institutions. He is a regular speaker on cyber deception strategy, including a keynote session at RSA Abu Dhabi 2016. Sahir is a serial cybersecurity entrepreneur whose past ventures have undertaken red team assessments and performed incident response for multiple data breaches. His work has been a cover story in Fortune Magazine, India, and he's often quoted on cybersecurity in print and television media.