Active Deception for Red and Blue Teams

Pentester Academy | August 4-5 & August 6-7


Defending an enterprise network is increasingly challenging. With the many components and integrations, implicit trusts, third-party applications, multiple operating systems, backward compatibility and legacy applications present in a network, an adversary often only needs to go for a weak default, a misconfiguration or a feature to get a foothold. Once a foothold is available, adversaries can move laterally and abuse features and trusts to gain access to key information and data. This can be done by "living off the land" and using only the built-in tools of an operating system.

The days of reacting to an attack are past. Defenders and Blue Teams must exploit the attacker mind-set of going for "the lowest hanging fruit". Deception provides the capability to detect and shape the path of an adversary, with fewer false positives and increased certainty, and reveals what an adversary wants to get from your network. Deception definitely increases the costs for an adversary.

In this training, we will understand, learn, implement and design different types of deception and the use of decoys, lures, canaries, accounts, tokens and a lot more. We will use built-in OS tools and scripts to quickly deploy deception techniques enterprise-wide, with and without agents on computers. We will see some unique deception techniques and also use existing ones.

Deception for Red Teams will also be practiced. Red Teams have been using deception very effectively: social engineering, phishing, fake documents and other attacks. We will practice some of these attacks but focus more on identifying deception deployed by the Blue Team and on counter-deception. We will also see case studies of stopping advanced adversaries using deception techniques.

Some of the deception techniques used in the course:
  • Documents – MS Office and others
  • Files – Trusted executables, scripts and more
  • Active Directory – Groups, SPNs, ACLs and more
  • Credentials – Windows, SSH, AD
  • Databases – data, credentials and more
  • Host and Enterprise applications
  • Designing deception
  • Wireless Deception
  • Identification
  • Rapid deployment at scale using WMI and PowerShell

Who Should Take this Course

Network administrators, security researchers, red-blue teams, pentesters

Student Requirements

Basic understanding of Windows domains

What Students Should Bring

System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.

What Students Will Be Provided With

Attendees will get one month of free access to a lab mimicking an enterprise network, during and after the training.

One month subscription to Pentester Academy


Phil was born at an early age. He cleaned out his savings as a boy in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015). Phil has also published books on Linux Forensics (Pentester Academy, 2015), USB Forensics (Pentester Academy, 2017), and Windows Forensics (Pentester Academy, 2016). Phil is a recognized expert in several areas of information security including hardware hacking, Linux forensics, Windows forensics, USB forensics, and hacking with networks of small, low-power devices. He has shared his expertise worldwide through numerous speaking and training engagements. These include multiple appearances at some of the top conferences including BlackHat, DEFCON, 44CON, GrrCON, B-sides, and many others. Prior to entering academia, Phil held several high-level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, skydive, teach others to fly and skydive, hack electronics (find his Daddy and Daughter Electronics show on YouTube), build things (find his Two Philips, Two ShopSmiths show on YouTube), and has been known to build airplanes.

Sahir Hidayatullah is the CEO of Smokescreen, one of the industry's leading deception technology companies. He developed one of the first commercial memory forensics solutions for rootkit and stealth malware detection, and has delivered workshops on deception, red-teaming, and digital forensics for numerous premier institutions. He is a regular speaker on cyber deception strategy, including a keynote session at RSA Abu Dhabi 2016. Sahir is a serial cybersecurity entrepreneur whose past ventures have undertaken red team assessments and performed incident response for multiple data breaches. His work has been a cover story in Fortune Magazine, India, and he's often quoted on cybersecurity in print and television media.