Adversary Tactics: Detection

SpecterOps | August 4-5 & August 6-7


Enterprise networks are under constant attack from adversaries of all skill levels. Blue teamers are facing a losing battle, as the attacker only needs to be successful once to gain access. Since the scales are heavily tipped in the attacker's favor, a new defensive mindset is required. Rather than focusing just on preventing attacks from being successful, assume a breach could occur and proactively search for evidence of compromise in the environment. Malicious techniques used to spread laterally, pivot, and escalate privileges are not normal in networks and can be detected. A proper Threat Hunting program is focused on maximizing the effectiveness of scarce network defense resources to protect against a potentially limitless threat.

Threat Hunting takes a different perspective on performing network defense, relying on skilled operators to investigate and find the presence of malicious activity. This course builds on standard network defense and incident response (which target flagging known malware) by focusing on abnormal behaviors and the use of attacker Tactics, Techniques, and Procedures (TTPs). We will teach you how to create threat hunting hypotheses based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will use free and open source data collection and analysis tools (Sysmon, ELK, and the Automated Collection and Enrichment Platform) to gather and analyze large amounts of host information to detect malicious activity. You will use these techniques and toolsets to create threat hunting hypotheses and perform threat hunting in a simulated enterprise network undergoing active compromise from various types of threat actors.

The following topics will be covered in this course:

Day 1:
  • Threat Hunting Introduction
  • MITRE ATT&CK & Adversary TTPs
  • Pre-Hunt Activities
    • Data quality assessment
    • Environment host baseline configuration
  • Synthesize Threat Intelligence
  • Hunt Hypothesis Generation Process
    • Identify the Tactic & Technique
    • Identify the Procedures
    • Identify the Collection Requirements
    • Identify the Scope
    • Identify Excluded Factors
  • Post-Hunt Activities
    • Program Metrics
    • Enhance SOC Capabilities

Day 2:
  • Indicator Triage
    • Digital Signature Validation
    • Third Party Intelligence
    • Basic Static Analysis
  • Develop Multiple Hunt Hypotheses
    • Develop threat hunting hypotheses to detect malicious activity in the environment
  • Threat Hunting Execution - Implement your hypothesis
    • Data Collection
    • Data Analytics
  • Capstone - Open threat hunting engagement in live network with ongoing malicious activity

Who Should Take this Course

This class is intended for defenders wanting to learn how to effectively hunt in enterprise networks. Participants should have previous network defense/incident response experience and/or knowledge of offensive tools and techniques, primarily post-exploitation techniques. Additionally, familiarity with using a SIEM, such as ELK or Splunk, will be helpful.

Student Requirements

Please see the "Who Should Take This Course" section.

What Students Should Bring

Students will be supplied with a customized virtual machine that includes all tools needed to perform the training. Students need to bring a laptop with at least 8 gigabytes of RAM, the ability to run a virtual machine (VMware Fusion, Player, or Workstation), and a wireless network adapter.

What Students Will Be Provided With

Students will be provided connections into the labs and all course materials in PDF form.


Jared is a security researcher who specializes in Digital Forensics and Incident Response. Recently, he has been building and leading private sector Hunt Operations capabilities. In his previous life, Jared led incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of PowerForensics and Uproot, and maintains a DFIR focused blog at http://www.invoke-ir.com.

Roberto Rodriguez is a Senior Threat Hunter at SpecterOps where he specializes in the development of analytics to detect advanced adversary techniques. His experience performing incident response and threat hunting engagements in various industries has encouraged him to help organizations improve their security posture and share his knowledge with the information security community. He is also the author of several open source projects, such as the Threat Hunter Playbook and HELK, to aid the community development of techniques and tooling for hunting campaigns. He currently maintains his blog at https://cyberwardog.blogspot.com.

Robby Winchester is the Adversary Detection Lead at SpecterOps, leading Threat Hunting, Breach Assessment, and physical security assessments. Over the course of Robby's career, he has developed and supervised penetration testing, physical security, and breach assessments for several private-sector and government clients. Previously Robby worked for the U.S. Air Force Information Aggressors, providing full-scope network and physical red team operational assessments, and further worked integrating information security operations with traditional military operations for the U.S. Air Force's RED FLAG exercise. Robby has presented at DerbyCon, Black Hat Arsenal, and Black Hat Europe, as well as co-authoring the Automated Collection and Enrichment (ACE) Platform.