Talk With an Expert

SEC504: Hacker Tools, Techniques, and Incident Handling

SEC504Offensive Operations
  • 6 Days (Instructor-Led)
  • 38 Hours (Self-Paced)
Course authored by:
Joshua Wright
Joshua Wright
Course authored by:
Joshua Wright
Joshua Wright
  • GIAC Certified Incident Handler Certification (GCIH)
  • 38 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 30 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Transform your incident response skills; think like an attacker as you investigate cybersecurity incidents, develop threat intelligence, and apply defense strategies against real-world threats.

Course Overview

SEC504 training is our flagship incident handling course that equips you with essential incident response skills to detect, respond to, and neutralize threats across Windows, Linux, and cloud platforms. With a focus on hands-on learning, you'll engage in immersive labs to simulate real-world breaches, enhancing your ability to think like an attacker and improve your organization's security posture. This course provides practical skills in Cyber Threat Intelligence (CTI) and threat defense strategies that can be applied immediately.

What You’ll Learn

  • Respond effectively to incidents to limit damage
  • Evaluate breach evidence to determine compromise scope
  • Identify shadow cloud systems and other potential threats
  • Use attack tools to assess cloud and on-premises exposure
  • Apply defenses to enhance security and stop attacks
  • Test defense tools for effectiveness
  • Develop threat intelligence by analyzing attacker tactics

Business Takeaways

  • Adopt a dynamic and holistic incident response strategy
  • Strengthen cloud security posture
  • Leverage automation and AI to accelerate response
  • Understand and counter advanced attacker tactics
  • Protect critical assets with proactive defense strategies
  • Enhance threat detection with multi-layered analysis

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC504: Hacker Tools, Techniques, and Incident Handling.

Section 1Incident Response and Cyber Investigations

The first section covers building an incident response process using the Dynamic Approach to Incident Response (DAIR) to verify, scope, contain, and remediate threats. Through hands-on labs and real-world examples, you’ll apply this method with tools like PowerShell and learn to accelerate analysis using generative AI without compromising accuracy.

Topics covered

  • Incident Response
  • Live Examination
  • Network Investigations
  • Memory Investigations
  • Malware Investigations

Labs

  • Live Windows examination
  • Network Investigation
  • Memory Investigation
  • Malware Investigation
  • WordPress Log Assessment

Section 2Scanning and Enumeration Attacks

This section explores attacker reconnaissance techniques, including open-source intelligence, network scanning, and target enumeration to identify security gaps. You’ll apply these tactics on Windows, Linux, Azure, and AWS targets, then analyze logs and evidence to detect attacks in real time.

Topics covered

  • MITRE ATT&CK® Framework Introduction
  • Network and Host Scanning with Nmap
  • Cloud Spotlight: Cloud Scanning
  • Server Message Block (SMB) Security
  • Defense Spotlight: Hayabusa and Sigma Rules

Labs

  • Host Discovery and Assessment with Nmap
  • Shadow Cloud Asset Discovery with Masscan
  • Windows Server Message Block (SMB) Security Investigation
  • Windows Password Spray Attack Detection
  • The Many Uses of Netcat

Section 3Password Attacks and Exploit Frameworks

This section covers key techniques for password compromises on on-premises and cloud systems, using tools like Legba, Hashcat, and Metasploit to simulate attacks and strengthen defenses. The insights gained help enhance practical defenses and inform incident response strategies.

Topics covered

  • Password Attacks
  • Microsoft 365 Attacks
  • Understanding Password Hashes
  • Password Cracking
  • Metasploit Framework

Labs

  • Using Legba for Password Guessing and Spray Attacks
  • Bypassing Microsoft 365 authentication defenses with Amazon AWS
  • Password Cracking with Hashcat
  • Metasploit Attack and Analysis
  • Client-side Exploitation with the Browser Exploitation Framework (BeEF)

Section 4Web Application Attacks

In this course section we'll begin our look at target exploitation frameworks that take advantage of weaknesses on public servers and client-side vulnerabilities.

Topics covered

  • Forced Browsing and IDOR
  • Command Injection
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Cloud Spotlight: SSRF and IMDS Attacks

Labs

  • Forced Browsing and Insecure Direct Object Resource (IDOR) Attack
  • Command Injection Attack
  • Cross-Site Scripting Attack
  • SQL Injection Attack
  • Server-Side Request Forgery (SSRF) and Instance Metadata Service (IMDS) Attack

Section 5Evasion and Post-Exploitation Attacks

This section covers advanced post-exploitation tactics, teaching how attackers bypass protections, establish persistence, and exfiltrate data from internal networks and vulnerable cloud deployments. You'll build analysis skills to detect and respond to these threats and apply them in real-world scenarios, preparing for long-term success and certification.

Topics covered

  • Endpoint Security Bypass
  • Pivoting and Lateral Movement
  • Hijacking Attacks
  • Establishing Persistence
  • Defense Spotlight: Real Intelligence Threat Analytics

Labs

  • Endpoint Protection Bypass: Bypassing Application Allow Lists
  • Pivoting and Lateral Movement with Command & Control Frameworks
  • Exploiting Windows as A Network Insider with Responder
  • Establishing Persistence with Metasploit
  • Network Threat Hunting with Real Intelligence Threat Analytics (RITA)

Section 6Capture-the-Flag Event

Our Capture-the-Flag event is a full day of hands-on activity that has you working as a consultant for ISS Playlist, a fictitious company that has recently been compromised.

Things You Need To Know

Relevant Job Roles

Protection

SCyWF: Protection And Defense

This role uses cybersecurity tools to protect information, systems and networks from cyber threats. Find the SANS courses that map to the Protection SCyWF Work Role.

Explore learning path

Technology Portfolio Management (OPM 804)

NICE: Oversight and Governance

Responsible for managing a portfolio of technology investments that align with the overall needs of mission and enterprise priorities.

Explore learning path

All-Source Analyst (DCWF 111)

DoD 8140: Intelligence (Cyberspace)

Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.

Explore learning path

Threat Analysis (OPM 141)

NICE: Protection and Defense

Responsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.

Explore learning path

Cybersecurity Curriculum Development (OPM 711)

NICE: Oversight and Governance

Responsible for developing, planning, coordinating, and evaluating cybersecurity awareness, training, or education content, methods, and techniques based on instructional needs and requirements.

Explore learning path

Cybersecurity Architect

European Cybersecurity Skills Framework

Plans and designs security-by-design solutions (infrastructures, systems, assets, software, hardware and services) and cybersecurity controls.

Explore learning path

Cyber Incident Responder

European Cybersecurity Skills Framework

Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.

Explore learning path

Systems Security Management (OPM 722)

NICE: Oversight and Governance

Responsible for managing the cybersecurity of a program, organization, system, or enclave.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us
  • Location & instructor

    Virtual (OnDemand)

    Instructed by
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Tallinn, EE

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    London, GB & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    £7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout
    Registration Options
  • Location & instructor

    Doha, QA & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Raleigh, NC, US & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Sydney, NSW, AU & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    A$13,350 AUD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Paris, FR

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Rome, IT

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Las Vegas, NV, US & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Mexico, MX & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
Showing 10 of 54

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources