homepage
Open menu
beta

SEC586: Blue Team Operations: Defensive PowerShell

Register Now Course Demo
  • In Person (6 days)
  • Online
36 CPEs

Are you a Blue Teamer who has been asked to do more with less? Do you wish you could detect and respond at the same pace as your adversaries who are breaking into and moving within the network? SEC586: Blue Team Operations: Defensive PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defenses. This course will provide you with skills for near real-time detection and response and elevate your defenses to the next level.

Course Authors:
Josh Johnson
Josh Johnson
Certified Instructor
What You Will LearnSyllabusPrerequisitesLaptop RequirementsAuthor StatementTraining & Pricing

What You Will Learn

Effective Blue Teams work to harden infrastructure, minimize time to detection, and enable real-time response to keep pace with modern adversaries. Automation is a key component to facilitate these capabilities, and PowerShell can be the glue that holds together and enables the orchestration of this process across disparate systems and platforms to effectively act as a force multiplier for Blue Teams. This course will enable Information Security professionals to leverage PowerShell to build tooling that hardens systems, hunts for threats, and responds to attacks immediately upon discovery.

PowerShell is uniquely positioned for this task of enabling Blue Teams. It acts as an automation toolset that functions across platforms and it is built on top of the .NET framework for nearly limitless extensibility. SEC586 maximizes the use of PowerShell in an approach based specifically on Blue Team use cases.

Students who take SEC586 will learn:

  • PowerShell scripting fundamentals from the ground up with respect to the capabilities of PowerShell as a defensive toolset
  • Ways to maximize performance of code across dozens, hundreds, or thousands of systems
  • Modern hardening techniques using Infrastructure-as-Code principles
  • How to integrate disparate systems for multi-platform orchestration
  • PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation to deception
  • Response techniques leveraging PowerShell-based automation

This course is meant to be accessible to beginners who are new to the PowerShell scripting language as well as to seasoned veterans looking to round out their skillset. Language fundamentals are covered in-depth, with hands-on labs to enable beginning students to become comfortable with the platform. For skilled PowerShell users who already know the basics, the material is meant to solidify knowledge of the underlying mechanics while providing additional challenges to further this understanding.

The PowerPlay platform built into the lab environment enables practical, hands-on drilling of concepts to ensure understanding, promote creativity, and provide a challenging environment for anyone to build on their existing skillset. PowerPlay consists of challenges and questions mapping back to and extending the course material.

Between the course material and the PowerPlay bonus environment, SEC586 students will leave the course well equipped with the skills to automate everyday cyber defense tasks. You will return to work ready to implement a new set of skills to harden your systems and accelerate your capabilities to more immediately detect and respond to threats.

Syllabus (36 CPEs)

  • Overview

    Even for seasoned PowerShell users, a deep and robust understanding of the language fundamentals can be incredibly powerful for writing more efficient, readable, and usable code. Section 1 of the course focuses on building a solid foundation upon which more complex use cases can then be constructed. With a focus on Blue Team specific functions, well frame the discussion around the PowerShell basics in terms that will be immediately useful for students. For example, common data structures are discussed as a fundamental aspect of PowerShell and immediately applied as Blue Team triage and analysis tactics. This base is built from the ground up and accessible to students with no prior scripting experience, but with enough nuance to shed light on the "why does it work this way" question for more seasoned PowerShell users. For professionals already familiar with the basic concepts, PowerPlay offers an interactive, out-of-band challenge system for students to drill various concepts and techniques related to the course material.

    Exercises
    • Hands-on PowerShell: Get comfortable with PowerShell cmdlets, objects, and the pipeline to start making meaningful tools
    • Triage the VM: Quickly understand the state of a system, from networking details to process execution and removable devices
    • Scripting in PowerShell: Leverage an understanding of the language basics to build high-quality tooling that will be supportable by Blue Teams
    • Debugging: Save time and frustration, easily identifying complex bugs in PowerShell through built-in debugging capabilities and Pester tests
    • Source Control: Become familiar with Git concepts to effectively manage version control
    Topics

    Getting to Know PowerShell

    • Background and history
    • Why PowerShell is such a good fit for Blue Teams
    • How to use commands and find them
    • Objects and pipelines as PowerShell differentiators
    • Extending PowerShell with .NET

    Blue Team Use Cases

    • Network inspection
    • Triage at the operating system level
    • File discovery and inspection

    Language Basics

    • Variables, data structures, and flow control
    • Input and output
    • Functions and script blocks

    PowerShell Environment

    • Customizing the console
    • Common development environments

    Debugging

    • Static code analysis
    • Tracing and breakpoints
    • Helpful tools like Pester and PSScriptAnalyzer

    Source Control

    • Git terminology
    • Creating repositories and branches
    • Managing code with pull requests
    • Driving release pipelines from source control
  • Overview

    PowerShell-based automation provides a unique, cross-platform mechanism for improving Blue Teams' speed of execution. This course section begins with a discussion on best practices to ensure code is highly functional, readable, and supportable. Students will leave with a deep understanding of how PowerShell works under the hood, but also with a sense of how to build tools that can be supported by team members less familiar with PowerShell.

    This section transitions into taking the fundamentals and executing them at scale. PowerShells remoting capabilities are flexible and nuanced, allowing for fine-tuning of code that needs to be executed against a fleet of systems. This section discusses PowerShell remoting capabilities and how to best use them to accomplish Blue Team use cases, from analysis and triage to response.

    Next, a performance section addresses important aspects of PowerShell. Given its object-oriented nature, PowerShell is sometimes criticized for poor performance. However, if you understand the fundamentals, it becomes clear that very simple tweaks can optimize performance and reduce the overhead associated with these critiques. This section discusses optimizing code so that it is efficient both locally and once scaled out to a fleet of systems.

    The section continues into building integration with other systems. With modern API-driven orchestration, PowerShell can glue together multiple systems for better troubleshooting, investigation, detection, and response. This understanding can unlock functionality that would not otherwise be possible between disparate systems.

    Finally, protection, analysis, triage, and response techniques driven by PowerShell are enabled by Interactive Notebooks where analysts can combine documentation and executable code. Jupyter Notebooks and VS Code's .NET Interactive Notebooks are leveraged to help build PowerShell-based tooling that can be understood and executed by even novice analysts unfamiliar with PowerShell.

    Exercises
    • PowerShell Remoting: Understand how to run remote commands in a way that scales, and build a model for secure remote access
    • Writing Usable PowerShell: Measure the impact of poorly versus well-written PowerShell, and leverage jobs and runspaces and compare performance
    • Integrating Technologies: Build an API-based integration
    • Interactive Notebooks: Build a triage notebook using VS Code and Jupyter
    Topics

    Best Practices

    • Maximizing readability and reusability of code
    • Designing tools with modularity in mind
    • Handling unexpected conditions when working at scale

    Remote Management

    • PowerShell remoting basics and the underlying protocols
    • Running remote commands
    • Managing remote sessions
    • Remoting endpoints/constrained endpoints
    • Enabling WinRM-based and cross-platform remoting
    • Designing around the double-hop problem

    PowerShell Performance

    • Coding techniques to maximize PowerShell performance
    • Remoting performance tweaks
    • Concurrency using native features

    Integrations

    • Making HTTP requests

      • Web scraping

      • API calls
    • Authentication
    • Handling session tokens
    • Non-HTTP based integrations

    Interactive Notebooks

    • Jupyter Notebooks use cases
    • PowerShell on Jupyter/.NET Interactive
    • Use cases and implementation
  • Overview

    Now that we have a strong understanding of the fundamentals, this course section focuses on ways to weaponize PowerShell both from an offensive and defensive perspective. The section begins with a focus on offensive PowerShell use cases. Threat actors have long used PowerShell as an attack platform, delivering fileless malware and living off the land using built-in capabilities. The next section turns this discussion around and focuses on the Blue Team aspects of controlling PowerShell execution.

    The section then dives deep into log analysis and data parsing and discovery. The goal is to maximize the utility of native features of operating systems and applications while fully understanding how to find important data. If Blue Teams can identify sensitive data in unexpected locations, those data can be handled or protected properly.

    The section concludes with a discussion of PowerShell as a platform to enable Blue Teams to work within DevOps development practices. As modern development teams transition practices, Blue Teams must adapt. Automation plays an important role in this process, as Blue Teams fight to scale capabilities to match modern development frameworks. PowerShell provides this automation platform and can be the catalyst to enable continuous assurance of critical business services.

    Exercises
    • Offensive PowerShell: Build a fileless keylogger that automatically exfiltrates keystrokes to cloud storage
    • Controlling PowerShell: Analyze the impact of a stronger security posture surrounding PowerShell usage in the enterprise
    • Efficient Log Analysis: Understand how to efficiently analyze and filter Windows events and plaintext log files, and find attacks within sample log files
    • Parsing and Discovery: Build tools to extract important data from unstructured text-based logs and use these same techniques for sensitive data discovery
    • DevOps: Leverage PowerShell as an orchestration engine, building containers for automated web application scanning and identifying potentially compromised containers in the environment
    Topics

    Offensive PowerShell

    • Common tactics used by attackers leveraging PowerShell
    • Fileless implementation techniques
    • .NET utilization by PowerShell-based attack tools

    Controlling PowerShell

    • Limiting attack surface on PowerShell-enabled systems
    • Controlling, not attempting to block, PowerShell in the enterprise
    • Just Enough Administration for enabling secure usage of administrative PowerShell sessions

    Log Analysis

    • Enabling appropriate logging
    • Reading and filtering Windows Event Logs
    • Reading and filtering plaintext logs

    Text Parsing

    • Regular expressions and string operations to enable efficient parsing

    DevOps

    • Automating static and dynamic application security testing
    • Pipeline assurance automation
    • Container interaction, security assessment, and triage
  • Overview

    This course section focuses on better understanding one's own environment, maximizing visibility and testing defensive capabilities using PowerShell. The section begins with in-depth discussions on hardening infrastructure and maximizing visibility and detection capabilities. For basics such as ensuring that proper access controls exist, the theory is simple. But using traditional techniques, scaling in practice is difficult. With an automation platform like PowerShell, hardening and auditing practices can be scaled with ease, providing consistent assurance.

    Next, Desired State Configuration, PowerShells configuration-as-code utility, can be used to consistently define and configure infrastructure using PowerShell to help ensure system integrity. Additional hardening techniques are discussed based on maximizing native security functionality.

    The section then turns to improving understanding of visibility and detection capabilities in a repeatable format via automated testing techniques that provide for a reliable and repeatable means of measuring capabilities. The focus here is to use PowerShell as a testing utility to identify visibility and detection gaps both in preventive and detective controls, but also in operational processes.

    Finally, a common challenge faced by Blue Teams is the overwhelming amount of data generated by endpoints and security tooling. While large volume is meant to facilitate proper detection, it can be interpreted as noise and actually harm an organizations ability to detect threats. Well discuss analysis techniques that use PowerShell to filter through some of this noise and provide the ability to make better decisions based on available data.

    Exercises
    • Advanced Detections: Leverage native functionality to maximize hardening efforts with a focus on enabling efficient detection
    • Desired State Configuration: Leverage DSC to harden a system and turn it into an incident response powerhouse
    • Measuring Visibility with Atomic Red Team: Leverage Atomic Red Team to test and maximize visibility
    • Analyzing Large Data Sets: Quickly make sense of large volumes of data using statistical analysis, and leverage custom PowerShell to create unique PowerShell objects meant to solve specific problems
    Topics

    System Hardening

    • Filesystem and registry controls
    • Management of native endpoint functionality

    Desired State Configuration

    • Benefits of Configuration as Code
    • DSC architecture and deployment options
    • DSC syntax
    • Finding, building, and implementing DSC resources
    • Workflow and use cases

    Know Thyself

    • Understanding operational capabilities
    • Visibility analysis
    • Testing compliance with and the visibility of the CIS Critical Security Controls against MITRE ATT&CK

    Analyzing Large Data Sets

    • Feeding data to SIEMs and Big Data systems
    • Analysis techniques to identify events of interest
    • N-Gram analysis for identifying unusual strings
    • PowerShell class structure and implementation
  • Overview

    With hardening and protection mechanisms now having been covered, this course section focuses entirely on detection and response strategies enabled by PowerShell automation.

    Advanced detection techniques such as Event Tracing for Windows and deception on endpoints and the network are implemented to provide deep visibility and weaponize existing infrastructure against threat actors. These techniques can be automated at scale to turn a "normal" enterprise network into a mine field, providing deep visibility to Blue Teams while forcing an attacker to work even more slowly and methodically to evade detection.

    Baselining is layered on top of these techniques to provide an ability to understand normal operating circumstances and identify outliers from that dataset. Baseline deviation detection and file integrity monitoring techniques are implemented in a way that is supportable at scale and, of course, automated using PowerShell.

    The course section concludes by covering response techniques meant to maximize visibility and help an operations team better understand if anomalous conditions warrant further containment and investigation. Once malicious intent is identified, response techniques focused on containment can be automated to mitigate additional harm. Layering these response techniques inside of automation playbooks can ensure proper response, containing threats but also enabling teams to quickly identify false positives and avoid unnecessary end-user friction and business impact.

    Exercises
    • Event Tracing for Windows: Become familiar with ETW providers and their use for detection purposes
    • Baseline Analysis: Build a baseline object that protects integrity while profiling network and user behavior
    • Deception: Implement several deception techniques to identify attacker behavior
    • Response - Visibility: Build automation to more quickly understand context around an event
    • Response - Containment: Build automation to more quickly contain threats
    Topics

    Event Tracing for Windows

    • Architecture and Blue Team use cases
    • Providers
    • Trace sessions
    • Packet captures in PowerShell
    • ETW tampering and detection

    Baselining

    • Converting baseline data to objects and storing them securely
    • Strategies to create baselines
    • Types of baselines and implementations
    • PowerShell-based tools for baselining

    Automating Deception

    • Network deception techniques
    • System deception techniques
    • User deception techniques
    • Cloud deception techniques

    Short-term Response - Visibility

    • Network and user-based enumeration
    • Enabling deeper auditing as an ad hoc response
    • Enrichment of existing data

    Short-term Response - Containment

    • Mitigating credential theft impact
    • System containment  process and behavior restriction
    • Network containment
  • Overview

    The final section of SEC586 focuses entirely on hands-on application of the skills built throughout the week. Working in teams, each group must solve challenges ranging from log analysis to containment tactics. Several different challenges with increasing levels of difficulty will require groups to work together, mastering PowerShell from the perspective of Blue Team workloads, and providing a safe environment to work with PowerShell while under pressure. Challenges will ensure a deep understanding of the concepts covered throughout SEC586 while offering a fun and competitive platform to test and further build these skills.

Prerequisites

  • Basic understanding of programming concepts
  • Basic understanding of Information Security principles

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the virtual machine to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+ on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • USB 3.0 ports highly recommended
  • Disk: 50 gigabytes of free disk space
  • Administrative access to disable any host-based firewall
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+
  • A Windows virtual machine will be provided in class

Author Statement

"My Information Security experience has taught me that human analysis is a critical attribute of effective cyber defense. Yet, the very people who are critical to preventing, discovering, and responding to threats are often bogged down with manual work that, while it needs to be done, is done at the expense of more advanced efforts. At the same time, we're facing a critical personnel and skills shortage in Information Security, and many organizations are struggling to fill open positions.

The immediate answer to these problems is automation. PowerShell is a cross-platform automation engine that is uniquely positioned for this task. Blue Teams can transform their everyday operations by automating wherever possible. System auditing and hardening tasks can be streamlined via configuration as code and substantial automation, leaving room for professionals to interpret reporting and work on higher-level tasks. Detection and response tasks can also be significantly improved. Data aggregation and analysis can be performed automatically, leaving analysts with pre-filtered data of interest to aid in detection. For response, a pre-built toolkit can enable near real-time response actions such as quarantining systems on the network, interrogating suspicious hosts for more information, capturing artifacts for forensic analysis, or even automatically remediating common issues.

SEC586 is designed to help teams raise the bar and spend time on what will provide the most value to their organizations. Deep automation alongside capable professionals flips the script and makes organizations a dangerous target for their adversaries."

- Josh Johnson

Ways to Learn

  • OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

  • In Person (6 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend SEC586?

  • Security Operations Center analysts
  • System engineers
  • System administrators
  • Technical security managers
  • Cyber threat investigators
  • Certified Network Defender analysts
See prerequisites
Africa/Abidjan
Africa/Accra
Africa/Addis Ababa
Africa/Algiers
Africa/Asmara
Africa/Asmera
Africa/Bamako
Africa/Bangui
Africa/Banjul
Africa/Bissau
Africa/Blantyre
Africa/Brazzaville
Africa/Bujumbura
Africa/Cairo
Africa/Casablanca
Africa/Ceuta
Africa/Conakry
Africa/Dakar
Africa/Dar es Salaam
Africa/Djibouti
Africa/Douala
Africa/El Aaiun
Africa/Freetown
Africa/Gaborone
Africa/Harare
Africa/Johannesburg
Africa/Juba
Africa/Kampala
Africa/Khartoum
Africa/Kigali
Africa/Kinshasa
Africa/Lagos
Africa/Libreville
Africa/Lome
Africa/Luanda
Africa/Lubumbashi
Africa/Lusaka
Africa/Malabo
Africa/Maputo
Africa/Maseru
Africa/Mbabane
Africa/Mogadishu
Africa/Monrovia
Africa/Nairobi
Africa/Ndjamena
Africa/Niamey
Africa/Nouakchott
Africa/Ouagadougou
Africa/Porto-Novo
Africa/Sao Tome
Africa/Timbuktu
Africa/Tripoli
Africa/Tunis
Africa/Windhoek
America/Adak
America/Anchorage
America/Anguilla
America/Antigua
America/Araguaina
America/Argentina/Buenos Aires
America/Argentina/Catamarca
America/Argentina/ComodRivadavia
America/Argentina/Cordoba
America/Argentina/Jujuy
America/Argentina/La Rioja
America/Argentina/Mendoza
America/Argentina/Rio Gallegos
America/Argentina/Salta
America/Argentina/San Juan
America/Argentina/San Luis
America/Argentina/Tucuman
America/Argentina/Ushuaia
America/Aruba
America/Asuncion
America/Atikokan
America/Atka
America/Bahia
America/Bahia Banderas
America/Barbados
America/Belem
America/Belize
America/Blanc-Sablon
America/Boa Vista
America/Bogota
America/Boise
America/Buenos Aires
America/Cambridge Bay
America/Campo Grande
America/Cancun
America/Caracas
America/Catamarca
America/Cayenne
America/Cayman
America/Chicago
America/Chihuahua
America/Coral Harbour
America/Cordoba
America/Costa Rica
America/Creston
America/Cuiaba
America/Curacao
America/Danmarkshavn
America/Dawson
America/Dawson Creek
America/Denver
America/Detroit
America/Dominica
America/Edmonton
America/Eirunepe
America/El Salvador
America/Ensenada
America/Fort Nelson
America/Fort Wayne
America/Fortaleza
America/Glace Bay
America/Godthab
America/Goose Bay
America/Grand Turk
America/Grenada
America/Guadeloupe
America/Guatemala
America/Guayaquil
America/Guyana
America/Halifax
America/Havana
America/Hermosillo
America/Indiana/Indianapolis
America/Indiana/Knox
America/Indiana/Marengo
America/Indiana/Petersburg
America/Indiana/Tell City
America/Indiana/Vevay
America/Indiana/Vincennes
America/Indiana/Winamac
America/Indianapolis
America/Inuvik
America/Iqaluit
America/Jamaica
America/Jujuy
America/Juneau
America/Kentucky/Louisville
America/Kentucky/Monticello
America/Knox IN
America/Kralendijk
America/La Paz
America/Lima
America/Los Angeles
America/Louisville
America/Lower Princes
America/Maceio
America/Managua
America/Manaus
America/Marigot
America/Martinique
America/Matamoros
America/Mazatlan
America/Mendoza
America/Menominee
America/Merida
America/Metlakatla
America/Mexico City
America/Miquelon
America/Moncton
America/Monterrey
America/Montevideo
America/Montreal
America/Montserrat
America/Nassau
America/New York
America/Nipigon
America/Nome
America/Noronha
America/North Dakota/Beulah
America/North Dakota/Center
America/North Dakota/New Salem
America/Nuuk
America/Ojinaga
America/Panama
America/Pangnirtung
America/Paramaribo
America/Phoenix
America/Port-au-Prince
America/Port of Spain
America/Porto Acre
America/Porto Velho
America/Puerto Rico
America/Punta Arenas
America/Rainy River
America/Rankin Inlet
America/Recife
America/Regina
America/Resolute
America/Rio Branco
America/Rosario
America/Santa Isabel
America/Santarem
America/Santiago
America/Santo Domingo
America/Sao Paulo
America/Scoresbysund
America/Shiprock
America/Sitka
America/St Barthelemy
America/St Johns
America/St Kitts
America/St Lucia
America/St Thomas
America/St Vincent
America/Swift Current
America/Tegucigalpa
America/Thule
America/Thunder Bay
America/Tijuana
America/Toronto
America/Tortola
America/Vancouver
America/Virgin
America/Whitehorse
America/Winnipeg
America/Yakutat
America/Yellowknife
Antarctica/Casey
Antarctica/Davis
Antarctica/DumontDUrville
Antarctica/Macquarie
Antarctica/Mawson
Antarctica/McMurdo
Antarctica/Palmer
Antarctica/Rothera
Antarctica/South Pole
Antarctica/Syowa
Antarctica/Troll
Antarctica/Vostok
Arctic/Longyearbyen
Asia/Aden
Asia/Almaty
Asia/Amman
Asia/Anadyr
Asia/Aqtau
Asia/Aqtobe
Asia/Ashgabat
Asia/Ashkhabad
Asia/Atyrau
Asia/Baghdad
Asia/Bahrain
Asia/Baku
Asia/Bangkok
Asia/Barnaul
Asia/Beirut
Asia/Bishkek
Asia/Brunei
Asia/Calcutta
Asia/Chita
Asia/Choibalsan
Asia/Chongqing
Asia/Chungking
Asia/Colombo
Asia/Dacca
Asia/Damascus
Asia/Dhaka
Asia/Dili
Asia/Dubai
Asia/Dushanbe
Asia/Famagusta
Asia/Gaza
Asia/Harbin
Asia/Hebron
Asia/Ho Chi Minh
Asia/Hong Kong
Asia/Hovd
Asia/Irkutsk
Asia/Istanbul
Asia/Jakarta
Asia/Jayapura
Asia/Jerusalem
Asia/Kabul
Asia/Kamchatka
Asia/Karachi
Asia/Kashgar
Asia/Kathmandu
Asia/Katmandu
Asia/Khandyga
Asia/Kolkata
Asia/Krasnoyarsk
Asia/Kuala Lumpur
Asia/Kuching
Asia/Kuwait
Asia/Macao
Asia/Macau
Asia/Magadan
Asia/Makassar
Asia/Manila
Asia/Muscat
Asia/Nicosia
Asia/Novokuznetsk
Asia/Novosibirsk
Asia/Omsk
Asia/Oral
Asia/Phnom Penh
Asia/Pontianak
Asia/Pyongyang
Asia/Qatar
Asia/Qostanay
Asia/Qyzylorda
Asia/Rangoon
Asia/Riyadh
Asia/Saigon
Asia/Sakhalin
Asia/Samarkand
Asia/Seoul
Asia/Shanghai
Asia/Singapore
Asia/Srednekolymsk
Asia/Taipei
Asia/Tashkent
Asia/Tbilisi
Asia/Tehran
Asia/Tel Aviv
Asia/Thimbu
Asia/Thimphu
Asia/Tokyo
Asia/Tomsk
Asia/Ujung Pandang
Asia/Ulaanbaatar
Asia/Ulan Bator
Asia/Urumqi
Asia/Ust-Nera
Asia/Vientiane
Asia/Vladivostok
Asia/Yakutsk
Asia/Yangon
Asia/Yekaterinburg
Asia/Yerevan
Atlantic/Azores
Atlantic/Bermuda
Atlantic/Canary
Atlantic/Cape Verde
Atlantic/Faeroe
Atlantic/Faroe
Atlantic/Jan Mayen
Atlantic/Madeira
Atlantic/Reykjavik
Atlantic/South Georgia
Atlantic/St Helena
Atlantic/Stanley
Australia/ACT
Australia/Adelaide
Australia/Brisbane
Australia/Broken Hill
Australia/Canberra
Australia/Currie
Australia/Darwin
Australia/Eucla
Australia/Hobart
Australia/LHI
Australia/Lindeman
Australia/Lord Howe
Australia/Melbourne
Australia/NSW
Australia/North
Australia/Perth
Australia/Queensland
Australia/South
Australia/Sydney
Australia/Tasmania
Australia/Victoria
Australia/West
Australia/Yancowinna
Brazil/Acre
Brazil/DeNoronha
Brazil/East
Brazil/West
CET
CST6CDT
Canada/Atlantic
Canada/Central
Canada/Eastern
Canada/Mountain
Canada/Newfoundland
Canada/Pacific
Canada/Saskatchewan
Canada/Yukon
Chile/Continental
Chile/EasterIsland
Cuba
EET
EST
EST5EDT
Egypt
Eire
Etc/GMT
Etc/GMT+0
Etc/GMT+1
Etc/GMT+10
Etc/GMT+11
Etc/GMT+12
Etc/GMT+2
Etc/GMT+3
Etc/GMT+4
Etc/GMT+5
Etc/GMT+6
Etc/GMT+7
Etc/GMT+8
Etc/GMT+9
Etc/GMT-0
Etc/GMT-1
Etc/GMT-10
Etc/GMT-11
Etc/GMT-12
Etc/GMT-13
Etc/GMT-14
Etc/GMT-2
Etc/GMT-3
Etc/GMT-4
Etc/GMT-5
Etc/GMT-6
Etc/GMT-7
Etc/GMT-8
Etc/GMT-9
Etc/GMT0
Etc/Greenwich
Etc/UCT
Etc/UTC
Etc/Universal
Etc/Zulu
Europe/Amsterdam
Europe/Andorra
Europe/Astrakhan
Europe/Athens
Europe/Belfast
Europe/Belgrade
Europe/Berlin
Europe/Bratislava
Europe/Brussels
Europe/Bucharest
Europe/Budapest
Europe/Busingen
Europe/Chisinau
Europe/Copenhagen
Europe/Dublin
Europe/Gibraltar
Europe/Guernsey
Europe/Helsinki
Europe/Isle of Man
Europe/Istanbul
Europe/Jersey
Europe/Kaliningrad
Europe/Kiev
Europe/Kirov
Europe/Lisbon
Europe/Ljubljana
Europe/London
Europe/Luxembourg
Europe/Madrid
Europe/Malta
Europe/Mariehamn
Europe/Minsk
Europe/Monaco
Europe/Moscow
Europe/Nicosia
Europe/Oslo
Europe/Paris
Europe/Podgorica
Europe/Prague
Europe/Riga
Europe/Rome
Europe/Samara
Europe/San Marino
Europe/Sarajevo
Europe/Saratov
Europe/Simferopol
Europe/Skopje
Europe/Sofia
Europe/Stockholm
Europe/Tallinn
Europe/Tirane
Europe/Tiraspol
Europe/Ulyanovsk
Europe/Uzhgorod
Europe/Vaduz
Europe/Vatican
Europe/Vienna
Europe/Vilnius
Europe/Volgograd
Europe/Warsaw
Europe/Zagreb
Europe/Zaporozhye
Europe/Zurich
GB
GB-Eire
GMT
GMT+0
GMT-0
GMT0
Greenwich
HST
Hongkong
Iceland
Indian/Antananarivo
Indian/Chagos
Indian/Christmas
Indian/Cocos
Indian/Comoro
Indian/Kerguelen
Indian/Mahe
Indian/Maldives
Indian/Mauritius
Indian/Mayotte
Indian/Reunion
Iran
Israel
Jamaica
Japan
Kwajalein
Libya
MET
MST
MST7MDT
Mexico/BajaNorte
Mexico/BajaSur
Mexico/General
NZ
NZ-CHAT
Navajo
PRC
PST8PDT
Pacific/Apia
Pacific/Auckland
Pacific/Bougainville
Pacific/Chatham
Pacific/Chuuk
Pacific/Easter
Pacific/Efate
Pacific/Enderbury
Pacific/Fakaofo
Pacific/Fiji
Pacific/Funafuti
Pacific/Galapagos
Pacific/Gambier
Pacific/Guadalcanal
Pacific/Guam
Pacific/Honolulu
Pacific/Johnston
Pacific/Kiritimati
Pacific/Kosrae
Pacific/Kwajalein
Pacific/Majuro
Pacific/Marquesas
Pacific/Midway
Pacific/Nauru
Pacific/Niue
Pacific/Norfolk
Pacific/Noumea
Pacific/Pago Pago
Pacific/Palau
Pacific/Pitcairn
Pacific/Pohnpei
Pacific/Ponape
Pacific/Port Moresby
Pacific/Rarotonga
Pacific/Saipan
Pacific/Samoa
Pacific/Tahiti
Pacific/Tarawa
Pacific/Tongatapu
Pacific/Truk
Pacific/Wake
Pacific/Wallis
Pacific/Yap
Poland
Portugal
ROC
ROK
Singapore
Turkey
UCT
US/Alaska
US/Aleutian
US/Arizona
US/Central
US/East-Indiana
US/Eastern
US/Hawaii
US/Indiana-Starke
US/Michigan
US/Mountain
US/Pacific
US/Samoa
UTC
Universal
W-SU
WET
Zulu
Filters:
Training Formats
Location
Dates

Register for SEC586

  • In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

Learn more
  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Learn more
  • OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

Learn more

Loading...