SEC564: Red Team Exercises and Adversary Emulation

    12 CPEs

    SEC564 is a 2-day intensive course that enables students to plan and manage Red Team Exercises, including building and executing an adversary emulation. Students will learn the tactics, techniques, and procedures (TTPs) used by the adversary, create an adversary emulation plan leveraging MITRE ATT&CK, and then emulate the adversary during multiple labs.

    Course Author:
    Jorge Orchilles
    Principal Instructor

    What You Will Learn

    In SEC564, you will learn how to plan and execute an end-to-end adversary emulation, including how to plan and build a red team program, leverage threat intelligence to map against adversary tactics, techniques, and procedures (TTPs), emulate those TTPs, report and analyze the results of red team exercises, and ultimately improve the overall security posture of the organization.

    You will do all of this in a course-long exercise, in which we perform an adversary emulation against a target organization modeled on an enterprise environment. This environment includes Active Directory, email, web, and file servers, as well as endpoints running the latest operating systems. We will start by consuming cyber threat intelligence to identify and document an adversary that has the intent, opportunity, and capability to attack the target organization. You will discover the TTPs used by the adversary while creating an adversary emulation plan leveraging MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).

    We'll cover the planning phase of these exercises, showcasing various industry frameworks and methodologies for red teaming and adversary emulation. These frameworks are industry standards used by various regulatory bodies to ensure consistent and repeatable red team exercises.

    Using strong planning and threat intelligence, students will follow the same unified kill chain as the adversaries to reach the same objective, from setting up attack infrastructure with command and control to emulating multiple TTPs mapped to MITRE ATT&CK.

    The course concludes with exercise closure activities such as analyzing the response of the blue team (people and process), reporting, and remediation planning and retesting. Finally, you will learn how to show the value that red team exercises and adversary emulations bring to an organization. The main job of a red team is to make a blue team better. Offense informs defense and defense informs offense.
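    As a worked example of the planning and closure steps described above (added here; this is not course material or code from SANS or the author), the following Python builds an adversary emulation plan from a threat intelligence report, orders it along the ATT&CK tactic sequence, emits an ATT&CK Navigator layer for the plan, and at exercise closure scores which techniques the blue team prevented, detected, or missed. The technique IDs are real ATT&CK IDs, but the adversary, the procedures, the intel report, the blue team results and the Navigator layer keys are constructed assumptions for illustration.

```python
"""Adversary emulation plan: intel -> ATT&CK-ordered plan -> Navigator layer
-> closure scoring.  Example code, not SANS or course material."""
import json
from dataclasses import dataclass

# Enterprise ATT&CK tactic short names in kill-chain order (assumed current).
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]


@dataclass
class TTP:
    technique_id: str      # ATT&CK technique or sub-technique ID, e.g. T1566.001
    tactic: str            # ATT&CK tactic short name, e.g. initial-access
    procedure: str         # how the emulated adversary carries it out
    outcome: str = "not-run"   # set at closure: prevented / detected / missed


# Constructed intel report for a fictional adversary (deliberately unordered,
# as behaviours appear in a report).  IDs are real ATT&CK IDs; procedures are
# illustrative only.
SAMPLE_INTEL = [
    ("T1003.001", "credential-access", "dump LSASS memory with a renamed dumper"),
    ("T1566.001", "initial-access", "spearphishing attachment with macro document"),
    ("T1071.001", "command-and-control", "HTTPS beacon through a redirector"),
    ("T1059.001", "execution", "PowerShell stager launched by the macro"),
    ("T1547.001", "persistence", "Run key pointing at the stager"),
    ("T1021.001", "lateral-movement", "RDP to file server with stolen credentials"),
    ("T1041", "exfiltration", "staged archive sent over the C2 channel"),
    ("T1087.002", "discovery", "enumerate domain accounts with net group"),
]


def build_plan(intel):
    """Turn (id, tactic, procedure) intel rows into a plan ordered by tactic."""
    plan = [TTP(tid, tactic, proc) for tid, tactic, proc in intel]
    unknown = [t.tactic for t in plan if t.tactic not in TACTIC_ORDER]
    if unknown:
        raise ValueError(f"unknown ATT&CK tactic(s): {unknown}")
    # sorted() is stable, so techniques within one tactic keep report order
    return sorted(plan, key=lambda t: TACTIC_ORDER.index(t.tactic))


def navigator_layer(plan, name):
    """ATT&CK Navigator layer dict (key names assumed from public layer files)."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.3"},
        "techniques": [
            {"techniqueID": t.technique_id, "tactic": t.tactic,
             "score": 1, "comment": t.procedure}
            for t in plan
        ],
    }


def record_outcomes(plan, observed):
    """Closure: attach the blue team's result per technique; unseen = missed."""
    for t in plan:
        t.outcome = observed.get(t.technique_id, "missed")
    return plan


def coverage(plan):
    """Counts per outcome plus the detection rate the closure report cites."""
    counts = {"prevented": 0, "detected": 0, "missed": 0}
    for t in plan:
        counts[t.outcome] = counts.get(t.outcome, 0) + 1
    seen = counts["prevented"] + counts["detected"]
    counts["detection_rate"] = round(seen / len(plan), 2) if plan else 0.0
    return counts


if __name__ == "__main__":
    plan = build_plan(SAMPLE_INTEL)
    print(json.dumps(navigator_layer(plan, "Emulation plan"), indent=2))
    # Constructed blue-team results gathered during exercise closure
    observed = {"T1566.001": "detected", "T1059.001": "detected",
                "T1003.001": "prevented", "T1021.001": "detected"}
    print(coverage(record_outcomes(plan, observed)))
```

    The ordering step is what turns a list of observed behaviours into an executable plan: the emulation follows the same tactic sequence the adversary would, from initial access through exfiltration. The closure step makes the "offense informs defense" point measurable: every technique that is neither prevented nor detected is a concrete detection-engineering item for the remediation plan rather than a general observation.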

    This Course Will Prepare You To:

    • Build a Red Team program
    • Leverage Red Team exercises and adversary emulation to obtain a holistic view of an organization's security posture
    • Measure, train, and improve people, processes, and technology for the organization

    You Will Receive With This Course:

    • Two virtual machines: Windows 10 and SANS Slingshot C2 Matrix Edition, which includes multiple Red Team tools for all exercises, including command and control (C2) frameworks
    • Cheat Sheets
    • Frameworks and Methodologies
    • Threat Intelligence reports for two popular threat actors/adversaries
    • Sample Adversary Emulation Plan

    Additional Resources:

    • C2 Matrix
    • Red Team Development and Operations: A practical guide by Joe Vest and James Tubberville
    • Using MITRE ATT&CK for Cyber Threat Intelligence Training

    Syllabus (12 CPEs)

    • Section 1 Overview

      The first section begins by introducing Red Team exercises and adversary emulation, showing how they differ from other security testing types such as vulnerability assessments, penetration tests, and purple teaming. Following the hybrid approach of the course, you will be introduced to a number of industry frameworks (including the Cyber Kill Chain, Unified Kill Chain, and MITRE ATT&CK) for Red Team exercises and adversary emulation. Threat Intelligence is critical to performing Red Team exercises and will be covered early in the course. A red teamer needs to know how to obtain and consume threat intelligence in order to successfully emulate an adversary. Red Team exercises require substantial planning, and you will learn what triggers an exercise and how to define objectives and scope, set up attack infrastructure, understand roles and responsibilities (including those of the Trusted Agents), and establish the rules of engagement. With a strong plan in place, the exercise execution phase begins. You will learn how to perform the steps to emulate an adversary and carry out a high-value Red Team exercise. We will cover reconnaissance, social engineering, weaponization, and delivery. Day 1 concludes with a lab testing your payload and attack infrastructure.

      Exercises
      • Consuming Threat Intelligence
      • Attack Infrastructure
      • Recon and Social Engineering
      • C2 and Weaponization
      Topics
      • About the Course
      • Defining Terms
      • Motivation and Introduction
      • Frameworks and Methodologies
      • Threat Intelligence
      • Planning
        • Triggers, Objectives, and Scope
        • Roles and Responsibilities
        • Rules of Engagement
        • Attack Infrastructure
      • Red Team Exercise Execution
        • Reconnaissance
        • Social Engineering
        • Weaponization
        • Delivery
    • Section 2 Overview

      This section continues with executing a red team exercise and wraps up with closure activities. The day is filled with exercises that walk students through the course-long red team exercise. Multiple red team exercise phases are explored that use realistic TTPs to ultimately meet the emulated adversary objective. During the exercises, you gain initial access, perform discovery of the target network from patient zero, attempt privilege escalation, create advanced command-and-control channels, and establish persistence. These exercises reinforce the lecture portion of the course. You will learn various methods covering defensive evasion and execution, access to credentials, and lateral movement and pivoting techniques. You'll then use those skills in exercises to obtain the emulated adversary's objective. Lastly, you will complete the exercise by performing various closure activities.

      Exercises
      • Discovery, Privilege Escalation, and Persistence
      • Defense Evasion, Credential Access, and Pivoting
      • Action on Objectives
      • Exercise Closure
      Topics
      • Red Team Exercise Execution
        • Initial Access
        • Network Propagation
        • Discovery
        • Privilege Escalation
        • Persistence
        • Defense Evasion and Execution
        • Credential Access
        • Lateral Movement and Pivoting
        • Action on Objectives
        • Target Manipulation, Collection, and Exfiltration
      • Exercise Closure
        • Analysis and Response
        • Reporting
        • Remediation and Action Plan

    Prerequisites

    The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid foundation upon which to build Red Team concepts.

    Many of the Red Team concepts taught in this course are suitable for anyone in the security community. Both technical staff as well as management personnel will be able to gain a deeper understanding of Red Team exercises and adversary emulations.

    Laptop Requirements

    Important! Bring your own system configured according to these instructions!

    A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

    It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

    Baseline Hardware Requirements

    • CPU

      • 64-bit Intel i5/i7 2.0+ GHz processor
    • BIOS

      • Intel VT-x (hardware virtualization) enabled
    • RAM

      • 16 GB RAM (8GB min)
    • Hard Drive Free Space

      • 60 GB Free space
    • Operating System

      • Windows 10 Pro or macOS 10.12+
      • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

    Additional Hardware Requirements

    The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

    Additional Software Requirements

    Google Chrome, Adobe Acrobat or other PDF reader

    • You will need Google Chrome and Adobe Acrobat or another PDF reader.

    Microsoft Office or OpenOffice

    • Install Microsoft Office (any version) with Excel, or OpenOffice, on your host. Note: Microsoft offers a free Office trial (60 days). OpenOffice is a free product.

    VMware Player

    • Install VMware Player 15, VMware Fusion 11, or VMware Workstation 15.
    • Older versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.

    System Configuration Settings

    Local Admin

    • Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.

    If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

    Author Statement

    "Organizations are maturing their security testing programs to include Red Team exercises and adversary emulations. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and improve detection and prevention controls. This course will teach you to plan Red Team exercises, leverage threat intelligence to map against adversary tactics, techniques, and procedures, build a Red Team program and plan, execute a Red Team exercise and report and analyze the results, and improve the overall security posture of the organization." - Jorge Orchilles


    Who Should Attend SEC564?

    • Security professionals interested in expanding their knowledge of Red Team exercises in order to understand how they are different from other types of security testing
    • Penetration testers and Red Team members looking to better understand their craft
    • Blue Team members, defenders, and forensic specialists looking to better understand how Red Team exercises can improve their ability to defend by better understanding offensive methodologies, tools, tactics, techniques, and procedures
    • Auditors who need to build deeper technical skills and/or meet regulatory requirements
    • Information security managers who need to incorporate or participate in high-value Red Team exercises
    • © 2022 SANS™ Institute