Welcome to SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Instructor: Matt Edmondson | 38 CPEs
Associated Certification:
GIAC Certified Incident Handler (GCIH)

SEC504 will prepare you to turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still so prevalent, and everything in between.

You will learn the most modern, step-by-step processes for incident response; how attackers undermine systems so you can prepare, detect, and respond to them; and how to discover holes in your system before the bad guys do.

You will learn:

  • How to best prepare for an eventual breach
  • The step-by-step approach used by many computer attackers
  • Proactive and reactive defenses for each stage of a computer attack
  • How to identify active attacks and compromises
  • The latest computer attack vectors and how you can stop them
  • How to properly contain attacks
  • How to ensure that attackers do not return
  • How to recover from computer attacks and restore systems for business
  • How to understand and use hacking tools and techniques
  • Strategies and tools to detect each type of attack
  • Application-level vulnerabilities, attacks, and defenses
  • How to develop an incident handling process and prepare a team for battle
  • Legal issues in incident handling

Pricing & Registration

This class is Live Online. Price: 7,270 USD | GCIH Certification: 849 USD | OnDemand: 849 USD

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and who doesn't!), your computer systems will get attacked. From the hundreds to thousands of daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential that we understand these hacking tools and techniques.

This course will enable you to turn the tables on computer attackers by helping you understand their tactics and strategies, providing you with hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process to respond to computer incidents and a detailed description of how attackers undermine systems so you can prevent, detect, and respond to them. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. Applying these skills in your own organization will enable you to discover the flaws in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to thwart attacks.

If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.

We are often asked the differences between SEC504 and SEC560, and what is covered in each course. Please see our FAQ to further clarify the course details.

SEC504 vs. SEC560 FAQ

"The content was well thought out and provided a great foundation on which to apply IR techniques. I also really enjoyed the bonus activities at the end of the lab. While gaining muscle memory through repeating commands provided in the lab is great, nothing beats having to apply what you've learned without having the answers fed to you." - Rob Walters, Humana

Course Syllabus

SEC504.1: Incident Response and Computer Crime Investigations

Mon Aug 16th, 2021
9:00 AM - 7:15 PM


Responding to an incident of any size is a complex task. Effective response requires careful consideration and input from several stakeholders, including business and information security concerns. With new vulnerabilities being discovered on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents such as fires, floods, and crime all require a solid incident handling approach to getting systems and services back online as quickly and securely as possible.

The course starts by examining the key components of both incident response and digital investigations. Informed by several incidents, we consider the goals and outcomes that are important to both business operations and security. The dynamic approach put forth can be applied to the specific needs of an individual business and incident. We then shift to more practical matters, examining issues surrounding live systems and identifying abnormal activity. Continuing the practical focus, we look at investigative techniques for examining evidence from the network and memory. We also cover techniques to determine if an unknown program is malicious, and if so, what footprints are left behind.

  • Live Windows examination
  • Network investigation
  • Memory investigation
  • Malware investigation

Incident Response

  • Common incident response mistakes
  • Incident goals and milestones
  • Post-incident activities

Digital Investigations

  • Asking and answering the right questions
  • Pivoting during an investigation
  • Taking notes and writing reports
  • Artifact and event-based timelines

Live Examination

  • How to start, even with minimal information
  • Examining a live environment
  • Identifying abnormal activity

Digital Evidence

  • Understanding what digital evidence is and how to collect it
  • The role and elements of a chain of custody
  • How to collect digital evidence

Network Investigations

  • Analyzing packet captures using tcpdump
  • Web proxy logs

Memory Investigations

  • How to investigate memory images using the Volatility framework

Malware Investigations

  • Basic approaches for investigating malware
  • Best practices for working with malware
  • Monitoring the environment using snapshot and continuous recording tools

SEC504.2: Recon, Scanning, and Enumeration Attacks

Tue Aug 17th, 2021
9:00 AM - 5:00 PM


Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage and open-source intelligence, attackers conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and turnkey platforms, or vulnerable Wi-Fi and proprietary wireless systems. Attackers will also leverage detailed scanning and interrogation of complex Windows Active Directory domains, identifying and manipulating configuration policies to their significant advantage.

This course section covers the details associated with the beginning phases of many cyber attacks. We will introduce important frameworks for understanding the tools, techniques, and practices of modern attackers through the MITRE ATT&CK Framework, using it as a starting point to investigate the pre-attack steps attackers employ. We will leverage local and cloud-based tools to conduct effective reconnaissance of a target organization, identifying the information disclosure that will reveal weaknesses for initial compromise. We'll then take a deep dive into scanning techniques, both from a network perspective and with a focus on the complexities of modern Windows Active Directory forests to map out an attack plan that will grant an attacker privileged access. We will also spotlight defensive techniques using free and open-source tools that provide you with a competitive advantage to detect attacks on your organization.

  • Using Open Source Intelligence (OSINT) for attack reconnaissance
  • Wi-Fi network scanning for rogue, malicious, and misconfigured access points
  • Server enumeration and analysis with Nmap
  • Vulnerability scanning and scan result prioritization techniques
  • Windows networking scanning and data harvesting techniques
  • Defense Spotlight: DeepBlueCLI

Introducing the MITRE ATT&CK Framework

  • Attacker evolution and the need for tool, technique, and practice (TTP) mapping
  • Using the MITRE ATT&CK Framework for smarter adversary assessment
  • How we integrate SEC504 with the MITRE ATT&CK Framework


  • What does your network reveal?
  • Are you leaking too much information?
  • Using certificate transparency for pre-production server identification
  • Domain Name System harvesting
  • Data gathering from job postings, websites, and government databases
  • Identifying publicly compromised accounts
  • FOCA for metadata analysis
  • Aggregate OSINT data collection with SpiderFoot
  • Mastering SHODAN searches for target discovery


  • Learn the techniques attackers use to enumerate your networks
  • Locating and attacking personal and enterprise Wi-Fi
  • Identifying and exploiting proprietary wireless systems
  • Port scanning: small and large-scale enumeration tasks
  • Quick and effective intel collection from web servers
  • Characterizing network targets by OS, service, patch level
  • Vulnerability scanning and finding prioritization

Enumerating Windows Active Directory Targets

  • Windows Active Directory domain enumeration with BloodHound, SharpView
  • Windows Command and Control with PowerShell Empire
  • Operating system bridging from Linux to Windows targets
  • Defending against SMB attacks with sophisticated Windows networking features
  • Understanding SMB security features through Windows Server 2019

Defense Spotlight: DeepBlueCLI

  • Using PowerShell to enumerate Windows systems
  • Fast and effective Windows event log analysis
  • Leveraging PowerShell output modifiers for reporting, analysis
  • Characterizing common Windows scans and attacks against Windows servers

SEC504.3: Password and Access Attacks

Wed Aug 18th, 2021
9:00 AM - 5:00 PM


Any attacker will tell you the same thing: Password compromise is better than exploit compromise. Not only is system access through a valid username and password more reliable than exploits, using authenticated credentials will also blend into normal system use, creating fewer logs and system anomalies that could lead to detection. Because these attacks are so prevalent, we dig into password-based attacks in significant detail, equipping you with the tools to test your systems with the same skill and technique as the sophisticated adversaries you must defend against.

This course day starts with straightforward password guessing attacks, quickly investigating the techniques attackers employ to make this an effective process that bypasses defense systems such as account lockout. We will investigate the critical topics of creating effective password guessing lists from other network compromises, and how attackers leverage user password reuse against your organization. We'll dig into the algorithms behind password hashing, using several tools to recover plaintext passwords while optimizing the cracking process to complete in days, not years. We will also get a jump-start on understanding essential network attack topics through the use of easy backdoors, forward and reverse shells, and discreet data transfer within the organization, all through an unassuming system binary. Finally, we will investigate defensive measures that you can immediately apply when you get back to work, including the use of the Domain Password Audit Tool (DPAT) and Elastic Stack (formerly ELK) tools for monitoring authentication logs in your organization.

  • Online password guessing attacks with Hydra
  • Defense Spotlight: Password guessing attack analysis with Elastic Stack
  • Effective password cracking using Hashcat and John the Ripper
  • Defense Spotlight: Domain Password Exposure Analysis with DPAT
  • Data exfiltration, scanning, and pivoting with Netcat

Password Attacks

  • How attackers bypass account lockout policies
  • Choosing a target protocol for password guessing attacks
  • Techniques for choosing password lists
  • How attackers reuse compromised password lists against your organization
  • Techniques for password cracking
  • Recommendations for password cracking in your organization

Defense Spotlight: Log Analysis with Elastic Stack (formerly ELK)

  • Establishing a lightweight log analysis system with Elasticsearch, Logstash, Beats, and Kibana
  • Understanding Linux and UNIX authentication logging data
  • Configuring Filebeat for simple log ingestion
  • Using Kibana to identify password attack events
  • Customizing Kibana visualization for effective threat hunting

Understanding Password Hashes

  • Hashing algorithms, processes, and problems
  • Understanding Windows hashing functions through Windows Server 2019
  • Password hash function strength and quality metrics
  • Extracting Windows domain password hashes using built-in tools
  • Getting password hashes from Windows 10 systems
  • Decoding UNIX and Linux password hashes
  • Mitigating GPU-based cracking: PBKDF2, bcrypt, and scrypt

Password Cracking Attacks

  • John the Ripper: single, wordlist, incremental, and external cracking modes
  • Cracking hashes with Hashcat: straight and combinator attacks
  • Effective hash computation using mask attacks
  • Breaking user password selection weaknesses with Hashcat rules
  • Three simple strategies for defeating password cracking

Defense Spotlight: Domain Password Auditing

  • Enumerating Windows domain settings with simple PowerShell one-line scripts
  • Characterizing systemic behavior in user password selection
  • Identifying bad password offenders in your organization
  • Mitigating password sharing in Windows domains

Netcat: The Attacker's Best Friend

  • Transferring files, creating backdoors, and shoveling shells
  • Netcat relays to obscure the source of an attack
  • Replay attacks with Netcat

SEC504.4: Public-Facing and Drive-By Attacks

Thu Aug 19th, 2021
9:00 AM - 5:00 PM


Public-facing and drive-by attacks represent significant risk areas for organizations, and they are a popular attack vector for adversaries targeting your organization. Public-facing targets such as web applications, VPN servers, email systems, and other supporting protocols are quickly identified by an adversary and assessed for vulnerabilities. In drive-by attacks, adversaries compromise and leverage the trust inherent to third-party websites to trick users into taking actions that render their systems vulnerable.

This course section examines the hacker tools for compromising your exposed systems through exploit frameworks such as Metasploit. We also dig into the concepts and techniques behind drive-by and watering-hole attacks, and how attackers create the exploits and system-compromise tools through malicious installers, browser JavaScript, and malicious Microsoft Office documents. We'll examine the attacks specific to web applications in an organization, both from the perspective of the unauthenticated and the authenticated user, with practical exploit steps for the most popular web application vulnerabilities. In addition to examining the hacker tools, we'll also investigate several freely available and practical defense steps, including the use of the Windows SRUM database for historical system activity reporting, and the use of Elastic Stack (formerly ELK) tools for assessing web server logging data to identify signs of attack.

  • Metasploit Attack and Analysis
  • Software Update Browser Exploitation
  • System Resource Utilization Database Analysis
  • Command Injection Attack
  • Cross Site Scripting Attack
  • SQL Injection Attack
  • SQL Injection Log Analysis

Using Metasploit for System Compromise

  • Using the Metasploit framework for specific attack goals
  • Matching exploits with reconnaissance data
  • Deploying Metasploit Meterpreter Command & Control
  • Identifying Metasploit exploit artifacts on the system and network

Drive-By and Watering Hole Attacks

  • Examining the browser attack surface
  • Identifying browser vulnerabilities with JavaScript
  • Code-executing Microsoft Office attacks
  • Backdooring legitimate code with attacker payloads

Defense Spotlight: System Resource Usage Monitor (SRUM)

  • Assessing attacker activity with Windows 10 app history
  • Extracting useful data from the protected SRUM database
  • Converting raw SRUM data to useful post-exploit analysis

Web Application Attacks

  • Account harvesting for user enumeration
  • Command injection attacks for web server remote command injection
  • SQL Injection: Manipulating back-end databases
  • Session Cloning: Grabbing other users' web sessions
  • Cross-Site Scripting: Manipulating victim browser sessions

Defense Spotlight: Effective Web Server Log Analysis

  • Using Elastic Stack (ELK) tools for post-attack log analysis
  • Configuring Filebeat for web server log consumption
  • Using the Kibana Query Language (KQL) to identify custom web attacks
  • Hunting for common SQL Injection attack signatures
  • Decoding obfuscated attack signatures with CyberChef

SEC504.5: Evasion and Post-Exploitation Attacks

Fri Aug 20th, 2021
9:00 AM - 5:00 PM


Rarely is it an attacker's goal to simply compromise a system. More often, the attacker's compromise is the initial step, followed by post-exploitation attacks to gain additional network access, or to retrieve sensitive data within the organization. Along the way, attackers will also have to deal with defense controls designed to thwart their efforts, including endpoint protection, server lock-down, and restricted privilege environments.

This course section examines the attacker steps after the initial compromise is over. We will dig into the techniques attackers use to implant malware after bypassing endpoint detection and response platforms, how they pivot through the network using third-party and built-in tools, and how they leverage the initial foothold on your network for internal network scanning and asset discovery. We will look at how the compromise of a single host grants attackers privileged network insider access to open up a whole new field of attacks, and how they will use that access wisely, covering their tracks on hosts and on the network to evade detection systems. We will look at how attackers, with their initial access established, then access, collect, and exfiltrate data from compromised networks. We will finish the lecture component of the course with a look at where to go from here in your studies, examining resources and best practices to turn your new skills into permanent, long-term recall.

  • Advanced network pivoting with Metasploit
  • Insider network attack event analysis
  • Hijacking Windows: Responder attacks
  • Post-exploitation command history analysis
  • Hiding (and finding) valuable data on Windows servers
  • Selectively editing Windows event logs
  • Network threat hunting with RITA

Endpoint Security Bypass

  • Evading EDR analysis with executable manipulation: ghostwriting
  • Manipulating Windows Defender for attack signature disclosure
  • Using LOLBAS to evade application whitelisting
  • Adapting Metasploit payloads on protected platforms

Pivoting and Lateral Movement

  • Pivoting from initial compromise to internal networks
  • Effective port forwarding with Meterpreter payloads
  • Leveraging compromised hosts for internal network scanning, exploitation
  • Windows netsh and attacker internal network access

Privileged Insider Network Attacks

  • Leveraging initial access for network attacks
  • Deploying packet sniffers, MITM attack tools
  • Native packet capture on compromised Windows hosts
  • Abusing weak protocols: DNS, HTTP
  • Network service impersonation attacks with Flamingo
  • Abusing Windows name resolution for password disclosure

Covering Tracks

  • Maintaining access by manipulating compromised hosts
  • Editing log files on Linux and Windows systems
  • Hiding data in Windows ADS
  • Network persistence through hidden Command & Control

Defense Spotlight: Real Intelligence Threat Analytics (RITA)

  • Characterizing advanced Command & Control activity over the network
  • Capturing and processing network data with Zeek
  • Network threat hunting: beacons, long connections, strobes, and DNS analysis

Post-Exploitation Data Collection

  • Harvesting passwords from compromised Linux hosts
  • Password dumping with Mimikatz and EDR bypass
  • Defeating Windows and macOS password managers
  • Windows keystroke logging attacks
  • Data exfiltration over blended network protocols

Where To Go From Here

  • Techniques for solving the problem of needing time for study
  • Understanding the Forgetting Curve dilemma
  • Techniques for developing long-term retention from what you have learned
  • Building study strategies for certification, applying your knowledge

SEC504.6: Capture the Flag Event

Sat Aug 21st, 2021
9:00 AM - 5:00 PM


Over the years, the security industry has become smarter and more effective in stopping attackers. Unfortunately, attackers themselves are also getting smarter and more sophisticated. One of the most effective ways to stop an adversary is to actually test the environment with the same tools and tactics that the attacker will use against you. Our Capture-the-Flag event is a full day of hands-on activity in which you work as a consultant for a fictitious company that has recently been compromised. You will apply all of the skills you've learned in class, using the same techniques attackers use to compromise modern, sophisticated network environments. Working together as teams, small groups will scan, exploit, and complete post-exploitation tasks against a cyber range of target systems including Windows, Linux, Internet of Things, and cloud targets. This hands-on challenge is designed to help players practice their skills and reinforce concepts learned throughout the course while challenging each individual player in an environment that replicates modern networks. Powered by the NetWars engine, the event guides players to successfully compromise target systems, bypass endpoint protection platforms, pivot to internal network high-value hosts, and exfiltrate the data that is of greatest value to the target organization. The winners receive the coveted SEC504 challenge coin.


Hands-on Analysis

  • Exploiting user password misuse
  • Completing scanning, reconnaissance analysis
  • Using OSINT resources to collect information about a target network
  • Matching reconnaissance data with public exploits
  • Privilege escalation on Linux and Windows systems
  • Exploiting common Windows Domain vulnerabilities
  • Pillaging data on compromised systems
  • Pivoting from initial compromise to internal network access
  • Identifying attacker artifacts following a network compromise

Who Should Attend

  • Incident handlers
  • Leaders of incident response teams
  • System administrators who are on the front lines defending their systems and responding to attacks
  • Other security personnel who are first responders when systems come under attack
  • General security practitioners and security architects who want to design, build, and operate their systems to prevent, detect, and respond to attacks

"SEC504 is a great class overall that is perfect for pen testers and defenders alike. It has greatly helped me understand how attackers think, how they gather information, and how they maintain and gain control of systems." - Evan Brunk, Acuity Insurance

Lab Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.


  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".


  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.


  • 8 GB RAM is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

Hard Drive Free Space

  • 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

  • Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install VMware virtualization software and meet additional hardware and software requirements as described below.

Network, Wi-Fi Adapter

  • A USB Wi-Fi adapter
  • A USB Wi-Fi network adapter is required. This USB Wi-Fi network adapter gives the virtual machine direct access to the wireless network. Your internal Wi-Fi adapter will not meet this requirement. We recommend this one.

Additional Software Requirements

VMware Player Install

  • VMware Workstation Player 15, VMware Fusion 11, or VMware Workstation 15
  • Install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.