Two Days Left to Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or vLive Training!

Brussels October 2018

Brussels, Belgium | Mon, Oct 8 - Sat, Oct 13, 2018
This event is over,
but there are more training opportunities.

SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses Waitlist

Mon, October 8 - Sat, October 13, 2018

Interesting insight into Exploit Guard that will certainly drive great conversation at work. Best labs of the 10+ Iíve taken before.

Jeremiah Hainly, The Hershey Company

This course is well balanced and a great means to educate blue teamers of offensive capabilities.

Mohammed Hleihel, Mary Kay Inc.

You just got hired to help our virtual organization "SyncTechLabs" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service...We're not even sure where to start!"

Cyber threats are on the rise: ransomware is affecting small, medium and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will provide an in-depth understanding of how current adversaries operate and arm you with the knowledge and expertise you need to detect and respond to today's threats.

SEC599 aims to leverage the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.

Course authors Erik Van Buggenhout & Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have achieved a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked "But how do I prevent this type of attack?" With more than 20 labs plus a full-day "Defend-The-Flag" exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real world examples of how to prevent attacks.


Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization "SyncTechLabs" in our Day 1 exercises.

Throughout days 2 through 5 we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:

  • How red and blue teams can improve collaboration, forming a true purple team;
  • How current advanced adversaries are breaching our defenses;
  • Security controls structured around the Kill Chain, including:
    • Setting up a fundamental detection capability using ELK, OSQuery, and Suricata
    • Building your own mail sandbox solution to stop spear phishing using Suricata and Cuckoo
    • Leveraging YARA rules to detect malicious payloads on disk and in memory
    • Developing effective group policies to stop malicious code execution and implement script control (AppLocker, Software Restriction Policies, Script hardening, etc.)
    • Stopping 0-day exploits using exploit mitigation techniques (leveraging EMET and ExploitGuard)
    • Preventing malware persistence using least-privilege (UAC, Just-Enough-Admin, privileged account management, etc.)
    • Detecting malware persistence using OSQuery
    • Preventing lateral movement by hardening Windows Active Directory environments (e.g. CredentialGuard, Privileged Access Workstations, Protected Processes, etc.)
    • Detecting lateral movement through Sysmon and Windows event monitoring
    • Blocking and detecting command and control through network traffic analysis
    • Managing, sharing and operationalizing threat intelligence using MISP
    • Hunting for compromise in the network by leveraging Loki

In designing the course and its exercises, the authors went the extra mile to ensure that attendees "build" something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.

SEC599 will finish with a bang. During the "Defend-the-Flag" challenge on the final course day you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?


Course Syllabus

Erik Van Buggenhout
Mon Oct 8th, 2018
9:00 AM - 5:00 PM


Our six-day journey will start with an introduction on the purple team concept. What is it all about? Should you form another dedicated cyber security team? We will focus on how red and blue teams can be encouraged to form a strong feedback loop for maximum effect.

We will explain how recent attacks operate through in-depth case studies and introduce the APT attack cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization "SyncTechLabs" during the day's exercises.

Once we understand how adversaries are operating, we will flip over to the blue side and explain how defenders can better understand their own environments, set up a fundamental detection capability, and understand their own "soft spots."

  • One click is all it takes - You will compromise our virtual organization through a series of offensive tasks to mimic that of an adversary or red team, including gaining an initial foothold, performing lateral movement, and maintaining persistence, all while remaining stealthy
  • Fundamental logging using Suricata, OSQuery & ELK - You will learn how a fundamental logging infrastructure can be set up using Suricata for network monitoring, OSQuery for endpoint visibility, and the ELK stack for central log storage, parsing, indexing, and visualization
  • Vulnerability scanning with Nessus - You will learn how to obtain a good understanding of your current cyber security posture by executing authenticated vulnerability scans/configuration reviews using Nessus

CPE/CMU Credits: 6

  • Course outline and lab setup
    • Introducing the purple team
    • Course lab environment
  • Current threat/attack landscape
    • What is happening out there?
  • Introducing the APT attack cycle
    • Recent case studies in-depth
    • Exercise: One click is all it takes
  • A defensible architecture and environment
    • A fundamental detection capability
    • The ELK stack as a central log repository
    • Essential tools for network and endpoint visibility
    • Exercise: Fundamental logging using Suricata, OSQuery, and ELK
  • Preparation - Knowing yourself
    • Understanding your own environment
    • Exercise: Vulnerability scanning with Nessus

Erik Van Buggenhout
Tue Oct 9th, 2018
9:00 AM - 5:00 PM


Day 2 will cover how attackers take their first steps. How do they deliver their initial payload and what can defenders do about it? We will cover the most frequently used payload delivery mechanisms:

  • Delivery through (spear-)phishing
  • Delivery through removable media
  • Delivery through the network (e.g., Server Message Block relays, Responder, etc.)
  • Delivery through HTTP or HTTPS

As always, students will first learn how the adversaries are operating by simulating the attacks in our lab environment, after which they will implement security controls to prevent and detect these attacks. The courseware will cover technical controls, but will also touch upon "soft topics" such as security awareness.

  • Detecting and stopping Server Message Block (SMB) relay attacks in Windows - You will learn some of the most well-known network-based attacks against Windows environments: NTLMv2 challenge/response sniffing and SMB relaying (commonly abused by the well-known Responder tool). Upon illustrating the attacks, we will harden our environments to stop and detect this type of activity
  • Building and sandbox using Suricata, Cuckoo, and YARA - You will learn how a malware detonation system like Cuckoo works and how YARA rules can be crafted to increase malware detection rates
  • Deploying proxy controls with PfSense and ClamAV - You will learn how effective security controls can be implemented at the web proxy level that can help stop delivery of payloads through HTTP(S)
  • Hardening browsers using ADMX - You will learn how effective ADMX templates can be crafted to harden browsers in the enterprise
  • Detecting exploit kit activity using ELK - You will learn a number of effective techniques to detect exploit kit activity at proxy level, based on HTTP(S) logs

CPE/CMU Credits: 6

  • End-user security awareness
  • Stopping delivery through removable media
  • Stopping delivery through the network
    • Introducing Network Access Control & 802.1X
    • Segmenting the environment using VLANs
    • Responder and SMB relaying demystified
    • Exercise: Detecting & stopping SMB relay attacks in Windows
  • Stopping delivery through e-mail
    • Common e-mail security controls
    • Exercise: Building a Sandbox using Suricata, Cuckoo, and YARA
  • Stopping delivery through HTTP(S)
    • Proxy web security controls
    • Exercise: Deploying proxy controls with PfSense and ClamAV
    • Web browser hardening
    • Exercise: Hardening browsers using ADMX
    • Exercise: Detecting exploit kit activity using ELK

Erik Van Buggenhout
Wed Oct 10th, 2018
9:00 AM - 5:00 PM


On Day 3 we will explain how exploitation can be prevented. Attendees will gain an in-depth understanding of current exploitation tactics. We will introduce effective security controls to stop exploitation attempts dead in their tracks. Discussions will include:

  • Operating system hardening
  • Payload execution control (including application whitelisting and script control)
  • Securing applications from the ground up by doing threat modeling and implementing compile-time controls
  • Securing vulnerable applications by implementing exploit mitigating techniques

  • Hardening our Active Directory (AD) environment using Security Content Automation Protocol - You will learn how our overall AD environment can be hardened according to commonly used best practices. In order to do this enterprise-wide, we will rely on group policies
  • Configuring Applocker - You will learn how AppLocker can be effectively deployed to prevent successful execution of delivered payloads
  • Controlling script execution - You will learn how Windows AD environments can be hardened to prevent script execution, thereby restricting Powershell, Jscript, and VBScript execution
  • Detecting payload execution using Sysmon - You will learn how payload execution can be detected by leveraging Sysmon
  • Exploit mitigation using compile-time controls - You will learn how stack canaries can be implemented at compile-time in order to defeat typical buffer overflow exploits.
  • Exploit mitigation using EMET - You will deploy EMET to protect vulnerable applications from being exploited

CPE/CMU Credits: 6

  • Operating System (OS) hardening
    • Effective OS hardening using templates
    • Exercise: Hardening our AD environment using SCAP
  • Preventing execution of payloads
    • Application whitelisting to stop payload execution
    • Exercise: Configuring AppLocker
    • Controlling script execution in the enterprise
    • Exercise: Controlling script execution
    • Leveraging Sysmon to detect payload execution
    • Exercise: Detecting payload execution using Sysmon
  • Securing applications
    • Software Development Lifecycle (SDL) and threat modeling
    • Patch management
    • Exploit mitigation techniques
    • Exercise: Exploit mitigation using compile-time controls
    • Exploit mitigation techniques - Exploit Guard, EMET, and others
    • Exercise: Exploit mitigation using EMET

Erik Van Buggenhout
Thu Oct 11th, 2018
9:00 AM - 5:00 PM


On Day 4 we will continue our journey in the Kill Chain, with a key focus on how malicious adversary persistence can be avoided, how command and control channels can be detected, and how lateral movement can be stopped. Topics to be discussed include:

  • Principle of least privilege to prevent malware persistence
  • Detecting malware persistence in user land
  • Network monitoring to detect command and control
  • Hardening Windows to prevent lateral movement
  • Analyzing Windows event logs to detect ongoing lateral movement
  • Catching persistence using AutoRuns and OSQuery - You will learn how malware persistence can be detected by leveraging AutoRuns and OSQuery
  • Local Windows privilege escalation techniques - You will learn what typical Windows privilege escalation issues are and how you can mitigate them
  • Detecting command and control channels using Bro - You will learn how command and control channels can be detected using Bro as a Network Security Monitoring solution and for entropy analysis of domain names and URLs
  • Hardening Windows to stop lateral movement - You will learn essential hardening strategies aimed at preventing lateral movement in your AD environment. The key focus area is to prevent adversaries from stealing administrative credentials
  • Detecting lateral movement using Windows event logs - You will learn how lateral movement activity in your organization can be detected by analyzing Windows event logs

CPE/CMU Credits: 6

  • Avoiding installation
    • Typical persistence strategies
    • Exercise: Catching persistence using AutoRuns and OSQuery
    • Principle of least privilege and user access control
    • Exercise: Local Windows privilege escalation techniques
  • Foiling command and control
    • Common command and control channels
    • Suricata, Bro, and for traffic analysis
    • Exercise: Detecting command and control channels using Bro and
  • Thwarting lateral movement
    • Introducing common lateral movement strategies
    • Active Directory architecture and attacks
    • Active Directory hardening and segmentation
    • Exercise: Hardening Windows to stop lateral movement
    • Detecting lateral movement using Windows event logs
    • Exercise: Detecting lateral movement using Windows event logs

Erik Van Buggenhout
Fri Oct 12th, 2018
9:00 AM - 5:00 PM


Day 5 focuses on stopping the adversary during the final stages of the attack:

  • How can data exfiltration be detected and stopped?
  • How can cyber deception be used to slow and stop advanced adversaries?
  • How can threat intelligence aid defenders in the APT attack cycle?
  • How can defenders perform effective incident response?

As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.

  • Detecting data exfiltration using Suricata and flow information - You will learn how data exfiltration typically takes place and how we can detect it using IDS rules and volume detection
  • Making your honeypot irresistibly sweet - You will learn how honeypots and canaries can be set up/planted in order to trick, detect, and ultimately defeat adversaries
  • Hunting your environment using OSQuery - You will learn how routine data collection can be configured using OSQuery, after which baseline analysis and threat hunting can be performed
  • Leveraging threat intelligence with MISP and Loki

CPE/CMU Credits: 6

  • Data exfiltration
    • Typical data exfiltration strategies
    • Exercise: Detecting data exfiltration using Suricata
  • Cyber deception strategies
    • Tricking the adversary
    • Exercise: Making your honeypot irresistibly sweet
  • Patrolling your network
    • Proactive threat hunting strategies
    • Exercise: Hunting your environment using OSQuery
  • Leveraging threat intelligence
    • Defining threat intelligence
    • Exercise: Leveraging threat intelligence with MISP and Loki
  • Incident response
    • Incident response process
    • Exercise: Extracting a malware sample from Volatility
    • Exercise: Generating YARA rules using YarGen

Erik Van Buggenhout
Sat Oct 13th, 2018
9:00 AM - 5:00 PM


The course culminates in a team-based Defend-the-Flag competition. Day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber security controls studied all week long. This challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.

CPE/CMU Credits: 6

  • Applying previously covered security controls in-depth
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and control
  • Action on objectives

Additional Information

As the course leverages the SANS OnDemand platform, the labs will be browser-based. The following are key requirements for optimal lab experience:

Operating System

Students must bring a laptop to class running any of the following OS families:

  • Windows 7, 8.1 or 10
  • MacOS Mavericks, Yosemite, El Capitan, or Sierra
  • Linux-based distributions could work, but this will depend on your exact distribution
  • For troubleshooting reasons, please ensure you have local administrator privileges to your laptop


An up-to-date version of the following browser families is supported:

  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox


  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 4 GB RAM minimum with 8 GB or higher recommended
  • A wireless network adapter
  • 10 GB available hard-drive space

During the course, you will be connecting to a network filled with security experts! As a best practice, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during the course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Security architects
  • Security engineers
  • Technical security managers
  • Security Operations Center analysts, engineers, and managers
  • Penetration testers who want to better understand how defensive controls work
  • IT administrators
  • Individuals looking to better understand how persistent cyber adversaries operate and how the IT environment can be improved to better prevent, detect, and respond to incidents
  • Experience with Linux and Windows from the command line
  • Familiarity with Windows Active Directory concepts
  • A solid understanding of TCP/IP and networking concepts
  • MP3 audio files of the complete course lecture
  • 32GB USB 3.0 stick that includes the key solutions built through the course:
    • A mail sandbox solution
    • An open-source IDS/IPS system
    • An ELK stack for data visualization and dashboarding
    • An open-source firewall with built-in web proxy capabilities

SEC599 leverages the SANS OnDemand platform, where attendees will be able to complete more than 20 labs in the course using a full-fledged browser environment. This eliminates possible issues with hardware and software compatibility by spooling up a "per-instance" virtual environment for each exercise mimicking that of a real-world production environment. Each student will be sandboxed into a unique instance providing domain isolation and preventing other students from impacting the student's environment.

Authors' Statements

"After writing and teaching many advanced penetration testing and exploit development courses over the past 10 years I started to see a trend developing. Often, over half of the students in each class were not actually penetration testers or those who would be writing 0-days. In fact, they most often work in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they can better defend their networks. This led to our idea to write a course that focused on teaching just enough of the offense to demonstrate the impact, and then focus the majority of the time on implementing controls to break the techniques used by adversaries and red team testers."

- Stephen Sims

"During my InfoSec career, I first focused on penetration testing for five years, then shifted my focus more and more to the world of incident response. It is during my incident response activities that I started observing the need for a structured approach to cyber defense. Single, stand-alone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have a defense-in-depth approach that enables us to implement security controls that counter each and every one of adversaries' attacking moves."

"SEC599 arms defenders with an in-depth understanding of how advanced adversaries are attempting to penetrate organizations. The APT attack cycle will provide in-depth technical insight into how attacks work from start to finish."

"Both Stephen Sims and I have extensive experience in penetration testing and incident response, which ideally positioned us to develop this course. I'm very excited about the course because I believe it fills a gap in the cyber defense curriculum. It is ideal for IT professionals who want to understand how adversaries are currently compromising IT environments and how every one of their moves can be prevented, detected, and even responded to. I strongly believe in learning by applying, so the course was designed to be highly hands-on. Throughout the week, students will complete 20+ labs and exercises, culminating in a full-day 'Defend-the-Flag' exercise on Day 6."

- Erik Van Buggenhout