
SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses

SEC599 (Offensive Operations)
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course authored by:
Erik Van Buggenhout & Stephen Sims
  • GIAC Defending Advanced Threats (GDAT)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 25 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Learn advanced defensive techniques through hands-on labs and real-world scenarios to effectively prevent, detect, and respond to sophisticated cyber-attacks through a purple team strategy.

Course Overview

SEC599 is an intensive, hands-on course designed to equip security professionals with practical skills for defending against advanced cyber threats. Through more than 20 hands-on labs and a culminating full-day Defend-the-Flag exercise, students learn how to implement effective security controls across the entire attack chain. The course combines real-world attack analysis, adversary emulation, and defensive strategy implementation using industry-standard frameworks like MITRE ATT&CK and Cyber Kill Chain.

From building custom sandboxes to detecting lateral movement and preventing command and control communications, students gain practical experience with modern security tools and techniques. The course emphasizes both prevention and detection, ensuring professionals can both stop attacks and quickly identify when defenses have been breached. It also prepares students for the GDAT certification, validating their expertise in purple team tactics and advanced adversary defense.

What You’ll Learn

  • Leverage MITRE ATT&CK for threat-informed defense
  • Deploy custom security controls and sandboxing
  • Implement advanced Windows hardening and detection
  • Build logging and monitoring with Elastic and Sysmon
  • Design threat detection using intel and traffic analysis
  • Practice purple teaming with real-world attack scenarios

Business Takeaways

  • Faster threat detection and response
  • Stronger red and blue team collaboration
  • Defense based on real attacker behaviors
  • Better use of existing security tools
  • Clear metrics for measuring improvements

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses.

Section 1: Introduction and Attack Surface Management

Begin your journey with real-world attack analysis and hands-on experience compromising the SYNCTECHLABS virtual environment. Learn to leverage the Cyber Kill Chain and MITRE ATT&CK framework while understanding purple team methodologies and essential defensive tools.

Topics covered

  • Course objectives and lab environment setup
  • Analysis of current cyber-attack landscapes
  • Extended Kill Chain methodology
  • Purple team concepts and implementation
  • MITRE ATT&CK framework integration

Labs

  • One click is all it takes... Initial compromise simulation
  • Hardening our domain using SCT and STIG
  • Kibana, ATT&CK Navigator
  • Atomic TTP testing using Caldera
  • Attack Surface Mapping with BBOT

Section 2: Payload Delivery and Execution

Explore attacker techniques for payload delivery and execution, focusing on prevention and detection methods. Learn to implement controls against malicious executables and scripts, while gaining hands-on experience with YARA for payload description and SIGMA for use-case documentation.

Topics covered

  • Common delivery mechanism analysis
  • Payload delivery prevention strategies
  • Network and removable media controls
  • Mail security and web proxy implementation

Labs

  • Stopping NTLMv2 Sniffing and Relay Attacks in Windows
  • Blocking Typical Phishing Payload Execution
  • Restricting Binary/PowerShell Execution
  • Detection with Sysmon and SIGMA

Section 3: Exploitation, Persistence, and Command and Control

Learn to integrate security into the software development lifecycle while implementing effective exploit mitigation techniques. Focus on both compile-time and run-time protections, persistence detection strategies, and command and control channel identification.

Topics covered

  • Software development lifecycle security integration
  • Patch management strategies
  • Exploit mitigation techniques
  • Persistence strategy analysis

Labs

  • Exploit Mitigation Using Compile-Time Controls
  • Exploit Mitigation Using Exploit Guard
  • Catching Persistence Using Autoruns and Osquery
  • Detecting C2 Channels

Section 4: Lateral Movement

Focus on defending against lateral movement. Examine credential protection, Windows privilege escalation, and various attack strategies while implementing effective detection and deception techniques.

Topics covered

  • Active Directory and Entra ID security fundamentals
  • Principle of Least Privilege and UAC
  • Privilege escalation prevention
  • Credential theft protection
  • Attack path mapping using BloodHound

Labs

  • Mapping Attack Paths Using BloodHound
  • Implementing LAPS
  • Local Windows Privilege Escalation Techniques
  • Hardening Windows against Credential Compromise
  • Kerberos Attack Strategies

Section 5: Action on Objectives, Threat Hunting, and Incident Response

Address final attack stages including domain dominance prevention and data exfiltration detection. Learn to leverage threat intelligence effectively and perform incident response, with hands-on practice using advanced forensics tools.

Topics covered

  • Domain dominance prevention strategies
  • Data exfiltration detection methods
  • Threat intelligence implementation
  • Proactive threat hunting
  • Incident response procedures

Labs

  • Domain Dominance
  • Defending against Ransomware
  • Leveraging Threat Intelligence with MISP and Thor Lite
  • Hunting Your Environment Using Velociraptor
  • Finding Malware Using MemProcFS

Section 6: Capture-The-Flag Challenge

Apply your newly acquired skills in a comprehensive, team-based Capture-The-Flag competition. Your environment is under attack, and it’s up to you to identify how the attackers got in and what they have been doing since they obtained access.

Topics covered

  • Practical exercises based on real-world cases
  • Analyze identified malware
  • Perform network analysis to identify intrusions
  • Examine memory captures to identify artefacts
  • Find potential attack paths in your environment

Things You Need To Know

Relevant Job Roles

Cyber Threat Intelligence Specialist

European Cybersecurity Skills Framework

Collect, process, analyse data and information to produce actionable intelligence reports and disseminate them to target stakeholders.


Threat Management

SCyWF: Protection And Defense

This role collects and analyzes information about threats, searches for undetected threats and provides actionable insights to support cybersecurity decision-making. Find the SANS courses that map to the Threat Management SCyWF Work Role.


Purple Teamer

Offensive Operations

In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-to-day activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against those techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.


Cyber Operations Planner (DCWF 332)

DoD 8140: Cyber Effects

Coordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.


Red Teamer

Offensive Operations

In this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.


