
You are The Ocean

Do not forget to send blessings upon the Messenger of God.

ECTHP

As a first step toward going deeper into threat hunting, I would recommend studying this course (eLearnSecurity Certified Threat Hunting Professional). It is a good course because it covers the important topics; the labs and the way the material is explained are not great, but the topics themselves are worth your time. In the "how to study" part I discuss how to get the most out of this course, or of any other topic.

MITRE ATT&CK

MITRE ATT&CK is a great resource for both blue and red teamers, especially once you take a technique name from ECTHP and look it up there.

Refer to MITRE ATT&CK for further information on each technique. If the ATT&CK entry is confusing, any SANS book will do as a second source. Start by understanding the underlying concept the attacker is abusing. Then search for the concept itself, learn how an attacker can use it, and search for current variations of the attack. As a blue teamer, develop your own rules and methods to detect the technique, and compare them against the published detection logic from Red Canary, Splunk, and Elastic for further insight.
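To make the "develop your own rules" step concrete, here is an added example (not from the page, the course, or any of the vendors named above) of the smallest useful shape a detection rule takes: each rule is tagged with the ATT&CK technique ID it covers, applies to one Sysmon event type, and is run over a handful of constructed Sysmon-style events. The technique IDs (T1059.001, T1003.001, T1569.002) are real ATT&CK IDs; the rule logic, field names and sample events are illustrative assumptions, not anyone's production content.

```python
"""Toy ATT&CK-mapped detection pass over constructed Sysmon-style events.

Added example. Technique IDs are real ATT&CK IDs; the matching logic,
field names and sample events below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Rule:
    name: str
    technique: str                  # ATT&CK technique ID this rule maps to
    event_id: int                   # Sysmon event ID the rule is evaluated against
    match: Callable[[dict], bool]   # predicate over one event record


def lower(value) -> str:
    """Case-fold a field that may be missing (Sysmon paths are case-insensitive)."""
    return (value or "").lower()


# Assumed rules; thresholds and exclusions are deliberately coarse.
RULES: List[Rule] = [
    # Event 1 = process creation: PowerShell launched with an encoded command.
    Rule("Encoded PowerShell command line", "T1059.001", 1,
         lambda e: lower(e.get("Image")).endswith("powershell.exe")
         and any(flag in lower(e.get("CommandLine")) for flag in ("-enc", " -e "))),
    # Event 10 = process access: something outside System32 opens lsass.exe.
    Rule("LSASS memory access from non-system binary", "T1003.001", 10,
         lambda e: lower(e.get("TargetImage")).endswith("lsass.exe")
         and not lower(e.get("SourceImage")).startswith("c:\\windows\\system32\\")),
    # Event 1 again: services.exe spawning the PsExec service binary.
    Rule("PsExec service binary started by services.exe", "T1569.002", 1,
         lambda e: lower(e.get("ParentImage")).endswith("services.exe")
         and lower(e.get("Image")).endswith("psexesvc.exe")),
]

# Constructed sample events (not real telemetry). Two are benign on purpose.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},          # benign
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},  # benign
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
]


def evaluate(events: List[dict], rules: List[Rule] = RULES) -> List[dict]:
    """Return one hit per (event, rule) pair where the rule's event type and predicate match."""
    hits = []
    for index, event in enumerate(events):
        for rule in rules:
            if rule.event_id == event.get("EventID") and rule.match(event):
                hits.append({"event_index": index, "rule": rule.name, "technique": rule.technique})
    return hits


def techniques_seen(events: List[dict], rules: List[Rule] = RULES) -> List[str]:
    """Sorted, de-duplicated list of ATT&CK technique IDs that fired over the events."""
    return sorted({hit["technique"] for hit in evaluate(events, rules)})


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"event {hit['event_index']}: {hit['technique']} - {hit['rule']}")
    print("techniques:", techniques_seen(SAMPLE_EVENTS))
```

Running it fires three hits (the two benign events are skipped) and maps them to three technique IDs. The point of tagging every rule with a technique ID is that you can then line up your own coverage against the ATT&CK matrix and against the vendor detection logic mentioned above, technique by technique, and see where you have nothing. The LSASS rule's "anything under System32 is fine" exclusion is the kind of shortcut you should expect an attacker to abuse; in practice it is tightened with the GrantedAccess mask and a signed-binary check rather than a path prefix.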

SANS SEC555: SIEM with Tactical Analytics

For those interested in becoming a detection engineer, this course is the first step. You will learn how to:

  • Use log data to establish security control effectiveness

  • Quickly detect and respond to the adversary

  • Simplify the handling and filtering of the large amount of data generated by both servers and workstations

  • Develop baselines of network activity based on users and devices

  • Develop baselines of Windows systems, with the ability to detect changes from the baseline

  • Apply multiple forms of analysis, such as long-tail analysis, to find abnormalities

OSEP

Don't panic. As a blue teamer, the more you learn about red teaming, the better you become. This course covers topics such as AV/EDR evasion, Linux post-exploitation, application whitelisting bypasses, advanced Active Directory exploitation, kiosk breakouts, and more. To become a better blue teamer it is essential to understand the other side: writing a detection for something you don't understand is pointless.

SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses

SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries.

Sections two through five cover how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. The topics addressed include:

  • Leveraging MITRE ATT&CK as a "common language" in the organization

  • Building your own Cuckoo sandbox solution to analyze payloads

  • Developing effective group policies to control script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)

  • Highlighting key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)

  • Stopping 0-day exploits using Exploit Guard and application whitelisting

  • Highlighting key bypass strategies in application whitelisting (focus on AppLocker)

  • Detecting and preventing malware persistence

  • Leveraging the Elastic stack as a central log analysis solution

  • Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies

  • Blocking and detecting command and control through network traffic analysis

  • Leveraging threat intelligence to improve your security posture
