In-Depth Digital Threat Hunting & Purple Teaming

A live hands-on training focused on threat hunting and in-depth investigations. You will learn how real APT attacks work, analyze digital artifacts, perform live forensics, and automate this process across the enterprise.

Custom Engagement

Reserve your seat now and cancel for any reason for a 100% refund.*


November 2nd - 5th 11:00 AM – 06:00 PM GMT Timezone (4 days - total 24 hours).



Day 1

  • Introduction to APT Attacks & MITRE ATT&CK
    • What is an APT Attack?
    • ​What are the Attack Stages? And what's MITRE ATTACK?
    • APT attack lifecycle
    • ​Examples of real-world APT attacks
    • Red Team Tools & Frameworks (PowerSploit, Powershell EMPIRE, Cobalt Strike, Metasploit, Kali Linux)
  • Intro to Incident Response & Threat Hunting
    • The Incident Response Lifecycle
    • how attacks are being discovered (SOC, 3rd party & threat hunting)
    • Security Controls and types of logs in an organization
    • ​What's Threat hunting & why threat hunting?
    • ​Types of Threat hunting
    • ​The threat hunting process step by step
    • ​Intelligence-based Threat hunting
  • Building Your Threat Detection Lab
    • Intro to Log Analysis
    • Build Your honeypot Domain in the Cloud (AWS & Terraform)
    • Installing & Configuring ELK and Winlogbeat
    • Installing & Configuring Sysmon
    • Installing & Configuring OpenEDR
    • Hardening Your Windows machines
  • Initial Access & Log Analysis
    • Spearphishing Attacks with a malicious attachment
    • Spearphishing attacks with links
    • Spearphishing attacks using social media
    • Credential pharming
    • Detecting Spearphishing using EDR Logs
    • Advanced execution techniques
    • ​Analyze attacks using sysmon & Splunk
    • ​Analyze logs using sysmon & Elasticsearch

Day 2

  • Packet Analysis & Malware Exfiltration
    • Hunting the evil in packets
    • ​Detecting Malware Exfiltration methods
    • Detecting Downloaders, malicious documents, exploits, and others
    • Detecting IP Flux, DNS Flux, DNS over HTTPS
    • ​Malicious bits transfer, malware communicating through legitimate websites
    • ​Detecting peer-to-peer communication, Remote COM Objects, and unknown RDP Communications
    • Hands-on analysis using Wireshark & Microsoft Network Monitor
    • ​Hunting the evil in Zeek logs
    • ​Hands-on analysis using Zeek logs & Elasticsearch
  • Malware In-Depth & Malware Functionalities
    • Types of Malware
    • Malware Functionalities in-depth (APIs, Code Functionalities & Detection Techniques)
    • Malware Encryption & Obfuscation (packing, strings encryption, API encryption .. etc)
    • ​Strings and API Encryption & Obfuscation
    • Network communication Encryption & Obfuscation
    • Virtual machine & Malware analysis tools bypass techniques
    • Write your own YARA rule
  • In-Depth Investigation & Forensics
    • Why in-depth investigation?
    • Detecting malware persistence: Autoruns registry keys and options
    • Detecting malware persistence: Scheduled tasks and jobs
    • Detecting malware persistence: BITs jobs
    • ​Detecting malware persistence: Image File Execution Options & File Association
    • ​Detecting Malware & Malicious Documents Execution (Prefetch, MRU, Shims, Outlook Attachments)
    • $MFT structure and cavity searching
    • ​How to perform Live Forensics (Hands-on)

Day 3

  • Malware Defence Evasion Techniques
    • Process Injection (DLL & Shellcode Injection)
    • Advanced Process Injection (APC Queue Injection)
    • Advanced Injections: Using NTFS NxF Feature
    • Detecting Process injection using Sysmon logs
    • Detecting Process injection using Live Forensics
    • ​Use of legitimate applications for Applocker bypass
    • Disguise malware using COM Objects
    • Detecting & preventing the abuse of the legitimate applications
    • ​Sysmon & ​EDR Bypass Techniques
    • ​Detecting EDR bypass techniques with Live forensics
  • Memory Forensics
    • Intro to Memory Forensics & Volatility
    • ​Capture a full memory dump
    • Extract suspicious & hidden processes
    • Detecting memory injection, process hollowing & API hooking
    • ​Detect injected threads using call stack backtracing
    • ​Detect suspicious network communication & extract network packets
    • ​Detect malware persistence Functionalities using registry hives
    • ​Detect the initial access using Prefetch files & MFT extraction
    • ​Extract windows event logs from memory
    • ​Automate memory processing using python

Day 4

  • Malware Privilege Escalation Techniques
    • UAC bypasses using legitimate apps
    • ​UAC bypasses using COM objects
    • ​UAC bypasses using Shimming
    • ​Abusing Services for privilege escalation
    • ​​DLL Order Hijacking
    • ​Privilege escalation to SYSTEM
    • ​Best practices for detecting & preventing privilege escalation
    • ​Mac OSX & Linux privilege escalation
  • Incident Response In an Enterprise: Powershell Intro
    • Intro to Powershell
    • ​Powershell Remoting
    • Logon Types and Powershell vs. RDP
    • Collect & Analyze Malicious Artifacts using Kansa
    • Collect Minidumps using Powershell
    • ​Detect suspicious processes using Powershell
    • ​Automating Artifacts collection & analysis for threat intelligence
    • ​Convert your threat hunting hypothesis into an alert
    • ​Write your own SIGMA rules
  • Credential Theft Detection & Prevention
    • Detecting & Preventing Lsass Memory dump
    • Detecting & Preventing Token Impersonation
    • Find attack paths & weak links using Bloodhound
  • Credential Theft Detection & Prevention
    • Detecting NTLM Attacks with Windows Event Logs (Pass The Hash)
    • Detecting Kerberos Attacks with Windows Event Logs (Pass the ticket & Overpass the hash)
    • Preventing service accounts abuse & silver Tickets
    • ​Protecting Domain Admins with 3-Tier Model
    • ​Implementing Privileged Access Workstations (PAWs)
    • ​Implementing Credential Guard & Powered Use



With the rise of APT attacks and targeted ransomware attacks, there's a huge need for in-depth investigation & threat hunting skills to detect these attacks early on before the cost of the breach gets doubled every day.

In this training, you will learn how real APT attacks and targeted attacks work, how to perform in-depth investigation through collecting and analyzing digital artifacts, performing live forensics, memory forensics, and how to automate this process across the whole enterprise in Powershell.

You will also learn how to perform threat hunting based on the MITRE ATT&CK framework powered by threat intelligence, The Attackers' IoCs, tactics, techniques, and procedures.


This training is for:

  • Cyber Security Professionals
  • Penetration Testers
  • Purple Teamers & Threat Hunters
  • Incident Handlers
  • ​SOC Analysts

Who want to expand their skills in threat hunting, understand how real-world attacks look like, and better protect their organizations against APT Attacks, Targeted Ransomware attacks, and Fileless attacks.


  • Good IT administration background in Windows mainly (Linux is preferred)
  • Good cybersecurity background
  • Good programming skills in C++

Course Author

Amr is a vulnerability researcher at Tenable and a former malware researcher at Symantec. He is the author of Mastering Malware Analysis, published by Packt Publishing. He had worked on analyzing multiple nation-state-sponsored attacks, including the NSA malware families (Stuxnet & Regin), North Korea (Contopee), and many other highly advanced attacks.

Amr has spoken at top security conferences worldwide, including DEFCON and VB Conference. He was also featured in Christian Science Monitor for his work on Stuxnet.

Training Highlights

Cyberattacks are undoubtedly rising, targeting government, military, public, and private sectors. These cyber-attacks target individuals or organizations to extract valuable information, gain money through a ransom or damage their reputation. 43% of cyber attacks these organizations are facing are Advanced Malware, APT Attacks, or zero-day attacks.

With adversaries getting sophisticated, the best way to test enterprise security operations & defenses against them is through simulating their attacks, leveraging the same tactics, techniques, and procedures (TTP).

This intensive live training will take you on a journey into the attacker mindset. We will be covering how real APT Attacks ransomware attacks attack and bypasses the organization's defenses and detection systems. We will detect, investigate and hunt these attacks through live and digital forensic artifacts. You will as well build a threat hunting process to detect these attacks later on and proactively protect your organization against current threats.

System Requirements

  • Laptop with minimum 8GB RAM and 60GB free hard disk space.
  • ​You can use VirtualBox or other virtualization software. However, the training will be delivered based on VMware Workstation (you can use the trial version). 
  • ​Delegates must have full administrator access for the Windows operating system installed inside the VMware Workstation/Fusion.
  • ​Delegates have Microsoft Visual Studio or GNU C++ Compiler installed on their machine and their preferred Code Editor (Visual Studio or VS Code are preferred)
Note: VMware player is not suitable for this training.

Group Discounts:

  • A discount of $150 per training applies to organizations registering 2-4 seats.
  • A discount of $200 per training applies to organizations registering 5 or more seats.

Cancellation Policy:

Full refunds will be provided up to 14 days before the course start date. Course changes are allowed up to 10 days before the event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.

Note: In the event of a class cancellation CyberDefenders will endeavor to offer transfer to another training at no additional charge.