FalconForce - Detection Engineering for Windows

September 21st to 24th

Course Abstract

Building good analytics and automated detection capabilities requires a detailed understanding of attackers and their known or expected behavior. By understanding the different tools and techniques used by attackers and what indicators can be extracted, better detection capabilities can be developed. This process is called Detection Engineering, and it is crucial to being truly effective at discovering attackers in your network.

This instructor-led training focuses on the entire detection engineering cycle, guiding participants in defining a scope, researching the relevant (sub-)techniques, building the detection analytic, investigating which logs can be utilized, and validating the resilience of the analytic against evasion.

The training is highly interactive and balances theory with many hands-on exercises, so that students get used to the detection engineering methodology and are prepared to start implementing it at their organizations. Students are free to perform the hands-on exercises using either Splunk or Azure Sentinel. While the hands-on exercises focus predominantly on the endpoint, the methodology can be applied to any part of an infrastructure.


  • Introduction
  • MITRE Caveats
  • Detection engineering principles & theory
  • Information resources and using threat information
  • Understanding your data
  • Developing hypotheses
  • Researching technology and techniques
  • Detection techniques
  • Creating analytics
  • (Open source) tooling
  • Resilient detections
  • Detection improvement and validation

Who Should Attend

Aspiring detection engineers, SOC Analysts, Threat Hunters, Red Teamers. The methodology will enable anyone with a hands-on role in security to learn more and improve the security posture of a company.

What You Need

Students should be familiar with Windows and have basic PowerShell experience.

Furthermore, at least some experience with Splunk or Azure Sentinel and their respective query languages is required. To be able to connect to our lab environment, students should be able to use Microsoft RDP (Remote Desktop Protocol) via the Internet on port 3389 TCP.

What is available in the lab

  • Loads of Windows applications
  • PowerShell scripts
  • Splunk / Sentinel
  • Windows 10 Virtual Machine
  • Sysmon


Olaf Hartong Co-Founder & Defensive Specialist, FalconForce

Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects.

Olaf has presented at many industry conferences including Black Hat, DEF CON, DerbyCon, Splunk .conf, FIRST, MITRE ATT&CKcon, and various other conferences. Olaf is the author of various tools including ThreatHunting for Splunk, ATTACKdatamap and Sysmon-modular.

Gijs Hollestelle Co-Founder & Security Specialist, FalconForce

Gijs Hollestelle specializes in advanced offensive and defensive capabilities. Gijs spent the last 15 years working in various technical security roles related to ethical hacking, red teaming, cryptography, blue teaming and secure coding. Apart from solving technical challenges in the cyber security area, he also enjoys teaching others to do the same. He is also an avid CTF player, competing at the highest level with multiple CTF teams including Eindbazen and Hack.ERS.

Henri Hambartsumyan Co-Founder & Red Teamer, FalconForce

Henri Hambartsumyan is an experienced technical security professional, with 10 years of technical security experience. Henri started his career as a pentester and moved on to more advanced pentesting projects. Later he started executing "covert operations", which the industry later dubbed "red teaming". In recent years, Henri has performed countless red team operations, among which 4 TIBER exercises. Next to projects, Henri spent most of his off-time developing AV bypasses for future ops. Over the last year, Henri has taken an interest in blue teaming, especially in detecting more advanced tradecraft in a realistic way. Due to his in-depth understanding of the tradecraft, he currently develops detection rules for advanced attacks as part of the blog series FalconFriday and for clients. Next to this, he is still active in performing red teams.
