SpecterOps - Adversary Tactics: Detection (on-site & remote)

May 12, 13, 14 and 15 2024

Course Overview

Adversary Tactics: Detection builds on standard network defense and incident response (which often focuses on alerting for known malware signatures) by focusing on abnormal behaviors and the use of adversary Tactics, Techniques, and Procedures (TTPs). We will teach you how to engineer detections based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will learn to use free or open-source data collection and analysis tools, such as Sysmon, Windows Event Logs, and ELK, to analyze large amounts of host information and build detections for malicious activity. You will use the techniques and toolsets you learn to create threat hunting hypotheses and build robust detections in a simulated enterprise network undergoing active compromise from various types of threat actors.


Day 1:

  • Threat Hunting Introduction
  • MITRE ATT&CK and Adversary TTPs
  • Interpreting Threat Intelligence
  • Data Source Identification
  • Configure Test Environment
  • Implement Attacker Technique

Day 2:

  • Data Modeling
  • Data Quality Assessment
  • Detection Engineering Methodology
  • Threat Hunting Campaign Types

Day 3:

  • Develop Detections
  • Alerting & Detection Strategies
  • Hypothesis Generation (based on Threat Intel Report)

Day 4:

  • Threat Hunting Engagement
  • Detection Development
  • Detection Presentation & Peer Review

Who Should Take This Course

This class is intended for security analysts and blue teamers wanting to learn how to effectively hunt in enterprise networks. This course offers benefits to participants of most levels of security operations experience, from SOC analysts to experienced security defenders. Those with a strong technical background will have opportunity for a deep dive into key concepts and labs. Participants in less technically focused positions will be exposed to a robust threat hunting concepts that provide the building blocks to create highly effective detection strategies.

Participants Requirements

Participants should have previous network defense/incident response experience and/or knowledge of offensive tools and techniques, primarily post-exploitation techniques. Additionally, familiarity with using a SIEM, such as ELK or Splunk, will be helpful.

What Participants Should Bring

Participants will need a laptop with a modern web browser. All labs are completed through a training portal that contains a range with simulated enterprise networks under attack and defensive workstations from which participants will operate.

There are no local virtual machines or special software required to fully participate in the course or labs.

Participants Receive

During the course, participants will be provided access to a comprehensive range to perform course labs and goals.

Upon completion of the course, participants are provided with a copy of course slides and a certificate of completion.


SpecterOps was founded with the belief that only with true knowledge of how adversaries operate, will organizations be able to defend themselves against the devastating effects of modern attacks.

SpecterOps ,

Specific instructors will be determined soon. The SpecterOps team consists of sought-after experts, who bring years of breach assessment (hunt), red team, blue team and purple team experience from both commercial and government sectors.

Return to training sessions