Masterclass: Red Team – Blue Team Operations

This is a deep dive course on Red Team – Blue Team Operations covering the cyber kill chain: reconnaissance, attack planning and delivery, system exploitation, privilege escalation and lateral movement, anomaly detection, discovery of industry attacks and threats, understanding what a compromised system or solution looks like, defining the indicators of an attack, and incident handling.

Private course inquiry

  • This course is arranged individually on request only, at a time of your choosing. Contact corporate sales by calling 042 42 2121 or by using the form below:

Deep dive on Red Team – Blue Team Operations

On completion of this course you will be able to:
1. Analyze emerging trends in attacks
2. Identify areas of vulnerability within your organization
3. Prepare a risk assessment for your organization
4. Report and recommend countermeasures
5. Develop a threat management plan for your organization
6. Organize Red Team – Blue Team exercises


Prerequisites

To attend this training, you should have a good understanding of basic security concepts as well as good hands-on experience working with Windows and Linux infrastructure (as an administrator or developer). At least 5 years in the field is recommended.

Target audience

Red team and blue team members, enterprise administrators, infrastructure architects, security professionals, systems engineers, network administrators, IT professionals, security consultants and other people responsible for implementing network and perimeter security.

Materials

Author’s unique tools, presentation slides with notes.


Agenda

Module 1: Identifying Areas of Vulnerability

This part introduces the new cybersecurity challenges and trends, emphasizing data security and integration through and into the cloud, and the challenge of coordinating cloud and on-premise security solutions. Security is a business enabler, and it is only when it is viewed from a business perspective that we can truly make the right decisions. You will learn how to define the assets of your company that need to be protected or restricted. You will know how to find obvious and not so obvious sensitive information that can be monetized by adversaries. With that scope defined and your resources known, you will know where the biggest gaps in your security posture are.

1. Defining the assets which your company needs to protect
2. Defining the other sensitive information that needs to be protected

Module 2: Modern Attack Techniques
In a world where most things happen online, attackers have wider opportunities to gain unauthorized access to information such as credit card details, email account details, and other personal information. So, every red teamer and blue teamer should know the modern hacking techniques that are commonly used to obtain personal information without authorization.

1. OS platform threats and attacks
2. Web based threats and attacks
3. E-mail threats and attacks
4. Physical access threats and attacks
5. Social threats and attacks
6. Wireless threats and attacks

Module 3: Reconnaissance
The term Cyber Kill Chain defines the steps used by cyber attackers in today’s cyber-based attacks. Reconnaissance is the first phase, during which the attacker gathers information on the target before the actual attack starts. Data gathering is an essential skill of every red teamer. From the blue teamer's perspective, it is crucial to understand what kind of information is publicly available and to learn how to protect that information.

1. Open Source Intelligence (OSINT)
2. Google hacking
3. Social Media presence
4. DNS
5. Shodan
6. Physical reconnaissance
7. Port scanning
8. Service discovery
9. SIEM
10. Intrusion Prevention Systems

Module 4: Weaponization
After successful data gathering, an advanced attacker will prepare dedicated tools and attack scenarios to increase the chances of a successful attack. For example, a known vulnerability in an identified product could be exploited in order to execute remote code or spawn a remote shell into the internal network.

1. Generating malicious payload
2. Hiding malicious content in Office Suite documents
3. Reverse shells
4. Metasploit
5. Empire
6. AV evasion techniques

Module 5: Delivery
Without a remote code execution vulnerability, even the most sophisticated payload still needs to be delivered to the victim. There are plenty of ways to achieve that, so the blue team needs to ensure that payloads are detected and blocked at an early stage.

1. Building phishing campaign
2. Planting malicious device
3. Attacks on 3rd parties
4. Enabling phishing protection
5. O365 / Safe links
6. Smart Screen
7. Secure proxy
8. Sinkholing
9. APT campaigns

Module 6: Exploitation and Installation
After successful delivery, malicious code exploits a vulnerability to execute code on the victim’s system. There are many mechanisms that, if properly configured, significantly reduce the scope of an attack.

1. Types of vulnerabilities
2. Establishing foothold
3. Stage-less and staged payloads / C&C
4. Anti-Virus
5. Firewall
6. Application Whitelisting
7. WDAC
8. Living Off the Land Binaries
9. Exploit Guard
10. AMSI

Module 7: Privilege escalation
A successful exploitation attack often results in code execution with limited privileges. Both red teamers and blue teamers should be familiar with the common techniques and misconfigurations that allow privilege escalation.

1. Privileged accounts
2. System services security
3. Common misconfigurations
4. Security tokens
5. Just Enough Administration
6. Patch maintenance

Module 8: Lateral movement
The next step after gaining admin privileges on a single host is lateral movement, which gives access to additional resources within the company. Before a red teamer can reach a Domain Controller or other critical servers, the blue team can implement numerous protections against that threat.

1. Credential harvesting
2. Mimikatz
3. Network reconnaissance
4. Building network map
5. Responder
6. Pass-the-hash
7. Pass-the-ticket
8. Credential Guard
9. LAPS
10. GPO policies
11. Windows ATA
12. Defender ATP

Module 9: Persistency
Even after an attack is stopped and contained, the attacker will want to ensure persistence and the possibility of returning to the compromised host. Blue

1. Sleeping agents
2. Piggybacking on network packets
3. Rootkits
4. Sysinternals
5. Searching for rogue servers
6. Looking for network anomalies

Module 10: Cyber-Competition for Red Team & Blue Team (Capture the Flag!)

Students will be divided into two groups – both will have a mix of Red Team and Blue Team people. Both groups will get their own small set of machines to work with. The machines will serve various purposes – some of them will have services configured, such as WWW, DNS or SMB, and some of them will have hidden secrets or be part of a complex system.

Teams will use the CTFd platform to get the description of the challenges and to submit the flags they have recovered. Flags will be worth different amounts of points, depending on the complexity of the task. Tasks will be related to the knowledge that students acquired during the course, but will not be restricted to that. Hunting for flags is part of the course, and students will learn new things while working on the challenges! If teams are stuck on some challenge, they will have the option to spend already scored points to buy additional hints. With an always up-to-date scoreboard, they will have to factor that into their strategy to beat the other team!

Tasks will be divided in several categories, such as:

Warmup
Simple tasks to get started and get familiar with the CTFd platform and rules.

Web
Challenges related to attacks on network services and web pages.

Forensics
Recovery of secrets, hidden information, analysis of metadata or actions taken by malicious software.

Crypto
Problems with crypto, incorrect implementations or attacks on acquired secrets.

Wrap-up Discussion
The last hour will be used to summarize what worked and what did not – groups will describe what they did to retrieve each flag or what stopped them. The instructor will also answer all questions and show the intended solution to some of the challenges.


Deep dive on Red Team – Blue Team Operations is delivered by our partner CQURE:

CQURE Team consists of highly talented Experts, who collectively have over 300 years of experience in the IT security field.

Our passion makes us hard workers, and our curiosity pushes us to solve difficult problems or to keep trying until we do. Basically, we are always tracking current threats. We proudly use our knowledge to make sure your infrastructure stays tight and secure.


This masterclass is proudly presented together with CQURE.


Seats remaining:
No seat limit
Request a quote

Person in charge


Mika Seitsonen

Mika has trained and consulted on Microsoft technologies at Sovelto and around the world for well over a quarter of a century. In recent years Mika has focused on training and consulting on Microsoft cloud services (Microsoft Azure and Microsoft 365) as well as identity and security technologies.

DI, M.Sc., Microsoft Certified: Azure Fundamentals, Security, Compliance, and Identity Fundamentals, Azure Administrator Associate, Azure Security Engineer Associate, Identity and Access Administrator Associate, Security Operations Analyst Associate, Windows Server Hybrid Administrator Associate, Azure Solutions Architect Expert, Cybersecurity Architect Expert, Microsoft 365 Certified: Fundamentals, MCT, ITIL Foundation 2011.

Don't fly faster than your guardian angel!