SANS SEC504 Course Resources

Instructor Contact Information

Anurag Khanna
Director, Incident Response and Consulting @CrowdStrike

• SANS Instructor Profile
• Twitter: @khannaanurag
• LinkedIn

(Let’s connect! Please mention you’re in class)

Course Schedule

• DAY 1 - 09:00 to no later than 19:15 (includes Linux Olympics Bootcamp)
• DAY 2-5 - 09:00 to 17:00-17:30ish
• DAY 6 - 09:00 to no later than 15:00 (probably earlier)
• Breaks - 10:30-10:50, 12:15-13:00 (lunch), 15:00-15:20

Courseware

• Books labeled 504.1-504.6 (one book per day)
• ISO image: 504.22.X.iso
• MP3 recordings available via SANS Portal
• Video recordings of each lab on ISO image

Laptop Requirements

SANS SEC504 Laptop Requirements
(Important laptop requirements can be found here. Ask if you have questions…)

Event Information

• Event Details
• XXX Evening Talk
• SANS Talks (check out bonus session topics here)

Social Media

• @SANSInstitute
• @SANSAPAC
• @khannaanurag

Key Resources

SEC504 Resources

• SEC504 Public Resources
• Do You Remember Q
• Do You Remember QA

Online Learning Resources

Linux Learning

• Linux Journey
• ExplainShell

Understanding Attacks

• Hacksplaining Lessons

Windows Event Logs

• Ultimate Windows Security

Information Security News

News Sources

• Internet Storm Center
• Security News Aggregator
• The Hacker News
• The Register Security
• Threatpost
• Krebs on Security
• Dark Reading

Intelligence & Resources

Intelligence Resources

• APT Groups Spreadsheet
• MITRE ATT&CK Framework
• MITRE ATT&CK Groups
• SANS Security Posters
• SecLists on GitHub

Threat Intelligence & OSINT

• OpenCTI - Open source threat intelligence platform
• MISP - Malware Information Sharing Platform
• ThreatFox - IOC database by abuse.ch
• Hybrid Analysis - Free malware analysis service
• VirusTotal - File/URL analysis service

Vulnerability Management

• NIST NVD - National Vulnerability Database
• CVE Details - CVE vulnerability database
• Exploit Database - Exploit archive
• VulnDB - Vulnerability intelligence

Security Blogs

• CrowdStrike Blog
• Mandiant Resources
• Microsoft Security Blog
• Unit42 Palo Alto
• SpecterOps
• The DFIR Report

Podcasts

• CrowdStrike Adversary Universe
• Adventures of Alice & Bob
• The Defender’s Advantage - Mandiant
• Microsoft Threat Intelligence
• Beers with Talos Cisco

Practice Labs

Lab Building Resources

• Building Your Own Lab - Jeff McJunkin
• NSM Lab Video - Chris Sanders
• Building Virtual Machine Labs Book
• Microsoft Evaluation Center
• Microsoft Developer VMs
• TurnKey Linux

Practice Platforms

• SecGen - Vulnerable VMs
• Practice Links Mind Map
• Arizona Cyber Warfare
• VulnHub
• Metasploitable3
• Nmap Practice
• OWASP WebGoat
• Ninite for Lab Setup
• Azure AD Lab
• Detection Lab

Additional Training & Certifications

• CyberDefenders - Blue team challenges
• LetsDefend - SOC analyst training
• TryHackMe - Cybersecurity training platform
• HackTheBox - Penetration testing labs

Entertainment

• Sneakers (1992)
• WarGames (1983)
• The Matrix (1999)
• Zero Days - Stuxnet Documentary

Microsoft Resources

Microsoft Ninja Hub

• Microsoft IR Ninja Hub

Threat Campaigns - Recommended Reading

The DFIR Report

• 2022 Year in Review
• 2021 Year in Review

StellarParticle/NOBELIUM/UNC2452/SUNBURST

• CrowdStrike StellarParticle Analysis
• Microsoft NOBELIUM Analysis
• FoggyWeb Analysis
• Mandiant SolarWinds Analysis

Lockbit

• CISA Advisory

LightBasin

• CrowdStrike Analysis
• Cybereason DeadRinger
• Unit42 Telecom Networks

FIN13

• Mandiant Analysis

Nation-State Threat Actors - The Big Four

🇷🇺 Russia

Void Blizzard (aka LAUNDRY BEAR)

• Microsoft Analysis

🇨🇳 China (PANDA)

• CISA China Threat Overview
• USCC Testimony
• Chinese Espionage Tactics
• Barracuda ESG Exploitation
• Volt Typhoon Analysis
• Unit42 Telecom Infiltration

🇰🇵 North Korea

• CISA North Korea Overview
• Podcast Episode 1
• Podcast Episode 2

🇮🇷 Iran (🐈 Kitten)

• Threat Actor Podcast

DPRK Deep Dive

Famous Chollima (aka Jasper Sleet)

• Chollima Hacking Exposed Video
• Microsoft Jasper Sleet Analysis
• Microsoft CYBERWARCON Intelligence
• Google Cloud DPRK IT Workers
• Google Cloud Mitigation

Silent Chollima

• CISA Global Espionage Campaign

eCrime Actors

SCATTERED SPIDER (UNC3944/Octo Tempest/Muddled Libra)

Research Reports

• Palo Alto Muddled Libra
• Google Cloud UNC3944 SMS Phishing
• Google Cloud Hardening Recommendations
• Google Cloud SaaS Targeting

CrowdStrike Analysis

• Telecom and BPO Campaign
• Escalating Attacks
• BYOVD Tactics

Microsoft Analysis

• Octo Tempest Boundaries
• Hybrid Identity Compromise Recovery

Additional Resources

• Podcast Episode
• Trellix Modus Operandi
• Video Analysis
• SANS Defense Blog
• EclecticIQ Cloud Ransomware

LAPSUS$

• CISA LAPSUS$ Report

VMware Targeting

• Sygnia Fire Ant Analysis
• Google Cloud vSphere AD Risks
• Google Cloud vSphere Defense

War Stories & Case Studies

Ransomware Studies

• Microsoft DART Case Study

Breach Reports

• Breach Report Collection
• Talos Cyber Attack Analysis
• Exchange to Ransomware
• HSE Conti Ransomware Report
• Singapore Health Services Report
• RSA Hack Analysis
• The DFIR Report
• Public Penetration Testing Reports
• Mimecast SolarWinds Incident
• APT27 Analysis

MITRE Case Studies

• Technical Deep Dive - Anatomy of Cyber Intrusion
• Advanced Cyber Threats Impact
• Infiltrating Defenses - VMware Abuse

Hardening & Defense Guidelines

Protection Strategies

• Ransomware Protection and Containment Strategies (in Sec504-Share)
• Proactive Preparation and Hardening to Protect Against Destructive Attacks (in Sec504-Share)
• Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks (in Sec504-Share)
• Defending Against Identity Attack Techniques

Playbooks & Recovery Guidance

Microsoft Resources

• Microsoft DART Octo Tempest Playbook
• Microsoft Incident Response Ninja Hub
• Microsoft Learn - IR Playbooks

Specific Playbooks

• Phishing Playbook
• Password Spraying Playbook
• App Consent Playbook

Day-Specific Resources

Day 1 - Memory Forensics

• Volatility Documentation
• Art of Memory Forensics Book
• Malware Analysis Resources
• Malicious Software Analysis

Digital Forensics & Incident Response Tools

• SANS DFIR Tools - SIFT Workstation
• Remnux - Linux toolkit for malware analysis
• Eric Zimmerman Tools - Windows forensics tools
• Kroll Artifact Parser - KAPE
• Autopsy - Digital forensics platform

Ransomware & Malware Analysis

• ID Ransomware - Ransomware identification
• No More Ransom - Decryption tools
• MalwareBazaar - Malware sample sharing
• ANY.RUN - Interactive malware analysis

Cloud Investigation

• Azure Security Controls
• AWS IR Guide
• Office 365 Security IR

Cloud Security

• Cloud Security Alliance - CSA resources
• ScoutSuite - Multi-cloud security auditing
• Prowler - AWS/Azure/GCP security assessment
• Pacu - AWS exploitation framework

Day 2 - Reconnaissance

• DigiNinja Zone Transfer
• DNS Dumpster
• NOBELIUM Supply Chain
• CrowdStrike LightBasin
• APT10 Supplier Hopping
• Mandiant SUNBURST
• Google Hacking Database
• Tesla Social Engineering
• USB Attack Case Study

Recommended Books

• TCP/IP Illustrated
• Network Intrusion Detection

Day 3 - Password Attacks

• SprayingToolkit
• NIST Password Guidelines
• Crowbar Tool
• MailSniper
• Burp Suite Brute Force
• Medusa

Password Resources

• CMD5
• CrackStation
• AD Database Dumping
• Impacket secretsdump.py
• SkullSecurity Passwords

Windows Security

• AD Security Best Practices
• Hashcat Mask Exploitation
• GPU vs CPU Cracking
• Microsoft LAPS
• PAW Deployment
• RED Forest Design
• AD Security Ultimate Resource
• LM Hash Protection
• Windows Hardening Baseline

Cloud Enumeration

• Insecure S3 Buckets
• Cloud Enum Tool

Day 4 - Web Application Attacks

• OceanLotus Watering Hole
• Colonial Pipeline Hearing
• APT41 State Governments
• Cloud Security Videos
• Additional Security Video
• Cloud Metadata Abuse
• OWASP ZAP
• Mac Zero-Day
• Turla Epic Operation
• Microsoft Disables Macros

Day 5 - Post-Exploitation

Endpoint Security Bypass

• LOLBAS Project
• AppLocker Default Rules
• Driver Signing

Pivoting & Lateral Movement

• KringleCon SSH Pivoting
• Mandiant RDP Tunneling
• StellarParticle SSH
• UNC1945 LightBasin
• UNC3524 Email Spying

Tunneling Tools

• Ligolo
• Plink SSH Tunneling

Persistence

• AD Backdoor Hunting

Evidence Destruction

• Iranian MuddyWater

C2 Channels

• C2 Matrix

Network Analysis

• RITA

Network Security & Monitoring

• Security Onion - Network security monitoring platform
• Zeek - Network security monitor
• Suricata - Network threat detection engine
• Wireshark - Network protocol analyzer

Threat Hunting

• HELK - Threat hunting platform
• Sigma Rules - Generic detection rules
• Atomic Red Team - Adversary emulation
• CALDERA - Cyber adversary emulation platform

Government & Industry Resources

• CISA Known Exploited Vulnerabilities
• FBI IC3 - Internet Crime Complaint Center
• ENISA - European cybersecurity agency
• FIRST - Forum of Incident Response and Security Teams