The Hacktivists
Hacking Forensic Security
SYLLABUS
ATHP
ADVANCED THREAT
HUNTING PROFESSIONAL
VERSION 1
A must-have for any blue or red teamer’s skill arsenal
IT Security Professionals have chosen "THE HACKTIVISTS" as their best cybersecurity training provider.
We have trained professionals who work in Fortune 500 companies and leading organizations
across 100+ countries around the globe.
INTRODUCTION
2021
COURSE DESCRIPTION
Regardless of which side you are on, blue or red, a good understanding
of Threat Hunting and Threat Intelligence is vital if you want to be a
complete infosecurity professional. You cannot be an experienced
defender without good knowledge of attacking techniques. The
same goes for penetration testers.
The Advanced Threat Hunting Professional (ATHP) course was
designed to provide infosecurity professionals with the skills necessary
not only to proactively hunt for threats but also to become stealthier
penetration testers.
PRE-REQUISITES
ATHP is advanced training that requires the following pre-requisites:
Basic knowledge of Network Protocols: TCP, UDP, ARP, ICMP, etc.
Basic knowledge of x86 and x64 assembly programming.
Intermediate to advanced understanding of penetration testing
tools and methods.
One year in an information security role or equivalent experience
is recommended.
The Hacktivists ATHP training provides most of the above
pre-requisites.
WHO SHOULD TAKE THIS COURSE?
The Advanced Threat Hunting Professional (ATHP) training is
beneficial for:
Malware Analysts
Incident Responders
Penetration Testers
Digital Forensic Examiners
Information security consultants and IT auditors
Security Operations Center analysts and engineers
Anyone who is interested in threat hunting & threat intelligence
WILL I GET A CERTIFICATE?
Once you satisfy the requirements of the final
practical certification test, you will be awarded an
“Advanced Threat Hunting Professional”
certificate and will hold the ATHP certification.
DETAILED COURSE CONTENT
The Advanced Threat Hunting Professional (ATHP) course was
designed to provide infosecurity professionals with the skills necessary
not only to proactively hunt for threats but also to become stealthier
penetration testers. The ATHP course is a practice-based curriculum containing
hands-on lab exercises.
ATHP course covers the fundamentals of threat hunting, how to build
out a hunt program in your own environment, and how to identify,
define, and execute a hunt mission. The course introduces essential
concepts for network and endpoint hunting and then allows learners to
apply techniques to hunt for anomalous patterns.
Hands-on activities follow real-world use cases to identify attacker
techniques. Learners will leave the course with concrete use cases
that they can leverage to hunt in their own environment.
Module 1 : Introduction to Threat Hunting
Module 2 : Threat Hunting Methodologies
Module 3 : Incident Response and Digital Forensics
Module 4 : Threat Intelligence - Know The Threats That Matter
Module 5 : Threat Intelligence and Risk Assessments
Module 6 : IOCs (Indicators of Compromise)
Module 7 : Threat Hunting Terminology
Module 8 : Threat Hunting Process
Module 9 : Hunting for Network-Based Threats - Part One
Module 10 : Hunting for Network-Based Threats - Part Two
Module 11 : Hunting for Network-Based Threats - Part Three
Module 12 : Hunting for Host-based Threats - Part One
Module 13 : Hunting for Host-based Threats - Part Two
Module 14 : Hunting for Host-based Threats - Part Three
Module 15 : Leveraging Events and Endpoint Logs for Security - Part One
Module 16 : Leveraging Events and Endpoint Logs for Security - Part Two
MODULES
MODULE 1 Introduction to Threat Hunting
What is threat hunting?
The need for threat hunting
Threat hunting and its importance
The concept of active defense techniques
What skills are needed for threat hunting
The benefits and challenges of threat hunting
MODULE 2 Threat Hunting Methodologies
Assumption of breach
The Crown Jewel Analysis (CJA)
Cyber threat patterns and signatures
Role of threat hunting in organizational security program
Threat hunting hypotheses: intelligence-driven, awareness-driven
MODULE 3 Incident Response and Digital Forensics
Incident Response and Digital Forensics Overview
Incident Handling Process – Detection and Analysis
Incident Handling Process – Containment, Eradication & Recovery
Incident Handling Process – Threat Analysis and Threat Hunting
Threat Hunter Mindset: Digital Forensics
Using Digital Forensics to Hunt Threats
MODULE 4 Threat Intelligence - Know the Threats That Matter
Threat Reports - Research and Analysis
Threat Intelligence Sharing and Exchanges
Government-sponsored Threat Sharing
ThreatConnect - Risk-Threat-Response
AlienVault OTX (Open Threat Exchange)
CRITs (Collaborative Research Into Threats)
MISP (Malware Information Sharing Platform)
US-CERT (US Computer Emergency Readiness Team)
ISACs (Information Sharing and Analysis Centers)
DHS/CISCP (Department of Homeland Security / Cyber Information
Sharing and Collaboration Program)
MODULE 5 Threat Intelligence and Risk Assessments
What Are Risk Assessments?
Threat Intelligence Overviews
Advanced Threat Hunting Overviews
Threat Hunting Mindset: Threat Intelligence
Using Threat Intelligence to Hunt Threats
Threat Hunting and Intelligence Simulation
MODULE 6 IOCs (Indicators of Compromise)
IOC Editor
OpenIOC
CybOX (Cyber Observable Expression)
TAXII (Trusted Automated Exchange of Indicator Information)
STIX (Structured Threat Information Expression)
MODULE 7 Threat Hunting Terminology
APT (Advanced Persistent Threat)
TTP (Tools, Tactics, and Procedures)
Pyramid of Pain
The Cyber Kill Chain Model
The Diamond Model
MODULE 8 Threat Hunting Process
Preparing for the Hunt: the Hunter, the Data, the Tools
Creating a Context-based Hypothesis
Starting the Hunt (Confirming the Hypothesis)
Responding to the Attack
Lessons Learned
MODULE 9 Hunting for Network-based Threats - Part One
Network Hunting Overview: Networking Concepts
Network Hunting Overview: Devices and Communications
Network Hunting Overview: Hunting Tools
Network Hunting: Network Technology Review
Network Hunting: Tunneling Techniques
Network Hunting: Data Acquisition Techniques
MODULE 10 Hunting for Network-based Threats - Part Two
Suspicious Traffic Hunting: ARP Protocol
Suspicious Traffic Hunting: ICMP Protocol
Suspicious Traffic Hunting: TCP Protocol
Suspicious Traffic Hunting: DHCP Protocol
Suspicious Traffic Hunting: DNS Protocol
Suspicious Traffic Hunting: HTTP/HTTPS Protocol
Suspicious Traffic Hunting: Unknown Traffic
Suspicious Traffic Hunting: Hunting Web Shells
Suspicious Traffic Hunting: DoS and DDoS Activity
MODULE 11 Hunting for Network-based Threats - Part Three
Hunting for Irregular Traffic: Misused Protocols
Hunting for Irregular Traffic: Port Application Mismatches
Hunting for Irregular Traffic: Web Shells and Other Threats
Hunting for Suspicious Domains, URLs and HTML Responses
Hunting for Suspicious DNS Requests and Geographic Abnormalities
MODULE 12 Hunting for Host-based Threats - Part One
Endpoint Hunting: Overview
Endpoint Hunting: Endpoint Baselines
Endpoint Hunting: Endpoint Analysis
Endpoint Hunting: Windows Processes
Endpoint Hunting: Linux Processes
Endpoint Hunting: File Systems
Endpoint Hunting: Registry
Endpoint Hunting: Hunting Tools
MODULE 13 Hunting for Host-based Threats - Part Two
Malware Overview: Introduction
Malware Overview: Malware Classifications
Malware Overview: Malware Delivery Methods
Malware Activity: Common Activities
Malware Activity: Malware Evasion Techniques
Malware Activity: Detection and Analysis Tools
Malware Activity: Malware Persistence Techniques
MODULE 14 Hunting for Host-based Threats - Part Three
Hunting for Filenames and Hashes
Hunting for Irregularities in Processes
Hunting for Registry and System File Changes
Hunting for Swells in Database Read Volume
Hunting for Unexpected Patching of Systems
Hunting for Abnormal Account Activity: Brute-force Attacks
Hunting for Abnormal Account Activity: Privileged Accounts
MODULE 15 Leveraging Events and Endpoint Logs for Security - Part One
Endpoint Logs Analysis: Logging on Windows
Endpoint Logs Analysis: Logging on Linux
Endpoint Logs Analysis: Windows Event Logs
Endpoint Logs Analysis: Windows Event Forwarding
Endpoint Logs Analysis: Log Rotation & Logon Clearing
Endpoint Logs Analysis: PowerShell Logging
Endpoint Logs Analysis: Hunting With PowerShell
Endpoint Logs Analysis: SIEMs (Splunk and the ELK)
MODULE 16 Leveraging Events and Endpoint Logs for Security - Part Two
Endpoint Logs Analysis: Windows Event IDs
Windows Event IDs: Suspicious Account Usage
Windows Event IDs: Suspicious Account Creation
Windows Event IDs: Passwords
Windows Event IDs: Hashes (PtH)
Windows Event IDs: Forged Kerberos Tickets
Windows Event IDs: RDP
Windows Event IDs: PsExec
Windows Event IDs: Wmix
Windows Event IDs: Scheduled Tasks
Windows Event IDs: Service Creation
Windows Event IDs: Admin Shares
ABOUT US
Our company The Hacktivists™ (a leading IT Security Services & Training
company) offers a wide range of courses & training in Information and
Cyber Security. We are a fast-growing online information security training
company based out of India.
We have a large number of professional instructors who are specialized and
experienced in various Information/Cyber Security domains. Our instructors
hold a wide range of accreditations such as OSCP, OSEE, OSCE, eCXD, eMAPT,
eWPTX, eWDP, CEH, CHFI, CISSP, CISM, CISA.
The Hacktivists™ is one of the most trusted and reliable training providers in
information/cybersecurity, providing exceptional, unmatched hands-on
practical training to individuals and corporates worldwide. Our goal is to
train, mentor, and support your career in cybersecurity.
We emphasize hands-on practical training, which gives our clients
and candidates an edge to grow and advance professionally in their
respective careers.
Contact details:
www.thehacktivists.in
[email protected]