MalwareLab<p>Yesterday I attended the <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a> <a href="https://infosec.exchange/tags/DetectionEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DetectionEngineering</span></a> Crash Course with Hayden Covington by <span class="h-card" translate="no"><a href="https://infosec.exchange/@Antisy_Training" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Antisy_Training</span></a></span> </p><p><a href="https://www.antisyphontraining.com/product/workshop-soc-detection-engineering-crash-course-with-hayden-covington/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">antisyphontraining.com/product</span><span class="invisible">/workshop-soc-detection-engineering-crash-course-with-hayden-covington/</span></a></p><p>A 5-hour workshop (1 hour of lab setup with the instructor available on Zoom and 4 hours of the workshop itself). Pay what you can, with pricing starting from $0. Course materials such as the setup guide and excellent lab instructions were delivered in advance, two days before the workshop.</p><p>All you need for the workshop is a web browser - we used a <a href="https://infosec.exchange/tags/MetaCTF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MetaCTF</span></a> Cloud Windows VM (credits provided by the instructor) and Elastic Security (free trial available for 14 days). <br>Fun fact: I test <a href="https://infosec.exchange/tags/FreeBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FreeBSD</span></a> as my host OS and was able to do all of the labs on FreeBSD without any issues.</p><p>The content was useful, a real crash course. We started with a Windows VM with Sysmon and an empty Elastic. 
After the course, we had the Elastic Agent on the VM, logs in Elastic, a detection rule for <span class="h-card" translate="no"><a href="https://infosec.exchange/@mitreattack" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mitreattack</span></a></span> Account Discovery: Local Account (T1087.001), and suppression of the alerts for a particular user. We also tested the detection with an Atomic Red Team test.</p><p>Overall, it was a very good workshop and I am happy for the opportunity to attend it. The use of "free" cloud infrastructure is inspiring; I will consider it during my next trainings for a larger group of students (instead of hosting all of the VMs in our cloud infrastructure) - this way, students can do a lot of things again after the training for a better understanding of the topic.</p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/education" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>education</span></a> <a href="https://infosec.exchange/tags/training" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>training</span></a> <a href="https://infosec.exchange/tags/antisyphon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>antisyphon</span></a> <a href="https://infosec.exchange/tags/soc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>soc</span></a> <a href="https://infosec.exchange/tags/siem" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>siem</span></a> <a href="https://infosec.exchange/tags/detections" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>detections</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blueteam</span></a></p>