SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SEC560: Enterprise Penetration Testing
SEC560Offensive Operations
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Jon Gorenflo & Jeff McJunkin
Course created by:Jon Gorenflo & Jeff McJunkin
- GIAC Penetration Tester (GPEN)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 30 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Master enterprise-scale penetration testing; learn to identify, exploit, and assess real business risks across on-prem, Azure, and Entra ID environments through hands-on labs and an intensive CTF.
Featured Quote
Thank you for an amazing week of training in SEC560! My favorite parts were lateral movement, password cracking, and web exploits!
Course Overview
This comprehensive enterprise penetration testing course goes beyond individual systems to teach real-world methodologies for assessing organization-wide risk across on-premises infrastructure, Azure cloud, and Entra ID. Learn proven techniques to identify and exploit vulnerabilities at scale, demonstrating concrete business impact. This course is perfect for red teamers, blue teamers, auditors, and incident responders seeking to understand both offensive and defensive perspectives in enterprise security testing.
What You’ll Learn
- Conduct end-to-end penetration tests, from reconnaissance to reporting
- Learn hacker strategies, privilege escalation, and vulnerability fixes
- Secure the entire attack surface of complex organizations
- Exploit systems, assess risks across networks, Active Directory, and Azure
- Execute lateral movement and Kerberos attacks to uncover deeper risks
- Use C2 frameworks for remote management of compromised systems
- Simulate real-world attacks with password cracking and phishing
Business Takeaways
- Comprehensive risk assessment of modern enterprise environments
- Enhanced security posture by mitigating vulnerabilities across systems
- Scalable testing methodology for enterprise-scale assessments
- Improved incident response through an attacker-focused mindset
- Actionable reporting to effectively communicate risks and solutions
- Hands-on expertise gained through labs and real-world simulations
- Proactive risk mitigation to address emerging threats
Meet Your Authors
- Slide 1 of 2
Jon Gorenflo
Principal InstructorJon Gorenflo has strengthened cybersecurity through leadership in pen testing, incident response, and security engineering. His dedication to mentoring and knowledge-sharing has empowered professionals and enhanced defenses industry-wide.
Read more about Jon Gorenflo - Slide 2 of 2
Jeff McJunkin
Principal InstructorJeff McJunkin, Rogue Valley InfoSec founder, has led Fortune 100 pen tests and shaped Core NetWars. His key role in SANS Holiday Hack Challenge and hands-on security innovations continue to elevate the industry, advancing defenses worldwide.
Read more about Jeff McJunkin
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC560: Enterprise Penetration Testing.
Section 1Comprehensive Penetrations Test Planning, Scoping, Recon, and Scanning
This first course section covers building a penetration testing infrastructure, defining scope, and performing reconnaissance. Through hands-on labs, you'll map attack surfaces, identify vulnerabilities, and refine scanning techniques for accurate and efficient assessments.
Topics covered
- Penetration test overview and key concepts
- Professional pen tester mindset and approach
- Building a world-class pen test infrastructure
- Reconnaissance: Infrastructure and employee data
- Scanning tips: Masscan, Nmap, EyeWitness for web
Labs
- Credential stuffing to exploit breaches
- Reconnaissance and OSINT techniques
- Using Masscan for efficient scanning
- Advanced Nmap: -O, -sV, and integrations
- EyeWitness, Netcat, and NSE for testing
Section 2Initial Access, Payloads, and Situational Awareness
This section covers password guessing, exploitation, and post-exploitation, focusing on Metasploit and Meterpreter. You'll explore gaining access, escalating privileges, and pivoting. The "Assumed Breach" methodology and the use of C2 frameworks like Sliver and Empire are discussed, as well as situational awareness on Windows and Linux systems.
Topics covered
- Gaining access: Password guessing and spraying
- Exploiting network services with Meterpreter
- Command and Control frameworks (Sliver, Empire)
- Post-exploitation and assumed breach testing
- Situational awareness on Linux and Windows
Labs
- Password guessing and spraying with Hydra
- Exploitation with Metasploit and Meterpreter
- Command and Control via Sliver and Empire
- Payload development in multiple C2 frameworks
- Situational awareness with GhostPack Seatbelt
Section 3Privilege Escalation, Persistence, and Password Attacks
Here we dive into the world of privilege escalation, where gaining elevated access on compromised hosts unlocks new opportunities for deeper exploitation. Learn how to use tools like Mimikatz for password dumping, cracking, and maintaining persistence. Map attack paths with BloodHound to target high-value assets, and utilize Responder for relaying attacks.
Topics covered
- Privilege escalation on Windows and Linux
- Mapping attack paths with BloodHound
- Persistence and maintaining access
- Password cracking techniques
- Extracting hashes with Mimikatz and Hashcat
Labs
- Privilege escalation on Windows
- Domain mapping with BloodHound
- Practical persistence techniques
- Credential harvesting with Mimikatz
- Password cracking with Hashcat
Section 4Lateral Movement and Reporting
Explore lateral movement techniques used by attackers and pen testers to navigate networks. Learn manual methods and automate with Impacket to exploit network protocols. Perform pass-the-hash attacks, bypass application controls, and pivot through networks using C2 frameworks. Finish with strategies for effectively reporting and communicating findings.
Topics covered
- Lateral movement and remote command execution
- Abusing network protocols with Impacket
- Anti-virus evasion and application control bypass
- Port forwarding and pivoting via SSH
- Effective reporting and business communication
Labs
- Lateral movement with Windows and Linux
- Automating lateral movement with Impacket
- Pass-the-hash and C2 pivoting techniques
- Bypassing application control with MSBuild
- Reporting and communication best practices
Section 5Domain Domination and Azure Annihilation
Delve into Active Directory lateral movement, focusing on Kerberos attacks like Kerberoasting, Golden Tickets, and Silver Tickets. Learn how to extract domain hashes from a compromised Domain Controller and escalate privileges using AD Certificate Services (AD CS). Explore cloud-based attacks, focusing on Azure and Entra ID integration with on-prem domains.
Topics covered
- Kerberos authentication and attacks
- Escalating privileges with AD CS
- Extracting hashes from NTDS.dit
- Azure password spraying techniques
- Lateral movement and execution in Azure
Labs
- Kerberoasting for privilege escalation
- Extract domain hashes from a DC
- Golden and Silver Ticket persistence
- Attacking AD Certificate Services
- Azure reconnaissance and password spray
Section 6Penetration Test and Capture-the-Flag Exercise
The final hands-on exercise applies penetration testing skills in a simulated environment. Testers work within the defined scope and rules of engagement to assess security risks. The goal is to identify vulnerabilities, exploit them, and provide recommendations to mitigate the risks discovered, using real-world penetration testing practices.
Topics covered
- Penetration testing from start to finish
- Scanning for vulnerabilities and entry points
- Exploiting and controlling target systems
- Post-exploitation risk assessment
- Pivoting and analyzing findings for fixes
Labs
- Comprehensive penetration testing lab
- Simulating a full-scale pen test
Things You Need To Know
Relevant Job Roles
Vulnerability Assessment Analyst (DCWF 541)
DoD 8140: CybersecurityAssesses systems and networks to ensure compliance with policies and identify vulnerabilities in support of secure and resilient operations.
Explore learning pathSecurity Control Assessment (OPM 612)
NICE: Oversight and GovernanceResponsible for conducting independent comprehensive assessments of management, operational, and technical security controls and control enhancements employed within or inherited by a system to determine their overall effectiveness.
Explore learning pathVulnerability Analysis (OPM 541)
NICE: Protection and DefenseResponsible for assessing systems and networks to identify deviations from acceptable configurations, enclave policy, or local policy. Measure effectiveness of defense-in-depth architecture against known vulnerabilities.
Explore learning pathExploitation Analyst (DCWF 121)
DoD 8140: Cyber EffectsCollaborates to identify access and collection gaps using cyber resources and techniques to penetrate target networks and support mission operations.
Explore learning pathApplication Pen Tester
Offensive OperationsApplication penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope vulnerable web-based services, clientside applications, servers-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.
Explore learning pathCyber Operations Planner (DCWF 332)
DoD 8140: Cyber EffectsCoordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.
Explore learning pathTarget Digital Network Analyst (DCWF 132)
DoD 8140: Cyber EffectsPerforms advanced analysis of collection and open-source data to track target activity, profile cyber behavior, and support cyberspace operations.
Explore learning pathRed Teamer
Offensive OperationsIn this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.
Explore learning pathSystems Testing and Evaluation (OPM 671)
NICE: Design and DevelopmentResponsible for planning, preparing, and executing system tests; evaluating test results against specifications and requirements; and reporting test results and findings.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Jeff McJunkinDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Canberra, ACT, AU & Virtual (live)
Instructed by Jeff McJunkinDate & TimeFetching schedule..View event detailsCourse priceA$13,350 AUD*Prices exclude applicable local taxes - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Christian VillapandoDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Jon GorenfloDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Greg BaileyDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
San Antonio, TX, US & Virtual (live)
Instructed by Jon GorenfloDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Instructed by Christopher ElgeeDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Instructed by Christopher ElgeeDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options
Showing 8 of 26
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3I think if you genuinely want to learn how exploitation techniques work and how to properly think like a hacker, it would be silly not to attend SEC560.
- Slide 2 of 3SEC560 introduces the whole process of penetration testing from the start of engagement to the end.
- Slide 3 of 3Thank you for an amazing week of training in SEC560! My favorite parts were lateral movement, password cracking, and web exploits!
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources