SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SEC699: Advanced Purple Teaming - Adversary Emulation & Detection Engineering
SEC699Offensive Operations
- 5 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Erik Van Buggenhout & Jean-François Maes
Course created by:Erik Van Buggenhout & Jean-François Maes
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 29 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Advanced purple team training empowers security professionals to simulate sophisticated threat actor techniques through comprehensive adversary emulation across complex enterprise environments.
Featured Quote
Overall SEC699 was the best course I've followed as an Incident Responder and SOC analyst. It simulates the real-world attacks and defending possibilities using numerous kinds of techniques. It provided me with a structure and focus on how to mature our current SOC capabilities.
Course Overview
SEC699 delivers cutting-edge purple team training that immerses IT security professionals in advanced adversary emulation techniques. Participants will explore real-world threat actor strategies across dynamic enterprise settings, focusing on detection and emulation methodologies. With 60% hands-on lab time, students will develop skills in automation, tooling, planning, and executing complex adversary scenarios using tools like Covenant and Caldera. The course progressively builds expertise from foundational concepts to intricate purple team techniques, culminating in comprehensive threat actor emulation plans.
What You’ll Learn
- Build advanced adversary emulation infrastructure
- Develop sophisticated purple team strategies
- Execute complex initial access techniques
- Perform lateral movement and escalation tactics
- Create comprehensive threat actor emulation plans
Business Takeaways
- Build realistic adversary emulation plans to better protect your organization
- Deliver advanced attacks, including application whitelisting bypasses, cross-forest attacks (abusing delegation), and stealth persistence strategies
- Building SIGMA rules to detect advanced adversary techniques
Meet Your Authors
- Slide 1 of 2
Erik Van Buggenhout
Senior InstructorNVISO co-founder and SANS Senior Instructor, leading cybersecurity education in advanced adversary tactics. Experienced in offensive security with extensive background in penetration testing and ethical hacking across Europe.
Read more about Erik Van Buggenhout - Slide 2 of 2
Jean-François Maes
Certified InstructorEuropean director of advanced assessment at Neuvik, specializing in penetration testing, red teaming, and adversary emulation. Passionate open-source contributor with extensive experience in offensive security technologies.
Read more about Jean-François Maes
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC699: Advanced Purple Teaming - Adversary Emulation & Detection Engineering.
Section 1Introduction & Key Tools
Foundations for advanced purple team techniques, focusing on lab infrastructure deployment, purple team processes, detection engineering, and adversary emulation. Students will explore automation, tooling, and detection strategies through comprehensive hands-on exercises.
Topics covered
- Course objectives
- Lab environment architecture
- Detection stack fundamentals
- Telemetry analysis
- Automated emulation strategies
Labs
- VECTR Introduction
- Elastic and SIGMA Stack Preparation
- Adversary Emulation Stack Setup
- Prelude Operator Configuration
Section 2Initial Intrusion Strategies Emulation & Detection
Comprehensive exploration of current attack strategies and endpoint defense mechanisms. Students will investigate Microsoft's built-in security features, understand bypass techniques for AMSI, AppLocker, and Attack Surface Reduction, and examine advanced Endpoint Detection & Response (EDR) evasion strategies.
Topics covered
- Adversarial technique emulation
- Anti-Malware Scanning Interface
- Application execution control
- Endpoint security evasion
- Process manipulation strategies
Labs
- VBA Stomping and AMSI Bypasses
- AppLocker Configuration and Bypass
- Attack Surface Reduction Circumvention
- Process Spoofing Techniques
- Advanced Process Manipulation
Section 3Privilege Escalation & Lateral Movement Emulation & Detection
Deep dive into Active Directory reconnaissance, credential theft, and advanced lateral movement techniques. Students will explore comprehensive methods for enumerating AD resources, stealing credentials, and executing sophisticated attack strategies across network environments.
Topics covered
- Active Directory enumeration
- Credential dumping techniques
- Kerberos attack strategies
- Delegation vulnerability exploration
- Advanced authentication bypass methods
Labs
- BloodHound Attack Chain Analysis
- Credential Stealing Techniques
- NTLMv1 Downgrade Exploration
- Delegation Attack Scenarios
- Active Directory Certificate Services Abuse
Section 4Persistence Emulation & Detection
Examination of persistence strategies within Active Directory environments, focusing on advanced techniques for maintaining unauthorized access. Students will investigate complex methods like COM object hijacking, WMI persistence, and stealthy AD infiltration techniques.
Topics covered
- Cross-domain infiltration
- Persistence technique development
- Advanced system manipulation
- Stealthy access maintenance strategies
Labs
- Domain and Forest Pivoting
- COM Object Hijacking
- WMI Persistence Mechanisms
- Netsh Helper DLL Implementation
- Office Persistence Techniques
Section 5Emulation Plans (Extended Access to CTF Range)
Comprehensive threat actor emulation, developing and executing plans for sophisticated threat groups. Students will create detailed scenarios for APT-33, EvilCorp, APT-28, APT-34, and Turla, using advanced tools like Caldera, Covenant, and Prelude Operator.
Topics covered
- Threat actor-specific emulation
- Advanced execution frameworks
- Post-course Capture The Flag challenge
Labs
- Emulation Plan Development for Five Threat Actors
- Tool-Specific Execution Strategies
Things You Need To Know
Relevant Job Roles
Purple Teamer
Offensive OperationsIn this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-today activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against the techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.
Explore learning pathRed Teamer
Offensive OperationsIn this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
OnDemand Bundle
When purchasing a live, instructor-led course, add 4 months of online access. View price in the info icons below.
SANS Skills Quest by NetWars Core Edition
Add 6 months of hands-on skills practice. Add to your cart when purchasing your course.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Erik Van BuggenhoutDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Bryce GalbraithDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Bryce GalbraithDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Jean-Francois MaesDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Canberra, ACT, AU & Virtual (live)
Instructed by Bryce GalbraithDate & TimeFetching schedule..View event detailsCourse priceA$13,350 AUD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Orlando, FL, US & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 6 of 6
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources