Constructing Defense
Welcome to Constructing Defense!
Welcome & Introduction
Changelog
Lab Overview
Lab Overview
General Lab Build Approach
Lab Construction
ISO Downloads - Windows Server 2019
ISO Downloads - Windows 11
ISO Downloads - Ubuntu
ISO Downloads - PCAP
Lab Construction - AWS Version
Terraform Setup
Domain Controller
Windows 11 A & V
Certer
Linux A & Linux V
[Splunk] - Lab Construction & Provisioning - Ludus Version
[Splunk] - Ludus Overview
[Splunk] - Ludus Deploy
[Splunk] - Ludus Post Deploy Setup
Lab Construction & Provisioning - Ludus Version
Ludus Overview
Ludus Setup
Ludus Post Deploy Setup
Lab Provisioning
Domain Controller
Windows 11 A & V
Certer
Linux A & Linux V
PCAP
PCAP - New Malcolm Version
Cloud Accounts - Azure
Cloud Accounts - Amazon Web Services (AWS)
Kubernetes Setup
Sysmon Setup
Telemetry Setup & Miscellaneous Lab Configuration
Section Intro
Windows Auditing and GPO Setup
Disabling Defender
Certificate Enrollment
Linux Auditd + Laurel
Sumo Logic SIEM Account
[Sumo Logic] - Windows Event Collection
[Sumo Logic] - Linux Event Collection
[Legacy] - Kubernetes Monitoring
[Sumo Logic] - Kubernetes Monitoring
[Sumo Logic] - Cloud Collection - AWS
[Sumo Logic] - Cloud Collection - Azure
[Splunk] - Splunk Setup
[Splunk] - Forwarder Setup (Windows)
[Splunk] - Forwarder Setup (Linux)
[Splunk] - Kubernetes Monitoring
[Splunk] - Cloud Collection - AWS
[Splunk] - Cloud Collection - Azure/Entra
Lab Executions
Section Intro
Getting to Know Ourselves
Our First Shell
First Shell - Detection 1
First Shell - Detection 2
Our Second Shell - Exploring the Network Layer
Second Shell - Bonus Round
Credential Access on Windows Hosts - LSASS
Credential Access on Windows Hosts - File Shares
Credential Access on Windows Hosts - Kerberoasting
Credential Access on Windows Hosts - DCSync
Lateral Movement in Windows Environments - WMIExec
Lateral Movement in Windows Environments - PSExec
Discovery/Recon Detection on Windows Hosts
Profiling Rundll32 Executions on Windows Hosts
LOLBAS / LOLBINs
Active Directory Certificate Services
Authentication Anomalies on Windows Hosts - The Classic Brute Force
Authentication Anomalies on Windows Hosts - The Kerberos Approach
Credential Access on Linux Hosts - The Shadow File
Credential Access on Linux Hosts - Through a C2 Framework
Lateral Movement on Linux Hosts - Interactive Bash Prompts
Web Shell Detections on Linux Hosts
Kubernetes Threat Detection - Dipping our Toes
Kubernetes Threat Detection - The Host Layer
Kubernetes Threat Detection - The Host Layer - Enumeration
Kubernetes Threat Detection - Tunneling & Exposed Services
Kubernetes Goat 🐐
Kubernetes Threat Detection - Poisoned Pod
Azure - Password Sprays
Azure - MFA Madness
Azure - Wrangling Applications
[Legacy] - Azure - Bad to the Bone
[Updated] - Azure - Bad to the Bone
Azure - AzureHound
Azure/Entra Session Hijacking via Browser Cookie Theft 🍪
Azure Session Hijack via HAR File
AWS - Account Set Up and CLI Access
AWS - CloudTrail - IAM User Creation
AWS - CloudTrail - IAM User Enumeration
AWS - CloudTrail - Pacu - IAM Brute Force
AWS - CloudTrail - Pacu - S3 Bucket Exfil
Adding a bit of Purple
Endpoint Analysis with Hayabusa and Langchain
Kerberos Attacks & Defenses - Pass the Ticket
Kerberos Attacks & Defenses - Golden Ticket
Web Sockets & .NET Assemblies
DPAPI at the Host and Network Layer
Purple Teaming Memory Forensics with MemProcFS
Lab Executions - Splunk
[Splunk] - Getting to Know Ourselves
[Splunk] - Our First Shell
[Splunk] First Shell - Detection 1
[Splunk] - First Shell - Detection 2
[Splunk] - Our Second Shell - Exploring the Network Layer
[Splunk] - Second Shell - Bonus Round
[Splunk] - Credential Access on Windows Hosts - LSASS
[Splunk] - Credential Access on Windows Hosts - File Shares
[Splunk] - Credential Access on Windows Hosts - Kerberoasting
[Splunk] - Credential Access on Windows Hosts - DCSync
[Splunk] - Lateral Movement in Windows Environments - WMIExec
[Splunk] - Lateral Movement in Windows Environments - PSExec
[Splunk] - Discovery/Recon Detection on Windows Hosts
[Splunk] - Profiling Rundll32 Executions on Windows Hosts
[Splunk] - LOLBAS / LOLBINs
[Splunk] - Active Directory Certificate Services
[Splunk] - Authentication Anomalies on Windows Hosts - The Classic Brute Force
[Splunk] - Authentication Anomalies on Windows Hosts - The Kerberos Approach
[Splunk] - Credential Access on Linux Hosts - The Shadow File
[Splunk] - Credential Access on Linux Hosts - Through a C2 Framework
[Splunk] - Lateral Movement on Linux Hosts - Interactive Bash Prompts
[Splunk] - Web Shell Detections on Linux Hosts
[Splunk] - Kubernetes Threat Detection - Dipping our Toes
[Splunk] - Kubernetes Threat Detection - The Host Layer
[Splunk] - Kubernetes Threat Detection - The Host Layer - Enumeration
[Splunk] - Kubernetes Threat Detection - Tunneling & Exposed Services
[Splunk] - Kubernetes Goat 🐐
[Splunk] - Kubernetes Threat Detection - Poisoned Pod
[Splunk] - Azure - Password Sprays
[Splunk] - Azure - MFA Madness
[Splunk] - Azure - Wrangling Applications
[Legacy] - Azure - Bad to the Bone
[Updated] - Azure - Bad to the Bone
[Splunk] - Azure - AzureHound
[Splunk] - Azure/Entra Session Hijacking via Browser Cookie Theft 🍪
[Splunk] - Azure Session Hijack via HAR File
[Splunk] - AWS - Account Set Up and CLI Access
[Splunk] - AWS - CloudTrail - IAM User Creation
[Splunk] - AWS - CloudTrail - IAM User Enumeration
[Splunk] - AWS - CloudTrail - Pacu - IAM Brute Force
[Splunk] - AWS - CloudTrail - Pacu - S3 Bucket Exfil
[Splunk] - Adding a bit of Purple
[Splunk] - Endpoint Analysis with Hayabusa and Langchain
[Splunk] - Kerberos Attacks & Defenses - Pass the Ticket
[Splunk] - Kerberos Attacks & Defenses - Golden Ticket
[Splunk] - Web Sockets & .NET Assemblies
[Splunk] - Purple Teaming Memory Forensics with MemProcFS
Saying Goodbye 👋
Outro
Kubernetes Goat 🐐
Lesson unavailable. Please log in to your account or buy the course.