Course Introduction

10 minutes · Module 0 · Free

What this course is

This is a practical purple-teaming training course built for blue-team practitioners who want to validate the detections they rely on. Across fourteen modules, you walk every ATT&CK technique that matters in modern enterprise environments — sixty-one techniques in total — and you do it the only way that produces evidence: by firing the actual attack against your own lab and watching what fires.

The pedagogy is direct. Walk the kill, then catch it. You read what the technique is, run the commands an attacker would run, watch the telemetry land in your SIEM, write or tune the Sigma rule that catches it, and log the result. Then you move to the next technique. Sixty-one times across four target environments — Windows endpoint, Active Directory, Microsoft 365, and Linux — and three SIEMs in parallel: Microsoft Sentinel, Defender XDR Advanced Hunting, and your choice of Splunk Free or Elastic. By the end, you don't claim coverage. You evidence it.

The course is the answer to the conversation that should make every detection-engineering team uncomfortable: when leadership asks whether you'd catch a given attack, the only honest answer is the one backed by a recent test result. Not the rule deployed three years ago. Not the dashboard showing green. The evidence that says "I ran this technique on Tuesday and the rule fired in 4 seconds." This course gives you the rhythm, the lab, and the artefacts to make that statement and mean it.

What this course teaches

Fourteen modules across three phases.

Phase 1 — Foundations and Lab Build (PT0, PT1). You are here now. PT0 establishes the course shape, the purple-team mindset, and a complete worked technique end-to-end as a free preview. PT1 walks you through building the four-environment, three-SIEM lab from scratch.

Phase 2 — Walking the ATT&CK Kill Chain (PT2–PT13). Twelve modules, one per ATT&CK Enterprise tactic from Initial Access through Impact, in standard kill-chain order: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. (ATT&CK Enterprise also defines Reconnaissance and Resource Development; those play out outside your environment and leave no telemetry in your lab, so the course doesn't walk them.) Each module covers between three and eight techniques depending on the tactic — Credential Access has eight because credential dumping has many distinct attacker variants; Exfiltration has three because the realistic attacker repertoire is narrower. Every technique is walked end-to-end with attack commands, raw telemetry, Sigma rules, and platform conversions for all three SIEMs.

Phase 3 — Capstone (PT14). A complete purple-team exercise on CHAIN-HARVEST — a multi-stage AiTM credential-phishing chain that reuses techniques from Phases 1 and 2 in a realistic attacker sequence. The deliverable is a full purple-team report covering techniques tested, detection results across all three SIEMs, coverage gaps, tuning recommendations, and a prioritised remediation backlog. The kind of artefact you can present to leadership, take into an interview, or use as a template for your team's first real purple-team programme.

You can study the course linearly (PT0–PT14) or in a modified order once Phase 1 is complete. Most learners go linearly because the modules build on each other — Persistence techniques become richer once you understand Privilege Escalation; Credential Access becomes deeper after you understand Defense Evasion. If a specific tactic is what brought you to the course, you can jump directly to that module after Phase 1.

Who this course is for

Anyone who wants to learn how to validate detection coverage. The course is built for self-directed learners, and how much of it applies to your work depends on where you sit now and where you want to go.

The course will be especially useful if you recognize yourself in one of these profiles.

Detection engineer wanting to validate your own work. You write or maintain rules. You ship them to production. You don't always know if they fire against the actual technique because nobody has run the attack against them. You suspect there are gaps but you can't quantify them. This course closes the loop — every rule in every sub is tested in your own lab against the actual attack commands before the rule is committed.

SOC analyst moving into detection responsibilities. You triage alerts and you've started to wonder which rules behind those alerts are actually working. You want to author rules of your own and prove they work. The course teaches you the rhythm — walk the attack, watch the telemetry, write the rule, tune it — that turns rule authoring from craft into discipline.

SOC lead building a continuous purple-team rhythm. Annual exercises aren't enough and you know it. You want a programme that runs week to week, with concrete metrics that survive the question "how do we know we're getting better." The course teaches the daily, weekly, monthly, and quarterly cadence that keeps coverage current — and produces the metrics that make the programme defensible to leadership.

IR practitioner who wants to understand attacker telemetry from the source. Most IR work runs backwards from the breach report. This course works forwards from the keystroke that produces the Sysmon Event 10. Reading raw telemetry is a skill that improves every IR engagement, and the course's bias toward annotated events builds the muscle.

Threat hunter extending into proactive validation. Hunting finds the unknown. Purple teaming proves what's known is actually working. The two skills feed each other. The course gives you the validation half.

If none of those profiles match yours, the course is still open to you. Read the prerequisites below and decide how much preparation you want to do before starting.

Prerequisites

Three specific prerequisites. Read each and self-assess honestly.

Detection rule literacy. You should be able to read at least one detection language — Sigma, KQL, SPL, or Lucene. The course teaches Sigma directly and shows platform conversions, but the conversions go faster when you can already read at least one language. If detection languages are entirely new, work through Microsoft Learn's free "Write your first query with KQL" primer before starting Phase 2 — two to three hours and you'll have what you need.

Endpoint telemetry basics. You should be familiar with Sysmon and Windows Event Log to the point where Event 1 (process creation), Event 7 (image loaded), Event 10 (process access), and Event 11 (file create) ring bells. You don't need to be a forensic examiner — the course teaches what each field means in context. You do need to recognise what Sysmon is and what it produces. If Sysmon is new, the SwiftOnSecurity GitHub repository's documentation is a good two-hour primer.

MITRE ATT&CK navigation. You should be comfortable with technique IDs (T1003.001, T1078.004), tactic names (Credential Access, Lateral Movement), and the structure of the ATT&CK matrix. PT0.3 (The Vocabulary of Coverage) covers ATT&CK orientation in depth, but if the framework is entirely new, spend an evening on the attack.mitre.org website before Phase 2.

Nothing else is required. You do not need a background in computer science, malware development, or red-team operations. Specific depth in those areas makes some modules easier, but none is prerequisite. The course's first paid module (PT2 Initial Access) starts at a level any working blue teamer can engage with — the depth grows as the modules progress.

Home lab setup

You can follow along with the course on a modest home lab. Most components are free; one piece — Microsoft Sentinel in your own Azure subscription — has a small recurring cost that's covered in detail below. The full walkthrough — step-by-step installation, configuration, and validation of every component — is in PT1. This section is the minimum-viable setup you need to plan around before starting.

Workstation

Hardware (recommendations, not gates). A workstation that can run one or two virtual machines at a time. The course's lab uses one VM at a time per technique sub — you bring up the relevant target, run the attack, watch the telemetry, shut it down. You're not running the whole lab simultaneously.

  • 16 GB RAM is comfortable. 8 GB works if you run one VM at a time and shut down apps you're not using. 32 GB is luxurious — you can keep multiple VMs warm and switch between them quickly.
  • Storage: each VM uses 20–40 GB depending on what's installed. Enough free space for two or three VMs at a time is recommended; if storage is tight, the lab still works — you can decommission VMs you're not using and rebuild them later.
  • CPU: anything from the last decade with hardware virtualisation (Intel VT-x or AMD-V). Most laptops and desktops qualify. ARM Macs work via UTM or Parallels — slower than x86 but workable.
  • SSD strongly preferred over spinning disk for VM responsiveness.

If your kit doesn't match the recommendations, you have options: run a lighter VM footprint (one at a time, decommission between sessions), use a desktop or homelab box if you have one, or rent cloud VMs for the duration of the course. None of these are blockers.

Foundation toolkit (install for Phase 1 onward)

Module 1 walks the install. Everything except the Azure subscription is free.

Hypervisor. VirtualBox (free, cross-platform), Hyper-V (included with Windows Pro, Enterprise and Education), or VMware Workstation Pro (free for personal use since 2024; the separate Player edition has been discontinued). Pick one in PT1.1.

Operating system VMs. Windows 10/11 Evaluation (free, renewable), Windows Server 2022 Evaluation (free, 180-day trial), Ubuntu Server (free, perpetual). Built in PT1.2 through PT1.5.

Endpoint telemetry. Sysmon (Microsoft Sysinternals) with the SwiftOnSecurity baseline configuration on Windows. Auditd with the Neo23x0 ruleset on Linux. Configured in PT1.3 (Windows) and PT1.6 (Linux).

Telemetry forwarders. Azure Monitor Agent for Windows-to-Sentinel forwarding. Splunk Universal Forwarder, or Elastic Agent or the standalone Beats (Winlogbeat/Filebeat), depending on your secondary SIEM choice. Rsyslog or Fluentd for Linux log forwarding. Configured in PT1.8 through PT1.11.

Attack tooling foundation. Atomic Red Team (Invoke-AtomicTest framework) for technique execution, MITRE Caldera for chain emulation in the capstone. Both free and open source. Installed in PT1.2 (Atomic Red Team) and referenced in PT9 and PT14 (Caldera).

Tracking and visualisation. VECTR (free tier) for tracking detection results per technique. ATT&CK Navigator (browser-based) for coverage visualisation. Configured in PT1.7.

Per-module attack tooling (introduced as needed)

The course doesn't ask you to install everything on day one. Foundation tools land in PT1; the per-technique attack tools — Mimikatz, Impacket, BloodHound, Evilginx, AADInternals, and others — are introduced module-by-module as the techniques that need them come up. You install each piece as the course reaches it, which keeps the lab clean and the focus on one thing at a time.

The complete per-module toolset:

Windows endpoint and credentials (PT6, PT7, and as relevant). Mimikatz, NanoDump, procdump (Sysinternals, signed), PowerShell offensive frameworks introduced as techniques require.

Active Directory (PT7, PT8, PT9 and as relevant). Impacket suite (psexec.py, wmiexec.py, secretsdump.py, GetUserSPNs.py, GetNPUsers.py), BloodHound and SharpHound for AD enumeration and attack-path mapping, Rubeus for Kerberos abuse.

Microsoft 365 cloud (PT2, PT4, PT7, capstone). AADInternals (PowerShell module — token, AD FS, sync abuse), TokenTactics / TokenTacticsV2 (token extraction and replay), GraphRunner (M365 reconnaissance via Graph API), ROADtools (Entra ID enumeration), Evilginx2 (AiTM phishing — used in capstone CHAIN-HARVEST).

Linux (PT3, PT5, PT7 and as relevant). LinPEAS for privilege escalation enumeration, GTFOBins as canonical LOLBins reference (not a tool, a reference), Linux-specific test scripts introduced per technique.

Detection rule conversion (optional). sigma-cli or pySigma for programmatic Sigma → KQL/SPL/Lucene conversion. Uncoder.io as a web-based alternative.

Microsoft 365 environment (built in PT1.7)

M365 Developer Tenant. The Microsoft 365 Developer Program sandbox: a free tenant with 25 E5 user licences for non-production development and learning. Provides a full Entra ID tenant, Exchange Online, SharePoint, Teams, Defender XDR, and Purview audit — everything Phase 2 cloud techniques use. Sign up: developer.microsoft.com/microsoft-365/dev-program. Setup takes about thirty minutes. One caveat to check before you plan the cloud modules around it: since early 2024 Microsoft restricts new sandbox sign-ups to Visual Studio Enterprise subscribers and Microsoft partner organisations, so confirm you qualify first.

Sentinel and the SIEM stack (built in PT1.8 through PT1.11)

Microsoft Sentinel is the course's primary SIEM. Sentinel runs in your own Azure subscription. It charges based on data ingested into the Log Analytics workspace; realistic cost during active course progression is £15–25 per month. Azure offers $200 of free credit on new accounts which covers the first month entirely. After the course, when you're not running attacks every day, ongoing cost typically drops below £10 per month. This is the only recurring expense the course requires.

Defender XDR Advanced Hunting is paired with Sentinel as the Microsoft track. Free with the M365 developer tenant. Its tables (DeviceProcessEvents, DeviceEvents and so on) have a different schema from the Event and SecurityEvent tables that agent-forwarded logs land in on the Sentinel side — every detection sub shows the conversion both ways.

Secondary SIEM (your choice). Splunk Free (500 MB/day ingest cap) or Elastic Stack (free, self-hosted). Both covered in PT1; per-technique conversions show whichever you pick.

What this gets you

By the end of PT1, you have a working four-environment, three-SIEM purple-team lab. Windows endpoint, Active Directory domain controller, Linux, M365 developer tenant. Sentinel, Defender XDR Advanced Hunting, and your secondary SIEM. Atomic Red Team for execution, VECTR for tracking, ATT&CK Navigator for visualisation. The lab is yours to keep regardless of how the rest of the course goes — use it for ongoing programme work, training your team, or validating new detections as your environment evolves.

What you can skip

You don't need to install anything before starting PT0. The introduction subs are content you read, not code you run. Install the foundation toolkit when you reach PT1. Install per-module attack tools when the relevant module asks for them. Do not spend setup time on tools you won't touch for weeks.

How the course is structured

Every module from PT2 onward follows the same pattern. Every technique sub contains the same twelve elements in the same order.

Scene. A 100–150 word opening that puts you in a specific situation where the technique matters. Composite scenarios drawn from real patterns; no through-line organisation, no recurring fictional characters. Each sub opens fresh.

Learning Objectives. Two or three bullets stating what you'll be able to do by the end of the sub. Supports continuing professional development logging if your employer asks for it.

The Technique. ATT&CK identifier, parent technique, and one paragraph explaining what the attack does and why attackers use it.

You Already Know. Names the prior knowledge the sub assumes, so you can skim past foundation you have.

Safety and legal notes. Lab boundary, dev tenant boundary, network boundary, data boundary. Standard text per category, appears every sub.

The Attack. The actual commands, why each variant exists, what an attacker would pick. Windows variant first; then AD, M365, Linux as relevant. Where a technique doesn't apply to an environment, the sub says so explicitly.

What Just Fired. Annotated raw telemetry — Sysmon events, M365 audit log entries, auditd records, the Sentinel Event-table rows that Azure Monitor Agent forwarding produces, and the DeviceProcessEvents equivalents in Defender XDR Advanced Hunting — with the relevant fields highlighted.

The Detection. The Sigma rule in full YAML. KQL conversion for Sentinel with the full ingestion-path query. KQL conversion for Defender XDR Advanced Hunting (different schema). SPL or Elastic conversion depending on your secondary SIEM choice. Plus an explanation of why the rule matches on those specific fields, what triage the detection enables, and what known evasions defeat it.

The Tuning Loop. False-positive sources and concrete tuning strategies — by user, by hash, by context — with a baseline FP rate expectation. Plus a one-line note on how this rule fits into the continuous purple-team rhythm.
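The detection-and-tuning cycle those two elements describe, as an added example (not course material): a Sigma-style LSASS-access rule (T1003.001, Sysmon Event 10) evaluated in Python over constructed Sysmon records, then tuned with a filter block, producing the hit, false-positive and time-to-first-hit figures a purple-team log records per technique. The rule dict mirrors the structure of a Sigma YAML file; the events, paths, the "ExampleEDR" agent and the attack timestamp are made up for the example, and the condition evaluator covers only the "a and not b" family of Sigma conditions.

```python
"""Added example: Sigma-style LSASS access detection over constructed Sysmon Event 10 records,
plus the tuning loop and the numbers a purple-team log keeps. Nothing here is course code."""
import copy
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed Sysmon Event 10 (ProcessAccess) records in the EventData shape Sysmon writes.
SYSMON_XML = r"""<Events>
<Event><System><EventID>10</EventID><TimeCreated SystemTime="2024-05-14T14:03:11Z"/></System>
 <EventData><Data Name="SourceImage">C:\Tools\mimikatz.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data><Data Name="GrantedAccess">0x1010</Data></EventData></Event>
<Event><System><EventID>10</EventID><TimeCreated SystemTime="2024-05-14T14:03:20Z"/></System>
 <EventData><Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data><Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
<Event><System><EventID>10</EventID><TimeCreated SystemTime="2024-05-14T14:03:45Z"/></System>
 <EventData><Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data><Data Name="GrantedAccess">0x1000</Data></EventData></Event>
<Event><System><EventID>10</EventID><TimeCreated SystemTime="2024-05-14T14:04:02Z"/></System>
 <EventData><Data Name="SourceImage">C:\Program Files\ExampleEDR\edr_sensor.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data><Data Name="GrantedAccess">0x1410</Data></EventData></Event>
<Event><System><EventID>10</EventID><TimeCreated SystemTime="2024-05-14T14:05:02Z"/></System>
 <EventData><Data Name="SourceImage">C:\Tools\procdump64.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data><Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
</Events>"""

# The Sigma rule as a dict; the YAML in a technique sub has exactly these keys. Field names are the
# Sysmon EventData names; the GrantedAccess values are masks credential dumpers request.
RULE = {
    "title": "LSASS Memory Access by Non-Microsoft Process",
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {
        "selection": {
            "TargetImage|endswith": "\\lsass.exe",
            "GrantedAccess|contains": ["0x1010", "0x1410", "0x1fffff"],
        },
        "filter_microsoft": {
            "SourceImage|startswith": ["C:\\Windows\\System32\\", "C:\\Program Files\\Windows Defender\\"],
        },
        "condition": "selection and not filter_microsoft",
    },
}

MODIFIERS = {
    "contains": lambda value, want: want in value,
    "startswith": str.startswith,
    "endswith": str.endswith,
    None: str.__eq__,
}


def field_matches(event, spec, wanted):
    """One Sigma field line ('Field|modifier': value or list). Lists are OR; comparison is case-insensitive."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = wanted if isinstance(wanted, list) else [wanted]
    test = MODIFIERS[modifier or None]
    return any(test(value, str(w).lower()) for w in wanted)


def block_matches(event, block):
    """A detection block is a map of field lines, ANDed together."""
    return all(field_matches(event, spec, wanted) for spec, wanted in block.items())


def rule_matches(rule, event):
    """Evaluate the condition over the named blocks. Supports names, and/or/not and parentheses;
    Sigma's '1 of them' and aggregation forms are out of scope for this example."""
    detection = rule["detection"]
    results = {name: block_matches(event, block) for name, block in detection.items() if name != "condition"}
    keywords = {"and", "or", "not"}
    expr = re.sub(r"[A-Za-z_]\w*", lambda m: m.group(0) if m.group(0) in keywords else str(results[m.group(0)]),
                  detection["condition"])
    if not set(re.findall(r"[A-Za-z_]\w*", expr)) <= keywords | {"True", "False"}:
        raise ValueError(f"unsupported condition: {detection['condition']}")
    return bool(eval(expr, {"__builtins__": {}}, {}))  # only True/False/and/or/not/parentheses reach eval


def parse_sysmon(xml_text):
    """Flatten each <Event> into a dict keyed by EventData names, plus EventID and a UTC timestamp."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        rec = {d.get("Name"): (d.text or "") for d in ev.find("EventData").iter("Data")}
        rec["EventID"] = int(ev.find("System/EventID").text)
        rec["UtcTime"] = datetime.fromisoformat(ev.find("System/TimeCreated").get("SystemTime").replace("Z", "+00:00"))
        events.append(rec)
    return events


def score(rule, events, attack_images, attack_started):
    """Run the rule and return what the purple-team log records. In a lab the tester knows which images
    they ran, so any hit on another image is a false positive by definition."""
    hits = [e for e in events if e["EventID"] == 10 and rule_matches(rule, e)]
    known = {p.lower() for p in attack_images}
    tps = [e for e in hits if e["SourceImage"].lower() in known]
    fps = [e for e in hits if e["SourceImage"].lower() not in known]
    first_hit = min((e["UtcTime"] for e in tps), default=None)
    return {
        "hits": len(hits), "true_positives": len(tps), "false_positives": len(fps),
        "fp_rate": len(fps) / len(hits) if hits else 0.0,
        "seconds_to_first_hit": (first_hit - attack_started).total_seconds() if first_hit else None,
        "fp_sources": sorted(e["SourceImage"] for e in fps),
    }


def tune(rule, name, block):
    """The tuning loop: add a named filter block and exclude it in the condition without mutating the base rule."""
    tuned = copy.deepcopy(rule)
    tuned["detection"][f"filter_{name}"] = block
    tuned["detection"]["condition"] += f" and not filter_{name}"
    return tuned


EVENTS = parse_sysmon(SYSMON_XML)
ATTACK_STARTED = datetime(2024, 5, 14, 14, 3, 7, tzinfo=timezone.utc)  # when the tester ran the attack (constructed)
ATTACK_IMAGES = ["C:\\Tools\\mimikatz.exe", "C:\\Tools\\procdump64.exe"]


def baseline():
    return score(RULE, EVENTS, ATTACK_IMAGES, ATTACK_STARTED)


def tuned():
    # Exclude the hypothetical third-party agent by path. A path exclusion is cheap for an attacker to
    # imitate, so in a real lab narrow it further on the signer or hash from the paired Event 1/7 record.
    rule = tune(RULE, "edr_agent", {"SourceImage": "C:\\Program Files\\ExampleEDR\\edr_sensor.exe"})
    return score(rule, EVENTS, ATTACK_IMAGES, ATTACK_STARTED)


if __name__ == "__main__":
    print("baseline:", baseline())
    print("tuned:   ", tuned())
```

Before tuning the rule fires three times on this sample (two true positives, one on the agent), so the logged FP rate is one in three; after the filter block it is zero, with the same 4-second gap from attack start to the first matching event. That gap is telemetry latency only; in your lab, agent forwarding and the analytics-rule schedule add to it, so log the alert timestamp from the SIEM, not the event timestamp.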

Decision Exercise. A "read, decide, compare" exercise. The sub presents a detection design scenario with three or four plausible options. You pick one before scrolling. The model answer reveals with explicit trade-offs.

Try-it. Step-by-step lab instructions for executing the technique against your own lab, the events you should expect to see, a troubleshooting tree for when things go wrong, and explicit success criteria.

Reference Card. Closing artefact. Attack commands and final tuned detection rules in copy-paste blocks, top three tuning notes, one-line real-world impact note. Save these into your detection library however you organise it.

Module completion pattern

Each module has a module overview sub, the technique subs, a coverage report deliverable, a module summary, and a Check My Knowledge sub with ten scenario-based questions. The summary is a reference for later; the Check My Knowledge is the end-of-module assessment. If you cannot answer the majority of Check My Knowledge questions, re-read the module before moving on.

Time per phase

The course is self-paced. There are no cohorts, no fixed deadlines, no streaks.

Phase 1 (PT0, PT1): one to two evenings for PT0, half a day to a day for PT1 depending on lab setup experience. Phase 2 (PT2–PT13): twelve modules spanning the ATT&CK kill chain. Module sizing varies between three and eight techniques. Plan five to eight hours per module. Phase 3 (PT14): the capstone is the longest module in the course — plan six to ten hours across multiple sessions for a complete walkthrough and the report deliverable.

Full course at six to eight hours per week: ten to fourteen weeks. Slower paces are entirely fine — what matters is consistency, not speed. A learner who does one technique sub a week makes steady progress and produces real artefacts.

Start here

Go to PT0.1 — A Worked Incident: The Tuesday Afternoon Mimikatz Question next. It walks the conversation that should make every blue teamer uncomfortable — the moment leadership asks whether a specific attack would be caught — and shows you the gap between "we have a rule for it" and "I ran the attack and the rule fired in 4 seconds." That gap is the course.

After PT0.1, the remaining PT0 subs cover the purple-team mindset and why most coverage claims fail (PT0.2 The Purple-Team Mindset), the shared vocabulary of detection coverage and continuous purple-team programmes (PT0.3 The Vocabulary of Coverage), the toolkit the course uses and the adjacent skills worth building afterward (PT0.4 The Toolkit and What Comes Next), a concise module recap (PT0.5 Module Summary), and a scenario-based check of what the module taught (PT0.6 Check My Knowledge).

Work through PT0 in order. The mindset PT0.2 establishes is the lens every subsequent module looks through.

You've built the lab and understand the validation gap.

Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.

  • 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
  • Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
  • Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
  • Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
  • Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course
Unlock with Specialist: £25 per month, cancel anytime.