Attack Detection Fundamentals 2021

Join us for our second series of workshops, focusing on the basics of detection across technologies including Windows, macOS, AWS, and Azure.

Our consultants will provide hands-on demonstrations and lab walkthroughs that you can start using straight away. These sessions will improve how you use detection techniques in your existing enterprise stack and give you a broader understanding of attacker techniques against the various technologies.

These sessions are for anyone with a technical interest in attack detection; be that a SOC analyst, or a penetration tester looking to get more familiar with detection opportunities across multiple technologies.

#1 Windows

In the first of our 2021 Attack Detection Fundamentals workshops, Alfie and Riccardo will deep-dive into advanced defense evasion and credential access techniques targeting Windows endpoints. Such tradecraft is used by sophisticated threat actors and red teams alike, and this session will look at the detection opportunities for:

  • Removal of user-land API hooks
  • Installation of API hooks for credential theft
  • Theft of browser cookies for session hijacking

You can find the workshop guides over on the F-Secure Labs website:

#2 MacOS

During this workshop, Calum and Luke will discuss well documented macOS tactics, techniques, and procedures (TTPs) that have been uncovered in the wild and will analyze the telemetry that reveals such attacks. From identifying initial access attempts, to uncovering post-exploitation techniques, this workshop will provide attendees with the necessary means to detect offensive tradecraft including:

  • Initial code execution through Microsoft Office macros and malicious installer packages
  • Common persistence techniques such as login items and launch agents
  • Transparency, Consent, and Control (TCC) bypass techniques

You can find the workshop guides over on the F-Secure Labs website:

#3 AWS

During this workshop, Alfie and Nick will demonstrate and discuss common attacker tactics, techniques, and procedures (TTPs) used in AWS environments. Starting from the perspective of compromised AWS access keys, it will provide attendees with the necessary means to detect offensive tradecraft including:

  • Initial enumeration and reconnaissance using stolen access keys
  • Common persistence techniques, such as deploying an IAM user as a backdoor into the account
  • Data exfiltration from S3 buckets

You can find the workshop guides over on the F-Secure Labs website:

#4 Azure

During this workshop, Masande Mtintsilana and Alfie Champion will walk through how an Azure environment can be compromised using attack techniques learnt from the cloud security community and first-hand experience in offensive cloud engagements. This workshop will help attendees understand:

  • How an adversary can persist, escalate privileges, and move laterally in an Azure environment
  • What log events are generated from different offensive techniques
  • What detection opportunities exist and how they can be implemented

You can find the workshop guides over on the F-Secure Labs website:

About the consultants

Alfie Champion


Alfie Champion

Alfie has a background in software development and DevOps and now leads the global delivery of attack detection services. He has a keen interest in adversary simulation and offensive tradecraft, developing tooling to emulate attacker activity and ultimately aid clients in testing and developing their detective capability.


Calum Hall

Calum is a consultant in the offensive security team at F-Secure Consulting. His attention over recent years has been towards perimeter-based security, with his latest research focused on macOS security and understanding how common setups can be abused during offensive engagements.

Luke Roberts


Luke Roberts

Luke specializes in performing attack simulations. His recent research has focused on the impact of macOS adoption on organizations' security postures.


Masande Mtintsilana

Masande’s work in cyber security began in web and mobile security, where he developed an interest in reverse engineering and vulnerability research. Over the years, he has shifted his focus to cloud security. His current research interests involve understanding the attack techniques that target cloud environments.


Nick Jones

Nick leads F-Secure's cloud security team in addition to developing and delivering attack detection services. His background as a software engineer drives his focus on building tools and automation to assess, exploit, and defend cloud and cloud-adjacent infrastructure.


Riccardo Ancarani

Riccardo is a security consultant at F-Secure Consulting. He is the service lead for the Active Directory Security Review practice. His recent research has focused on defense evasion techniques for adversary simulation exercises.

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs