TRAININGS
Our training offer is addressed not only to IT specialists, but also to management staff and every employee of the organization who, due to their professional duties, has contact with the ICT infrastructure or part of it. After completing each training, participants receive certificates confirming the acquisition of competences in its subject area. The training is conducted by our staff, lecturers with STM Academy.
​
​
Are you interested in the offer?
Write to us!
SECURITY ESSENTIALS
training duration - 8 days
​
People say that the best defense is an attack, and this is also the assumption of cybersecurity experts. During the training, our lecturers will show what security looks like from the "red" side. Participants will have the opportunity to familiarize themselves with a hacker's basic toolkit, learn the basics of communication and the Linux operating system, and understand the goals of attackers. Finally, they will reach the holy grail of all hackers: executing commands on the server with escalation of privileges. Participants will also learn how to conduct a penetration test step by step and look for vulnerabilities, both manually and automatically. The training also covers verifying the scope of the test and preparing a report in which students can present their findings.
1. BASIC SKILLS:
- Command line basics​
- Bash basics​
- Client-Server model​
- Data transfer techniques​
- Reverse shells​
- Bind shells​
- Interactive shells
​
2. INTRODUCTION TO PENTESTS:
- Network scanning​
- HTTP basics​
- Remote command execution​
- Automatic privilege escalation​
- Network pivoting​
- Backdoor detection​
- Reporting
​
3. SECURITY OF INTERNET APPLICATIONS:
- Enumeration​
- Password security​
- Command injection​
- Client-side security​
- File upload security​
- SQL Injection​
- Template Injection​
- XML external entity injection​
- Cross-site scripting​
- Cross-Site Request Forgery​
- Local file inclusion​
- Remote file inclusion
​
4. PRIVILEGE ESCALATION:
- File permissions
- sudo permissions
- Cron jobs misconfiguration
- Privileged containers
- Local services
- OS exploits
​
5. LOCAL EXPLOITATION:
- SUID and capabilities
- Hardcoded data
- Buffer overflows
- Environment variables
- Side channel attacks
- Handling signals
- Symlinks
- Inherited file descriptors
WEB APPLICATION SECURITY
training duration - 8 days
Digitization has allowed us to transfer many aspects of our lives to the Internet, but it has brought with it several new threats. One small programmer error can expose users to harm and generate multi-million losses for the company. During our training, participants will learn in an accessible way the processes invisible to the human eye that happen when, for example, we order a transfer, log in to an office, or look for a recipe on a forum, and the risks associated with them. Additionally, practical exercises prepared by our specialists will allow you to thoroughly consolidate the acquired knowledge.
- Basics of the HTTP protocol
- Enumeration and reconnaissance of web applications
- Authentication, authorization, and session management
- HTML Injection and Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Path Traversal and Local/Remote File Inclusion
- SQL Injection and NoSQL Injection
- Command Injection
- Server-side Includes and Server-Side Template Injection (SSTI)
- XML vulnerabilities (XXE)
- Server-Side Request Forgery (SSRF)
- Vulnerabilities related to the file upload mechanism (File Upload)
MOBILE APPLICATION SECURITY
training duration - 5 days
Nowadays, an increasing part of users' lives is focused on a mobile device: the phone. Our training puts this important aspect under the microscope. During the classes, participants will become familiar with the two most popular platforms (Android and iOS) from the inside. We will discuss not only the mistakes programmers make in their applications, but also how the design of mobile operating systems allows attackers to target the user without direct interaction with their banking, SMS, and other applications.
The scope of training includes:
​
1. Introduction:
- General presentation of the concept of mobile applications (Division into native/hybrid/web application)
- Overview of the most popular platforms (Android / iOS)
- Basic problems related to mobile applications
- Available tools used in application security verification processes
2. Android:
- Android ecosystem overview
- Preparing the test device - Android
- What is APK, how is it built?
- Dalvik, ART, JVM - how much Java there really is in this Java
- Android security:
- Application construction
- IPC and Deeplinks communication
- Secure data storage
- Android Apps - Threat Model
3. iOS:
- Apple ecosystem overview
- Preparing the test device - iOS
- What is IPA, and how is it constructed?
- Introduction to ObjC and Swift
- iOS Security (Permissions, Storage & Data Protection, 3rd-party Keyboards, Code Signing, Secure Enclave Processor)
- IPC and Universal Links communication
- App Extensions
- iOS Keychain
- iOS Apps - Threat Model
4. Attacker's perspective:
- Static application analysis
- Dynamic application analysis
- How found bugs are used:
- Modification of an existing application
- Interaction from malware
​​
NETWORK AND INFRASTRUCTURE SECURITY
training duration - 5 days
​
Many companies implement firewalls, separate DMZ networks, or introduce many other network separation methods. What if the attacker is already in our network? No matter how strong the wall is, it will not protect us from threats from within. During the training, participants will learn the methods used by attackers who are already in our network: bypassing device authorization, "hopping" between networks, impersonating existing devices, and finally finding a lucrative target and taking full control over it.
- ARP Spoofing attacks
- Attacking the DHCP protocol, Spoofing
- ICMP security, ICMP Redirect attacks
- NAC bypass techniques, MAC Filtering
- Switch security, VLAN Hopping attacks
- IPv6 security
- Replay Attacks on the example of SMB
- Attacking WiFi networks
- Scanning the network for hosts
- Machine enumeration, scanning for services
- Exploitation of found vulnerabilities
- Privilege escalation in Windows and Linux
INTRODUCTION TO MALWARE ANALYSIS
training duration - 1 Day
​
Nowadays, attackers use even more sophisticated and advanced techniques to infect or take control of our devices than when we first started using computers. Analysts must constantly update their knowledge to keep up with the evolving malware industry. During the training, participants will prepare a test environment, learn the principles of hygiene when working with malware, and become familiar with the most popular methods used to analyze actions performed by software in controlled conditions.
​
Scope of malware analysis training (based on training malware):
1. Preparing the environment for static and dynamic analysis of malware,
2. Basic static analysis (PE file analysis, review of imports, resources, etc.),
3. Basic dynamic analysis (monitoring changes made to the file system, registry, network traffic (fakenet / inetsim)),
4. Defining Indicators of Compromise,
5. Advanced dynamic analysis - instrumentation and tracing of code execution, including decrypting secured network traffic,
6. Advanced static analysis - software reverse engineering using IDA or Ghidra,
7. Advanced network traffic analysis - disabling certificate-pinning, and configuring a transparent proxy server.
INTRODUCTION TO RED TEAMING
attacks using physical devices, social engineering, and malware
training duration - 1 Day
​
Nowadays, when technology has developed to such an extent that severe mistakes must be made by programmers almost on purpose, humans remain the weakest link in any security system. You can conduct training and workshops, but we never know how our employees will behave in a real situation. With Red Team training, your security team will always be ready to stay one step ahead of attackers. Our experts will show you what tools and methods criminals use, how phishing emails are created, how anti-virus protection is bypassed, and how easy it is to impersonate existing infrastructure.
​
The scope of Red Teaming training includes the following topics:
1. Planting malicious devices in the organization's infrastructure:
- pendrives
- HID devices
- USB cables
- summary and safety tips
2. Installation of malicious devices in the organization's infrastructure
- network implants
- HDMI implants
- hiding implants inside other devices
- summary and safety tips
3. Example Phishing Campaign:
- Enumeration of e-mail addresses
- Email security:
a. SPF
b. DKIM
c. DMARC
- Remote control over infected computers
- Steal user credentials in three different ways:
a. Keylogger
b. DLL Injection
c. Fake Authentication
- Bypassing antivirus protection
- Bypassing the firewall
C CODE ANALYSIS AND LOCAL EXPLOITATION ON LINUX
training duration - 1 Day
​
Linux currently makes up the majority of the world's server infrastructure. There, behind the terminal, many old but proven solutions make sure that users can view our websites, routers can forward packets, and all types of applications can run. However, even there, many errors can threaten the security of any organization. During the training, our experts will prepare you to find your way around the Linux system and to independently locate, learn to exploit, and ultimately repair both the most common and the most advanced errors that still plague even the largest systems today. During the course, you will learn about buffer and integer overflows, find hard-coded passwords, learn how to escape from isolated environments, detect data leaks, learn how applications and the operating system communicate, and face heap exploitation. Together we will secure the world.
​
Scope of training:
1. Overview of Linux security,
2. Analysis of the operation of bash shells. Explanation of the mechanism of inheritance (processes).
3. Identification and exploitation of errors such as:
a. buffer overflows,
b. integer overflows,
c. hardcoded passwords,
d. relative paths,
e. insecure signal handling,
f. data leaks,
g. heap exploitation.
4. Mitigation of the above errors.
TRAINING FOR LOCAL GOVERNMENT
They say that the best defense is an attack, which is also the assumption of cybersecurity experts.
To maintain a high level of safety in the work environment, it is necessary to know the threats we may encounter in everyday life.
Sometimes, all it takes to cause serious breaches is one small click made by an employee who is unprepared for the threats common in the everyday world.
Training participants will be able to become familiar with the tools and methods used by criminals, learn the basics of the Linux operating system, and find out where an attacker will look for an entry point into an office infrastructure based on Microsoft Windows.
After learning all of the material, participants will not only be able to increase their overall level of security, but they will also have the knowledge required to “put out the fire” started by attackers. They will learn techniques that will allow them to effectively train staff to minimize the risks resulting from the omnipresent human factor.
All this is under the supervision of world experts in the field of cybersecurity.
PRACTICAL CYBERSECURITY
1. BASIC SKILLS
- Most important command line commands
- Bash basics
- Client-Server model
- Most important network protocols
- Data transfer techniques
- Reverse remote shells
- Bind remote shells
- Interactive shells
​
2. WINDOWS SECURITY
​
- File permissions
- User rights
- LOLBAS documentation
- User Account Control mechanism
- "Unquoted Service Path" vulnerability class
- Network services with insecure default configuration
- Privilege escalation using Potato family exploits
- Privilege escalation using Google Project Zero tools
​
3. INTRODUCTION TO PENTESTING
- Network scanning
- HTTP protocol and proxy servers
- Remote code execution
- Automatic privilege escalation
- "Network pivoting"
- Backdoor detection
- Vulnerability Reporting
​
4. WEB APPLICATION SECURITY
- Enumeration
- Password security
- Command injection
- Client-side security
- File upload security
- SQL Injection
- Template Injection
- XML external entity injection
- Cross-site scripting
- Cross-Site Request Forgery
- Local file inclusion
- Remote file inclusion
​
5. PRIVILEGE ESCALATION
- Incorrectly Set File Permissions
- Incorrectly Configured Sudo
- Incorrectly Configured Cron Tasks
- Incorrectly Configured Local Services
- Privileged Containers
- Outdated Operating Systems
6. LOCAL EXPLOITATION
- SUID attribute and "capabilities"
- Recovering "hardcoded" data
- Buffer overflows (without assembly)
- Dangerous environment variables
- Side-channel attacks
- Signal manipulation
- Using symlinks
- File descriptor inheritance
​