Wall of Sheep Hands-on Threat Hunting - Brian Markus, Matt Tiner, Ian Foster, Ernest Linchangco - DCTAC2025

Name of Training: Wall of Sheep Hands-on Threat Hunting
Trainer(s): Brian Markus, Matt Tiner, Ian Foster, Ernest Linchangco
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm
Venue: TBD
Cost: $2,700

Course Description:

This 2-day course will introduce students to the art of threat hunting, focusing on the use of packet analysis to detect and respond to advanced threats. Students will learn how to analyze network traffic, identify file types and metadata, and apply detection techniques using AI.

Course Outline:

DAY 1
# Introduction 
# Chain of Custody – When it is needed 
  • Internal/outside investigation
  • Criminal
  • Compliance
# Bits & Bytes
  • BIN2DEC 
  • DEC2HEX 
  • BIN2ASCII 
# ENCODING/DECODING
  • [What is ASCII?] 
  • [What is base64 and how does it work?]
    • Table, decoding (automated/manual) 
    • Decode exercise 
# Linux refresher
  • Linux Trainer 
# Files
  • File types & headers
  • File Metadata
    • Hidden GPS data in JPG metadata 
  • File identification
    • 7z Download Challenge 
# Logs
  • Parsing Windows Event Logs 
  • Active Directory Event Logs 
# Steganography
  • Hidden message - Color on color (traffic/PPTX Extraction) 
# Local Analysis of Compromises
  • Windows Registry - HKCU Run persistent malware identification 
  • Recover a deleted file from an NTFS file system
DAY 2 
# Regular Expression Primer
  • RegEx Trainer (1-5) 
# Protocols and RFCs
# Networking Refresher
  • TCP/IP Model / OSI-Model
    • OSI Layer Matching 
  • What is an IP / Port
    • Port Matching Challenge 
  • IPv4
    • Ethernet Headers 
  • Subnets 
  • MAC Addresses
    • MAC Address Challenge
# Mapping and finding threats
  • Enumeration 101 
  • NMAP Host Enumeration 
# Who’s and Why’s of Threat Hunting on the wire 
  • What is Network Traffic Analysis
  • Who performs Network Traffic Analysis
  • Network Monitoring Technologies
  • What is a Network Packet Analyzer?
  • Promiscuous mode
  • Why should I capture traffic to a file?
# Files - Identifying & pulling files out of traffic
  • TFTP file name identification 
  • FTP User Password 
  • SMB File Transfer 
  • FTP of a QR code with a base64-encoded message inside
# Cracking for Threat Hunters
  • [Cryptography] 
  • Cracking ZIP (Dictionary & Brute-force) 
# Detecting the top threats on the wire:
  • Port Scanning & SYN Floods 
  • Man-in-the-middle Attacks (ARP Poisoning) 
  • C2 Beaconing 
  • Data Exfiltration 
  • Database Leaks 
# Using AI for Network Analysis & Threat hunting
  • File identification/manipulation 
  • Data enriching & formatting 
  • Log analysis 
  • Converting network traffic into an AI friendly format 
  • Prompt writing for threat hunting 

Difficulty Level:

Low Intermediate to Advanced – A practical, hands-on course.

This class is designed to be an immersive experience, not a traditional lecture-based course. We move quickly from theory into hands-on labs where you will actively hunt for threats in real network traffic. The focus is on doing, not just knowing.

This course is for students who are already comfortable with computer and networking fundamentals. While we spend time reviewing refreshers, please note that we won't be covering basic concepts beyond what's listed in the syllabus. To get the most out of our exercises and keep up with the material, it's essential to come prepared with a solid foundation in the skills we'll be building upon. Your ability to do so will directly impact your learning experience on day one. If you are not comfortable working in a command prompt or terminal, you will find it very difficult to succeed.

Suggested Prerequisites:

To ensure you have a rewarding experience, you should be confident in the following areas before enrolling.

Core Knowledge:

  • Networking Fundamentals: You should understand what the following terms mean:
    • TCP/IP (the basics of the protocol suite)
    • Packets, Frames, and Ports
    • IP Addresses (Public vs. Private, Subnetting)
    • DNS and DHCP
    • HTTP/S traffic basics
    • Common services like SSH, RDP, and FTP

Essential Practical Skills:

  • Command Line Proficiency (CRITICAL): This is the most important requirement. We will have exercises that will require some knowledge of both Linux and Windows. You must be able to navigate and perform tasks in a command line interface (like Windows Command Prompt, PowerShell, or a Linux terminal) without assistance. You should be able to:
    • Navigate file systems (cd, dir/ls)
    • Manage files (copy/cp, move/mv, delete/rm)
    • Run basic networking utilities (ping, ipconfig/ifconfig, netstat, route)
  • Operating System Familiarity: You should be comfortable at a basic level using modern Windows and Linux operating systems and understand core concepts like processes, services, and user permissions.

Recommended Experience: Holding a certification like CompTIA Security+ or Network+ (or having equivalent knowledge) is a strong indicator that you are ready for this course.

Pre-Work: If you want to test your readiness, try completing a few introductory network analysis exercises online. If you find those challenges manageable, you are likely prepared for this class.

What Students Should Bring:

A laptop with a modern web browser, running an OS you are very familiar with. The OS should be in English or have English translations available so the instructors can assist you. We understand that every student will bring a different system with a different OS; our focus is on delivering a high-quality educational experience for all participants, and troubleshooting of BYOD (Bring Your Own Device) systems will not be available during this course.

Trainer(s) Bio:

Brian Markus is the CEO of Aries Security, a company specializing in Cyber Security Training, Assessments, Awareness and Events.

Prior to Aries Security, Brian worked as the CISO for Aerojet Rocketdyne, held technical and leadership roles at Raytheon and the Riverside County Office of Education, and was an Adjunct Professor at DeVry University for many years.

Brian holds a BS in CIS, an MBA, and the following certifications: CISSP, PGP, Six Sigma, NSA IAM, ITIL.

Brian is most well-known for creating the infamous Wall of Sheep featured at DEF CON, the largest hacker conference in the world, the Capture The Packet Cyber Range, and Juice-Jacking as seen on NCIS.

Ian Foster is a Red Team lead and has been on the Red Team of multiple Fortune 500 companies. He specializes in offensive infrastructure and research. On his own time Ian runs dns.coffee, a historical DNS database providing DNS data to researchers and threat intelligence groups. Ian also runs a research ISP, allowing him to provide specialty infrastructure hosting for security researchers and internet connectivity to non-profits.

Matthew Tiner is a collaborative professional known for his approachable communication style and willingness to engage directly with colleagues and clients. With a preference for real-time problem-solving and hands-on discussion, Matthew brings a practical, no-nonsense approach to his work. His ability to balance professionalism with genuine personality makes him an effective team member who values both results and relationships.

Ernest Linchangco is a veteran IT professional with three decades of experience guiding complex technology initiatives across diverse industries. His expertise includes cybersecurity, infrastructure operations, and systems integration. Known for his strategic mindset and technical versatility, he consistently delivers results in high-stakes environments. In his spare time, Ernest is actively involved in collaborative hacker and maker circles, contributing to events and projects that advance security research and creative engineering.

Registration Terms and Conditions: 

Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after October 2, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions.