Specter Bash 2025 Event & Trainings
Event description
Specter Bash 2025 is a family-friendly week of Adversary Tactics training courses, a community-focused day of activities, and a Halloween party all rolled into one!
(And food's included!)
About Specter Bash
Specter Bash is an annual, community-focused training event with a Halloween twist hosted by SpecterOps.
This year we're offering the following Adversary Tactics courses at Specter Bash (see the sections below for more course details):
- Adversary Tactics: Red Team Operations
- Adversary Tactics: Identity-driven Offensive Tradecraft
- Adversary Tactics: Detection
- Adversary Tactics: Tradecraft Analysis
The trainings will run Monday (Oct 6) to Thursday (Oct 9) with further activities, workshops, and the like happening on Friday (Oct 10).
We hope you'll join us, it'll be scary-fun!
In-person Attendee Benefits
By attending in person you'll receive the following exclusive benefits:
- (Spooky) Evening events to connect with industry peers
- Food! (Breakfast & Lunch provided throughout the event; Dinner provided Monday - Thursday)
- Exclusive event-themed swag
- Halloween party and costume contest (see below)
Evening Events
Details coming soon!
Venue
Specter Bash will take place at The Inverness in Denver, CO (200 Inverness Dr W, Englewood, CO 80112, USA).
Venue Amenities:
- Located on an 18-hole golf course
- Adjoining Breckenridge Brewery
- Luxury spa on-site
- 30 minutes from Denver International Airport
Specter Bash Trainings
Upgrade your skills by taking one of our four different courses
- Free Specter Bash admission included
- In-depth four-day-long courses
- Engage with our Frontline Practitioners
- Hands-on Labs throughout the courses
- Note: Only in-person training tickets are considered part of the Specter Bash event; virtual tickets do not include the in-person benefits of the event
Adversary Tactics: Red Team Operations
Upgrade your Red Team engagements with bleeding-edge Tactics, Techniques, and Procedures (TTPs) used by attackers in real-world breaches. This course will teach participants how to infiltrate networks, gather intelligence, and covertly persist in a network like an advanced adversary. Participants will use the skillsets taught in Adversary Tactics: Red Team Operations to go up against live incident responders in an enterprise lab environment designed to mimic a mature real-world network. Participants will learn to adapt and overcome Blue Team response through collaborative feedback as the course progresses.
Topics covered include:
- Design and deploy sophisticated, resilient covert attack infrastructure
- Utilize advanced Active Directory attack techniques to execute domain enumeration, escalation, and persistence
- Perform sophisticated post-exploitation actions, including sophisticated data mining, going beyond just achieving “Domain Admin”
- Use cutting-edge lateral movement methods to move through the enterprise
- Practice “offense-in-depth” by utilizing a variety of tools and techniques in response to defender actions and technical defenses
- Effectively train network defenders to better protect themselves against advanced, persistent adversaries
Full course details here.
Adversary Tactics: Identity-driven Offensive Tradecraft
As modern architecture increasingly shifts services and data from on-premises infrastructure to the cloud, Identity becomes the thread that ties everything together.
Our Adversary Tactics: Identity-driven Offensive Tradecraft course is a follow-on to our Adversary Tactics: Red Team Operations course and offers an in-depth look at identity-driven attacks, targeting both on-premises and hybrid identities. Participants will learn how to abuse the intricacies of different authentication and authorization mechanisms to traverse on-premises and cloud environments, gain access to integrated systems, and even cross tenants. Participants will also be equipped with a practical approach to identifying known attack paths and forging new ones within complex operational environments and across people, processes, and technology.
Full course details here.
Adversary Tactics: Detection
You bought all the latest detection tools, but somehow still can't seem to detect mimikatz. IT is screaming about the resource consumption from the multitude of security tools on the endpoints, analysts are barely staying afloat in the oceans of data your toolsets have created, and the latest red team report detailed how response actions were ineffective again. If this sounds familiar for your organization, this is the course for you. We'll walk you through starting with a detection engineering strategy first and then focusing on methodologies to build robust alerting, with the end result of improving detection and response capabilities throughout security operations. This course will provide you the understanding and ability to build robust detections, starting with the why and going all the way to the technical implementation of detecting threat actor activity. You will learn how to apply the methodologies and technical approaches practiced, regardless of the security toolsets deployed in your organization.
Adversary Tactics: Detection builds on standard network defense and incident response (which often focuses on alerting for known malware signatures) by focusing on abnormal behaviors and the use of adversary Tactics, Techniques, and Procedures (TTPs). We will teach you how to engineer detections based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will learn to utilize free and/or open source data collection and analysis tools (such as Sysmon, Windows Event Logs, and ELK) to analyze large amounts of host information and build detections for malicious activity. You will use the techniques and toolsets you learn to create threat hunting hypotheses and build robust detections in a simulated enterprise network undergoing active compromise from various types of threat actors.
Full course details here.
Adversary Tactics: Tradecraft Analysis
Your organization has just implemented the leading detection and response products. Are they configured with default configuration? How much faith should you have in your ability to detect sophisticated attacks? How would you simulate attacks to ensure robust detections are in place? This course will teach the importance of understanding the inner workings of attack techniques and telemetry availability and provide a workflow for developing robust detection analytics or data-driven evasion decisions. Focusing on various Windows components and attacker TTPs, you will dive deep into how software abstracts underlying capabilities and how attackers can interact with deeper layers to bypass superficial detection capabilities.
In Adversary Tactics: Tradecraft Analysis, we will present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We will discuss Windows attack techniques and learn to deconstruct how they work underneath the hood. For various techniques, we will identify the layers of telemetry sources and learn to understand potential detection choke points. Finally, the course will culminate with participants creating their own technique evasion and detection strategy. You will be able to use the knowledge gained to both use your telemetry to create robust detection coverage across your organization, and truly assess the efficacy of that coverage.
Whether you are a red team operator or detection engineer, you will have a comprehensive understanding of several attack chains. Red team operators will learn an approach to analyzing their own tools, a better understanding of which techniques to select to evade detection, and how to better describe to defenders why an evasion was successful. Detection engineers will understand how to craft a strategy to create robust detections and better detect families of attacks.
Full course details here.
Virtual Trainings
If traveling to Denver, CO isn’t feasible, you can opt to take the course virtually online through Zoom. You will receive the same training portal access and watch the live instruction. However, the virtual training is not part of Specter Bash – remote attendees will NOT receive any of the exclusive benefits that come with in-person attendance.
Remote attendees will receive logistics emails and credentials the week before the trainings.
Specter Bash is the in-person only event that complements the trainings; virtual tickets are not part of Specter Bash.
Questions?
Reach out to training@specterops.io and a Specter will be in touch soon!
Special Tickets
Are you a member of the U.S. Government? Email socon@specterops.io for a registration code to receive 50% off an in-person ticket for the conference days.
FAQs
How can I contact the organizer with any questions?
Please email training@specterops.io with any questions.
What's the refund policy?
Full refunds will be provided up to 7 days before the course start date.
What are the hardware requirements for attending the course?
Courses are based in the SpecterOps training portal and accessible via an internet connection; no VMs are required for labs. The following are recommended hardware requirements:
- Internet Connection
- 8 GB of RAM
- Modern Web Browser capable of rendering HTML5
Photography & Video Notice
By attending this event, you acknowledge that photography and video recording may take place. By entering the event premises, you consent to being photographed, filmed, and/or otherwise recorded for promotional, marketing, and archival purposes.