
Understand the different phases of an intrusion test. Know how to accompany and supervise a technical profile involved in the test. Centralise the information collected and the communication methods. Carry out a detailed analysis of the situation and be able to present a report in a non-technical manner to a management committee.
Day 1 morning
❏ Section 1 – Current context
❏ Recent statistics
❏ Terminology
❏ Principles of information security
❏ The different phases of an attack
❏ Definition of a penetration test
❏ Legal and regulatory aspects of penetration testing
❏ Methods and framework for a penetration test
❏ Section 2 – Framing and objectives
❏ Identification of objectives
❏ Definition of the scope
❏ Tutorials/ ESD Academy pentest framework
❏ Practical Work 1/ Pre-engagement questionnaire
Day 1 afternoon
❏ Resource management and allocation
❏ Monitoring of test objectives
❏ Rules of engagement (RoE)
❏ Practical Work 2/ Drafting of a pre-commitment contract
❏ Section 3 – Preparing your penetration test
❏ Setting up a machine for penetration testing
❏ Automation and scripting
❏ Known hardware tools
❏ Tutorials/ Rubber Ducky
❏ Document templating
❏ Tutorials/ Intrusion test monitoring
❏ Section 4 – Information gathering
❏ Engineering of public sources (OSINT)
❏ Passive and active collection of information on the target organisation
❏ Tutorials/ Presentation of OSINT tools
❏ Practical Work 3/ Statement of information & Recognition
Day 2 morning
❏ Section 5 – Enumeration of infrastructure
❏ Enumeration of scope
❏ Escape on secure infrastructure
❏ Enumeration of protocols
❏ Tutorials/ Presentation of enumeration tools
❏ Practical Work 4/ Enumeration of infrastructure
❏ Section 6 – Vulnerability analysis
❏ Vulnerability scanning
❏ Presentation of the different tools
❏ Tutorials/ Presentation of OpenVAS
❏ Known vulnerabilities
❏ Practical Work 5/ Identification of vulnerabilities
❏ Section 7 – Exploitation
❏ Search for Exploits
Day 2 morning
❏ Presentation of attack tools/frameworks
❏ Tutorials/ Presentation of Metasploit
❏ Deployment and execution of loads
❏ Practical Work 6/ Exploitation of vulnerabilities
❏ Passive and active listening of infrastructures
❏ Bruteforcing
❏ Section 8 – Post-Exploitation
❏ Deactivation of traceability elements
❏ Elevation of privileges (Methods, tools, Linux vulnerabilities, …)
❏ Study of persistence (ADS, registry, task scheduler, services)
❏ Lateral movements and pivoting