Published 12/2022MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHzLanguage: English | Size: 2.92 GB | Duration: 2h 51m

 

Practical Strats for Security Incident Response

What you'll learn

Learn how to triage Windows systems for evidence of compromise quickly

Learn about key artifacts used for targeted persistence analysis

Learn Splunk logic for fast triage

Learn by doing - practical exercises - basic python with some powershell

Learn by doing - practical exercises - convert EVTX files to CSV with open-source tools

Requirements

Understanding of basic Windows security forensics

Understanding of the concept of a SIEM

Understanding of security incident response process goals

Basic understanding of CMD commands powershell commands python

Windows test system

Description

Research conducted on malicious campaigns found the successful establishment of a persistence mechanism(s) necessary for the attacker to achieve their goals. Installing persistence is a choke point in the attack method and provides an opportunity for detection through the analysis of affected system artifacts.The identification of a compromised system is a high priority. Discovering the compromise early during an investigation improves scoping, containment, mitigation, and remediation efforts. If persistence is not detected, it may reduce the perceived risk of the system. Either finding is valuable for making resource assignment decisions.This class teaches you how to utilize readily available artifacts to uncover persistence mechanisms quickly. Each module breaks down the artifact from a DFIR point of view, identifying key elements and analysis strategy guidelines along the way. Just about any forensic platform or security appliance may be used once you understand how to approach the artifact. Splunk is used to provide SIEM logic examples. Open-source tools, with a little python scripting, is used for the practical exercises. The completed python scripts are provided as well.The main artifact categories covers evidence that appears in investigations repeatedly:Windows event logs for servicesWindows event logs for scheduled tasks Windows registry autoruns and registry modification events.

Overview

Section 1: Introduction

Lecture 1 Intro & About Fast Triage

Lecture 2 About the Series

Lecture 3 About the Modules

Section 2: Triage concepts

Lecture 4 About malware patterns

Lecture 5 About frequency analysis

Lecture 6 About behavioral indicators

Section 3: Persistence Triage

Lecture 7 Overview

Lecture 8 Triage questions

Section 4: New Service Installations (7045 | 4697)

Lecture 9 About New Service Installations

Lecture 10 Key Event Elements

Lecture 11 Triage Guidelines

Lecture 12 Triage Example: New Service Names by Frequency

Lecture 13 Triage Example: New Service Names with Details

Lecture 14 Triage Example: New Service Names by Service Account

Lecture 15 Triage Example: New Service Names by Start Types

Lecture 16 Triage Example: New Service Names by Service Types

Lecture 17 Practical: Setup

Lecture 18 Practical: Converting EVTX to CSV

Lecture 19 Practical: Scoping results

Lecture 20 Practical: Python script for 7045 & 4697 events

Lecture 21 Practical: Python script results

Section 5: Service Failed to Start (7009)

Lecture 22 About Failed to Start events

Lecture 23 Triage Example

Section 6: Service Started (7035) or Stopped (7036)

Lecture 24 About service Start and Stop events

Lecture 25 Triage Example

Lecture 26 Practical: Setup

Lecture 27 Practical: Converting EVTX to CSV

Lecture 28 Practical: Scoping results

Lecture 29 Practical: Python script for 7036 events

Lecture 30 Practical: Python script results

Section 7: Service Start Type Changed (7040)

Lecture 31 About Start Type Change Events

Lecture 32 Triage Example

Section 8: Service Crashed (7034)

Lecture 33 About Service Crash Events

Lecture 34 Triage Example

Section 9: Service Event line

Lecture 35 Service Event line & Quiz

Section 10: New Scheduled Tasks (4698)

Lecture 36 About New Scheduled Tasks

Lecture 37 Key Event Elements

Lecture 38 Triage Guidelines

Lecture 39 Triage Example

Lecture 40 Practical: Setup

Lecture 41 Practical: Converting EVTX to CSV

Lecture 42 Practical: Scoping results

Lecture 43 Practical: Python script for 4698 events

Lecture 44 Practical: Python script results

Section 11: Scheduled Task Enabled (4700) | Updated (4702)

Lecture 45 About Scheduled Task Enabled and Updated Events

Lecture 46 Key Event Elements

Lecture 47 Triage Guidelines

Lecture 48 Triage Example

Section 12: Scheduled Task Disabled (4701) | Deleted (4699)

Lecture 49 About Scheduled Task Disabled and Deleted Events

Lecture 50 Key Event Elements

Lecture 51 Triage Guidelines

Lecture 52 Triage Example

Section 13: Registry Background for Triage

Lecture 53 Introduction

Lecture 54 About the registry

Lecture 55 Registry entry breakdown

Lecture 56 Run and RunOnce

Lecture 57 Boot execute

Lecture 58 Run services

Lecture 59 Startup items

Lecture 60 Policy settings

Lecture 61 WinLogon

Section 14: Registry modifications (4657)

Lecture 62 About registry modification events

Lecture 63 Key event elements

Lecture 64 Triage guidelines

Lecture 65 Triage example

Section 15: Conclusion

Lecture 66 Conclusion

New security incident response analysts,New SOC analysts,New threat hunters,Students,DFIR professionals

HomePage: