Published 12/2022 | MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz | Language: English | Size: 2.92 GB | Duration: 2h 51m
Practical Strats for Security Incident Response

What you'll learn
- Learn how to triage Windows systems for evidence of compromise quickly
- Learn about key artifacts used for targeted persistence analysis
- Learn Splunk logic for fast triage
- Learn by doing - practical exercises - basic Python with some PowerShell
- Learn by doing - practical exercises - convert EVTX files to CSV with open-source tools

Requirements
- Understanding of basic Windows security forensics
- Understanding of the concept of a SIEM
- Understanding of security incident response process goals
- Basic understanding of CMD commands, PowerShell commands and Python
- Windows test system

Description
Research conducted on malicious campaigns found that successfully establishing one or more persistence mechanisms is necessary for the attacker to achieve their goals. Installing persistence is a choke point in the attack method and provides an opportunity for detection through the analysis of affected system artifacts.

The identification of a compromised system is a high priority. Discovering the compromise early during an investigation improves scoping, containment, mitigation, and remediation efforts. If no persistence is detected, the perceived risk of the system may be reduced. Either finding is valuable for making resource assignment decisions.

This class teaches you how to utilize readily available artifacts to uncover persistence mechanisms quickly. Each module breaks down the artifact from a DFIR point of view, identifying key elements and analysis strategy guidelines along the way. Just about any forensic platform or security appliance may be used once you understand how to approach the artifact. Splunk is used to provide SIEM logic examples. Open-source tools, with a little Python scripting, are used for the practical exercises. The completed Python scripts are provided as well.

The main artifact categories cover evidence that appears in investigations repeatedly:
- Windows event logs for services
- Windows event logs for scheduled tasks
- Windows registry autoruns and registry modification events

Overview
Section 1: Introduction
Lecture 1 Intro & About Fast Triage
Lecture 2 About the Series
Lecture 3 About the Modules
Section 2: Triage concepts
Lecture 4 About malware patterns
Lecture 5 About frequency analysis
Lecture 6 About behavioral indicators
Section 3: Persistence Triage
Lecture 7 Overview
Lecture 8 Triage questions
Section 4: New Service Installations (7045 | 4697)
Lecture 9 About New Service Installations
Lecture 10 Key Event Elements
Lecture 11 Triage Guidelines
Lecture 12 Triage Example: New Service Names by Frequency
Lecture 13 Triage Example: New Service Names with Details
Lecture 14 Triage Example: New Service Names by Service Account
Lecture 15 Triage Example: New Service Names by Start Types
Lecture 16 Triage Example: New Service Names by Service Types
Lecture 17 Practical: Setup
Lecture 18 Practical: Converting EVTX to CSV
Lecture 19 Practical: Scoping results
Lecture 20 Practical: Python script for 7045 & 4697 events
Lecture 21 Practical: Python script results
Section 5: Service Failed to Start (7009)
Lecture 22 About Failed to Start events
Lecture 23 Triage Example
Section 6: Service Started (7035) or Stopped (7036)
Lecture 24 About service Start and Stop events
Lecture 25 Triage Example
Lecture 26 Practical: Setup
Lecture 27 Practical: Converting EVTX to CSV
Lecture 28 Practical: Scoping results
Lecture 29 Practical: Python script for 7036 events
Lecture 30 Practical: Python script results
Section 7: Service Start Type Changed (7040)
Lecture 31 About Start Type Change Events
Lecture 32 Triage Example
Section 8: Service Crashed (7034)
Lecture 33 About Service Crash Events
Lecture 34 Triage Example
Section 9: Service Event line
Lecture 35 Service Event line & Quiz
Section 10: New Scheduled Tasks (4698)
Lecture 36 About New Scheduled Tasks
Lecture 37 Key Event Elements
Lecture 38 Triage Guidelines
Lecture 39 Triage Example
Lecture 40 Practical: Setup
Lecture 41 Practical: Converting EVTX to CSV
Lecture 42 Practical: Scoping results
Lecture 43 Practical: Python script for 4698 events
Lecture 44 Practical: Python script results
Section 11: Scheduled Task Enabled (4700) | Updated (4702)
Lecture 45 About Scheduled Task Enabled and Updated Events
Lecture 46 Key Event Elements
Lecture 47 Triage Guidelines
Lecture 48 Triage Example
Section 12: Scheduled Task Disabled (4701) | Deleted (4699)
Lecture 49 About Scheduled Task Disabled and Deleted Events
Lecture 50 Key Event Elements
Lecture 51 Triage Guidelines
Lecture 52 Triage Example
Section 13: Registry Background for Triage
Lecture 53 Introduction
Lecture 54 About the registry
Lecture 55 Registry entry breakdown
Lecture 56 Run and RunOnce
Lecture 57 Boot execute
Lecture 58 Run services
Lecture 59 Startup items
Lecture 60 Policy settings
Lecture 61 WinLogon
Section 14: Registry modifications (4657)
Lecture 62 About registry modification events
Lecture 63 Key event elements
Lecture 64 Triage guidelines
Lecture 65 Triage example
Section 15: Conclusion
Lecture 66 Conclusion

Who this course is for: New security incident response analysts, New SOC analysts, New threat hunters, Students, DFIR professionals
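As an added example that is not one of the course's own scripts: the frequency-analysis triage the outline describes for new service installations (System log event 7045) after an EVTX-to-CSV conversion, listing the least common service names first together with their details. The CSV column names and the sample rows are constructed for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the shape an EVTX-to-CSV conversion of System
# log event 7045 (a new service was installed) might produce. The column
# names are an assumption for this example; real converters name them differently.
SAMPLE_CSV = """host,event_id,service_name,image_path,service_type,start_type,account_name
ws01,7045,WinDefend,C:\\Program Files\\Windows Defender\\MsMpEng.exe,user mode service,auto start,LocalSystem
ws02,7045,WinDefend,C:\\Program Files\\Windows Defender\\MsMpEng.exe,user mode service,auto start,LocalSystem
ws03,7045,WinDefend,C:\\Program Files\\Windows Defender\\MsMpEng.exe,user mode service,auto start,LocalSystem
ws02,7045,upd_svc,C:\\Users\\Public\\upd.exe,user mode service,auto start,LocalSystem
ws01,7045,AdobeUpdate,C:\\Program Files\\Adobe\\update.exe,user mode service,demand start,LocalSystem
ws03,7045,AdobeUpdate,C:\\Program Files\\Adobe\\update.exe,user mode service,demand start,LocalSystem
"""

def load_7045(csv_text):
    """Scope the converted log down to 7045 rows only."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["event_id"] == "7045"]

def names_by_frequency(rows):
    """Count each new service name across every host. Names installed fleet-wide
    are usually legitimate software; names seen once or twice are reviewed first."""
    return Counter(r["service_name"] for r in rows)

def rare_services(rows, max_count=1):
    """Return the rows whose service name appears at most max_count times."""
    counts = names_by_frequency(rows)
    return [r for r in rows if counts[r["service_name"]] <= max_count]

def triage_report(rows):
    """Least-frequent-first listing with the details an analyst wants next to the
    name: image path, service account and start type, plus the hosts involved."""
    counts = names_by_frequency(rows)
    details = {}
    for r in rows:
        d = details.setdefault(r["service_name"], {"hosts": set(), "configs": set()})
        d["hosts"].add(r["host"])
        d["configs"].add((r["image_path"], r["account_name"], r["start_type"]))
    return sorted(
        ((counts[name], name, sorted(d["hosts"]), sorted(d["configs"]))
         for name, d in details.items()),
        key=lambda item: (item[0], item[1]),
    )

if __name__ == "__main__":
    for count, name, hosts, configs in triage_report(load_7045(SAMPLE_CSV)):
        print(count, name, hosts, configs)
```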