
Sdf: Persistence Fast Triage


oaxino




Published 12/2022
MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
Language: English | Size: 2.92 GB | Duration: 2h 51m

Practical Strategies for Security Incident Response

What you'll learn
Learn how to triage Windows systems for evidence of compromise quickly
Learn about key artifacts used for targeted persistence analysis
Learn Splunk logic for fast triage
Learn by doing - practical exercises - basic python with some powershell
Learn by doing - practical exercises - convert EVTX files to CSV with open-source tools
Requirements
Understanding of basic Windows security / forensics
Understanding of the concept of a SIEM
Understanding of the security incident response process / goals
Basic understanding of CMD commands / PowerShell commands / Python
Windows test system
Description
Research conducted on malicious campaigns found the successful establishment of a persistence mechanism (or mechanisms) necessary for the attacker to achieve their goals. Installing persistence is a choke point in the attack method and provides an opportunity for detection through the analysis of affected system artifacts.

The identification of a compromised system is a high priority. Discovering the compromise early during an investigation improves scoping, containment, mitigation, and remediation efforts. If persistence is not detected, it may reduce the perceived risk of the system. Either finding is valuable for making resource assignment decisions.

This class teaches you how to utilize readily available artifacts to uncover persistence mechanisms quickly. Each module breaks down the artifact from a DFIR point of view, identifying key elements and analysis strategy guidelines along the way. Just about any forensic platform or security appliance may be used once you understand how to approach the artifact. Splunk is used to provide SIEM logic examples. Open-source tools, with a little Python scripting, are used for the practical exercises. The completed Python scripts are provided as well.

The main artifact categories cover evidence that appears in investigations repeatedly:
Windows event logs for services
Windows event logs for scheduled tasks
Windows registry autoruns and registry modification events
Overview
Section 1: Introduction
Lecture 1 Intro & About Fast Triage
Lecture 2 About the Series
Lecture 3 About the Modules
Section 2: Triage concepts
Lecture 4 About malware patterns
Lecture 5 About frequency analysis
Lecture 6 About behavioral indicators
Section 3: Persistence Triage
Lecture 7 Overview
Lecture 8 Triage questions
Section 4: New Service Installations (7045 | 4697)
Lecture 9 About New Service Installations
Lecture 10 Key Event Elements
Lecture 11 Triage Guidelines
Lecture 12 Triage Example: New Service Names by Frequency
Lecture 13 Triage Example: New Service Names with Details
Lecture 14 Triage Example: New Service Names by Service Account
Lecture 15 Triage Example: New Service Names by Start Types
Lecture 16 Triage Example: New Service Names by Service Types
Lecture 17 Practical: Setup
Lecture 18 Practical: Converting EVTX to CSV
Lecture 19 Practical: Scoping results
Lecture 20 Practical: Python script for 7045 & 4697 events
Lecture 21 Practical: Python script results
Section 5: Service Failed to Start (7009)
Lecture 22 About Failed to Start events
Lecture 23 Triage Example
Section 6: Service Started (7035) or Stopped (7036)
Lecture 24 About service Start and Stop events
Lecture 25 Triage Example
Lecture 26 Practical: Setup
Lecture 27 Practical: Converting EVTX to CSV
Lecture 28 Practical: Scoping results
Lecture 29 Practical: Python script for 7036 events
Lecture 30 Practical: Python script results
Section 7: Service Start Type Changed (7040)
Lecture 31 About Start Type Change Events
Lecture 32 Triage Example
Section 8: Service Crashed (7034)
Lecture 33 About Service Crash Events
Lecture 34 Triage Example
Section 9: Service Event Timeline
Lecture 35 Service Event Timeline & Quiz
Section 10: New Scheduled Tasks (4698)
Lecture 36 About New Scheduled Tasks
Lecture 37 Key Event Elements
Lecture 38 Triage Guidelines
Lecture 39 Triage Example
Lecture 40 Practical: Setup
Lecture 41 Practical: Converting EVTX to CSV
Lecture 42 Practical: Scoping results
Lecture 43 Practical: Python script for 4698 events
Lecture 44 Practical: Python script results
Section 11: Scheduled Task Enabled (4700) | Updated (4702)
Lecture 45 About Scheduled Task Enabled and Updated Events
Lecture 46 Key Event Elements
Lecture 47 Triage Guidelines
Lecture 48 Triage Example
Section 12: Scheduled Task Disabled (4701) | Deleted (4699)
Lecture 49 About Scheduled Task Disabled and Deleted Events
Lecture 50 Key Event Elements
Lecture 51 Triage Guidelines
Lecture 52 Triage Example
Section 13: Registry Background for Triage
Lecture 53 Introduction
Lecture 54 About the registry
Lecture 55 Registry entry breakdown
Lecture 56 Run and RunOnce
Lecture 57 Boot execute
Lecture 58 Run services
Lecture 59 Startup items
Lecture 60 Policy settings
Lecture 61 WinLogon
Section 14: Registry modifications (4657)
Lecture 62 About registry modification events
Lecture 63 Key event elements
Lecture 64 Triage guidelines
Lecture 65 Triage example
Section 15: Conclusion
Lecture 66 Conclusion
New security incident response analysts, New SOC analysts, New threat hunters, Students, DFIR professionals


Download link (hidden; reply in thread to view): rapidgator.net, uploadgig.com, nitroflare.com, 1dl.net
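The course outline above (frequency analysis in Section 2, and "New Service Names by Frequency / with Details / by Service Account / by Start Types" plus the EVTX-to-CSV practical in Section 4) describes the triage workflow for 7045 "new service installed" events without showing it. The script below is an added example written for this post; it is not one of the course's own practical scripts. It assumes the EVTX log has already been converted to CSV with one column per EventData field (the column names TimeCreated, Computer, EventID, ServiceName, ImagePath, ServiceType, StartType, AccountName are an assumption that mirrors the 7045 event's fields), and the sample rows are constructed, not real telemetry. It first does frequency analysis (how many distinct hosts installed each service name, so a fleet-wide rollout drops out and one-off names surface), then applies detail checks on image path, start type and service account to rank what remains.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample input (not real telemetry): 7045 records from four hosts
# after EVTX-to-CSV conversion. The column names are an assumption that
# mirrors the 7045 EventData fields plus the record's Computer and TimeCreated.
SAMPLE_CSV = """\
TimeCreated,Computer,EventID,ServiceName,ImagePath,ServiceType,StartType,AccountName
2022-11-02T08:01:10Z,WS01,7045,Sense,"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",user mode service,demand start,LocalSystem
2022-11-02T08:02:11Z,WS02,7045,Sense,"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",user mode service,demand start,LocalSystem
2022-11-02T08:03:12Z,WS03,7045,Sense,"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",user mode service,demand start,LocalSystem
2022-11-02T08:04:13Z,SRV01,7045,Sense,"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",user mode service,demand start,LocalSystem
2022-11-03T22:14:55Z,WS02,7045,WinUpdateSvc,"C:\\Users\\Public\\svchost.exe -k netsvcs",user mode service,auto start,LocalSystem
2022-11-03T22:15:30Z,WS02,7045,hJkLmN,"%COMSPEC% /C powershell -nop -w hidden -enc SQBFAFgA",user mode service,demand start,LocalSystem
2022-11-04T09:30:00Z,SRV01,7045,vmtools,"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",user mode service,auto start,LocalSystem
"""

# Heuristics used in the detail pass (an analyst's starting set, not a complete list).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData|Public)\\", re.I)
INTERPRETER = re.compile(r"(powershell|cmd\.exe|%COMSPEC%|rundll32|regsvr32|mshta|wscript|cscript)", re.I)
SYSTEM32_SVCHOST = re.compile(r"\\Windows\\System32\\svchost\.exe", re.I)


def parse_events(csv_text, event_id="7045"):
    """Load the converted CSV and keep only the wanted event ID."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["EventID"] == event_id]


def hosts_per_service(events):
    """Frequency analysis: number of distinct hosts that installed each service name.
    A name seen fleet-wide is usually a rollout; a name seen on one host is a lead."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["ServiceName"]].add(ev["Computer"])
    return {name: len(h) for name, h in hosts.items()}


def indicators(ev):
    """Detail checks on a single event: image path, start type and service account."""
    reasons = []
    path = ev["ImagePath"]
    if USER_WRITABLE.search(path):
        reasons.append("image path in a user-writable directory")
    if INTERPRETER.search(path):
        reasons.append("interpreter or LOLBin used as the service image")
    if re.search(r"svchost\.exe", path, re.I) and not SYSTEM32_SVCHOST.search(path):
        reasons.append("svchost.exe outside System32 (name masquerading)")
    # Auto start as LocalSystem is normal for legitimate services, so it only
    # counts as an aggravating factor once something else already looks wrong.
    if reasons and ev["StartType"].lower() == "auto start" and ev["AccountName"] == "LocalSystem":
        reasons.append("auto start as LocalSystem")
    return reasons


def triage(csv_text, rare_threshold=1):
    """Rank 7045 events: most reasons first, then oldest first within a tie."""
    events = parse_events(csv_text)
    freq = hosts_per_service(events)
    fleet = len({ev["Computer"] for ev in events})
    findings = []
    for ev in events:
        reasons = indicators(ev)
        seen = freq[ev["ServiceName"]]
        if seen <= rare_threshold:
            reasons.insert(0, f"rare: seen on {seen}/{fleet} hosts")
        if reasons:
            findings.append({
                "TimeCreated": ev["TimeCreated"], "Computer": ev["Computer"],
                "ServiceName": ev["ServiceName"], "ImagePath": ev["ImagePath"],
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (-len(f["reasons"]), f["TimeCreated"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['TimeCreated']} {f['Computer']:6} {f['ServiceName']:14} {f['ImagePath']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample, "Sense" appears on all four hosts and is dropped by the frequency pass alone; "vmtools" is rare but carries no other indicator, which is the usual benign tail that the detail view exists to dismiss quickly; the two WS02 installs are rare and also fail the path and start-type checks, so they rank first. The threshold and the regexes are the knobs an analyst tunes per environment.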
 

KatzSec DevOps

oaxino, thanks for contributing. Next time always upload your files to [URL hidden: log in or register to view] so they surely won't go dead-link. Let's keep on sharing to keep our community running for good. This community is built for you and everyone to share freely. Let's invite more contributors so we can bring back the liveliness of Mobilarian and keep the all-nighters going. :)
 