
Advanced Windows Enterprise Incident Response
Instructor-led training course
Course Description
This five-day course teaches advanced investigative techniques to frontline incident responders, helping them identify and scope intrusions by state-sponsored, financially motivated, and politically motivated threat groups. The course includes a series of hands-on exercises that let students build on the foundations they have learned and apply the techniques directly to real-world scenarios.
Students will learn how to identify, detect, and hunt for advanced techniques, defeat malware obfuscation, and apply hunting techniques at scale across both traditional endpoint and cloud-based infrastructure. The course covers historic and live attacker scenarios, along with techniques the defender can use during an active firefight to limit losses to the organization.
Learning Objectives
- Use the ATT&CK framework to guide strategic security decisions for the organization
- Summarize the steps of the Incident Response Process
- Determine how to effectively communicate incident information to leadership and others within your organization
- Demonstrate an understanding of advanced techniques used by threat actors
- Discuss non-conventional implant deployment techniques that are encountered when facing advanced APT actors but are rarely seen from less sophisticated groups
- Recognize when obfuscation is in use
- Summarize what YARA is and how to develop a YARA rule
- Describe the layout of common memory structures and common memory attack methods
- Explain the pros and cons of different analysis tools
- Provide an overview of the available evidence sources, how to collect evidence, common investigative scenarios and available tools for data analysis and investigation
- Highlight the difference in tempo required when dealing with Live Attackers and the implications to the organization and coordination of the IR team
Who Should Attend
This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in conducting security operations, incident response, forensic analysis, network traffic analysis, log analysis, security assessments & penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams, or in roles that require oversight of forensic analysis and other investigative tasks.
Prerequisites
Students should possess an excellent knowledge of computer and operating system fundamentals. Computer programming fundamentals and Windows Internals experience is highly recommended as well. Completion of Mandiant’s Windows Enterprise Incident Response and/or Linux Enterprise Incident Response is highly recommended.
Delivery method
In-person instructor-led training
Duration
- 5 days (in-person delivery)
What to Bring
A computer with internet connection and a modern browser (such as Google Chrome).
Course Outline
The course consists of the following modules, with labs included throughout the instruction.
MITRE ATT&CK
- MITRE ATT&CK Framework
- ATT&CK Navigator
Incident Response Process
- Defining Incident Response
- Introduction to NIST Incident Response Process
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activities
Communications and Advanced Incident Handling
- Preparation
- During the Incident
- Post-Incident Activity
- Tips and Tricks
Advanced Techniques
- DLL Hijacking
- Application Shimming
- COM Hijacking
- Extension Handler Hijacking
- Windows Management Instrumentation (WMI)
- Windows Event Log Manipulation
Advanced Implants
- Internet Information Services (IIS) Modules
- Exchange Transport Agents
- Remote Access Tools
Obfuscation
- Introduction to Obfuscation
- Script-Based Obfuscation
- Encoding Obfuscation
- Defeating Obfuscation
- Early Detection
Hunting with YARA
- YARA Overview
- Running YARA
- YARA Syntax
- YARA Syntax Conditions
- Crafting a Rule
- Modules and Additional Concepts
- Considerations
Memory Analysis
- Why Memory
- Acquiring Memory
- Introduction to Memory Structures
- Attacking Memory
- Analyzing Memory with Volatility
Scalability and Stacking
- Background
- What is Stacking
- Stacking to Find Evil
Introduction to Cloud IR
- Introduction to Cloud Computing
- AWS
- Azure
- GCP
- Cloud IR Methodology
Live Attacker
- Investigation Tempo
- Containment, Eradication, and Survival
- Credentials
- Active Defense