SDF: Persistence Fast Triage
Learn how to quickly triage Windows systems for evidence of compromise and uncover persistence mechanisms using key artifacts and Splunk logic.
What you’ll learn
- Learn how to triage Windows systems for evidence of compromise quickly
- Learn about key artifacts used for targeted persistence analysis
- Learn Splunk logic for fast triage
- Learn by doing – practical exercises – basic python with some powershell
- Learn by doing – practical exercises – convert EVTX files to CSV with open-source tools
Research conducted on malicious campaigns found the successful establishment of a persistence mechanism(s) necessary for the attacker to achieve their goals. Installing persistence is a choke point in the attack method and provides an opportunity for detection through the analysis of affected system artifacts.
The identification of a compromised system is a high priority. Discovering the compromise early during an investigation improves scoping, containment, mitigation, and remediation efforts. If persistence is not detected, it may reduce the perceived risk of the system. Either finding is valuable for making resource assignment decisions.
This class teaches you how to utilize readily available artifacts to uncover persistence mechanisms quickly. Each module breaks down the artifact from a DFIR point of view, identifying key elements and analysis strategy guidelines along the way. Just about any forensic platform or security appliance may be used once you understand how to approach the artifact. Splunk is used to provide SIEM logic examples. Open-source tools, with a little python scripting, is used for the practical exercises. The completed python scripts are provided as well.
The main artifact categories covers evidence that appears in investigations repeatedly:
Windows event logs for services
Windows event logs for scheduled tasks
Windows registry autoruns and registry modification events.
Who this course is for:
- New security incident response analysts
- New SOC analysts
- New threat hunters
- Students
- DFIR professionals
User Reviews
Be the first to review “SDF: Persistence Fast Triage”
You must be logged in to post a review.
There are no reviews yet.