SDF: Persistence Fast Triage

Practical Strategies for Security Incident Response

Rating: 4.78 (9 reviews)
Platform: Udemy
Language: English
Category: Network & Security
Students: 65
Content: 3 hours
Last update: Dec 2022
Regular price: $64.99

What you will learn

Learn how to triage Windows systems for evidence of compromise quickly

Learn about key artifacts used for targeted persistence analysis

Learn Splunk logic for fast triage

Learn by doing: practical exercises in basic Python with some PowerShell

Learn by doing: practical exercises converting EVTX files to CSV with open-source tools

Why take this course?

Research on malicious campaigns has found that establishing one or more persistence mechanisms is usually necessary for an attacker to achieve their goals. Installing persistence is therefore a choke point in the attack chain, and it gives defenders an opportunity for detection through analysis of the affected system's artifacts.

Identifying a compromised system is a high priority. Discovering the compromise early in an investigation improves scoping, containment, mitigation, and remediation. If no persistence is found, the system's assessed risk may be lowered. Either finding is valuable when deciding where to assign investigative resources.

This class teaches you how to use readily available artifacts to uncover persistence mechanisms quickly. Each module breaks down an artifact from a DFIR point of view, identifying its key elements and offering analysis strategy guidelines along the way. Once you understand how to approach the artifact, just about any forensic platform or security appliance can be used. Splunk is used to provide SIEM logic examples. Open-source tools, with a little Python scripting, are used for the practical exercises; the completed Python scripts are provided as well.

The main artifact categories cover evidence that appears in investigations repeatedly:

  • Windows event logs for services

  • Windows event logs for scheduled tasks

  • Windows registry autoruns and registry modification events
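The following is an added example of the kind of fast-triage logic these three artifact categories call for; it is not part of the course or its provided scripts. It is written in Python, the language the course exercises use, and reads events that have already been converted from EVTX to CSV, flagging service installs, scheduled-task creations and Run-key writes that warrant a closer look. The CSV rows, host name, service and task names, and paths are constructed for illustration. The column names follow the EventData fields of the real events (ServiceName and ImagePath for System 7045, TaskName and TaskContent for Security 4698, ObjectName, ObjectValueName and NewValue for Security 4657); the SUSPICIOUS_* patterns are my own starting heuristics, not a complete rule set.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows shaped like the CSV an EVTX-to-CSV converter emits
# (one event per row, EventData fields flattened into columns). Hosts, names
# and paths are made up for illustration; they are not real case data.
# Event IDs used: 7045 (System: new service installed), 4698 (Security:
# scheduled task created), 4657 (Security: registry value modified; only
# logged when the key carries an audit SACL).
SAMPLE_CSV = """\
EventID,Channel,TimeCreated,Computer,ServiceName,ImagePath,TaskName,TaskContent,ObjectName,ObjectValueName,NewValue
7045,System,2022-12-01T10:15:02Z,WS01,Windows Update Helper,C:\\Users\\Public\\svc.exe,,,,,
7045,System,2022-12-01T10:16:40Z,WS01,Print Spooler Ext,C:\\Windows\\System32\\spoolext.exe,,,,,
4698,Security,2022-12-01T10:20:11Z,WS01,,,\\Updater,<Task><Actions><Exec><Command>powershell.exe</Command><Arguments>-enc SQBFAFgA</Arguments></Exec></Actions></Task>,,,
4698,Security,2022-12-01T10:21:00Z,WS01,,,\\Microsoft\\Windows\\Defrag\\ScheduledDefrag,<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>,,,
4657,Security,2022-12-01T10:25:33Z,WS01,,,,,\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,C:\\ProgramData\\u.vbs
"""

# Directories a legitimately installed service or autorun rarely lives in
# (heuristic, assumed for this example).
SUSPICIOUS_DIRS = re.compile(
    r"^(?:C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\|%TEMP%|%APPDATA%)",
    re.IGNORECASE,
)
# Script hosts, LOLBins and the encoded-command switch that stand out in
# service image paths, task actions and Run-key values (heuristic).
SUSPICIOUS_EXEC = re.compile(
    r"\b(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\b|-enc",
    re.IGNORECASE,
)
# ...\CurrentVersion\Run and RunOnce as they appear in the 4657 ObjectName field.
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)


def task_action(task_xml):
    """Pull <Command> and <Arguments> out of 4698 TaskContent; fall back to the raw field."""
    cmd = re.search(r"<Command>(.*?)</Command>", task_xml)
    args = re.search(r"<Arguments>(.*?)</Arguments>", task_xml)
    parts = [m.group(1) for m in (cmd, args) if m]
    return " ".join(parts) if parts else task_xml


def triage_persistence(csv_text):
    """Return the rows worth an analyst's attention, one dict per hit, in log order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid, ts = row["EventID"], row["TimeCreated"]
        if eid == "7045":  # new service: where does its binary live, what does it run?
            path = row["ImagePath"]
            if SUSPICIOUS_DIRS.search(path) or SUSPICIOUS_EXEC.search(path):
                hits.append({"time": ts, "category": "service",
                             "reason": "service binary in a user-writable or unusual location",
                             "detail": f"{row['ServiceName']} -> {path}"})
        elif eid == "4698":  # new scheduled task: inspect the action, not the task name
            action = task_action(row["TaskContent"])
            if SUSPICIOUS_EXEC.search(action) or SUSPICIOUS_DIRS.search(action):
                hits.append({"time": ts, "category": "task",
                             "reason": "task runs a script host or encoded command",
                             "detail": f"{row['TaskName']} -> {action}"})
        elif eid == "4657":  # registry value modified: only Run/RunOnce keys matter here
            if RUN_KEYS.search(row["ObjectName"]):
                hits.append({"time": ts, "category": "registry",
                             "reason": "autorun value written",
                             "detail": f"{row['ObjectValueName']} = {row['NewValue']}"})
    return hits


def summarize(hits):
    """Count hits per artifact category, e.g. {'service': 1, 'task': 1, 'registry': 1}."""
    return dict(Counter(h["category"] for h in hits))


if __name__ == "__main__":
    found = triage_persistence(SAMPLE_CSV)
    for h in found:
        print(f"{h['time']} [{h['category']}] {h['reason']}: {h['detail']}")
    print(summarize(found))
```

To run it against real data, replace SAMPLE_CSV with the output of your EVTX-to-CSV converter and map its column names onto the ones used here. Note that 4657 is only produced for keys that carry an audit SACL, so environments without that auditing typically get the same Run-key signal from Sysmon Event ID 13 instead, whose value lands in a different field and would need its own column mapping.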


Udemy ID: 3011008
Course created: 4/16/2020
Course indexed: 12/23/2022
Course submitted by: Bot