What you'll learn

Learn how to triage Windows systems for evidence of compromise quickly
Learn about key artifacts used for targeted persistence analysis
Learn Splunk logic for fast triage
Learn by doing - practical exercises - basic python with some powershell
Learn by doing - practical exercises - convert EVTX files to CSV with open-source tools

Course content

15 sections • 66 lectures • 2h 50m total length

Intro & About Fast Triage4:24
Welcome to the Persistence Fast Triage course for Windows! This module outlines the forensic value of the fast triage methodology.
About the Series1:48
Persistence fast triage is one of several classes part of the fast triage training series. Use the courses individually or as a whole to build up your own response program. Each module provides artifact details along with the triage approach.
About the Modules4:44
The class does not promote any one specific tool. Tools are necessary to process the event log data for analysis. Many SIEMS include this capability along with open-source options such as Elk-Stack (SOF-ELK) and Chainsaw. Splunk is used for demonstration purposes only.

About New Service Installations1:36
An overview of new service installations.
Key Event Elements2:44
The elements within the event logs useful for triage.
Triage Guidelines8:36
The primary triage strategies to detect compromise.
Triage Example: New Service Names by Frequency3:34
Examples of the triage strategies.
Triage Example: New Service Names with Details4:04
Examples of the triage strategies.
Triage Example: New Service Names by Service Account2:35
Examples of the triage strategies.
Triage Example: New Service Names by Start Types2:08
Examples of the triage strategies.
Triage Example: New Service Names by Service Types2:42
Examples of the triage strategies.
Practical: Setup0:36
Getting started with the practical.
Practical: Converting EVTX to CSV1:30
Converting windows EVTX event logs to CSV format.
Practical: Scoping results2:51
Managing the EVTX to CSV results for necessary python information.
Practical: Python script for 7045 & 4697 events5:09
A walk-through of the python script for familiarization for any future editing.
Practical: Python script results2:28
Reviewing the results of the python script.
New service event quiz

About service Start and Stop events3:35
Overview of the event along with triage guidelines.
Triage Example1:36
An example of a triage search.
Practical: Setup0:37
Getting started with the practical.
Practical: Converting EVTX to CSV0:37
Converting windows EVTX event logs to CSV format.
Practical: Scoping results3:19
Managing the EVTX to CSV results for necessary python information.
Practical: Python script for 7036 events4:04
A walk-through of the python script for familiarization for any future editing.
Practical: Python script results1:59
Reviewing the results of the python script.
Service start stop quiz

About New Scheduled Tasks2:19
Overview of the event 4698.
Key Event Elements4:10
Triage Guidelines6:09
Triage guidelines for 4698.
Triage Example2:34
Triage example of 4698.
Practical: Setup1:08
Practical: Converting EVTX to CSV1:20
Converting windows EVTX event logs to CSV format.
Practical: Scoping results4:18
Managing the EVTX to CSV results for necessary python information.
Practical: Python script for 4698 events7:38
A walk-through of the python script for familiarization for any future editing.
Practical: Python script results2:17
Reviewing the results of the python script.
New scheduled tasks quiz

Requirements

Understanding of basic Windows security\ forensics
Understanding of the concept of a SIEM
Understanding of security incident response process\ goals
Basic understanding of CMD commands\ powershell commands\ python
Windows test system

Description

Research conducted on malicious campaigns found the successful establishment of a persistence mechanism(s) necessary for the attacker to achieve their goals. Installing persistence is a choke point in the attack method and provides an opportunity for detection through the analysis of affected system artifacts.

The identification of a compromised system is a high priority. Discovering the compromise early during an investigation improves scoping, containment, mitigation, and remediation efforts. If persistence is not detected, it may reduce the perceived risk of the system. Either finding is valuable for making resource assignment decisions.

This class teaches you how to utilize readily available artifacts to uncover persistence mechanisms quickly. Each module breaks down the artifact from a DFIR point of view, identifying key elements and analysis strategy guidelines along the way. Just about any forensic platform or security appliance may be used once you understand how to approach the artifact. Splunk is used to provide SIEM logic examples. Open-source tools, with a little python scripting, is used for the practical exercises. The completed python scripts are provided as well.

The main artifact categories covers evidence that appears in investigations repeatedly:

Windows event logs for services
Windows event logs for scheduled tasks
Windows registry autoruns and registry modification events.

Who this course is for:

New security incident response analysts
New SOC analysts
New threat hunters
Students
DFIR professionals

What you'll learn

Explore related topics

Course content

Introduction3 lectures • 11min

Triage concepts3 lectures • 8min

Persistence Triage2 lectures • 4min

New Service Installations (7045 | 4697)13 lectures • 41min

Service Failed to Start (7009)2 lectures • 5min

Service Started (7035) or Stopped (7036)7 lectures • 16min

Service Start Type Changed (7040)2 lectures • 4min

Service Crashed (7034)2 lectures • 3min

Service Event Timeline1 lecture • 5min

New Scheduled Tasks (4698)9 lectures • 32min

Requirements

Description

Who this course is for: