At a glance

This five-day course teaches advanced investigative techniques to incident responders to help them identify and scope intrusions by government-sponsored, financially motivated, and politically motivated threat groups. The course includes a series of hands-on exercises that allow students to explore the foundations of what they have learned and build on them, applying the techniques directly to real-world scenarios.

Students learn how to identify, detect, and hunt for advanced techniques, defeat malware obfuscation, and apply hunting techniques at scale across both traditional endpoint and cloud-based infrastructure. The course covers historic and live attacker scenarios, along with techniques the defender can use during an active incident to mitigate potential losses for the organization.

Prerequisites: Students should possess an excellent knowledge of computer and operating system fundamentals. Computer programming fundamentals and Windows Internals experience are highly recommended. Completion of Mandiant’s Windows Enterprise Incident Response and/or Linux Enterprise Incident Response courses is also recommended.

Course goals

  • Use the ATT&CK framework to guide strategic security decisions for the organization
  • Summarize the steps of the incident response process
  • Determine how to effectively communicate incident information to leadership and others
  • Demonstrate understanding of advanced techniques used by threat actors
  • Discuss non-conventional implant deployment techniques that are encountered when facing advanced APT threat actors but are rarely seen leveraged by less sophisticated groups
  • Recognize when obfuscation is in use
  • Summarize what YARA is and how to develop a YARA rule
  • Describe the layout of common memory structures and common memory attack methods
  • Explain the pros and cons of different analysis tools
  • Provide an overview of the available evidence sources, how to collect evidence, common investigative scenarios and available tools for data analysis and investigation
  • Highlight the difference in tempo required when dealing with live attackers and the implications to the organization and coordination of the IR team

Who this course helps

This is a fast-paced technical course designed to provide hands-on experience investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in security operations, incident response, forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or even security architecture and system administration duties. It is also well suited to those managing CIRT/incident response teams, or in roles that require oversight of forensic analysis and other investigative tasks.

How it works

Delivery method

In-person instructor-led training

Duration

5 days (in-person delivery)

What to bring

A computer with an internet connection and a modern browser (such as Google Chrome).

Course outline

The course consists of the following modules, with labs throughout the instruction.

MITRE ATT&CK 

  • MITRE ATT&CK Framework 

  • ATT&CK Navigator 

Incident Response Process 

  • Defining Incident Response 

  • Introduction to NIST Incident Response Process 

  • Preparation 

  • Detection and Analysis 

  • Containment, Eradication, and Recovery 

  • Post-Incident Activities 

Communications and Advanced Incident Handling 

  • Preparation 

  • During the Incident 

  • Post-Incident Activity 

  • Tips and Tricks 

Advanced Techniques 

  • DLL Hijacking 

  • Application Shimming 

  • COM Hijacking 

  • Extension Handler Hijacking 

  • Windows Management Instrumentation (WMI) 

  • Windows Event Log Manipulation 

Advanced Implants 

  • Internet Information Services (IIS) Modules 

  • Exchange Transport Agents 

  • Remote Access Tools 

Obfuscation 

  • Introduction to Obfuscation 

  • Script Based Obfuscation 

  • Encoding Obfuscation 

  • Defeating Obfuscation 

  • Early Detection 

Hunting with YARA 

  • YARA Overview 

  • Running YARA 

  • YARA Syntax 

  • YARA Syntax Conditions 

  • Crafting a Rule 

  • Modules and Additional Concepts 

  • Considerations 

Memory Analysis 

  • Why Memory 

  • Acquiring Memory 

  • Introduction to Memory Structures 

  • Attacking Memory 

  • Analyzing Memory with Volatility 

Scalability and Stacking 

  • Background 

  • What is Stacking 

  • Stacking to Find Evil 

Introduction to Cloud IR 

  • Introduction to Cloud Computing 

  • AWS 

  • Azure 

  • Google Cloud 

  • Cloud IR Methodology 

Live Attacker 

  • Investigation Tempo 

  • Containment, Eradication, and Survival 

  • Credentials 

  • Active Defense