Workshop: Rapid Endpoint Investigations with Patterson Cake

Overview
- Course Length: 4 hours
- Support from expert instructors
- Includes a certificate of completion
In this 4-hour hands-on incident response workshop, we’ll outline a rapid endpoint triage workflow, from methodology to technical steps.
You’ve received a “true positive” security alert for a Windows or Linux endpoint. This is not a drill! Your environment is under attack! This is war and you need to take rapid, decisive steps to determine:
- has the endpoint been compromised?
- have other systems been impacted?
- what actions should come next?
Together, through hands-on labs and demonstrations, we’ll walk through gathering artifacts from Windows and Linux endpoints using Velociraptor offline collectors, parsing and analyzing those artifacts using PowerShell and KAPE, consolidating the output, and rapidly identifying indicators of compromise!
Syllabus:
Rapid Endpoint Investigations
Section 1: Introduction and Context
- Class overview and schedule (lecture)
- Investigative workflow context (lecture)
Section 2: Workflow Methodology
- Artifact Selection (lecture)
- Artifact Acquisition (lecture)
- Analysis Workflow (lecture)
Section 3: Tools & Techniques
- Endpoint investigation tools (lecture/demo)
- Building an artifact “collector” (lab)
- Parsing triage data (lab)
Section 4: Case Studies
- Windows case study (lecture/demo)
- Windows triage-data analysis (lab)
- Linux case study (lecture/demo)
- Linux triage-data analysis (lab)
Section 5: Conclusion
- Workflow and tool review (lecture)
- References and resources (lecture)
- Q&A
Virtual (June 6th, 2025)
- June 6th – 11 AM EST – 4 PM EST
System Requirements:
Attendees have two options for completing workshop labs: download and run a virtual machine locally (option 1) or use a cloud virtual machine via web browser (option 2).
Option 1: Requirements – download and run VM locally
- CPU: x64 Intel/AMD architecture (min. x2 “logical” processors available for Virtual Machine)
- RAM: 4 GB available for Virtual Machine
- HDD: 50 GB available disk space (approx. 15 GB for OVA download; approx. 25 GB for Virtual Machine; approx. 2 GB for other course content)
Option 2: Requirements – access cloud VM via web browser
- You will need a web browser, to register via MetaCTF, and to pay a small fee for Virtual Machine resource utilization (approx. $5 for a four-hour workshop).
Who Should Attend:
- This workshop is intended for security analysts who review and respond to security alerts and perform endpoint investigations.
Audience Skill Level:
- Beginner/Intermediate
Live Training
- Pay What You Can
- Collaborative interaction with Instructor and fellow students through the Antisyphon Discord class channel
- Access to course slides for future reference
- Tips, tools, and techniques that can be applied immediately upon returning to work
- Strengthen your skills by solving challenges within the Antisyphon Cyber Range
- Become part of a community driven to educate and share knowledge