
Workshop: Rapid Endpoint Investigations with Patterson Cake

Overview

  • Course Length: 4 hours
  • Support from expert instructors
  • Includes a certificate of completion
Instructor: Patterson Cake

In this 4-hour hands-on incident response workshop, we’ll outline a rapid endpoint triage workflow, from methodology to technical steps.

You’ve received a “true positive” security alert for a Windows or Linux endpoint. This is not a drill! Your environment is under attack! This is war and you need to take rapid, decisive steps to determine:

  • has the endpoint been compromised?
  • have other systems been impacted?
  • what actions should come next?

Together, through hands-on labs and demonstrations, we’ll walk through gathering artifacts from Windows and Linux endpoints using Velociraptor offline collectors, parsing and analyzing artifacts using PowerShell and KAPE, consolidating output, and rapidly identifying indicators of compromise!

Syllabus:

Rapid Endpoint Investigations

Section 1: Introduction and Context

  1. Class overview and schedule (lecture)
  2. Investigative workflow context (lecture)

Section 2: Workflow Methodology

  1. Artifact Selection (lecture)
  2. Artifact Acquisition (lecture)
  3. Analysis Workflow (lecture)

Section 3: Tools & Techniques

  1. Endpoint investigation tools (lecture/demo)
  2. Building an artifact “collector” (lab)
  3. Parsing triage data (lab)

Section 4: Case Studies

  1. Windows case study (lecture/demo)
  2. Windows triage-data analysis (lab)
  3. Linux case study (lecture/demo)
  4. Linux triage-data analysis (lab)

Section 5: Conclusion

  1. Workflow and tool review (lecture)
  2. References and resources (lecture)
  3. Q&A

Virtual (June 6th, 2025)

  • June 6th – 11 AM EST – 4 PM EST

System Requirements:

Attendees have two options for completing workshop labs: download and run a virtual machine locally (option 1) or use a cloud virtual machine via web browser (option 2).

Option 1: Requirements – download and run VM locally

  • CPU: x64 Intel/AMD architecture (min. x2 “logical” processors available for Virtual Machine)
  • RAM: 4 GB available for Virtual Machine
  • HDD: 50 GB available disk space (approx. 15 GB for OVA download; approx. 25 GB for Virtual Machine; approx. 2 GB for other course content)

Option 2: Requirements – access cloud VM via web browser

  • You will need a web browser, to register via MetaCTF, and to pay a small fee for Virtual Machine resource utilization (approx. $5 for a four-hour workshop).

Who Should Attend:

  • This workshop is intended for security analysts who review and respond to security alerts and perform endpoint investigations.

Audience Skill Level:

  • Beginner/Intermediate

There are no scheduled live dates for this course at this time.
