In this 4-hour hands-on incident response workshop, we’ll outline a rapid endpoint triage workflow, from methodology to technical steps.
You’ve received a “true positive” security alert for a Windows or Linux endpoint. This is not a drill! Your environment is under attack! This is war and you need to take rapid, decisive steps to determine:
has the endpoint been compromised?
have other systems been impacted?
what actions should come next?
Together, through hands-on labs and demonstrations, we’ll walk through gathering artifacts from Windows and Linux endpoints using Velociraptor offline collectors, parsing and analyzing artifacts using PowerShell and KAPE, consolidating output, and rapidly identifying indicators of compromise!
Attendees have two options for completing workshop labs: download and run a virtual machine locally (option 1) or use a cloud virtual machine via web browser (option 2).
Option 1: Requirements – download and run VM locally
CPU: x64 Intel/AMD architecture (at least two logical processors available to the Virtual Machine)
RAM: 4 GB available to the Virtual Machine
HDD: 50 GB available disk space (approx. 15 GB for OVA download; approx. 25 GB for Virtual Machine; approx. 2 GB for other course content)
Option 2: Requirements – access cloud VM via web browser
You will need a web browser, a MetaCTF registration, and payment of a small fee for Virtual Machine resource utilization (approx. $5 for a four-hour workshop).
Patterson Cake has worked in cybersecurity for more than two decades, specializing in the development of incident-response teams, programs, and processes. He is currently the Director of Incident Response for Black Hills Information Security, holds more than twenty-five industry certifications, is a former SANS instructor, teaches for Antisyphon, and has trained law enforcement, military, and national cybersecurity organizations on four continents. Patterson is the creator of the “Incident Response Capabilities Matrix Model,” developed “Rapid Triage Workflow” for IR investigations, is a prolific speaker, and is actively involved in the cybersecurity community.