Join us in-person this July for the first-ever Antisyphon Summer Camp! Register Here

Workshop: Rapid Endpoint Investigations with Patterson Cake

Course Authored by .

Workshop: Rapid Endpoint Investigations with Patterson Cake

In this 4-hour hands-on incident response workshop, we’ll outline rapid endpoint triage workflow, from methodology to technical steps.

Course is currently unavailable.

Course Length: 4 Hours

Includes a Certificate of Completion



Enroll Now

Next scheduled date: Content is loading, please wait.

Description

In this 4-hour hands-on incident response workshop, we’ll outline rapid endpoint triage workflow, from methodology to technical steps.

You’ve received a “true positive” security alert for a Windows or Linux endpoint. This is not a drill! Your environment is under attack! This is war and you need to take rapid, decisive steps to determine:

  • has the endpoint been compromised?
  • have other systems been impacted?
  • what actions should come next?

Together, through hands-on labs and demonstrations, we’ll walk through gathering artifacts from Windows and Linux endpoints using Velociraptor offline collectors, parsing and analyzing artifacts using PowerShell and KAPE, consolidating output, and rapidly identifying indicators of compromise!

Syllabus

Rapid Endpoint Investigations

Section 1: Introduction and Context

    1. Class overview and schedule (lecture)

    1. Investigative workflow context (lecture)

Section 2: Workflow Methodology

    1. Artifact Selection (lecture)

    1. Artifact Acquisition (lecture)

    1. Analysis Workflow (lecture)

Section 3: Tools & Techniques

    1. Endpoint investigation tools (lecture/demo)

    1. Building an artifact “collector” (lab)

    1. Parsing triage data (lab)

Section 4: Case Studies

    1. Windows case study (lecture/demo)

    1. Windows triage-data analysis (lab)

    1. Linux case study (lecture/demo)

    1. Linux triage-data analysis (lab)

Section 5: Conclusion

    1. Workflow and tool review (lecture)

    1. References and resources (lecture)

    1. Q&A

FAQ

Lab Information:
Attendees have two options for completing workshop labs: download and run a virtual machine locally (option 1) or use a cloud virtual machine via web browser (option 2). 

Option 1: Requirements – download and run VM locally
CPU: x64 Intel/AMD architecture (min. x2 “logical” processors available for Virtual Machine)
RAM: 4 GB available for Virtual Machine
HDD: 50 GB available disk space (approx. 15 GB for OVA download; approx. 25 GB for Virtual Machine; approx. 2 GB for other course content)

Option 2: Requirements – access cloud VM via web browser
You will need a web browser, to register via MetaCTF, and to pay a small fee for Virtual Machine resource utilization (approx. $5 for a four-hour workshop).
Who Should Attend:
This workshop is intended for security analysts who review and respond to security alerts and perform endpoint investigations.
Audience Skill Level:
Beginner/Intermediate

About the Instructor

Pixel splash background
Patterson Cake
Bio

Patterson Cake joined the Black Hills Information Security (BHIS) pirate ship in June of 2023 as a Security Analyst focusing primarily on detection engineering and digital forensics and incident response. He chose BHIS because, to paraphrase, “doing cool stuff with cool people” and “making the world a better/safer place” is exactly how he wants to spend his professional time and energy. It also helps that he has a bit of history with a couple of awesome folks that have been with BHIS for many moons. Prior to joining the team, Patterson helped build and lead a DFIR practice for an MSSP, worked as a senior security engineer for AWS Managed Services, and spent several years in enterprise cybersecurity, often healthcare related, focusing on intermingling offensive security and incident response in technical and leadership roles. Outside of work, he enjoys spending time with his family, which often involves motorcycles, outdoor sports, movies, and music.

Similar Courses

Shopping Cart

No products in the cart.