Enterprise DFIR Investigations: Ransomware and APT Attacks

Course Authored by .

In this 16-hour enterprise digital forensics and incident response (DFIR) training course, you will learn how to investigate real enterprise attacks end to end, using the same processes, tools, and reasoning applied in active incident response engagements.

Course Length: 16 Hours

Includes a Certificate of Completion



WWHF Deadwood 2026 - Link at bottom.

Description

By taking this course, you will learn how to:

  • Investigate a full ransomware incident from initial access to impact
    • Analyze network traffic, host artifacts, and log data across multiple systems
    • Reconstruct attacker activity throughout the incident lifecycle
    • Understand how modern ransomware campaigns unfold in real enterprise environments
  • Perform hands-on DFIR analysis using industry-standard tools
    • Correlate evidence across network, endpoint, and log sources
    • Validate findings through evidence rather than relying on tool output alone
    • Work through realistic DFIR workflows used by professional responders
  • Analyze advanced post-exploitation activity in APT-style intrusions
    • Identify attacker tradecraft used after initial compromise
    • Recognize and investigate TTPs associated with groups like APT41, APT28, FIN7, LockBit, and ALPHV
    • Understand how mature threat actors operate inside enterprise networks
  • Develop strong investigative reasoning and analyst confidence
    • Learn how to ask the right questions of the data
    • Practice evidence-driven decision-making during complex incidents
    • Gain experience most defenders rarely get outside real-world cases

All learning is delivered through hands-on labs designed to mirror real DFIR investigations, not simplified demos or theoretical walkthroughs.

By the end of the course, you will be able to confidently investigate enterprise-scale ransomware and APT intrusions, understand attacker behavior in depth, and apply high-fidelity DFIR techniques directly to your own incident response work.

System / VM / Lab Requirements

  • Online lab environments are provided. No local setup of tools or VM installation is required.
  • A second monitor is recommended but optional.

Syllabus

Day 1

  • Threat Landscape: Ransomware and APT Actors

  • Enterprise DFIR Processes and Techniques

  • Ransomware Investigation Scenario

    • Network Traffic Analysis

    • Log Analysis with Splunk

    • Remote Triage with Velociraptor

    • Forensic Disk and Memory Analysis

    • Timeline Analysis

    • Scenario Debrief and Reveal

Day 2

  • APT TTPs Overview

  • APT Investigation Scenarios

    • SSH reverse tunneling and RDP

    • In-memory execution with reflective loaders and .NET

    • Credential theft with Kerberoasting and lateral movement

    • Impairing Defenses with a BYOVD Attack

  • Lessons Learned & Detection Opportunities

FAQ

Who Should Take this Workshop

This workshop is designed for security professionals who want hands-on experience investigating commonly observed incident response scenarios. Participants will strengthen their analytical skills while gaining a deeper understanding of real-world threat actor tactics and techniques encountered during modern enterprise intrusions.

The skills developed in this workshop can be applied immediately to improve incident response, forensic investigations, detection engineering, and threat hunting efforts. Whether you are a seasoned security professional or looking to further mature your incident response capabilities, this workshop provides practical insight and realistic, hands-on investigation experience.

Audience Skill Level

Intermediate

This workshop requires prior basic analysis and forensic experience. Participants should have working knowledge of:

  • Windows forensic artifacts

  • Log analysis and SIEM workflows

  • Core DFIR concepts and investigative methodology

This is not an introductory or fundamentals-level course.

Key Takeaways

  • Conduct end-to-end DFIR investigations across ransomware and APT-style incidents

  • Perform hands-on analysis of host, network, and log evidence using industry-standard tools

  • Investigate real-world attacker TTPs including credential abuse, lateral movement, and persistence

  • Correlate evidence across multiple data sources to validate attacker activity and scope impact

  • Improve investigative judgment, pivoting, and decision-making during complex incidents

About the Instructor

"I run a blue team training company"
Bio

Markus Schober is the founder of a blue team training and consulting company named Blue Cape Security. Prior to that, he served as a manager and Principal Security Consultant at IBM X-Force Incident Response. Over the past decade he has led numerous cyber security breach investigations for major organizations, where he specialized in Incident Response, Digital Forensics and Crisis Management.

This class is being taught at Wild West Hackin’ Fest – Deadwood 2026.

For more information about our conferences, visit Wild West Hackin’ Fest!

REGISTER HERE