
In this 4-hour hands-on incident response workshop, we’ll outline a rapid endpoint triage workflow, from methodology to technical steps.
Course Length: 4 Hours
Includes a Certificate of Completion
Description
You’ve received a “true positive” security alert for a Windows or Linux endpoint. This is not a drill! Your environment is under attack! This is war, and you need to take rapid, decisive steps to determine:
- has the endpoint been compromised?
- have other systems been impacted?
- what actions should come next?
Together, through hands-on labs and demonstrations, we’ll walk through gathering artifacts from Windows and Linux endpoints using Velociraptor offline collectors, parsing and analyzing artifacts using PowerShell and KAPE, consolidating output, and rapidly identifying indicators of compromise!
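The consolidation and IOC-matching step described above, as an added example in PowerShell (this is not code from the workshop or its instructor). It assumes that earlier parsing steps have already produced CSV files under one triage directory; the two CSV layouts, their column names, the indicator values and the temp-directory path are all constructed for the demo and are not the schemas KAPE or Velociraptor actually emit.

```powershell
# Added example, not part of the workshop materials: consolidate parsed triage
# output into one timeline and flag indicators of compromise (IOCs).
# The CSV layouts, column names and IOC values below are constructed for the
# demo; real parsers (KAPE modules, Velociraptor artifacts) use their own schemas.

$triageRoot = Join-Path ([IO.Path]::GetTempPath()) 'triage-demo'
New-Item -ItemType Directory -Force -Path $triageRoot | Out-Null

# Constructed sample CSVs standing in for two parser outputs.
@'
TimeCreated,EventId,User,Message
2024-05-01T10:15:02Z,4624,CORP\svc-backup,An account was successfully logged on
2024-05-01T10:17:44Z,4688,CORP\svc-backup,New process: C:\Users\Public\update.exe
'@ | Set-Content -Path (Join-Path $triageRoot 'Security_Events.csv')

@'
LastRunTime,Path,Hash
2024-05-01T10:17:45Z,C:\Users\Public\update.exe,0123456789abcdef0123456789abcdef
2024-04-28T08:00:00Z,C:\Windows\System32\svchost.exe,fedcba9876543210fedcba9876543210
'@ | Set-Content -Path (Join-Path $triageRoot 'Prefetch.csv')

# Hypothetical IOC list (hash, path, IP) as it might come from the alert or threat intel.
$iocs = @(
    '0123456789abcdef0123456789abcdef',
    'C:\Users\Public\update.exe',
    '203.0.113.45'
)

function Get-TriageTimeline {
    param([string]$Root)
    foreach ($csv in Get-ChildItem -Path $Root -Recurse -Filter '*.csv') {
        foreach ($row in Import-Csv -Path $csv.FullName) {
            # Treat the first column whose name contains 'Time' as the event timestamp.
            $tsProp = $row.PSObject.Properties | Where-Object { $_.Name -match 'Time' } | Select-Object -First 1
            $ts = $null
            if ($tsProp -and $tsProp.Value) {
                $ts = [datetime]::Parse($tsProp.Value, [cultureinfo]::InvariantCulture,
                        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            }
            [pscustomobject]@{
                Timestamp = $ts
                Source    = $csv.BaseName
                # Flatten every column into one searchable string so IOC matching is schema-agnostic.
                Detail    = ($row.PSObject.Properties | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
            }
        }
    }
}

function Find-IocHits {
    param([object[]]$Timeline, [string[]]$Indicators)
    # Escape each IOC so dots and backslashes match literally; -match is case-insensitive by default.
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $Timeline | Where-Object { $_.Detail -match $pattern }
}

$timeline = Get-TriageTimeline -Root $triageRoot | Sort-Object Timestamp
$hits     = Find-IocHits -Timeline $timeline -Indicators $iocs

'--- Consolidated timeline ---'
$timeline | Format-Table Timestamp, Source, Detail -AutoSize -Wrap

'--- IOC hits (pivot from these to ask what else happened around the same time) ---'
foreach ($hit in $hits) {
    $hit | Format-List Timestamp, Source, Detail
    # Every other event within five minutes of the hit, from any source.
    $timeline | Where-Object {
        $_.Timestamp -and $_.Detail -ne $hit.Detail -and
        [math]::Abs(($_.Timestamp - $hit.Timestamp).TotalMinutes) -le 5
    } | Format-Table Timestamp, Source -AutoSize
}
```

With the constructed data, the process-creation event and the prefetch entry both match the IOC list, and the five-minute pivot surfaces the service-account logon that preceded them; that corroboration across independent artifact sources is what lets you answer "was this endpoint compromised?" quickly, and the account name is the first pivot toward "have other systems been impacted?".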
Syllabus
Rapid Endpoint Investigations
Section 1: Introduction and Context
- Class overview and schedule (lecture)
- Investigative workflow context (lecture)
Section 2: Workflow Methodology
- Artifact Selection (lecture)
- Artifact Acquisition (lecture)
- Analysis Workflow (lecture)
Section 3: Tools & Techniques
- Endpoint investigation tools (lecture/demo)
- Building an artifact “collector” (lab)
- Parsing triage data (lab)
Section 4: Case Studies
- Windows case study (lecture/demo)
- Windows triage-data analysis (lab)
- Linux case study (lecture/demo)
- Linux triage-data analysis (lab)
Section 5: Conclusion
- Workflow and tool review (lecture)
- References and resources (lecture)
- Q&A
FAQ
Option 1: Requirements – download and run VM locally
CPU: x64 Intel/AMD architecture (min. x2 “logical” processors available for Virtual Machine)
RAM: 4 GB available for Virtual Machine
HDD: 50 GB available disk space (approx. 15 GB for OVA download; approx. 25 GB for Virtual Machine; approx. 2 GB for other course content)
Option 2: Requirements – access cloud VM via web browser
You will need a web browser, a MetaCTF registration, and to pay a small fee for virtual machine resource usage (approx. $5 for a four-hour workshop).
About the Instructor
Patterson Cake
Bio
Patterson Cake joined the Black Hills Information Security (BHIS) pirate ship in June of 2023 as a Security Analyst focusing primarily on detection engineering and digital forensics and incident response. He chose BHIS because, to paraphrase, “doing cool stuff with cool people” and “making the world a better/safer place” is exactly how he wants to spend his professional time and energy. It also helps that he has a bit of history with a couple of awesome folks that have been with BHIS for many moons. Prior to joining the team, Patterson helped build and lead a DFIR practice for an MSSP, worked as a senior security engineer for AWS Managed Services, and spent several years in enterprise cybersecurity, often healthcare related, focusing on intermingling offensive security and incident response in technical and leadership roles. Outside of work, he enjoys spending time with his family, which often involves motorcycles, outdoor sports, movies, and music.
