Sign up for our free Threat Hunting Summit June 17 Register Here

LOLBINS vs. LOLBINS: Endpoint Threat Hunting

Course Authored by .

LOLBINS vs. LOLBINS: Endpoint Threat Hunting

In this class, Patterson Cake uses hands-on labs and demonstrations to teach you how to use native OS tools to hunt for “unauthorized normal” on Windows and Linux endpoints.

Course Length: 8 Hours

Includes a Certificate of Completion



Description

Most modern threats leverage LOLBINS (living-off-the-land binaries) to appear “normal” and evade your AV/EDR. To find “unauthorized normal” in the midst of “authorized normal,” you’ll need a different lens!

In this class, Patterson Cake uses hands-on labs and demonstrations to teach you how to use native OS tools to hunt for “unauthorized normal” on Windows and Linux endpoints. You’ll learn about the most-critical endpoint artifacts, methodologies for artifact acquisition at scale, and strategies for how to hunt for indications of compromise.

  • Labs
    • All labs will be completed through cloud VM via web browser.
    • You will need to register via SkillBit (MetaCTF), to pay a small fee for Virtual Machine resource utilization (about $10 for an 8-hour class), and a modern web browser to access the workshop Cloud VM.

Syllabus

Syllabus:

Section 1: Introduction and Context

  • Class overview and schedule (lecture)

  • Investigative workflow context (lecture)

Section 2: Workflow Methodology

  • Endpoint Artifact Prioritization (lecture)

  • Windows LOLBINS Overview (lecture)

  • Linux LOLBINS Overview (lecture)

Section 3: Tools & Techniques

  • LOLBINS in Action (lecture/demo)

  • Acquiring Artifacts – Windows (lab)

  • Acquiring Artifacts – Linux (lab)

  • Analyzing collected data (lecture/lab)

Section 4: Analysis Methodology

  • Windows EVTX at Scale (lecture/demo)

  • Linux SSH at Scale (lecture/lab)

  • Windows Baseline Comparisons (lecture/demo)

  • Looking for Outliers (lecture/demo)

Section 5: Conclusion

  • Workflow and tool review (lecture)

  • References and resources (lecture)

  • Q&A

FAQ

What You’ll Learn:

  • Practice deciding which Windows and Linux endpoint artifacts are important and understanding when LOLBINS are being abused.

  • Hands-on instruction for how to capture endpoint artifacts and how to analyze the data.

  • Learn endpoint analysis methodology including baseline comparisons and identifying outliers.

Who should attend:

This workshop is intended for security analysts who review and respond to security alerts, perform endpoint investigations, and/or conduct endpoint threat hunting.

Audience skill level:

Intermediate/Advanced

Key Takeaways:

  • Selecting the most useful investigative artifacts for Windows/Linux endpoints

  • Acquiring artifacts from one-to-many endpoints

  • Understanding and analyzing key investigative artifacts

  • Performing baseline comparison and least-frequency-of-occurrence analysis

  • Using SOF-ELK and Hayabusa for EVTX analysis at scale

Why take this class?

  • Sometimes AV and EDR fail to detect or prevent “evil,” which is why you need a LOLBINS “Plan B!” LOLBINS are built into your endpoints, provide deep visibility into OS activity, and can provide perspective that AV and EDR miss.

  • There are far too many potential indicators on an endpoint to rapidly analyze them all! You need a prioritized list of the most critical indicators and a way to quickly acquire and analyze them!

About the Instructor

Pixel splash background
Bio

Patterson Cake has worked in cybersecurity for more than two decades, specializing in the development of incident-response teams, programs, and processes. He is currently the Director of Incident Response for Black Hills Information Security, holds more than twenty-five industry certifications, is a former SANS instructor, teaches for Antisyphon, and has trained law enforcement, military, and national cybersecurity organizations on four continents. Patterson is the creator of the “Incident Response Capabilities Matrix Model,” developed “Rapid Triage Workflow” for IR investigations, is a prolific speaker, and is actively involved in the cybersecurity community.

Related products

Shopping Cart

No products in the cart.