This is a review of a course I took back in 2018, so the materials may have changed since I took the class. The course is good for individuals involved in incident response and threat hunting within Windows environments. I have found many of the topics discussed useful for those who regularly use EDR and/or memory analysis (i.e., Volatility) in their daily roles. The course is centered around intrusions into Windows infrastructure. Those who want to learn more about Linux/Mac forensics will learn the fundamentals, but many of the exercises won't apply.
The course structure starts with the topics that are most useful and widely applicable, then moves on to events that are rarer and more indicative of an advanced adversary, such as timestomping, kernel device drivers, and attacks on the MBR.
Topics covered by FOR508
- Windows event IDs
- Volatility events
- Malware characteristics
  - The majority of malware is unsigned
- Suspicious processes
  - A legitimate svchost.exe is launched by services.exe
  - Binaries in the System32 directory should be signed by Microsoft
- Programs making unusual connections
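As an added illustration of the suspicious-process heuristics in the list above (not course material and not code from any tool), here is a short Python script that applies them to a constructed process listing of the kind you would reduce from an EDR query or a Volatility pslist/pstree run. The sample records, the `C:\Windows\System32\` path convention and the set of programs assumed to have no need for network access are all assumptions made for this example.

```python
# Added example (not course material or any tool's own code): apply the
# suspicious-process heuristics from the topic list to a constructed
# process listing, flagging svchost.exe with the wrong parent, unsigned
# binaries in System32, and programs holding connections they should not.
from dataclasses import dataclass, field
from typing import List, Tuple

SYSTEM32 = "c:\\windows\\system32\\"   # assumed install path for the example

# Assumed baseline for the example: programs that normally have no reason
# to hold network connections on a workstation.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    signed: bool                       # result of an Authenticode check (constructed here)
    remote_ports: List[int] = field(default_factory=list)  # ports of established connections


# Constructed sample listing; PIDs, paths and ports are made up.
SAMPLE = [
    Proc(400, 4, "smss.exe", SYSTEM32 + "smss.exe", True),
    Proc(500, 400, "wininit.exe", SYSTEM32 + "wininit.exe", True),
    Proc(600, 500, "services.exe", SYSTEM32 + "services.exe", True),
    Proc(800, 600, "svchost.exe", SYSTEM32 + "svchost.exe", True, [443]),
    Proc(2300, 2200, "explorer.exe", "c:\\windows\\explorer.exe", True),
    # svchost.exe spawned by explorer.exe from a temp directory, unsigned
    Proc(1200, 2300, "svchost.exe", "c:\\users\\bob\\appdata\\local\\temp\\svchost.exe", False, [4444]),
    # a plain editor holding an outbound connection
    Proc(3100, 2300, "notepad.exe", SYSTEM32 + "notepad.exe", True, [443]),
    # unsigned binary living in System32
    Proc(3400, 2300, "updater.exe", SYSTEM32 + "updater.exe", False),
]


def find_anomalies(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for processes that break one of the heuristics."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"

        # Heuristic 1: a legitimate svchost.exe is launched by services.exe.
        if name == "svchost.exe" and parent_name != "services.exe":
            findings.append((p.pid, f"svchost.exe launched by {parent_name}, not services.exe"))

        # Heuristic 2: binaries in System32 should be signed by Microsoft.
        if p.path.lower().startswith(SYSTEM32) and not p.signed:
            findings.append((p.pid, "unsigned binary in System32"))

        # Heuristic 3: programs making connections they have no business making.
        if name in NO_NETWORK_EXPECTED and p.remote_ports:
            findings.append((p.pid, f"unexpected network connection to port(s) {p.remote_ports}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_anomalies(SAMPLE):
        print(f"PID {pid}: {reason}")
```

Run on the sample, the script reports three processes: the svchost.exe under explorer.exe, the notepad.exe with an open connection, and the unsigned updater.exe in System32. The parent-name check only works when the parent is still in the listing, which is why a missing parent is reported as unknown rather than silently treated as legitimate.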