SANS SEC504 Course

This course covers security fundamentals and the technical aspects of information security. You will learn the tools, techniques and exploitation methods attackers use, how to handle the incidents they cause, and how to apply that knowledge to harden your own systems.

Schedule for this course

Unfortunately, no scheduled class was found for this course.

About this course

Security is a critical field in today's IT world. The SEC504 course, offered by the SANS Institute, teaches the techniques and tools used to break into networks; the material covers incident response and penetration testing. SANS stands for SysAdmin, Audit, Network and Security.


Course syllabus

Incident Response

  • Common incident response mistakes
  • Incident goals and milestones
  • Post-incident activities

Live Examination

  • How to start, even with minimal information
  • Examining a live environment
  • Identifying abnormal activity

Digital Evidence

  • Understanding what digital evidence is and how to collect it
  • The role and elements of a chain of custody
  • How to collect digital evidence

Memory Investigations

  • How to investigate memory images using the Volatility framework

Malware Investigations

  • Basic approaches for investigating malware
  • Best practices for working with malware
  • Monitoring the environment using snapshot and continuous recording tools

Introducing the MITRE ATT&CK Framework

  • Attacker evolution and the need for tool, technique, and practice (TTP) mapping
  • Using the MITRE ATT&CK Framework for smarter adversary assessment
  • How we integrate SEC504 with the MITRE ATT&CK Framework

Reconnaissance

  • What does your network reveal?
  • Are you leaking too much information?
  • Using certificate transparency for pre-production server identification
  • Domain Name System harvesting
  • Data gathering from job postings, websites, and government databases
  • Identifying publicly compromised accounts
  • FOCA for metadata analysis
  • Aggregate OSINT data collection with SpiderFoot
  • Mastering SHODAN searches for target discovery

Scanning

  • Learn the techniques attackers use to enumerate your networks
  • Locating and attacking personal and enterprise Wi-Fi
  • Identifying and exploiting proprietary wireless systems
  • Port scanning: small and large-scale enumeration tasks
  • Quick and effective intel collection from web servers
  • Characterizing network targets by OS, service, patch level
  • Vulnerability scanning and finding prioritization

Defense Spotlight: DeepBlueCLI

  • Using PowerShell to enumerate Windows systems
  • Fast and effective Windows event log analysis
  • Leveraging PowerShell output modifiers for reporting and analysis
  • Characterizing common Windows scans and attacks against Windows servers

Password Attacks

  • How attackers bypass account lockout policies
  • Choosing a target protocol for password guessing attacks
  • Techniques for choosing password lists
  • How attackers reuse compromised password lists against your organization
  • Techniques for password cracking
  • Recommendations for password cracking in your organization

Password Cracking Attacks

  • John the Ripper: single, wordlist, incremental, and external cracking modes
  • Cracking hashes with Hashcat: straight and combinator attacks
  • Effective hash computation using mask attacks
  • Breaking user password selection weaknesses with Hashcat rules
  • Three simple strategies for defeating password cracking

Using Metasploit for System Compromise

  • Using the Metasploit framework for specific attack goals
  • Matching exploits with reconnaissance data
  • Deploying Metasploit Meterpreter Command & Control
  • Identifying Metasploit exploit artifacts on the system and network

Web Application Attacks

  • Account harvesting for user enumeration
  • Watering hole attack
  • Command injection attacks for remote command execution on web servers
  • SQL Injection: Manipulating back-end databases
  • Session Cloning: Grabbing other users’ web sessions
  • Cross-Site Scripting: Manipulating victim browser sessions

Defense Spotlight: Effective Web Server Log Analysis

  • Using SIEM tools for post-attack log analysis
  • Hunting for attack signatures in web server logs
  • Decoding obfuscated attack signatures with CyberChef


Endpoint Security Bypass

  • Evading EDR analysis with executable manipulation: ghostwriting
  • Manipulating Windows Defender for attack signature disclosure
  • Using LOLBAS to evade application whitelisting
  • Adapting Metasploit payloads on protected platforms

Pivoting and Lateral Movement

  • Pivoting from initial compromise to internal networks
  • Effective port forwarding with Meterpreter payloads
  • Leveraging compromised hosts for internal network scanning and exploitation
  • Windows netsh and attacker internal network access

Covering Tracks

  • Maintaining access by manipulating compromised hosts
  • Editing log files on Linux and Windows systems
  • Hiding data in Windows ADS
  • Network persistence through hidden Command & Control

Defense Spotlight: Real Intelligence Threat Analytics (RITA)

  • Characterizing advanced Command & Control activity over the network
  • Capturing and processing network data with Zeek
  • Network threat hunting: beacons, long connections, strobes, and DNS analysis

Post-Exploitation Data Collection

  • Harvesting passwords from compromised Linux hosts
  • Password dumping with Mimikatz and EDR bypass
  • Data exfiltration over blended network protocols

Who this course is for

  • Information security managers
  • Security specialists

What you will learn in this course

· Network and reporting
· Best practices for effective incident response
· How to use PowerShell for data collection and cyber threat analysis
· Cyber investigation processes using live analysis
· How attackers use cloud systems against organizations
· Attacker techniques for evading endpoint detection tools



Related courses

SANS SEC542: Web App Penetration Testing and Ethical Hacking

SOC Tier2 – Security Operation Control

SANS SEC301+SEC401 Pack

Security+ & SSCP Pack
