IT-Defense 2025

System Forensics, Incident Handling and Threat Hunting with Entra ID Management

Instructor: Paula Januszkiewicz

Duration: 2 days - February 10-11, 2025

This comprehensive masterclass equips participants with the essential skills to effectively find, collect and preserve data, analyze incidents and maximize their understanding of cybersecurity events. The course is designed to be highly interactive and hands-on, providing in-depth knowledge across several critical areas.

The training begins with an introduction to Windows internals, covering processes, threads and techniques for gathering and analyzing system data. Participants will learn about securing monitoring operations and threat hunting, focusing on identifying and mitigating malware and uncovering hidden network activities.

The program also explores handling malicious code incidents, including preparation, detection, containment and recovery strategies. Advanced topics such as static and behavioral malware analysis, memory dumping and analysis and disk storage acquisition are thoroughly covered.

Participants will gain critical skills in managing Entra ID, including multi-factor authentication, passwordless authentication, identity protection, and privileged identity management. This training emphasizes best practices for securing and administering Entra ID within an organization, integrating with on-premises Active Directory, and third-party applications.

This course also offers a well-rounded approach to forensics and incident handling, with a strong focus on practical skills and real-world applications. It is intended for cybersecurity professionals, IT administrators, incident responders, and anyone responsible for securing and managing IT infrastructure.

Agenda

Module 1: Introduction to Windows Internals

  • Introduction to Windows Internals
  • Processes and Threads
  • PID and TID
  • Information Gathering from Running Operating System
  • Obtaining Volatile Data
  • A Deep Dive into Autoruns
  • Effective Permissions Auditing
  • PowerShell Get NTFS Permissions
  • Obtaining Permissions Information with Access Check
  • Unnecessary and Malicious Services
  • Detecting Unnecessary Services with PowerShell

Module 2: Securing Monitoring Operations & Threat Hunting

  • Types of Hunting
  • Defining Hunt Missions
  • Malware Hiding Techniques
  • Uncovering Internal Reconnaissance
  • Uncovering Lateral Movement
  • Uncovering Hidden Network Transmissions

Module 3: Handling Malicious Code Incidents

  • Count of Malware Samples
  • Viruses, Worms, Trojans, and Spyware
  • Incident Handling Preparation
  • Incident Prevention
  • Detection of Malicious Code
  • Containment Strategy
  • Evidence Gathering and Handling
  • Eradication and Recovery

Module 4: Static Malware Analysis

  • Static Malware Analysis Scenarios
  • Types and Goals of Malware Analysis
  • Cloud-Based Malware Analysis
  • Incident Prevention and Response Steps
  • Containment and Mitigation
  • Executable Analysis
  • Static Analysis Tools

Module 5: Behavioral Malware Analysis and Threat Hunting

  • Malware Detonation
  • Sysinternals Suite
  • Network Communication Analysis
  • Monitoring System Events
  • Memory Dump Analysis
  • Simulation of a Real Environment

Module 6: Memory: Dumping and Analysis

  • Introduction to Memory Dumping and Analysis
  • Creating Memory Dump - Belkasoft RAM Capturer and DumpIt
  • Utilizing Volatility to Analyze Windows Memory Image
  • Analyzing Stuxnet Memory Dump with Volatility
  • Automatic Memory Analysis with Volatile

Module 7: Disk: Storage Acquisition and Analysis

  • Introduction to Storage Acquisition and Analysis
  • Drive Acquisition
  • Mounting Forensic Disk Images
  • Signature vs. File Carving
  • Introduction to the NTFS File System
  • Windows File System Analysis
  • Autopsy with Other Filesystems
  • External Device Usage Data Extraction (USB Usage, etc.)
  • Reviewing Account Usage
  • Extracting Data Related to Recent Use of Applications, Files, etc.
  • Recovering Data after Deleting Partitions
  • Extracting Deleted Files and File-Related Information
  • Extracting Data from File Artifacts such as $STANDARD_INFORMATION
  • Password Recovery
  • Extracting Windows Indexing Service Data
  • Deep Dive into Automatic Destinations
  • Detailed Analysis of Windows Prefetch
  • Extracting Information about Program Execution (UserAssist, RecentApps, ShimCache, AppCompatCache, etc.)
  • Extracting Information about Browser Usage (web browsing history, cache, cookies, etc.)
  • Communicator Apps Data Extraction
  • Extracting Information about Network Activity
  • Building Timelines

Module 8: Entra ID

  • Introduction to Entra ID

Module 9: Secure Identity

  • Multi-factor Authentication
  • Passwordless Authentication, FIDO2, Windows Hello
  • Self-service Password Reset (SSPR)
  • Entra ID Identity Protection
  • Entra ID Privileged Identity Management (PIM)
  • Entra ID Password Protection

Price: € 2.100

Date: February 10-11, 2025

Location: 
The Westin Leipzig Hotel
Gerberstraße 15
04105 Leipzig
Tel.: +49 341 988-0
info@westin-leipzig.com