Windows Log Analysis

مهدی میرسلطانی

• متوسط
• مسیر آبی
• ۳ درس

دربارۀ این دوره

مخاطبان

• تحلیلگران و مهندسان SOC در لایۀ یک
• کارشناسان امنیت سایبری در سازمان‌ها
• علاقه‌مندان به شکار تهدیدهای سایبری
• ادمین‌های ویندوز

پیش‌نیازها

• آشنایی با مفاهیم و اصول شبکه
• آشنایی با مفاهیم و تعاریف حمله‌های سایبری
• حداقل یک سال تجربۀ کار در زمینه‌های مرتبط

• Mastering the Art of Log Analysis
  • Understanding the Crucial Role of Windows Logs in Cybersecurity
    • Unpacking the forensic potential of logs for incident reconstruction.
    • Establishing the link between log analysis and threat detection.
  • Real-world Applications of Proactive Log Monitoring
    • Thwarting security breaches through proactive log analysis.
    • Identifying Indicators of Compromise (IoCs) through meticulous log inspection.
    • Environment Monitoring
    • What is Log Management
    • Log Management vs SIEM
    • ELK to Log management
    • Log Collection
    • Visualizing
    • Dashboard Analysis
• Decoding Windows Logs: A MITRE ATT&CK Approach
  • DATA AQUSITION
    • Advanced Audit Policy
    • How to prioritize activation?
  • User Behavior Logs: Mapping to MITRE ATT&CK TacticsB. User Behavior Logs: Mapping to MITRE ATT&CK Tactics
    • Authentication and Authorization Events
    • Example Attack: Sub-Technique - T1110.002 - Password Cracking
    • Analysis of authentication logs revealing multiple failed login attempts, indicative of password cracking attempts.
    • User Access Patterns
    • Correlating user behavior with MITRE ATT&CK tactics for precise threat identification.
    • Example Attack: Sub-Technique - T1550.001 - Use Alternate Authentication Material
    • Identification of abnormal access patterns in logs, suggesting an attacker using alternate authentication credentials.
  • Process Behavior Logs: MITRE ATT&CK Techniques Unveiled
    • Execution and Termination Events
    • Identifying malicious processes through MITRE ATT&CK execution techniques.
    • Example Attack: Sub-Technique - T1055.002 - Process Injection
    • Detection of process injection in logs, revealing attempts to hide malicious code within legitimate processes.
    • Application and Service Events
    • Uncovering unauthorized changes using MITRE ATT&CK framework for application-based attacks.
    • Example Attack: Sub-Technique - T1543.003 - Service Stop
    • Analysis of service events indicating unauthorized service stops, potentially part of an attack to disrupt operations.
  • Operating System Behavior Logs: MITRE ATT&CK Mappings for System Security
    • System Health
    • Utilizing logs to detect indicators aligned with MITRE ATT&CK system-related tactics.
    • Security and Audit Logs
    • Identifying deviations from secure system behavior through MITRE ATT&CK security tactics.
    • Example Attack: Sub-Technique - T1136.003 - Create Account
    • Analysis of security logs indicating the creation of unauthorized accounts, potentially part of an account manipulation attack.
• Windows Attacks and Threats: MITRE ATT&CK In-Depth Analysis
  • sysmon
    • What is Sysmon
    • How to configure
    • How to install
    • Sysmon Event IDs to Analysis
  • Powershell
    • Background
    • Module Logging (Technique: PowerShell (T1059.003)
    • Script Block Logging (Technique: PowerShell (T1059.002) - Scripting
    • Transcription
  • Comprehensive Mapping to MITRE ATT&CK Tactics and Techniques
    • Analyzing each phase of an attack through the lens of MITRE ATT&CK tactics.
  • Case Studies: Real-world Examples of Threat Identification
    • Practical demonstrations of identifying specific attacks using Windows logs and MITRE ATT&CK techniques.

گواهینامه‌ی دوره