Day 1
1. Threats and Malware Trends
- Threat landscape
- Attack motivations
- MITRE ATT&CK framework
- Emerging threat actors
2. Initial Alerts
- Trellix Endpoint Security (HX) alerts
- Triage with Triage Summary
- Trellix Network Security alerts
- Identifying forensic artifacts in the OS Change detail
- Mapping artifacts in an alert to host activity
3. Using Audit Viewer and Redline®
- Access triage and data collections for hosts
- Navigate a triage collection or acquisition using Redline® or Audit Viewer
- Apply tags and comments to a triage collection to identify key events
4. Windows Telemetry
- Live investigation overview
- Windows telemetry
- Memory artifacts
- System information
- Processes
- File system
- Configuration files
- Services
- Scheduled tasks
- Logging
- Choosing data to acquire
Day 2
1. Acquisitions
- Triage and real-time events
- Live system acquisitions
- Bulk Acquisitions
- Endpoint Security (HX) REST API
2. Endpoint Security (HX) extended capabilities
- Endpoint Security (HX) modules
- HXTool
Day 3
1. Investigation Methodology
- MITRE ATT&CK framework
- Mapping evidence to attacker activity:
  - Evidence of initial compromise
  - Evidence of persistence
  - Evidence of lateral movement
  - Evidence of internal reconnaissance
  - Evidence of data exfiltration
2. Capstone Capture the Flag (CTF)