Part I Prepare 1
Chapter 1 The Threat Landscape 3
Attacker Motivations 3
Intellectual Property Theft 4
Supply Chain Attack 4
Financial Fraud 4
Extortion 5
Espionage 5
Power 5
Hacktivism 6
Revenge 6
Attack Methods 6
DoS and DDoS 7
Worms 8
Ransomware 8
Phishing 9
Spear Phishing 9
Watering Hole Attacks 10
Web Attacks 10
Wireless Attacks 11
Sniffing and MitM 11
Crypto Mining 12
Password Attacks 12
Anatomy of an Attack 13
Reconnaissance 13
Exploitation 14
Expansion/Entrenchment 15
Exfiltration/Damage 16
Clean Up 16
The Modern Adversary 16
Credentials, the Keys to the Kingdom 17
Conclusion 20
Chapter 2 Incident Readiness 21
Preparing Your Process 21
Preparing Your People 27
Preparing Your Technology 30
Ensuring Adequate Visibility 33
Arming Your Responders 37
Business Continuity and Disaster Recovery 38
Deception Techniques 40
Conclusion 43
Part II Respond 45
Chapter 3 Remote Triage 47
Finding Evil 48
Rogue Connections 49
Unusual Processes 52
Unusual Ports 55
Unusual Services 56
Rogue Accounts 56
Unusual Files 58
Autostart Locations 59
Guarding Your Credentials 61
Understanding Interactive Logons 61
Incident Handling Precautions 63
RDP Restricted Admin Mode and Remote Credential Guard 64
Conclusion 65
Chapter 4 Remote Triage Tools 67
Windows Management Instrumentation Command-Line Utility 67
Understanding WMI and the WMIC Syntax 68
Forensically Sound Approaches 71
WMIC and WQL Elements 72
Example WMIC Commands 79
PowerShell 84
Basic PowerShell Cmdlets 87
PowerShell Remoting 91
Accessing WMI/MI/CIM with PowerShell 95
Incident Response Frameworks 98
Conclusion 100
Chapter 5 Acquiring Memory 103
Order of Volatility 103
Local Memory Collection 105
Preparing Storage Media 107
The Collection Process 109
Remote Memory Collection 117
WMIC for Remote Collection 119
PowerShell Remoting for Remote Collection 122
Agents for Remote Collection 125
Live Memory Analysis 128
Local Live Memory Analysis 129
Remote Live Memory Analysis 129
Conclusion 131
Chapter 6 Disk Imaging 133
Protecting the Integrity of Evidence 133
Dead-Box Imaging 137
Using a Hardware Write Blocker 139
Using a Bootable Linux Distribution 143
Live Imaging 149
Live Imaging Locally 149
Collecting a Live Image Remotely 154
Imaging Virtual Machines 155
Conclusion 160
Chapter 7 Network Security Monitoring 161
Security Onion 161
Architecture 162
Tools 165
Snort, Sguil, and Squert 166
Zeek (Formerly Bro) 172
Elastic Stack 182
Text-Based Log Analysis 194
Conclusion 197
Chapter 8 Event Log Analysis 199
Understanding Event Logs 199
Account-Related Events 207
Object Access 218
Auditing System Configuration Changes 221
Process Auditing 224
Auditing PowerShell Use 229
Using PowerShell to Query Event Logs 231
Conclusion 233
Chapter 9 Memory Analysis 235
The Importance of Baselines 236
Sources of Memory Data 242
Using Volatility and Rekall 244
Examining Processes 249
The pslist Plug-in 249
The pstree Plug-in 252
The dlllist Plug-in 255
The psxview Plug-in 256
The handles Plug-in 256
The malfi nd Plug-in 257
Examining Windows Services 259
Examining Network Activity 261
Detecting Anomalies 264
Practice Makes Perfect 273
Conclusion 274
Chapter 10 Malware Analysis 277
Online Analysis Services 277
Static Analysis 280
Dynamic Analysis 286
Manual Dynamic Analysis 287
Automated Malware Analysis 299
Evading Sandbox Detection 305
Reverse Engineering 306
Conclusion 309
Chapter 11 Disk Forensics 311
Forensics Tools 312
Time Stamp Analysis 314
Link Files and Jump Lists 319
Prefetch 321
System Resource Usage Monitor 322
Registry Analysis 324
Browser Activity 333
USN Journal 337
Volume Shadow Copies 338
Automated Triage 340
Linux/UNIX System Artifacts 342
Conclusion 344
Chapter 12 Lateral Movement Analysis 345
Server Message Block 345
Pass-the-Hash Attacks 351
Kerberos Attacks 353
Pass-the-Ticket and Overpass-the-Hash Attacks 354
Golden and Silver Tickets 361
Kerberoasting 363
PsExec 365
Scheduled Tasks 368
Service Controller 369
Remote Desktop Protocol 370
Windows Management Instrumentation 372
Windows Remote Management 373
PowerShell Remoting 374
SSH Tunnels and Other Pivots 376
Conclusion 378
Part III Refine 379
Chapter 13 Continuous Improvement 381
Document, Document, Document 381
Validating Mitigation Efforts 383
Building On Your Successes, and Learning from Your Mistakes 384
Improving Your Defenses 388
Privileged Accounts 389
Execution Controls 392
PowerShell 394
Segmentation and Isolation 396
Conclusion 397
Chapter 14 Proactive Activities 399
Threat Hunting 399
Adversary Emulation 409
Atomic Red Team 410
Caldera 415
Conclusion 416
Index 419
