This course covers the fundamentals of live analysis and investigation for endpoints with Trellix Endpoint Security (HX).

Hands-on activities span the entire investigations process, beginning with a Trellix-generated alert, leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion. Analysis of computer systems will be performed using Trellix products and freely available tools.

• Describe methods of live analysis
• Use core analyst features of Endpoint Security (HX) such as alerting, enterprise search, and containing endpoints
• Validate and provide further context for Trellix alerts
• Demonstrate the ability to plan, execute and report on a digital investigation
• Analyze a data collection from Endpoint Security (HX) using a defined methodology
• Identify malicious activity hidden among common Windows events

Day 1

1. Threats and Malware Trends

• Threat landscape
• Attack motivations
• MITRE ATT&CK framework
• Emerging threat actors

2. Initial Alerts

• Trellix Endpoint Security (HX) alerts
• Triage with Triage Summary
• Trellix Network Security alerts
• Identifying forensic artifacts in the OS Change detail
• Mapping artifacts in an alert to host activity

3. Using Audit Viewer and Redline®

• Access triage and data collections for hosts.
• Navigate a triage collectionor acquisition using Redline® or Audit Viewer
• Apply tags and comments to a triage collection to identify key events

4. Windows Telemetry

• Live investigation overview
• Windows telemetry
  • Memory artifacts
  • System information
  • Processes
  • File system
  • Configuration files
  • Services
  • Scheduled tasks
  • Logging
• Choosing Data to acquire

Day 2

1. Acquisitions

• Triage and real-time events
• Live system acquisitions
• Bulk Acquisitions
• Endpoint Security (HX)REST API

2. Endpoint Security (HX) extended capabilities

• Endpoint Security (HX) modules
• HXTool

Day 3

1. Investigation Methodology

• MITRE ATT&CK framework
• Mapping evidence to attacker activity:
  • Evidence of initial compromise
  • Evidence of persistence
  • Evidence of lateral movement
  • Evidence of internal reconnaissance
  • Evidence of data exfiltration

2. Capstone Capture the Flag (CTF)

This course is intended for Network security professionals and incident responders who must use Endpoint Security (HX) to investigate, identify and stop cyber threats, as well as security analysts who want to learn investigation techniques used to respond to today’s cyber threats.

Students taking this course should have a working knowledge of Windows operating systems, networking and network security, file system, registry, and regular expressions. Scripting experience with Python or PowerShell is beneficial.