Investigations with Endpoint Security (HX)

This course covers the fundamentals of live analysis forensics and investigation for endpoints.

Hands-on activities span the entire forensics process, beginning with a FireEye-generated alert, leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion. Analysis of computer systems will be performed using FireEye products and freely available tools.

For FireEye Endpoint Security (HX) customers, activities focus on investigation techniques using HX features such as the Triage Summary and Audit Viewer. Optionally, students can work with the HX API to automate actions and explore integrating HX with other systems.

Learning Objectives

After completing this course, learners should be able to:

  • Describe methods of live analysis
  • Demonstrate the ability to plan, execute and report on a digital forensic examination
  • Investigate a Redline triage package using a defined methodology
  • Validate and provide further context for FireEye alerts
  • Identify malicious activity hidden among common Windows events

Who Should Attend

Network security professionals and incident responders who must use FireEye Endpoint Security to investigate, identify and stop cyber threats.

Prerequisites

Completion of the Endpoint Security Deployment course. A working understanding of networking and network security, the Windows operating system, file system, registry and regular expressions, and experience scripting in Python.

Duration

2 days

Instructor-Led Training Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1
  1. Framing an Investigation: Mandiant Attack Lifecycle and Fin7 Case Study
    • Using the Mandiant Attack Framework
    • Mapping attacker actvity to the stages of an APT attack
  2. Initial Alerts
    • Helix Alerts
    • FireEye Endpoint Security Alerts
    • Triage and Triage Summary
    • FireEye Network Security Alerts
    • Identifying forensic artifacts in the OS Change detail
    • Mapping artifacts in an alert to events recorded by the FireEye agent
  3. Knowing Your Operating System
    • Common system processes and attributes
    • Identifying malicious processes
    • Windows Registry
    • Services and Tasks
    • Window Event Logs
    • Audit Viewer and Redline
  4. Data Acquisitions
    • Acquiring data using Endpoint Security
    • Redline collections
    • Other acquisition methods, such as Powershell
    • Locations of evidence as they map to the Mandiant Attack Lifecycle
Day 2
  1. Investigation Methodology
    • Areas of Evidence
    • MITRE ATT&CK Framework
    • Mapping evidence to Attacker Actvity
  2. Memory Analysis
    • Collating evidence
    • Memory Analysis
Optional Content
  1. Using Redline
    • Access triage collections for hosts for offline analysis
    • Navigate a data acquisition using Redline*
    • Apply tags and comments
  2. Using Audit Viewer
    • Navigate a data acquisition using Audit Viewer
    • Apply tags and comments
  3. Endpoint Security: Extended Capabilities
    • FireEye Market
    • Open IOC Editor
    • HXTool
    • Endpoint Security REST API