What you’ll learn

  • Learn how to triage Windows systems for evidence of compromise quickly
  • Learn about key artifacts used for targeted persistence analysis
  • Learn Splunk logic for fast triage
  • Learn by doing – practical exercises – basic Python with some PowerShell
  • Learn by doing – practical exercises – convert EVTX files to CSV with open-source tools


Research on malicious campaigns has found that successfully establishing one or more persistence mechanisms is necessary for the attacker to achieve their goals. Installing persistence is a choke point in the attack method and provides an opportunity for detection through the analysis of affected system artifacts.

The identification of a compromised system is a high priority. Discovering the compromise early during an investigation improves scoping, containment, mitigation, and remediation efforts. If persistence is not detected, it may reduce the perceived risk of the system. Either finding is valuable for making resource assignment decisions.

This class teaches you how to use readily available artifacts to uncover persistence mechanisms quickly. Each module breaks down the artifact from a DFIR point of view, identifying key elements and analysis strategy guidelines along the way. Just about any forensic platform or security appliance may be used once you understand how to approach the artifact. Splunk is used to provide SIEM logic examples. Open-source tools, with a little Python scripting, are used for the practical exercises. The completed Python scripts are provided as well.

The main artifact categories cover evidence that appears in investigations repeatedly:

  • Windows event logs for services
  • Windows event logs for scheduled tasks
  • Windows registry autoruns and registry modification events
