
AX310 Axiom Incident Response Examinations

Date: 21 October 2025, 9:00 am
Venue: Online Training
Industry: Police, Military, Government, Private Sector
Course Length: 4 Days
Difficulty: Advanced-level
Delivery Method: Live Online


Overview

AX310 is an expert-level four-day training course designed for participants who are familiar with the principles of digital forensics, who are seeking to expand their knowledge of advanced forensics and incident response techniques, and who want to improve their computer investigations. You can purchase training classes directly online using a credit card; if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

Course Prerequisites

Because AX310 is an expert-level course, it is recommended that students first complete Magnet Axiom Examinations (AX200). AX200 will provide a thorough understanding of Axiom that will help students focus on the Incident Response part of investigations in AX310.


AX310 will give participants the knowledge and skills they need to track incidents where unauthorized computer access and file usage has taken place on a computer system. This course utilizes Magnet Axiom, Axiom Cyber, Axiom Ignite (a cloud investigation tool), Magnet Response and third-party tools to explore the evidence in greater depth. Students will learn about volatile data, and a volatile-data collection tool will be created in class that students can take with them for use beyond the classroom.

In this course, a deeper understanding of investigating incidents involving malware and network intrusions into Windows computers will be provided. Students will conduct a static analysis of malware and learn about sandboxing malware.

After the static analysis of the malware, students will activate the malware in the virtual environment and conduct a dynamic analysis. They will also capture packets during the malware activation to capture information from the malware regarding its command and control server. An analysis of the captured information from the network communication will then be conducted to determine what the malware is designed to do, such as spread laterally on the network, escalate user privileges, create new users, search for PII or send collected data back to the command and control server.

By searching through artifacts like Windows Prefetch, SRUM, AMCACHE, Jumplists, LNK files, SHIMCACHE, MUICACHE, UserAssist, Windows Event logs, and the $Logfile, participants will determine the initial attack vector of the malware and the chain of events that took place thereafter.

Course Modules

Module 1: Course introduction
• Students will be introduced to each other, to the instructor(s) and to Magnet Axiom.

Module 2: Course overview
• An overview of the course will be presented to students along with the learning objectives and expected outcomes for the four-day training event.

Module 3: MITRE ATT&CK Navigator and NIST controls
• This module focuses on how you can map and plot an adversary's activity in your network, understand the goals a threat actor is trying to achieve, and see which techniques are available under each attack goal.
• The participant will also see how the NIST controls can be used to help organisations prepare policies and identify areas in their policies or procedures that may need to be updated.
• This module will also present the Cyber Kill Chain and the mitigation steps used against attackers at each stage.

Module 4: Malware overview
• A high-level overview of the different types of malware seen in the field and what they can do.
• Showing how threat actors utilise tools that come on a Windows computer by default, like PowerShell or Scheduled Tasks, to maintain persistence, alongside other tooling.

Module 5: Where do we start?
• The student will examine the information provided by the initial incident reporter and then determine if the information can be corroborated.
• The investigator will also check to see if the time frame needs to be widened, thereby increasing the scope of the investigation.

Module 6: Packet captures (PCAP)
• Network traffic is sometimes key to understanding how malware arrived at the network and how it allows nefarious actors to travel through the network.
• This module focuses on capturing, filtering, and analysing network traffic to track down network intrusions and perform network forensics.

Module 7: IRTK & Magnet Response
• During this module, students will learn the necessity of collecting volatile data from a suspect computer.
• They will use the output to determine a starting point for the examination while the forensic images are being processed by Axiom.

Module 8: RAM
• Participants will parse RAM from a computer involved in a malware incident and determine what programmes were running and from what location.
• Students will also investigate the malware to determine which computer user was associated with it.

Module 9: Axiom Cyber investigator
• Using the Axiom Cyber licence, the participant will understand the benefits of having a tool that can connect to a remote computer and collect volatile data, make full disk images and retrieve important files and folders.
• They will learn how to create a Cyber agent, configure it for the remote endpoint, deploy it and pull the data back to the investigating computer in real time.

Module 10: Static analysis of malware
• Participants will set up their tools and learn how to mark them when they are used to conduct investigations, so that rogue tools can be identified.
• Participants will use third-party tools to examine potential malware files without detonating them and to pull strings from within the suspicious file.

Module 11: Pattern matching & searching with YARA
• This module will use information obtained from the previous module to create a pattern matching rule using YARA.
• The participant will understand the makeup of a YARA rule and how to correctly apply a security marking to the rule using the Traffic Light Protocol (TLP).
• Once the rule is created, it will be used to search the data set for hits.

Module 12: Online analysis of malware
• In this module, students will use online sandbox environments to monitor the activity of the malware.
• They will learn some of the pitfalls of using online sandboxes.

Module 13: Log files and why they are important
• Students will learn that gathering log files is an important step of the investigation.
• They will learn where logs can be found, the different types of logs, and other areas that can provide information about what the computer was doing, such as Prefetch, SRUM, AMCACHE, JUMPLIST, LNK and USERASSIST.

Module 14: Bringing our investigation to a close
• During the module, students will learn how to put all the pieces of the investigation together through the correlation of all the data they have collected during the preceding modules.

Module 15: Another type of incident response investigation?
• To further reinforce the instructional goals of the course, students are presented with a final scenario, which represents a cumulative review of the exercises conducted in each of the previous modules.
