{"id":10399,"date":"2023-01-10T11:05:13","date_gmt":"2023-01-10T11:05:13","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/"},"modified":"2023-04-17T05:30:12","modified_gmt":"2023-04-17T05:30:12","slug":"linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams","status":"publish","type":"product","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/","title":{"rendered":"Linux Forensics Inspection and Incident Response at Scale (Ams)"},"content":{"rendered":"<h2><strong><span style=\"color: #993300\">REGISTRATION CLOSED<\/span><\/strong><\/h2>\n<h4><strong>DATE: 17-19 April 2023<\/strong><\/h4>\n<h4><strong>TIME: 09:00 to 17:00 CEST\/GMT+2<\/strong><\/h4>\n<table style=\"height: 120px\" width=\"719\">\n<tbody>\n<tr>\n<td><strong>Date<\/strong><\/td>\n<td><strong>Day<\/strong><\/td>\n<td><strong>Time<\/strong><\/td>\n<td><strong>Duration<\/strong><\/td>\n<\/tr>\n<tr>\n<td>17 Apr<\/td>\n<td>Monday<\/td>\n<td>0900-17:00 CEST\/GMT+2<\/td>\n<td>8 Hours<\/td>\n<\/tr>\n<tr>\n<td>18 Apr<\/td>\n<td>Tuesday<\/td>\n<td>0900-17:00 CEST\/GMT+2<\/td>\n<td>8 Hours<\/td>\n<\/tr>\n<tr>\n<td>19 Apr<\/td>\n<td>Wednesday<\/td>\n<td>0900-17:00 CEST\/GMT+2<\/td>\n<td>8 Hours<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<hr \/>\n<div class=\"page\" title=\"Page 3\">\n<div class=\"layoutArea\">\n<div>\n<div class=\"page\" title=\"Page 1\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<h4 style=\"text-align: center\"><em><span style=\"color: #993300\">Full access to the PurpleLabs environment for 30 days post-training!<\/span><\/em><\/h4>\n<hr \/>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"page\" title=\"Page 1\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<h5>Through the hands-on labs, you will gain a 
perfect understanding of important DFIR Linux\/Network internals and investigation steps needed to get the full picture of post-exploitation activities and artifacts left behind. At scale.<\/h5>\n<p>Attackers constantly find new ways to attack and infect Linux boxes using more and more sophisticated techniques and tools. As defenders, we need to stay up to date with adversaries, understand their TTPs and be able to respond quickly. The combination of low-level network and endpoint visibility is crucial to achieve that goal. For DFIR needs we could go even further with proactive forensics inspections. This training will guide you through different attack-detection-inspection-response use cases and teach critical aspects of how to handle Linux incidents properly.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>For a comprehensive mindmap of this training, <a href=\"https:\/\/www.defensive-security.com\/storage\/uploads\/Linux_Attack_and_Forensics_Inspection_at_scale-v4.png\">click here<\/a><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Topics Covered<\/strong><\/h5>\n<ul>\n<li>Introduction to PurpleLabs Hunting and Detection tools including Velociraptor, Wazuh, HELK+Sigma, Splunk, Elastiflow, Moloch\/Arkime, Kolide Fleet, Graylog, theHive, Sandfly and more<\/li>\n<li>Linux profile baselining<\/li>\n<li>How to run DFIR tasks at scale across many Linux endpoints<\/li>\n<li>Recent Linux APT analysis<\/li>\n<li>RE&amp;CT Enterprise Matrix<\/li>\n<li>The importance of timeline analysis and NTP synchronization<\/li>\n<li>Triage \/ collecting artifacts<\/li>\n<li>Privileged user and group enumeration<\/li>\n<li>Identification of logged-in accounts<\/li>\n<li>Searching for files at scale<\/li>\n<li>Establishing a baseline for different OS components (cron, at, rc.local, ACLs, hosts, resolv.conf, SELinux, filesystem hashing, packages and checksums)<\/li>\n<li>Process call chains \/ pstree \/ process arguments<\/li>\n<li>Collecting and analyzing important process data 
(\/proc)<\/li>\n<li>Finding hidden processes, network connections and kernel modules<\/li>\n<li>Detecting capabilities in ELF, shellcode files<\/li>\n<li>Detecting loaded shared libraries per process<\/li>\n<li>Dropping web shells vs File Integrity Monitoring<\/li>\n<li>Hunting for packers, extracting binary versions and exports<\/li>\n<li>Searching for exploitation attempts in logs<\/li>\n<li>Hunting for Linux rootkits (user space \/ kernel space)<\/li>\n<li>Hunting for artifacts of process injection techniques<\/li>\n<li>Sysmon Events + Linux Sigma detection rules<\/li>\n<li>Runtime Security Analysis (Falco, Tracee) for host and docker containers<\/li>\n<li>Syscall filtering<\/li>\n<li>Open source ways for memory acquisition and memory forensics<\/li>\n<li>Creating Volatility profiles<\/li>\n<li>Filesystem and Linux process memory yara scans<\/li>\n<li>Linux Endpoint data correlation and hunting for suspicious network events<\/li>\n<li>Network visibility with \/ without signature rules<\/li>\n<li>Searching for different persistence methods in use<\/li>\n<li>Data correlation and hunting for suspicious network events + RITA<\/li>\n<li>Direct interaction with endpoint: command execution on demand, system modification and active quarantine examples<\/li>\n<li>Hunts enrichment<\/li>\n<li>Using theHive for incident management<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>REGISTRATION CLOSED DATE: 17-19 April 2023 TIME: 09:00 to 17:00 CEST\/GMT+2 Date Day Time Duration 17 Apr Monday 0900-17:00 CEST\/GMT+2 8 Hours 18 Apr Tuesday 0900-17:00 CEST\/GMT+2 8 Hours 19 Apr Wednesday 0900-17:00 CEST\/GMT+2 8 Hours &nbsp; Full access to the 
PurpleLabs environment for 30 days post-training! Through the hands-on labs, you will gain a [&hellip;]<\/p>\n","protected":false},"featured_media":10398,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false},"product_cat":[59,55,64],"product_tag":[],"class_list":{"0":"post-10399","1":"product","2":"type-product","3":"status-publish","4":"has-post-thumbnail","6":"product_cat-3-day-training","7":"product_cat-hitb2023ams","8":"product_cat-virtual","10":"first","11":"instock","12":"featured","13":"shipping-taxable","14":"purchasable","15":"product-type-simple"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Linux Forensics Inspection and Incident Response at Scale (Ams) - HITBSecConf2023 - Amsterdam<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Linux Forensics Inspection and Incident Response at Scale (Ams) - HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"og:description\" content=\"REGISTRATION CLOSED DATE: 17-19 April 2023 TIME: 09:00 to 17:00 CEST\/GMT+2 Date Day Time Duration 17 Apr Monday 0900-17:00 CEST\/GMT+2 8 Hours 18 Apr Tuesday 0900-17:00 CEST\/GMT+2 8 Hours 19 Apr Wednesday 0900-17:00 CEST\/GMT+2 8 Hours &nbsp; Full access to the PurpleLabs environment for 30 days post-training! 
Through the hands-on labs, you will gain a [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"article:modified_time\" content=\"2023-04-17T05:30:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/\",\"name\":\"Linux Forensics Inspection and Incident Response at Scale (Ams) - HITBSecConf2023 - 
Amsterdam\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg\",\"datePublished\":\"2023-01-10T11:05:13+00:00\",\"dateModified\":\"2023-04-17T05:30:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#primaryimage\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg\",\"contentUrl\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg\",\"width\":1200,\"height\":900},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Products\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/sho
p\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Linux Forensics Inspection and Incident Response at Scale (Ams)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\",\"name\":\"HITBSecConf2023 - Amsterdam\",\"description\":\"#HITB2021AMS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Linux Forensics Inspection and Incident Response at Scale (Ams) - HITBSecConf2023 - Amsterdam","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/","og_locale":"en_US","og_type":"article","og_title":"Linux Forensics Inspection and Incident Response at Scale (Ams) - HITBSecConf2023 - Amsterdam","og_description":"REGISTRATION CLOSED DATE: 17-19 April 2023 TIME: 09:00 to 17:00 CEST\/GMT+2 Date Day Time Duration 17 Apr Monday 0900-17:00 CEST\/GMT+2 8 Hours 18 Apr Tuesday 0900-17:00 CEST\/GMT+2 8 Hours 19 Apr Wednesday 0900-17:00 CEST\/GMT+2 8 Hours &nbsp; Full access to the PurpleLabs environment for 30 days post-training! 
Through the hands-on labs, you will gain a [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/","og_site_name":"HITBSecConf2023 - Amsterdam","article_modified_time":"2023-04-17T05:30:12+00:00","og_image":[{"width":1200,"height":900,"url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/","name":"Linux Forensics Inspection and Incident Response at Scale (Ams) - HITBSecConf2023 - Amsterdam","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website"},"primaryImageOfPage":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#primaryimage"},"image":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#primaryimage"},"thumbnailUrl":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg","datePublished":"2023-01-10T11:05:13+00:00","dateModified":"2023-04-17T05:30:12+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb
2023ams\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#primaryimage","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg","contentUrl":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-content\/uploads\/sites\/18\/2023\/01\/leszek.jpg","width":1200,"height":900},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/linux-forensics-inspection-and-incident-response-at-scale-hitb2023ams\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/"},{"@type":"ListItem","position":2,"name":"Products","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/shop\/"},{"@type":"ListItem","position":3,"name":"Linux Forensics Inspection and Incident Response at Scale (Ams)"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/","name":"HITBSecConf2023 - Amsterdam","description":"#HITB2021AMS","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/product\/10399"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/product"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/product"}],"replies":[{"embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/comments?post=10399"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media\/10398"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=10399"}],"wp:term":[{"taxonomy":"product_cat","embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/product_cat?post=10399"},{"taxonomy":"product_tag","embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/product_tag?post=10399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}