Windows Forensics Inspections

and Incident Response at scale

Learn more


Attackers constantly find new ways to attack and infect Windows boxes using more and more sophisticated techniques and tools. As defenders, we need to stay up to date with adversaries, understand their TTPs and be able to respond quickly. The combination of low-level network and endpoint visibility is crucial to achieving that goal. For DFIR needs we could go even further with proactive forensics inspections. This training will guide you through different attack-detection-inspection-response use-cases and teach critical aspects of how to handle Windows incidents properly. Going through the hands-on labs, you will gain a perfect understanding of important DFIR Windows/Network internals and investigation steps needed to get the full picture of post-exploitation activities and artifacts they leave behind. At scale.


  • How to run DFIR tasks at scale across many endpoints
  • RE&CT Enterprise Matrix
  • The importance of timeline analysis
  • Privileged user and group enumeration
  • Identification of logged users
  • Interactive Triage 
  • Searching for files, searching for IoC (URLs, IP, signatures, patterns, CC data)
  • Web browsers history analysis
  • Establish a baseline for different OS components (system32 file hashing, shim cache / amcache / SRUM DB, BAM records, ACLs, running services, run/runonce keys, scheduled tasks, autoexec, envs, VSS)
  • Detecting capabilities in PE, shellcode files
  • Analyzing process memory regions (loaded DLLs / .NET assemblies per process)
  • Process call chains / pstree / process arguments
  • IMPHashing
  • Detecting suspicious child processes of wmi, psexec, smbexec
  • Prefetch analysis
  • Timestomping detection
  • Finding LNK files
  • Recovering deleted files from a directory
  • Playing with USN.journal
  • Searching in MFT for exploitation attempts
  • Open source ways for memory acquisition and memory forensics
  • Filesystem and process memory Yara scans
  • Finding and analyzing Office documents with macros
  • Checking Windows Event Logs / EVTX with Sigma detection rules
  • Registry modification events HKCU / HKLM
  • Detecting mutants / named mutex
  • Raw NTFS parsing / ADS
  • Detecting parent-process spoofing
  • Data correlation and hunting for suspicious network events + RITA 
  • Finding and analyzing Office documents with macros enabled
  • Searching for persistence methods in use
  • Direct interaction with the endpoint: command execution on demand, system modification, and quarantine examples
  • Hunts enrichment and pivoting between data sources
  • Playing with offline Mordor Datasets / EVTX-Attack-Samples
  • Using theHive for incident management

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

  • CSIRT / Incident Response Specialists
  • Red and Blue team members
  • Penetration testers
  • Threat Hunters
  • Security / Data Analytics
  • IT Security Professionals, Experts & Consultants
  • SOC Analysts and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out what the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.


If you are interested in dedicated, private training for your Security Operations team let us know. We love delivering on-site training sessions!