You're reading from Incident Response for Windows Adapt effective strategies for managing sophisticated cyberattacks targeting Windows systems

Product type Paperback

Published in Aug 2024

Publisher Packt

ISBN-13 9781804619322

Length 244 pages

Edition 1st Edition

Concepts

Cybersecurity

Authors (2):

Anatoly Tykushin

Svetlana Ostrovskaya

View More author details

Table of Contents (20) Chapters

Preface

1. Part 1: Understanding the Threat Landscape and Attack Life Cycle

2. Chapter 1: Introduction to the Threat Landscape FREE CHAPTER

3. Chapter 2: Understanding the Attack Life Cycle

4. Part 2: Incident Response Procedures and Endpoint Forensic Evidence Collection

5. Chapter 3: Phases of an Efficient Incident Response on Windows Infrastructure

6. Chapter 4: Endpoint Forensic Evidence Collection

7. Part 3: Incident Analysis and Threat Hunting on Windows Systems

8. Chapter 5: Gaining Access to the Network

9. Chapter 6: Establishing a Foothold

10. Chapter 7: Network and Key Assets Discovery

11. Chapter 8: Network Propagation

12. Chapter 9: Data Collection and Exfiltration

13. Chapter 10: Impact

14. Chapter 11: Threat Hunting and Analysis of TTPs

15. Part 4: Incident Investigation Management and Reporting

16. Chapter 12: Incident Containment, Eradication, and Recovery

17. Chapter 13: Incident Investigation Closure and Reporting

18. Index

Why subscribe?

19. Other Books You May Enjoy

Detecting discovery

During network discovery, threat actors may use a variety of techniques that can be implemented using specialized tools, scripts, system utilities, and sometimes manual analysis of files on the victim’s system. Accordingly, when searching for traces, we need to focus on the programs and scripts being run, as well as access to different files and locations. Moreover, during the investigation, attackers may save scan results or collected information on the victim’s hosts, which means that traces of new file creation will also be relevant to us.

Using specialized programs

Depending on the specifics of the threat actors, both self-written and well-known publicly available tools, such as various scanners or post-exploitation frameworks, can be used in attacks. For example, the most popular network scanning tools are SoftPerfect Network Scanner, Advanced IP Scanner, Advanced Port Scanner, Nmap, and Zenmap. ADRecon, ADFind, LDAP Browser, CrackMapExec...