Advanced MIR [ILT]

Version 14


    The Mandiant Intelligent Response (MIR) appliance finds evidence of compromise and the forensic artifacts that attacker activity leaves behind on your endpoints. With MIR you can rapidly sweep tens of thousands of endpoints using Mandiant's latest intelligence about advanced attacker activity.


    This two-day instructor-led course provides an advanced look at what MIR can do to find evil within your organization. Using advanced IOC creation techniques and hunting methodology, students will learn how to proactively search for indications of wrongdoing on the network.


    Course Objectives

    Upon completion of the course the learner should be able to:

    • Create advanced IOCs that look for malware activity based on prefetch, services, scheduled tasks, registry keys, and more
    • Perform file and service stacking
    • Build PCRE regex-based content and path filters for audit modules
    • Hunt within scheduled tasks and application compatibility cache


    Course Outline

    1. Moving Beyond Audit Modules
      • A look at why it is necessary to move beyond simple audit modules within MIR
      • Exploring Log analysis
    2. Windows Artifacts
      • Look at the Windows OS and how its various subsystem components operate
    3. Writing and Testing Advanced IOCs
      • Using IOC Editor to create IOCs and Redline to test IOCs
    4. Hunting Methodology and Framework
    5. Stacker 1.2.03
      • Theory and lab
    6. PCRE (Perl Compatible Regular Expressions)
      • Theory and lab
    7. Scheduled Task Hunting
      • Theory and lab
    8. Application Compatibility Cache Hunting
      • Theory and demo/walkthrough, as well as lab availability


    Lessons are typically a blend of lecture and hands-on lab activities.


    Prerequisites

    Students should have:

    • A working understanding of networking and network security, the Windows OS, the file system, the registry, and use of the CLI
    • Completed the course Enterprise Incident Response with MIR


    Target Audience

    Network security professionals and incident responders.