Build crucial cyber security skills through interactive training during SANS Cyber Security Mountain 2021. Save $150 thru 6/30.
No classes scheduled at this time.

Lethal Threat Hunting and Incident Response Techniques

Course Syllabus  ·  12 CPEs  ·   Laptop Requirements


The chances are very high that hidden threats are already in your organization's networks. Organizations can't afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools.

The key, however, is to look constantly for attacks that get past security systems and to catch intrusions in progress rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is referred to as "threat hunting." Threat Hunting is using know adversary behaviors to examine proactively the network and endpoints identifying new data breaches.

Threat hunting and Incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford antiquated incident response and threat hunting techniques that fail to properly identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident. Incident response and threat hunting teams are the keys to identifying and observing malware indicators, patterns of activity, to help generate accurate threat intelligence that can be used to help detect current and future intrusions.




  • Threat Hunting
    • Hunting Versus Reactive Response
    • Intelligence Driven Incident Response
    • Building a Continuous Incident Response | Threat Hunting Capability
    • Forensic Analysis Versus Threat Hunting
    • Threat Hunt Team Roles
  • Threat Hunting in the Enterprise
    • Identification of Compromised Systems
    • Finding Active and Dormant Malware
    • Digitally Signed Malware
    • Malware Characteristics
    • Common Hiding Mechanisms
    • Finding Evil by Understanding Normal
    • Understanding Common Windows Services and Processes
    • svchost.exe abuse
  • Malware Persistence Identification
    • AutoStart Locations
    • Service Creation/Replacement
    • Service Failure Recovery
    • Scheduled Tasks
    • DLL Hijacking
    • WMI Event Consumers
    • More Advanced - Local Group Policy, MS Office Add-In, or BIOS Flashing
  • Advanced Evidence of Execution Detection
    • Application Compatibility Cache
    • Prefetch and Shimcache Extraction Via Memory
    • RecentFileCache
    • Amcache
  • Lateral Movement Adversary Tactics, Techniques, and Procedures (TTPs)
    • Legitimate Credentials Stealing and Utilization
    • Compromising Credentials Techniques
    • Remote Desktop Services Misuse
    • Windows Admin Shares Abuse
    • PsExec Utilization
    • Windows Remote Management Tool Techniques
    • PowerShell Remoting / WMIC Hacking
    • Vulnerability Exploitation
  • Event Log Analysis for Incident Responders and Hunters
    • Profiling Account Usage
    • Tracking and Hunting Lateral Movement
    • Identifying Suspicious Services
    • Detecting Rogue Application Installation
    • Finding Malware Execution and Process Tracking
    • Capturing Command Lines and Scripts
    • Anti-Forensics and Event Log Clearing
  • Super Timeline Creation and Analysis
    • Super Timeline Artifact Rules
    • Program Execution, File Knowledge, File Opening, File Deletion
    • Timeline Creation with log2timeline/Plaso
    • log2timeline Input Modules
    • log2timeline Output Modules
    • Filtering the Super Timeline Using psort
    • Targeted Super Timeline Creation
    • Automated Super Timeline Creation
    • Super Timeline Analysis
  • Evolution of Incident Response Scripting
    • WMIC
    • PowerShell
    • Incident Response Triage Investigations with PowerShell


  • Malware Autostart Persistence Analysis
  • Hunting and Detecting Evidence of Execution with Shimcache
  • Shimcache Memory RAM Examinations
  • Prefetch Carving and Extraction from Memory and Unallocated Space
  • Hunting and Tracking Lateral Movement with Event Log Analysis
  • Track APT activity second-by-second through in-depth super timeline analysis
  • Observe targeted attackers laterally move to other systems in the enterprise by watching a trail left in filesystem times, registry, shimcache, and other temporal-based artifacts


Course Syllabus

CPE/CMU Credits: 6

CPE/CMU Credits: 6

Additional Information


You can use any 64-bit version of Windows, Apple OS X, or Linux as your core operating system that also can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

Please download and install VMware Workstation 11 or VMware Fusion 7 or higher versions on your system before class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

    • CPU: 64-bit Intel i5 x64 2.0+ GHz (4th generation or above) processor or higher based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
    • RAM: 8 GB (Gigabytes) of RAM minimum (Note: Operating with less than 8GB of RAM will prevent you from experiencing all of the labs in the course!)
    • Host Operating System: Fully patched & updated Windows (7+), Apple OS X (10.10+), or a recent version of Linux operating system (released 2014 or later) that can install and run VMware virtualization products (VMware Workstation 11 or VMware Fusion 7). Please note: It is necessary to fully update your host operating system before the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
    • Networking: Wireless 802.11 B, G, N, or AC; Ethernet is also nice to have, if possible.
    • USB 3.0 Port(s) - highly recommended
    • 150 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical. Consider bringing a USB3 external hard drive as a backup in case space becomes an issue. Not having enough hard drive space is one of the most common issues students have with their laptops.
    • The student should have local Administrator access within the host operating system and administrative access to the system's BIOS or equivalent pre-boot firmware
    • PLEASE NOTE: Do NOT use the version of the SANS SIFT Workstation downloaded from the Internet. We will provide a custom FOR508 version specifically configured for training on Day 1 of the course.

MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS (Please install the following before the beginning of the class):

1. Install VMware Workstation 11 or VMware Fusion 7 (or a higher version)

2. Download and install on your Windows host: 7Zip

a. Apple OS X users should install 7Zip or Keka

3. Microsoft Office 2013 (version 15.0) or later with Microsoft Excel. Note you can download Office Trial Software online (free for 60 days)

4. If you use Apple OSX, you must bring a Microsoft Windows Virtual Machine (Win7 or higher) to class

Additional notes:

  • If you have attended FOR408 in the past, you may want to bring your copy of the FOR408 - Windows SANS SIFT Workstation Virtual Machine, as you can use it for the final challenge
  • Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, you are free to use them.
  • Again, DO NOT use the version of the SANS SIFT Workstation downloaded from the Internet. We will provide you with a version specifically configured for the FOR508 materials on Day 1 of the course.

If you have additional questions about the laptop specifications, please contact

  • Incident Response Team Members who regularly respond to complex security incidents/intrusions from an APT group/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
  • Threat Hunters who are seeking to understand threats more fully and how to learn from them to be able to more effectively hunt threats and counter their tradecraft
  • Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of memory and timeline forensics, investigating technically advanced individuals, incident response tactics, and advanced intrusion investigations.
  • Information Security Professionals who may encounter data breach incidents and intrusions
  • Federal Agents and Law Enforcement who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics
  • Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.
  • SANS FOR408 and SEC504 Graduates looking to take their skills to the next level.

This is an advanced course focusing on detecting and responding to advanced persistent threats and organized crime threat groups. We do not cover the introduction or basics of incident response, windows digital forensics, or hacker techniques in the course.

We recommend that you should have a background in one of the following SANS courses: SEC504, FOR408, or equivalent training.

  • SIFT Workstation
    • This course extensively uses the SIFT Workstation to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks.
    • SIFT contains hundreds of free and open-source tools, easily matching any modern forensic and incident response commercial response tool suite.
    • A virtual machine is used with many of the hands-on class exercises.
    • Ubuntu Linux LTS Base.
    • 64-bit base system.
    • Better memory utilization.
    • Auto-DFIR package update and customizations.
    • Latest forensics tools and techniques.
    • VMware Appliance ready to tackle forensics.
    • Cross-compatibility between Linux and Windows.
    • Expanded file system support (NTFS, HFS, EXFAT, and more).
  • 128 GB Course USB
    • USB loaded with APT case images, memory captures, SIFT Workstation 3, tools, and documentation.