LogonSessions for Incident Response [FREE COURSE CONTENT]

Apr 8, 2020

In this tutorial from our Security Incident Response course, you will see how to use the LogonSessions tool from Windows Sysinternals in incident response. Want to add something to your toolbox? Let's dive in! 
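The following PowerShell script is an added example for this page; it is not code from the course or from Sysinternals. It shows the way a responder would typically drive LogonSessions on a suspect host: run it in CSV mode, preserve the raw output for the case file, then triage which accounts hold which kinds of logon sessions. It assumes logonsessions.exe is on PATH (or passed via -Exe), that the documented -c (CSV) and -accepteula switches are available, that the CSV header has a user column and a logon-type column whose names contain "user" and "type" (matched loosely rather than hard-coded), and that the prompt is elevated, since LogonSessions needs administrative rights to enumerate other users' sessions.

```powershell
# Added example (not from the Hakin9 course or from Sysinternals):
# run LogonSessions in CSV mode, keep the raw output as evidence, and triage sessions.
#
# Assumptions (check against your copy of the tool):
#   - logonsessions.exe is on PATH, or supply the full path via -Exe
#   - "-c" prints CSV and "-accepteula" suppresses the EULA prompt, as documented
#   - the CSV header has a column containing "user" and one containing "type";
#     the names are discovered at run time instead of being hard-coded
#   - the script runs from an elevated prompt
param(
    [string]$Exe = "logonsessions.exe",
    # Logon types worth a first look during triage, spelled as LogonSessions prints them:
    # RemoteInteractive = RDP, Network = SMB/WinRM-style access, CachedInteractive = cached creds.
    [string[]]$Suspicious = @("RemoteInteractive", "Network", "CachedInteractive")
)

$lines = @(& $Exe -c -accepteula 2>$null)
if ($lines.Count -eq 0) { throw "No output from $Exe. Is it on PATH, and is this an elevated prompt?" }

# Sysinternals tools print a banner before their output; start at the first line that
# looks like the CSV header (contains "logon" and a comma) rather than assuming line 0.
$start = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '(?i)logon' -and $lines[$i] -match ',') { $start = $i; break }
}
if ($start -lt 0) { throw "Could not find a CSV header in the output of $Exe" }

$sessions = $lines[$start..($lines.Count - 1)] | ConvertFrom-Csv
if (-not $sessions) { throw "CSV output parsed to zero sessions" }

# Preserve the parsed output for the case file before doing anything else with it.
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$sessions | Export-Csv -NoTypeInformation -Path "logonsessions_${env:COMPUTERNAME}_$stamp.csv"

# Discover column names loosely so a header wording change does not break the script.
$cols    = @($sessions[0].PSObject.Properties.Name)
$userCol = $cols | Where-Object { $_ -match '(?i)user' } | Select-Object -First 1
$typeCol = $cols | Where-Object { $_ -match '(?i)type' } | Select-Object -First 1
$timeCol = $cols | Where-Object { $_ -match '(?i)time' } | Select-Object -First 1
if (-not ($userCol -and $typeCol)) { throw "Unexpected CSV header: $($cols -join ', ')" }

# 1. Overview: how many sessions of each logon type exist on the host.
$sessions | Group-Object $typeCol | Sort-Object Count -Descending |
    Select-Object @{ n = 'LogonType'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. Triage list: sessions of the chosen types that belong to a real user account.
#    Machine accounts end in '$'; the three built-in service identities own the
#    well-known sessions that exist on every host and are filtered out here.
$builtin = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
$review = $sessions | Where-Object {
    ($Suspicious -contains $_.$typeCol) -and
    ($_.$userCol -notmatch '\$$') -and
    ($builtin -notcontains ($_.$userCol -replace '^.*\\', ''))
}
$props = @($userCol, $typeCol) + @($cols | Where-Object { $_ -eq $timeCol })
$review | Sort-Object $userCol | Select-Object $props | Format-Table -AutoSize
```

Run it as `.\Triage-LogonSessions.ps1` from an elevated PowerShell, or with `-Exe C:\Tools\logonsessions64.exe` if the binary is not on PATH. The triage list is a starting point, not a verdict: a Network logon for a domain admin at 03:00 from a workstation that never hosts admin work is worth pulling the 4624 events for, while the same session on a file server during business hours is routine. When a session looks wrong, re-run the tool interactively with its documented -p switch to see the processes running under that session before deciding whether to contain the host.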



Participants will be able to clearly define a security incident and handle it properly. They will also be able to define the steps needed to lead the incident to the desired outcome throughout the investigation.

You will find out how to:

  • Detect, identify, and mitigate threats
  • Assess potential security risks
  • Account for human error
  • Create an Incident Response Plan
  • Identify High Value Targets
  • Set up Incident Response tooling
  • Create IoCs and implement them
  • Recover systems, data and connectivity
  • Return to production state
  • Document the incident

Example tools used in the course:

  • Windows built-in tools;
  • Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview; LogonSessions);
  • Volatility;
  • dd/windd;
  • Logparser;
  • grep and Windows Event Log Explorer

In module 1, we will study:

  • Assessing potential security risks
  • Accounting for human error
  • Creating an Incident Response Plan
  • Identifying High Value Targets
  • Identifying Stakeholders
  • Setting up Incident Response tooling
  • System instrumentation
  • Employee security training

Module 1 exercises:

Familiarizing with Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview; logonsessions) and Windows Event Log analysis

Check out other modules here! 



© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023