WEBVTT

0:00:03.760000 --> 0:00:07.540000
 Windows log analysis with
 chainsaw and sigma.

0:00:07.540000 --> 0:00:08.540000
 So welcome everyone.

0:00:08.540000 --> 0:00:15.540000
 This is going to be the final video
 in the Windows event log analysis

0:00:15.540000 --> 0:00:19.060000
 subsection of this course.

0:00:19.060000 --> 0:00:25.060000
 And we're going to be finishing what
 we started with regards to analyzing

0:00:25.060000 --> 0:00:32.720000
 or I should say collecting, exporting,
 parsing and analyzing the Windows

0:00:32.720000 --> 0:00:40.620000
 event logs on the endpoint system
 that we were analyzing in the lab.

0:00:40.620000 --> 0:00:44.360000
 So in the previous video, we took a
 look at how to utilize a tool like

0:00:44.360000 --> 0:00:52.180000
 Timeline Explorer to view
 or analyze parsed logs.

0:00:52.180000 --> 0:00:58.800000
 Now we're going to take a look at how
 to utilize a tool like chainsaw in conjunction

0:00:58.800000 --> 0:01:04.880000
 with sigma to actually make the process
 of identifying malicious activity

0:01:04.880000 --> 0:01:11.000000
 even easier. So I'll introduce you to
 chainsaw and sigma shortly in terms

0:01:11.000000 --> 0:01:14.300000
 of what they are, what they're used for.

0:01:14.300000 --> 0:01:19.360000
 And we'll then take a look at how to
 use them both or in conjunction with

0:01:19.360000 --> 0:01:20.540000
 each other in the lab.

0:01:20.540000 --> 0:01:24.740000
 So again, we're still using
 the same lab environment.

0:01:24.740000 --> 0:01:28.500000
 Windows event log analysis,
 that's the name of the lab.

0:01:28.500000 --> 0:01:34.080000
 So pretty much we are, we actually are
 not going to require the parsed logs

0:01:34.080000 --> 0:01:41.700000
 that we exported or that
 we parsed with EvtxECmd.

0:01:41.700000 --> 0:01:45.580000
 So I'm going to switch over
 into the lab environment.

0:01:45.580000 --> 0:01:51.860000
 And we can take a look at how to analyze
 the Windows event logs with chainsaw

0:01:51.860000 --> 0:01:57.740000
 and sigma. And get some very good indicators
 as to what exactly is malicious

0:01:57.740000 --> 0:02:02.080000
 activity. So using the
 default sigma rule set.

0:02:02.080000 --> 0:02:05.740000
 So I'm going to switch into the lab
 environment and I'll see you then

0:02:05.740000 --> 0:02:08.620000
 in a couple of seconds.

0:02:08.620000 --> 0:02:14.620000
 All right, so I'm back
 in the lab environment.

0:02:14.620000 --> 0:02:25.820000
 And I'm just on the GitHub page, through
 Windows forensic artifacts.

0:02:25.820000 --> 0:02:29.480000
 So it's not just limited to Windows
 event logs, but just going through

0:02:29.480000 --> 0:02:33.980000
 the description here, as you can see
 chainsaw provides a powerful first

0:02:33.980000 --> 0:02:36.000000
 response. Remember that.

0:02:36.000000 --> 0:02:40.340000
 Okay, so you get the idea, everything's
 coming together now, that's why I

0:02:40.340000 --> 0:02:44.960000
 introduced you to it so that you understand
 when a tool like chainsaw

0:02:44.960000 --> 0:02:48.660000
 uses the term first response, you
 actually understand what it means.

0:02:48.660000 --> 0:02:53.940000
 In any case, chainsaw provides a powerful
 first response capability to

0:02:53.940000 --> 0:02:58.160000
 quickly identify threats within Windows
 forensic artifacts, such as event

0:02:58.160000 --> 0:03:00.860000
 logs and the MFT file.

0:03:00.860000 --> 0:03:04.800000
 Chainsaw offers a generic and fast method
 of searching through event logs

0:03:04.800000 --> 0:03:09.120000
 for keywords and by identifying threats
 using built in support for sigma

0:03:09.120000 --> 0:03:12.940000
 detection rules via custom
 chainsaw detection rules.

0:03:12.940000 --> 0:03:21.540000
 So sigma detection rules and custom
 chainsaw detection rules, you can

0:03:21.540000 --> 0:03:25.280000
 then search and extract forensic artifacts
 by string matching so on and

0:03:25.280000 --> 0:03:31.320000
 so forth. So sigma is already in the
 tools directory here, I believe,

0:03:31.320000 --> 0:03:36.100000
 as well as chainsaw.

0:03:36.100000 --> 0:03:40.060000
 So in here, let's take
 a look at chainsaw.

0:03:40.060000 --> 0:03:50.420000
 Yeah, we have that in here and I believe
 this particular version or release

0:03:50.420000 --> 0:03:56.460000
 of chainsaw that has the suffix all
 platforms plus rules already has the

0:03:56.460000 --> 0:04:01.640000
 sigma rules built in and under the
 rules directory, sorry, under sigma

0:04:01.640000 --> 0:04:04.360000
 rules. There we are.

0:04:04.360000 --> 0:04:17.140000
 So in order to use this, I'm going
 to be under exports. What I'll be using,

0:04:17.140000 --> 0:04:22.940000
 what we want to do first and foremost,
 is under the chainsaw folder in here

0:04:22.940000 --> 0:04:29.940000
 where we have the executable
 chainsaw_x86_64-pc-windows-msvc.exe.

0:04:29.940000 --> 0:04:34.060000
 We are going to want to
 open up a one second.

0:04:34.060000 --> 0:04:40.220000
 Let me, there we are, open up a
 PowerShell window in here.

0:04:40.220000 --> 0:04:48.780000
 And we are going to execute
 the chainsaw executable here.

0:04:48.780000 --> 0:04:51.540000
 So Windows, that's what we want.

0:04:51.540000 --> 0:04:53.460000
 And then we're going to say hunt.

0:04:53.460000 --> 0:04:58.200000
 Okay, now you can see on the GitHub
 repo, you can take a look at what

0:04:58.200000 --> 0:05:00.420000
 hunt means. There we are.

0:05:00.420000 --> 0:05:02.720000
 So hunting logic for Windows event log.

0:05:02.720000 --> 0:05:07.080000
 So using the sigma and mapping parameters,
 you can specify a directory

0:05:07.080000 --> 0:05:11.920000
 containing a subset of sigma detection
 rules or just the entire sigma

0:05:11.920000 --> 0:05:16.200000
 git repo and chainsaw will automatically
 load, convert and run these rules

0:05:16.200000 --> 0:05:22.480000
 against the provided event logs, the
 mapping file tells chainsaw, which

0:05:22.480000 --> 0:05:28.240000
 fields in the event logs to use for rule
 matching by default and chainsaw

0:05:28.240000 --> 0:05:31.220000
 supports a wide range of event log types.

0:05:31.220000 --> 0:05:35.780000
 Including but not limited to,
 you know, the Sigma ones and so on.

0:05:35.780000 --> 0:05:42.520000
 So you actually have those ones highlighted
 here or referenced specifically.

0:05:42.520000 --> 0:05:46.780000
 So that's what the hunt functionality
 is all about.

0:05:46.780000 --> 0:05:53.380000
 So hunt and then we need to specify
 the path to the EVTX file that we

0:05:53.380000 --> 0:05:54.160000
 would like to analyze.

0:05:54.160000 --> 0:06:00.620000
 So we say C:, this needs to be the
 absolute path, so C:\Users\Administrator\

0:06:00.620000 --> 0:06:07.320000
 Desktop. And then we want to take
 a look at the exports folder.

0:06:07.320000 --> 0:06:11.280000
 Oh, my bad. Let me go ahead and fix that.

0:06:11.280000 --> 0:06:34.380000
 Oh, boy. All right, let me go ahead
 and do C:\Users\Administrator\Exports.

0:06:34.380000 --> 0:06:41.860000
 And then initial, I believe is
 what the folder is called.

0:06:41.860000 --> 0:06:44.260000
 Let me just take a step back there.

0:06:44.260000 --> 0:06:47.240000
 So exports, yeah, initial exports.

0:06:47.240000 --> 0:06:50.840000
 So initial exports.

0:06:50.840000 --> 0:06:55.880000
 And then let's do Sysmon.

0:06:55.880000 --> 0:06:59.920000
 So Sysmon.evtx, we don't
 need the parsed version.

0:06:59.920000 --> 0:07:06.100000
 And then we use the -s parameter
 to specify the rules.

0:07:06.100000 --> 0:07:11.380000
 So in this case, they would be stored
 under C:\Users\Administrator as

0:07:11.380000 --> 0:07:19.240000
 well. Um, under the desktop
 and under tools.

0:07:19.240000 --> 0:07:27.080000
 Here we want chainsaw,
 all platforms plus rules.

0:07:27.080000 --> 0:07:30.580000
 And then under this, there
 is the chainsaw folder.

0:07:30.580000 --> 0:07:36.600000
 And then under this, we
 have sigma, like so.

0:07:36.600000 --> 0:07:41.660000
 And then we need a mapping, we need
 to specify the mapping files.

0:07:41.660000 --> 0:07:44.540000
 So this can be found.

0:07:44.540000 --> 0:07:49.960000
 Um, let's see, where can this be found?

0:07:49.960000 --> 0:07:51.720000
 Let me just check this here.

0:07:51.720000 --> 0:08:05.500000
 So we have tools, chainsaw.

0:08:05.500000 --> 0:08:09.100000
 And then this should be in sigma-master.

0:08:09.100000 --> 0:08:13.560000
 Let's see rules.

0:08:13.560000 --> 0:08:19.320000
 Rules. Actually hold on.

0:08:19.320000 --> 0:08:23.840000
 So this sigma master rule.

0:08:23.840000 --> 0:08:34.180000
 No, one second chainsaw.

0:08:34.180000 --> 0:08:40.420000
 Okay. So one second chainsaw rules.

0:08:40.420000 --> 0:08:43.480000
 No, that's there.

0:08:43.480000 --> 0:08:50.660000
 So we had in here, we would have.

0:08:50.660000 --> 0:08:52.340000
 Yeah, there we are.

0:08:52.340000 --> 0:08:55.160000
 So chainsaw, mappings.

0:08:55.160000 --> 0:08:58.420000
 Then we want all.yaml.

0:08:58.420000 --> 0:09:03.340000
 So let me actually copy this here.

0:09:03.340000 --> 0:09:17.720000
 Like so, okay. Okay.

0:09:17.720000 --> 0:09:18.560000
 That's interesting.

0:09:18.560000 --> 0:09:27.900000
 I copied that. And we also need the
 mapping: C:\Users, mappings.

0:09:27.900000 --> 0:09:34.060000
 And then we have the
 sigma-event-logs-all.

0:09:34.060000 --> 0:09:38.860000
 Then we specify we want to output this
 in CSV, which means we can then

0:09:38.860000 --> 0:09:43.620000
 analyze it with timeline
 explorer as well.

0:09:43.620000 --> 0:09:49.400000
 We want to output this into, I believe
 I created an output folder in my

0:09:49.400000 --> 0:09:53.300000
 chainsaw directory that
 I extracted. Here, output.

0:09:53.300000 --> 0:09:57.900000
 Let me get rid of those results there.

0:09:57.900000 --> 0:10:02.040000
 Those were earlier exports of mine.

0:10:02.040000 --> 0:10:07.860000
 So output and so we'll say output because
 we're working in that directory

0:10:07.860000 --> 0:10:11.300000
 anyway. Let's see.

0:10:11.300000 --> 0:10:15.780000
 So output and then we will say sigma.

0:10:15.780000 --> 0:10:21.380000
 Okay. So it's going to load
 the detection rules.

0:10:21.380000 --> 0:10:27.600000
 And then there we are.

0:10:27.600000 --> 0:10:32.820000
 It's going to load one forensic artifact
 and then it's going to perform

0:10:32.820000 --> 0:10:36.840000
 the hunt. It shouldn't take more
 than a minute here, actually.

0:10:36.840000 --> 0:10:41.100000
 So just 15.1 megabytes.

0:10:41.100000 --> 0:10:48.720000
 So let's see actually whether I am
 correct with regards to this here.

0:10:48.720000 --> 0:10:49.400000
 So there we are.

0:10:49.400000 --> 0:10:52.940000
 243 detections found on 184 documents.

0:10:52.940000 --> 0:10:55.820000
 Remember documents means logs.

0:10:55.820000 --> 0:10:58.040000
 So sigma on here, we have the CSV.

0:10:58.040000 --> 0:11:04.640000
 So now we can go into tools
 and timeline explorer.

0:11:04.640000 --> 0:11:07.820000
 Open this up here.

0:11:07.820000 --> 0:11:10.260000
 And hopefully I don't have any filters.

0:11:10.260000 --> 0:11:14.520000
 Okay, it doesn't look like
 I do, not yet at least.

0:11:14.520000 --> 0:11:17.340000
 And then we just want to drag and drop.

0:11:17.340000 --> 0:11:23.180000
 And if the formatting was done correctly,
 then we should have the.

0:11:23.180000 --> 0:11:26.080000
 Let me bring this up here.

0:11:26.080000 --> 0:11:27.060000
 Okay, beautiful.

0:11:27.060000 --> 0:11:29.300000
 So we have timestamp detections.

0:11:29.300000 --> 0:11:32.740000
 So these are the detections now that
 you know pretty much conclusively

0:11:32.740000 --> 0:11:34.860000
 tell us what we're dealing with.

0:11:34.860000 --> 0:11:38.960000
 So let's take a look at this here.

0:11:38.960000 --> 0:11:40.360000
 Actually hold on.

0:11:40.360000 --> 0:11:45.300000
 So timestamp. Yeah, the oldest
 are at the very top.

0:11:45.300000 --> 0:11:50.300000
 So you know, PowerShell execution, non-
 interactive PowerShell process spawned.

0:11:50.300000 --> 0:11:52.960000
 And I believe the other fields.

0:11:52.960000 --> 0:11:53.900000
 Yeah, there we are.

0:11:53.900000 --> 0:11:59.120000
 So we have the event data and then.

0:11:59.120000 --> 0:12:01.860000
 Yeah, I think that's it.

0:12:01.860000 --> 0:12:08.520000
 But this is really just to identify
 those specific logs that have been

0:12:08.520000 --> 0:12:12.520000
 deemed suspicious in alignment with the.

0:12:12.520000 --> 0:12:17.780000
 Sigma rules. So this is really dependent
 on the rules that you're using,

0:12:17.780000 --> 0:12:20.340000
 but you can see the image here.

0:12:20.340000 --> 0:12:24.220000
 So yeah, this is fairly accurate or
 you know, pretty much as accurate

0:12:24.220000 --> 0:12:28.740000
 as it gets. We then have
 PowerShell execution here.

0:12:28.740000 --> 0:12:31.140000
 Let me just take that.

0:12:31.140000 --> 0:12:34.280000
 So the signature here is nothing.

0:12:34.280000 --> 0:12:36.500000
 Okay, interesting.

0:12:36.500000 --> 0:12:41.100000
 Sysmon file creation detected, partial
 Office file, macro file.

0:12:41.100000 --> 0:12:42.300000
 That's interesting.

0:12:42.300000 --> 0:12:43.900000
 What's this about?

0:12:43.900000 --> 0:12:50.580000
 Okay, so possibly something
 to investigate.

0:12:50.580000 --> 0:12:55.140000
 So we can see the timestamp
 here, the detections.

0:12:55.140000 --> 0:12:58.240000
 Let's take a closer look at this here.

0:12:58.240000 --> 0:13:04.200000
 So just one count the event ID.

0:13:04.200000 --> 0:13:07.020000
 Yeah, there's nothing else.

0:13:07.020000 --> 0:13:10.080000
 So nothing too interesting there.

0:13:10.080000 --> 0:13:15.000000
 We also have here a very interesting
 dynamic .NET compilation.

0:13:15.000000 --> 0:13:18.920000
 Yeah, that was me installing .NET.

0:13:18.920000 --> 0:13:29.060000
 And then let's take a look at this here.

0:13:29.060000 --> 0:13:32.260000
 So called detections.

0:13:32.260000 --> 0:13:37.000000
 We can now see some very good intelligence
 or correlation here.

0:13:37.000000 --> 0:13:40.980000
 So bypass UAC. Using Event Viewer, we
 would not have been able to determine

0:13:40.980000 --> 0:13:43.060000
 that without, you know, additional
 investigation.

0:13:43.060000 --> 0:13:47.940000
 So in this case, Image, C:\Windows\
 System32\WindowsPowerShell.

0:13:47.940000 --> 0:13:51.060000
 There we are. And then we can take a
 look at some of the other activities.

0:13:51.060000 --> 0:13:54.000000
 So a new PowerShell instance created here.

0:13:54.000000 --> 0:13:57.820000
 What is that in reference
 to nothing there?

0:13:57.820000 --> 0:13:59.960000
 PowerShell execution.

0:13:59.960000 --> 0:14:02.680000
 whoami. There we are.

0:14:02.680000 --> 0:14:06.100000
 Potential persistence attempt by
 existing service tampering.

0:14:06.100000 --> 0:14:09.500000
 This is suspicious service
 path modification.

0:14:09.500000 --> 0:14:11.480000
 Let's take a look at that there.

0:14:11.480000 --> 0:14:13.880000
 Let's see what exactly is going on.

0:14:13.880000 --> 0:14:28.480000
 So let's just see, config Fax, binary
 path is powershell.exe, no exit,

0:14:28.480000 --> 0:14:35.300000
 write-host. Yeah, so that was the simulation
 I'd done for, in this case,

0:14:35.300000 --> 0:14:40.740000
 persistence. We can see that here.

0:14:40.740000 --> 0:14:45.620000
 So we have a parent user, all that
 good stuff, current directory.

0:14:45.620000 --> 0:14:48.140000
 And it should point towards.

0:14:48.140000 --> 0:14:51.020000
 Yeah, okay, so that is perfect.

0:14:51.020000 --> 0:14:53.800000
 And then we have this
 one right over here.

0:14:53.800000 --> 0:14:55.640000
 What mapping do we have here?

0:14:55.640000 --> 0:14:57.820000
 So service tampering.

0:14:57.820000 --> 0:15:01.240000
 There we are scheduled task registry.

0:15:01.240000 --> 0:15:03.940000
 So via registry modification.

0:15:03.940000 --> 0:15:05.740000
 We can see that in here.

0:15:05.740000 --> 0:15:08.600000
 Then we have the actual
 scheduled task here.

0:15:08.600000 --> 0:15:14.920000
 So again, the only reason we're seeing
 that, at least with regards to

0:15:14.920000 --> 0:15:20.560000
 the actual the command line argument.

0:15:20.560000 --> 0:15:23.360000
 The reason why you're seeing the technique
 highlighted is because again,

0:15:23.360000 --> 0:15:28.420000
 I utilize the atomic red team framework
 to emulate these attacks.

0:15:28.420000 --> 0:15:30.660000
 So at least you have an idea
 as to what they look like.

0:15:30.660000 --> 0:15:35.280000
 But we can see the scheduled task created
 here, calc.exe, which I

0:15:35.280000 --> 0:15:39.220000
 did observe as malicious activity
 when I restarted the system.

0:15:39.220000 --> 0:15:45.380000
 Yeah, so hopefully you can start to see
 now that there's quite a few tools

0:15:45.380000 --> 0:15:50.180000
 that can actually make your job much
 easier with regards to narrowing

0:15:50.180000 --> 0:15:58.640000
 down, you know, the logs to just the
 ones that again are malicious.

0:15:58.640000 --> 0:16:02.060000
 And of course, you know, it goes without
 saying that this is based on

0:16:02.060000 --> 0:16:05.340000
 the Sigma rule set.

0:16:05.340000 --> 0:16:08.220000
 But you can see right over here.

0:16:08.220000 --> 0:16:10.720000
 What was this one specifically?

0:16:10.720000 --> 0:16:11.980000
 So yeah, there we are bloodhound.

0:16:11.980000 --> 0:16:16.840000
 So it actually detects execution of tools
 or malware, bloodhound sharphound.

0:16:16.840000 --> 0:16:19.700000
 That's an Active Directory
 enumeration tool.

0:16:19.700000 --> 0:16:21.560000
 And we have this one here.

0:16:21.560000 --> 0:16:26.460000
 That's interesting because yeah, that
 just shows up as PowerShell might

0:16:26.460000 --> 0:16:31.540000
 be interesting. Okay, let's
 take a look at this here.

0:16:31.540000 --> 0:16:36.300000
 So there we are, non-interactive PowerShell
 process spawn, PowerShell web

0:16:36.300000 --> 0:16:41.560000
 download usage of web request
 command and commandlets.

0:16:41.560000 --> 0:16:50.240000
 So was that when I tried to fetch a
 particular, let's bring it up here.

0:16:50.240000 --> 0:16:58.560000
 One second, yeah, process, yeah,
 we can see that PowerShell.

0:16:58.560000 --> 0:17:02.580000
 Yeah, it actually downloaded this particular
 atomic file for phishing.

0:17:02.580000 --> 0:17:04.420000
 So it actually downloaded the attachment.

0:17:04.420000 --> 0:17:08.000000
 So yeah, chainsaw and Sigma
 is a game changer.

0:17:08.000000 --> 0:17:10.420000
 And I just wanted to show you this here.

0:17:10.420000 --> 0:17:13.780000
 Now, that's pretty much all
 that I wanted to highlight.

0:17:13.780000 --> 0:17:15.220000
 As I said, there's no real incident.

0:17:15.220000 --> 0:17:19.100000
 It was me pretty much just emulating
 or simulating attacks and then, you

0:17:19.100000 --> 0:17:24.080000
 know, giving you an idea as to how
 you can collect or export the logs,

0:17:24.080000 --> 0:17:28.580000
 parse them, analyze them, and then enhance
 your analysis with tools like

0:17:28.580000 --> 0:17:35.880000
 Timeline Explorer augmenting that with,
 you know, chainsaw and Sigma to

0:17:35.880000 --> 0:17:42.200000
 actually give you what is deemed or,
 you know, to give you a set of events

0:17:42.200000 --> 0:17:48.140000
 or logs to start with or that are malicious
 or, you know, are confirmed

0:17:48.140000 --> 0:17:57.620000
 malicious based or when mapped to particular
 rules in this case, I'll

0:17:57.620000 --> 0:18:02.280000
 give you that, you know, give you
 an understanding of the process.

0:18:02.280000 --> 0:18:05.740000
 Now, this lab is fairly robust.

0:18:05.740000 --> 0:18:09.940000
 I will be making some changes to it
 before you actually get to play it.

0:18:09.940000 --> 0:18:16.200000
 So before this course is even released,
 which means you will be able to

0:18:16.200000 --> 0:18:28.440000
 at any given point in time export, you
 know, logs will not be overwritten

0:18:28.440000 --> 0:18:31.020000
 or anything like that.

0:18:31.020000 --> 0:18:33.740000
 And, you know, you'll be able
 to follow along with it.

0:18:33.740000 --> 0:18:38.040000
 And as I said, all the tools
 have been installed.

0:18:38.040000 --> 0:18:43.500000
 Now, if you want to simulate your own
 attacks, I have included the Atomic

0:18:43.500000 --> 0:18:48.380000
 Red Team folder in here so you can
 just invoke and the only difference

0:18:48.380000 --> 0:18:50.840000
 is because the lab will not be
 connected to the internet.

0:18:50.840000 --> 0:18:56.240000
 Some atomic tests require an internet
 connection like the phishing atomic

0:18:56.240000 --> 0:19:01.120000
 test that actually tries to fetch,
 you know, a particular attachment.

0:19:01.120000 --> 0:19:06.640000
 So you'll only be able to execute the
 ones that are, that don't require

0:19:06.640000 --> 0:19:08.160000
 internet connection.

0:19:08.160000 --> 0:19:12.620000
 But this is a great opportunity for
 you to, you know, emulate particular

0:19:12.620000 --> 0:19:15.520000
 attacks or TTPs as it were.

0:19:15.520000 --> 0:19:20.360000
 And then, you know, try and see whether
 you can identify them in the,

0:19:20.360000 --> 0:19:26.440000
 you know, Security channel, Sysmon, etc.

0:19:26.440000 --> 0:19:30.200000
 And yeah, so that is pretty much it.

0:19:30.200000 --> 0:19:33.820000
 And that brings us to the end of the
 practical demonstration section of

0:19:33.820000 --> 0:19:39.200000
 this video. All right, so that was
 how to enhance Windows log analysis

0:19:39.200000 --> 0:19:40.780000
 with chainsaw and Sigma.

0:19:40.780000 --> 0:19:43.640000
 Hopefully you found that useful.

0:19:43.640000 --> 0:19:48.080000
 As I said, it's not really important
 that there wasn't an incident for

0:19:48.080000 --> 0:19:51.940000
 you to analyze. In fact, it's better
 this way because if I, you know,

0:19:51.940000 --> 0:19:55.020000
 if you're a beginner getting into incident
 response and I give you this

0:19:55.020000 --> 0:20:00.860000
 brief or intro right now, and we use
 an incident or, you know, sort of

0:20:00.860000 --> 0:20:06.060000
 semi-realistic incident for you to analyze,
 it's leaving out the fundamentals

0:20:06.060000 --> 0:20:10.860000
 of using the tools, exploring, playing
 around with them, getting comfortable

0:20:10.860000 --> 0:20:14.700000
 with them. So it's only when you get
 comfortable with these tools and

0:20:14.700000 --> 0:20:22.480000
 you understand, you know, the process
 or processes from a, from both a

0:20:22.480000 --> 0:20:26.420000
 theoretical and practical perspective,
 and you're able to sort of picture

0:20:26.420000 --> 0:20:30.780000
 the methodology behind, you know, a specific
 process like, you know, Windows

0:20:30.780000 --> 0:20:36.800000
 event log analysis, are you able then
 to apply it when you are actually

0:20:36.800000 --> 0:20:38.000000
 handling an incident?

0:20:38.000000 --> 0:20:44.380000
 So hopefully, you know, this gave you
 an idea as to what endpoint log

0:20:44.380000 --> 0:20:46.300000
 analysis is like.

0:20:46.300000 --> 0:20:52.720000
 And, you know, we pretty much covered
 the entire process or lifecycle

0:20:52.720000 --> 0:20:58.880000
 or went through it from exporting them
 to parsing them to analyzing what

0:20:58.880000 --> 0:21:03.960000
 we've parsed, and then sort of augmenting
 our analysis using a tool like

0:21:03.960000 --> 0:21:11.360000
 chainsaw to hunt for, you know, malicious
 activity or correlate the logs

0:21:11.360000 --> 0:21:16.260000
 that we're analyzing to malicious activity
 based on, you know, sigma rules.

0:21:16.260000 --> 0:21:20.080000
 Don't worry if you're not, if you don't
 understand what sigma is, it's

0:21:20.080000 --> 0:21:22.940000
 not really appropriate to introduce
 it right now, because this course

0:21:22.940000 --> 0:21:24.460000
 has been very long.

0:21:24.460000 --> 0:21:29.320000
 And I will be introducing it in time
 when it becomes even more relevant,

0:21:29.320000 --> 0:21:32.960000
 more specifically in the threat intelligence
 and threat hunting course,

0:21:32.960000 --> 0:21:37.900000
 as well as the specialized digital
 forensics course, we will be diving

0:21:37.900000 --> 0:21:39.640000
 even deeper into analysis.

0:21:39.640000 --> 0:21:42.500000
 And it's from that point that we'll start
 to have, you know, more realistic

0:21:42.500000 --> 0:21:48.820000
 investigations. In any case, that's
 going to be it for this video.

0:21:48.820000 --> 0:21:51.200000
 And I will be seeing you
 in the next video.

