CYSEC

Windows and AD Eventlog Analysis

Product information

This DFIR course focuses on forensic analysis of Windows and Active Directory event logs. Participants will learn how to use tools like Event Viewer, Sysmon, Elastic XDR, KQL, Lucene, Zimmerman Tools, and Timeline Explorer to identify anomalies and attack patterns.
The theoretical part covers relevant event IDs, modern attack techniques, persistence mechanisms, lateral movement, and fileless malware. In addition, participants will learn about log formats, query techniques, and how to use KQL and Lucene effectively.
The lab portion includes real-world scenarios such as webshells, reverse RDP, enumeration, fileless injection, PowerShell misuse, AD compromise, and service account abuse.
This course aims to equip security professionals not only to react to incidents but also to proactively detect threats through log analysis.

Target audience

This course is designed for participants interested in analyzing Windows and Active Directory event logs in the context of modern attack techniques and DFIR strategies.
  • Administrators
    Responsible for Windows infrastructures and Active Directory
  • SOC Analysts
    Tasked with monitoring and analyzing security-relevant events
  • DFIR Specialists
    Experts in Digital Forensics and Incident Response
  • Threat Hunters
    Hunting for signs of advanced attacks
  • Network and System Admins
    Admins wanting to understand logs as a defense source
  • Security Students
    Students focusing on Blue Teaming and DFIR

Technical requirements

  • Online training is conducted via Zoom.
  • Access to the lab environment requires Remote Desktop.
  • For on-site training: Ethernet and projector required.