
Windows Enterprise Incident Response: A MITRE ATT&CK & Unified Kill Chain Approach // Field Effect
In-Person | November 2-4 | 3 Days
BOOK NOWABSTRACT
Modern intrusions don't stop at a single host, and neither can the responder. This hands-on course builds the investigative tradecraft to detect, scope, and respond to attacks across a Windows enterprise, from the first compromised endpoint to domain-wide control. Using the Unified Kill Chain as the story of how an intrusion unfolds and MITRE ATT&CK as the technique-level map of adversary behavior, participants follow a real attack through its full lifecycle: initial access and persistence, defense evasion and command-and-control, credential theft and lateral movement, and finally data theft, impact, and remediation. Roughly seventy percent of class time is spent hands-on with an open-source DFIR toolset, culminating in a capstone investigation that runs an intrusion end-to-end. Participants leave able to reconstruct an attacker's path, scope a compromise at scale, and hunt proactively for the techniques that matter most.
This course teaches the investigative tradecraft needed to detect, scope, and respond to intrusions in Windows enterprise environments. Rather than following a single vendor's methodology, the course is structured around two open, community-maintained frameworks:
- The Unified Kill Chain (UKC) — provides the end-to-end narrative of how a modern intrusion unfolds, from reconnaissance to impact, organized into the In, Through, and Out phases.
- MITRE ATT&CK — provides the granular catalogue of adversary tactics, techniques, and procedures (TTPs) that map to forensic evidence and detection opportunities at each step.
Participants learn to walk an investigation backward and forward across the kill chain: from a single triaged host, to enterprise-scale scoping, to intelligence-driven threat hunting. Every module ties observed Windows artifacts to specific ATT&CK techniques and to the UKC phase the adversary was operating in. While the labs use Windows, the analytic methodology transfers to any platform.
KEY LEARNING OBJECTIVES
By the end of the course, students will be able to:
- Describe the IR lifecycle and explain how the Unified Kill Chain and MITRE ATT&CK frame an investigation.
- Map observed Windows artifacts to ATT&CK techniques and to UKC phases.
- Triage a single Windows host and extract high-fidelity indicators of compromise.
- Reconstruct an attacker's path: initial access, persistence, privilege escalation, lateral movement, and credential theft.
- Identify data collection, exfiltration, and impact activity.
- Manage investigation data and drive remediation.
- Conduct intelligence-led and anomaly-based threat hunts using known adversary TTPs.
INTENDED AUDIENCE
- Incident response team members and DFIR analysts
- SOC analysts and detection engineers moving into investigations
- Threat hunters
- Blue/purple team members and security engineers
- System and Active Directory administrators responsible for security
COURSE AGENDA
Module 1 — Foundations and Threat Modeling
Foundations — Module 1 establishes fondational IR concepts like the threat landscape, threat modeling, and IR Processes and Management. This day will focus on understanding the modern threat landscape, how modern attacks progress, and how the IR process works to stop, analyze, and remediate these threats.
What's covered:
- Framing the adversary — The current threat landscape, types of threat actors, their motivations, behaviours, trajectories, and TTPs.
- The IR process — How an investigation actually runs: the response lifecycle, the investigative loop (lead → analyze → IOC → sweep), and proper evidence handling and chain of custody. This will also cover scoping and analyzing incidents to determine the extent of compromise, the data you will need to initially gather, where to gather it and how.
- Windows evidence sources — An over view of the Windows Operating System from the perspective of an incident response. We will cover file systems and metadata, event logs, the registry, and execution/usage artifacts (Prefetch, Amcache, Shimcache, SRUM, UserAssist), and which data sources are best used to find the different types of threat actor activities.
- Triage, data management, and data processing — How to safely and effectively capture data in various environments and network configurations, setting up collaborative team environments and workflows, triaging and prioritizing data collection, and processing the right data to get into analysis quickly and effeciently.
Module 2 — Deep Host Forensics
Single Host Analysis — Module 2 will be a deep dive into the forensic analysis of Windows Operating System. It will cover analyzing Windows operating system artifacts to determine how the attackers gain initial access, execute code, maintain persistence, evaded defenses, and establish command and control on a system. This day is focused on Windows evidence sources and other common external application logs like VPN, web application, and firewall logs. Participants will be taught how to hunt, where to hunt, what to prioritize, and the ways that threat actors will try to stop you from being able to do it.
What's covered:
- Event log analysis — The richest source on a modern Windows host. Security, System, PowerShell, WMI, Task Scheduler, and Sysmon logs; finding delivery, exploitation, and execution evidence; and triaging logs with event log analysis tooling.
- Registry forensics — Hive structure, transaction logs, and recovering deleted keys; mining the registry for defense-evasion and user-activity artifacts that corroborate the log evidence.
- Persistence mechanisms — The two faces of persistence: the standard, autoruns-detectable kind (Run/RunOnce keys, scheduled tasks, services, startup folder, WMI subscriptions) that a routine sweep catches, and the non-standard, stealthy kind (DLL planting and search-order hijacking, phantom DLLs, COM hijacking, IFEO/accessibility debugger hijacks, shimming) that you have to hunt for deliberately.
- Defense evasion on the host — How attackers hide: log clearing, timestomping, masquerading, and indicator removal, plus the LOLBins / signed-binary proxy execution that let them run without dropping obvious malware.
- External log sources analysis — Pulling delivery and beaconing evidence from the perimeter (firewall, web/proxy, DNS, VPN, and email gateway logs, plus IDS/IPS alerts and NetFlow), then correlating it with the host artifacts to confirm C2 and exfil paths.
- Timelining — Fusing all of the above using super-timelines (Timesketch) and targeted timelines (Timeline Explorer), anchoring each event to a kill-chain phase to produce a coherent narrative of the initial compromise.
Module 3 — Enterprise Investigations
Enterprise Investigations — Module 3 moves from one host to the whole environment, reconstructing threat actor activity across multiple hosts in a Windows Active Directory environment. It follows the attacker's path through Active Directory: enumerating the environment, stealing credentials, escalating privilege, and moving laterally from machine to machine. Analysis on this day shifts from "what happened on this box" to "where else has the attacker been, and how do I scope it across thousands of hosts."
What's covered:
- Active Directory & authentication — AD structure and the authentication protocols attackers abuse (NTLM, Kerberos); the domain-level evidence sources (domain controller logs, authentication events, and directory changes) that anchor an enterprise investigation.
- Internal reconnaissance & discovery — How attackers map the environment once inside (host, account, network, and domain enumeration) and the footprints that recon tooling (e.g. BloodHound/SharpHound collection) leaves behind in logs and on hosts.
- Privilege escalation — Local and domain privilege-escalation techniques and the evidence each one produces, from misconfiguration abuse to token manipulation and AD attack paths.
- Credential theft — The core of enterprise compromise: LSASS dumping, SAM/NTDS extraction, DCSync, Kerberoasting, and AS-REP roasting, and how to detect credential access across hosts and on the domain controller.
- Lateral movement — Remote-execution techniques (RDP, SMB, WMI, WinRM/PSRemoting, DCOM) and pass-the-hash/pass-the-ticket; correlating source-host and destination-host artifacts with logon events to trace the attacker's path through the network.
- Investigating at scale — Fleet-wide collection and hunting with Velociraptor; stacking, frequency analysis, and IOC sweeps to scope a compromise across thousands of hosts from a single confirmed lead.
Module 4 — Action on Objectives, Remediation & Threat Hunting
Action on Objectives — Module 4 focuses on the final stages of an attack, covering data exfiltration, ransomware, and remediation. It covers the range of modern threat actor TTPs for impact and then focuses on the final phases of the IR process to include managing the investigation's findings, driving remediation, and getting ahead of the next intrusion through proactive threat hunting. The day, and the course, ends with a capstone that runs an intrusion end-to-end across all three kill-chain phases.
What's covered:
- Collection & staging — How attackers find and gather target data before stealing it (data discovery, staging directories, archiving (rar/7z/zip), cloud syncing tools) and the host evidence that reveals what was targeted.
- Exfiltration — Moving data out: exfil over C2, web services, and alternative protocols; using volume and connection analysis to detect and quantify what left the environment.
- Impact — Destructive objectives (ransomware, data destruction, defacement, account manipulation, and inhibiting recovery) and how to reconstruct the impact stage of an intrusion.
- Investigation management — Tracking leads, IOCs, systems, and timelines at scale; documentation, reporting, and stakeholder communication; and producing an ATT&CK Navigator layer that summarizes the whole intrusion.
- Remediation — Tactical containment vs. strategic eradication; running a coordinated remediation event to close persistence and access simultaneously; and hardening posture against the specific techniques observed.
- Threat hunting — The three hunt approaches (intelligence-led (IOC), TTP-based (ATT&CK), and anomaly/analytics-driven); building hypotheses from kill-chain phases and turning findings into detection rules.
- Capstone — full kill chain investigation. An end-to-end investigation of a multi-host intrusion spanning the In, Through, and Out phases. Students triage, scope, reconstruct, and report, delivering an incident timeline, IOC list, ATT&CK Navigator layer, and remediation recommendations.
Lab Environment & Tooling
Labs are built on open-source and free tooling so students can reproduce them after class:
- Acquisition / triage: Velociraptor, FTK Imager
- Artifact parsing: Eric Zimmerman's tools (MFTECmd, EvtxECmd, RECmd, PECmd, AmcacheParser, LECmd, SrumECmd)
- Event logs: event log analysis tooling, EvtxECmd
- Timeline: Timeline Explorer, Timesketch
- Enterprise / hunting: Velociraptor (fleet), Elastic/OpenSearch, ATT&CK Navigator
- Mapping & reference: MITRE ATT&CK Navigator, Unified Kill Chain reference model
Prerequisites
Students should have a working background in one or more of: forensic analysis, log analysis, network traffic analysis, security assessment, penetration testing, or systems/AD administration.
Essential prior knowledge:
- Windows OS internals fundamentals (processes, services, accounts)
- NTFS file system concepts
- Windows Registry structure and use
- Comfort with the command line (cmd / PowerShell)
- Basic Active Directory concepts (domains, GPOs, authentication)
- Awareness of common Windows security controls (Defender, AppLocker, audit policy)
This course is intended for people with a background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or security architecture and system administration. Participants should have a working understanding of the Windows operating system, file system, registry, and use of the command line. Familiarity with Active Directory and basic Windows security controls, plus common network protocols, is beneficial.
Cancellations are not permitted but attendee changes can be accommodated anytime prior to the start of the course.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.