Adversaries move from system to system once they compromise a network. Learn to detect lateral movement within your environment.

Windows Event Logs store an increasingly rich set of data. This reference walks you through configuring, storing and analyzing Windows events.

The battle for our boxes is increasingly being fought in RAM. Learn to use Volatility to hunt for evil on your systems.

Most attackers use credential theft as a key tactic. This document presents key defensive controls to make your environment a harder target.

Quick Reference on normal system processes on a Windows system, including their executable’s path on disk, the usual process tree, and descriptions of each process.

Windows Management Instrumentation Command-line utility is a great resource for incident responders. This quick reference will help you with examples and syntax.

A quick reference for exploring the immense value of PowerShell for incident response, including basic syntax and useful cmdlets.

Review pass-the-hash, pass-the-ticket, and other classic attacks. Then look at Microsoft’s Modern Authentication, attacks against it, and how it relates to your environment.

A high-level look at how PowerShell and PowerShell Remoting can benefit incident responders and network defenders using built-in capabilities.

This presentation accompanies our Lateral Movement Analyst Reference PDF to highlight ways to detect and defeat hidden adversaries.

Examine the assumptions that have gone into BYOD policies and take a moment to evaluate how reasonable our rush to embrace this approach has been.

A look at common credential attacks on premise, in the cloud, and across the Internet with a goal of understanding how to prevent and detect them.

You can get free Microsoft licenses from here:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

https://www.microsoft.com/en-us/evalcenter/

You can configure a test domain using the Config-LabSystem.ps1 script and the associated UserList.csv below