Intrusion Analysis and DFIR Labs: A Hands-On Workshop

Listen to this Post

Featured Image
This workshop focuses on intrusion analysis and Digital Forensics and Incident Response (DFIR) techniques. Participants will engage in a CTF-style lab, analyzing real-world intrusions using Elastic or Splunk, with additional tools like Wireshark for network forensics.

You Should Know:

1. Basic Intrusion Analysis Commands (Linux/Windows)

  • Linux:
    Check running processes
    ps aux | grep -i "suspicious_process"
    
    Analyze network connections
    netstat -tulnp 
    ss -tulnp
    
    Check for unusual cron jobs
    crontab -l 
    ls -la /etc/cron.
    
    Search for hidden files
    find / -name "." -type f -exec ls -la {} \;
    
    Analyze log files
    grep -i "failed" /var/log/auth.log 
    journalctl -u sshd --no-pager 
    

  • Windows (PowerShell):

    Check active connections
    Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}
    
    List scheduled tasks
    Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}
    
    Check for persistence (Registry)
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    
    Analyze event logs
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} 
    

2. Wireshark for Network Forensics

  • Key Filters:

    Detect suspicious HTTP traffic
    http.request.method == "POST" && http.host contains "malicious.com"
    
    Find DNS exfiltration attempts
    dns.qry.name contains "exfil"
    
    Filter by IP
    ip.src == 192.168.1.100 || ip.dst == 192.168.1.100 
    

3. Splunk & Elasticsearch Queries for DFIR

  • Splunk:

    Detect brute-force attacks
    index=security sourcetype=linux_secure "Failed password" | stats count by src
    
    Find unusual process execution
    index=sysmon EventID=1 | search process_name=".exe" | table _time, host, process_name 
    

  • Elasticsearch (KQL):

    Search for suspicious file modifications
    file where event.action == "creation" and file.extension == ".exe"
    
    Detect lateral movement
    winlog where event_id == 4624 and user.name != "SYSTEM" 
    

4. Timeline Analysis with Plaso/log2timeline

 Generate a super timeline
log2timeline.py --storage-file timeline.plaso /evidence/image.dd

Analyze with psort
psort.py -o l2tcsv -w timeline.csv timeline.plaso 

What Undercode Say:

This workshop is a goldmine for DFIR analysts. Mastering timeline analysis, log parsing, and network forensics is crucial. Real-world intrusions often leave traces in logs, memory, and network traffic. Automation with Splunk/Elastic accelerates investigations, while Wireshark helps uncover hidden C2 traffic.

Expected Output:

  • A structured timeline of attack events
  • Identified malicious processes & persistence mechanisms
  • Extracted IOCs (IPs, domains, hashes)
  • Network-based exfiltration detection

Prediction:

As attackers evolve, memory forensics and cloud-based DFIR will dominate future investigations. Analysts must adapt by learning Kubernetes logging and AWS GuardDuty integrations.

Relevant URLs:

( extracted from LinkedIn DFIR workshop post.)

References:

Reported By: Kostastsale I – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram