Free Resources for Incident Response Professionals

To help make your tough job a bit easier.

Lateral Movement Analyst Reference

Learn to detect lateral movement within your environment.

Lateral Movement Analyst Reference

Event Log Analyst Reference

Windows Event Logs store an increasingly rich set of data. This reference walks you through configuring, storing and analyzing Windows events.

Windows Event Log Analyst Reference

Memory Analysis with Volatility Analyst Reference

The battle for our boxes is increasingly being fought in RAM. Learn to use Volatility to hunt for evil on your systems.

Volatility Analyst Reference

Credential Defense Analyst Reference

Most attackers use credential theft as a key tactic. This document presents key defensive controls to make your environment a harder target.

Credential Defense Analyst Reference

Default Windows Processes Quick Reference

Quick Reference on normal system processes on a Windows system, including their executable’s path on disk, the usual process tree, and descriptions of each process. Perfect to help during memory analysis and system triage.

Default Windows Processes Quick Reference

WMIC Quick Reference

Windows Management Instrumentation Command-line utility is a great resource for incident responders. This quick reference will help you with examples and syntax.

WMIC Quick Reference

PowerShell Quick Reference

A quick reference starting point for exploring the immense value of PowerShell for incident response. Also see the Light Side of the Force presentation below for more on PowerShell.

PowerShell Quick Reference

The Light Side of the Force:PowerShell for Incident Response

High profile tools like Empire and Death Star harness PowerShell for offensive purposes. This presentation examines ways that IT security professionals can leverage PowerShell to protect their assets.

Light Side of the Force Presentation

Pivot and Pillage: Lateral Movement within a Victim Network

Modern attackers are like ninjas, stealthily skulking in the shadows, using existing tools to blend in with everyday network activity. This presentation accompanies our Lateral Movement Analysis Analyst Reference PDF to highlight ways to detect and defeat these hidden adversaries.

Pivot and Pillage Presentation

BYOD or Bring Your Own Destruction

Bring Your Own Device is a paradigm that allows employees to access critical data from almost anywhere using devices that cost the employer nothing. Or do they? We’ll take a look at many of the challenges and assumptions that have gone into BYOD policies, or lack thereof, and take a moment to evaluate how reasonable our rush to embrace this approach has been. We’ll consider technical challenges such as vulnerability management, mobile device management platforms, and mobile device forensic challenges and look at what countermeasures we can employ to acknowledge and address the reality of this model.

BYOD Presentation

A Network Defender’s Guide to
Credential Attacks

Since the traditional network perimeter has disappeared, network defense increasingly relies upon authenticated access to resources as a primary security control. Unfortunately, attackers have become extremely proficient at stealing and reusing credentials of all types, resulting in stealthy attacks that blend in with normal network activity. This talk will explain how these attacks are possible on premise, in the cloud, and across the Internet with a goal of understanding how to prevent and detect them in your environment.


A Network Defender’s Guide to Credential Attacks Presentation

Do You Want to Build a Test Lab?

You can get free Microsoft licenses from here:

You can configure a test domain using the Config-LabSystem.ps1 script and the associated UserList.csv here ⤵

Additional Links

If you would like some recommendations for other sites to get great IT security information, click here.