SANS 508 Index GitHub

kape.exe --tsource C:\ --tdest D:\output --target Windows --module !SANS_SIFT
</code></pre>
<hr>
<h2>🔍 Threat Hunting Queries (KQL / Sigma)</h2>
<h3>Suspicious Process Creation (KQL – Defender for Endpoint)</h3>
<pre><code class="language-kusto">DeviceProcessEvents
| where FolderPath contains "temp" or ProcessCommandLine contains "powershell -enc"
// !~ is case-insensitive; != is case-sensitive and would not exclude the lowercase "system" account name MDE records
| where InitiatingProcessAccountName !~ "system"
</code></pre>
<h3>LSASS Dump Detection (Sigma)</h3>
<pre><code class="language-yaml">title: LSASS Access via Procdump
logsource:
  product: windows
  category: process_access
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    CallTrace|contains: 'procdump'
  condition: selection
</code></pre>
<hr>
<h2>📅 Timeline Analysis (Plaso / Timesketch)</h2>
<table>
<tr><th>Command</th><th>Purpose</th></tr>
<tr><td><code>log2timeline.py</code></td><td>Build timeline</td></tr>
<tr><td><code>pinfo.py</code></td><td>Verify timeline</td></tr>
<tr><td><code>psort.py</code></td><td>Filter events</td></tr>
</table>
<p><strong>Example:</strong></p>
<pre><code class="language-bash">log2timeline.py --storage-file timeline.plaso /mnt/evidence/
psort.py -o l2tcsv timeline.plaso > timeline.csv
</code></pre>
<hr>
<h2>🗂️ Key Artifacts (Windows)</h2>
<table>
<tr><th>Artifact</th><th>Tool to Parse</th></tr>
<tr><td>Prefetch</td><td><code>PECmd.exe</code></td></tr>
<tr><td>AmCache</td><td><code>AmCacheParser.exe</code></td></tr>
<tr><td>ShimCache</td><td><code>AppCompatCacheParser.exe</code></td></tr>
<tr><td>RecentDocs</td><td><code>RecentFileCacheParser.exe</code></td></tr>
<tr><td>BAM/DAM</td><td><code>BAMParser.exe</code></td></tr>
<tr><td>$MFT</td><td><code>MFTECmd.exe</code></td></tr>
<tr><td>Event Logs</td><td><code>EvtxECmd.exe</code> / <code>Get-WinEvent</code></td></tr>
<tr><td>LNK Files</td><td><code>LECmd.exe</code></td></tr>
<tr><td>Jump Lists</td><td><code>JumpListParser.exe</code></td></tr>
</table>
<hr>
<h2>📝 Exam Quick Reference (GIAC GCFA / GDAT)</h2>
<table>
<tr><th>Topic</th><th>Key Points</th></tr>
<tr><td><strong>MFT entries</strong></td><td>$STANDARD_INFORMATION vs $FILE_NAME timestamps</td></tr>
<tr><td><strong>USN Journal</strong></td><td><code>$UsnJrnl</code> – change journal</td></tr>
<tr><td><strong>Prefetch</strong></td><td>Last 8 run times, path, hash</td></tr>
<tr><td><strong>ShimCache</strong></td><td>App compat, execution evidence</td></tr>
<tr><td><strong>AmCache</strong></td><td>SHA1 hashes of executed files</td></tr>
<tr><td><strong>Event IDs</strong></td><td>4624 (logon), 4688 (process), 7045 (service)</td></tr>
<tr><td><strong>Time skew</strong></td><td>UTC vs local vs file system</td></tr>
<tr><td><strong>Anti-forensics</strong></td><td>Timestomping, USN journal deletion</td></tr>
</table>
<hr>
<h2>🛠️ Tools List (Aligned with SEC508)</h2>
<ul>
<li><a href="https://github.com/volatilityfoundation/volatility3">Volatility 3</a></li>
<li><a href="https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape">KAPE</a></li>
<li><a href="https://ericzimmerman.github.io/">Eric Zimmerman's Tools</a> (MFTECmd, PECmd, etc.)</li>
<li><a href="https://docs.velociraptor.app/">Velociraptor</a></li>
<li><a href="https://github.com/log2timeline/plaso">Plaso</a> / <a href="https://github.com/google/timesketch">Timesketch</a></li>
<li><a href="https://github.com/SigmaHQ/sigma">Sigma</a></li>
<li><a href="https://github.com/Yamato-Security/hayabusa">Hayabusa</a></li>
</ul>
<hr>
<h2>🤝 Contributing</h2>
<p>Feel free to submit PRs to add:</p>
<ul>
<li>New Volatility 3 plugins</li>
<li>Threat hunting queries for KQL/Sigma/ES-QL</li>
<li>Updated artifact locations for Windows 10/11</li>
<li>GCFA/GDAT exam mnemonics or indexes</li>
</ul>
<hr>
<h2>⚠️ Disclaimer</h2>
<p>This repository is not official SANS material. All content is derived from public resources, open-source tools, and personal study notes.</p>
<pre><code>---</code></pre>
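The two hunting rules in the README above (the KQL process-creation filter and the Sigma LSASS process_access rule) can be exercised offline against sample telemetry. The block below is an added example, not code from the README or from the Sigma or Defender projects; the event rows are constructed for it (the MDE column names and the Sysmon Event ID 10 field names are real, the values are invented), and the small Sigma evaluator only implements the `endswith`/`contains` modifiers and the single `condition: selection` form that the index's rule uses.

```python
"""Added example (not code from the README quoted on this page): run the index's
two hunting rules, the KQL process-creation filter and the Sigma LSASS
process_access rule, as plain Python predicates over constructed events, so the
matching semantics (case handling, Sigma field modifiers) can be seen in action."""
import fnmatch

# Constructed sample rows shaped like Defender for Endpoint DeviceProcessEvents
# (the column names are the real MDE ones; the values are made up for this example).
PROCESS_EVENTS = [
    {"FolderPath": r"C:\Windows\System32\svchost.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs",
     "InitiatingProcessAccountName": "system"},
    {"FolderPath": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "ProcessCommandLine": "upd.exe /silent",
     "InitiatingProcessAccountName": "alice"},
    {"FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessCommandLine": "powershell -enc QQBCAEMA",
     "InitiatingProcessAccountName": "bob"},
    {"FolderPath": r"C:\Windows\Temp\x.exe",
     "ProcessCommandLine": "x.exe",
     "InitiatingProcessAccountName": "system"},
]

# Constructed Sysmon Event ID 10 (ProcessAccess) records, the log source that
# Sigma's windows/process_access category maps to. CallTrace offsets are invented.
ACCESS_EVENTS = [
    {"SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Tools\procdump64.exe+1a2b3"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\svchost.exe+4c1d0"},
]


def kql_suspicious_process(ev):
    """Mirror of the index's KQL process-creation query.

    KQL `contains` is case-insensitive. `!=` is case-sensitive while `!~` is not,
    and MDE records the built-in account as lowercase "system", so the account
    exclusion is implemented case-insensitively here (the `!~` form)."""
    path = ev["FolderPath"].lower()
    cmd = ev["ProcessCommandLine"].lower()
    if not ("temp" in path or "powershell -enc" in cmd):
        return False
    return ev["InitiatingProcessAccountName"].lower() != "system"


# The index's Sigma rule as a dict, with the selection nested the way Sigma expects.
SIGMA_LSASS_RULE = {
    "title": "LSASS Access via Procdump",
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {
        "selection": {
            "TargetImage|endswith": r"\lsass.exe",
            "CallTrace|contains": "procdump",
        },
        "condition": "selection",
    },
}


def _value_matches(value, modifier, pattern):
    """Sigma string matching is case-insensitive; a bare value uses * and ? wildcards."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    return fnmatch.fnmatchcase(v, p)


def sigma_selection_matches(selection, event):
    """Every field in a selection map must match (a Sigma map is an AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _value_matches(event[field], modifier, pattern):
            return False
    return True


def sigma_rule_matches(rule, event):
    """Supports the single-selection condition used by the index's rule."""
    detection = rule["detection"]
    if detection["condition"] != "selection":
        raise ValueError("only 'condition: selection' is implemented in this example")
    return sigma_selection_matches(detection["selection"], event)


def run_hunts(process_events=PROCESS_EVENTS, access_events=ACCESS_EVENTS):
    """Return the indexes of the events each rule fires on."""
    kql_hits = [i for i, ev in enumerate(process_events) if kql_suspicious_process(ev)]
    sigma_hits = [i for i, ev in enumerate(access_events)
                  if sigma_rule_matches(SIGMA_LSASS_RULE, ev)]
    return {"kql_suspicious_process": kql_hits, "sigma_lsass_procdump": sigma_hits}


if __name__ == "__main__":
    print(run_hunts())  # {'kql_suspicious_process': [1, 2], 'sigma_lsass_procdump': [0]}
```

The fourth process event (a binary under `C:\Windows\Temp` started by `system`) is the case the account exclusion exists for: it is filtered out only because the comparison is case-insensitive, which is why the production KQL should use `!~` rather than `!=`.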
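The exam quick reference above pairs "$STANDARD_INFORMATION vs $FILE_NAME timestamps" with "Timestomping" under anti-forensics; the check that connects the two is comparing the 0x10 and 0x30 attribute timestamps of each MFT record. The block below is an added example, not code from the README or from MFTECmd; it reads a constructed CSV whose column names (`si_created`, `fn_created`, and so on) are the example's own assumption rather than any parser's export format, and it applies two well-known heuristics with their false-positive caveats noted in the comments.

```python
"""Added example (not code from the README quoted on this page): flag possible
timestomping by comparing $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30)
timestamps from a parsed $MFT. The CSV column names are an assumption made for
this example, not a particular parser's output format."""
import csv
import io
from datetime import datetime

# Constructed sample: three MFT records as a parser might export them.
# Timestamps are UTC with 100-ns precision (7 fractional digits), like NTFS FILETIME.
SAMPLE_MFT_CSV = r"""entry,path,si_created,si_modified,fn_created,fn_modified
41,\Windows\System32\notepad.exe,2023-02-01T10:15:22.1234567,2023-02-01T10:15:22.1234567,2023-02-01T10:15:22.1234567,2023-02-01T10:15:22.1234567
9001,\Users\alice\AppData\Local\Temp\svch0st.exe,2019-03-04T08:00:00.0000000,2019-03-04T08:00:00.0000000,2024-06-12T14:31:09.5521104,2024-06-12T14:31:09.5521104
9002,\Users\alice\Documents\report.docx,2024-05-01T09:00:00.7711002,2024-05-20T16:44:01.0192284,2024-05-30T11:02:55.3019980,2024-05-30T11:02:55.3019980
"""


def parse_filetime(text):
    """Split 'YYYY-MM-DDTHH:MM:SS.fffffff' into (datetime to the second, 100-ns ticks)."""
    main, _, frac = text.partition(".")
    when = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return when, ticks


def timestomp_indicators(row):
    """Return the names of the indicators one MFT row triggers (empty list = clean)."""
    si_created = parse_filetime(row["si_created"])
    si_modified = parse_filetime(row["si_modified"])
    fn_created = parse_filetime(row["fn_created"])
    hits = []
    # 1. $SI created earlier than $FN created. A file's name record should not
    #    postdate the file itself, but a rename or move refreshes $FN, so this is a
    #    lead to corroborate with $UsnJrnl entries, not proof of tampering.
    if si_created < fn_created:
        hits.append("si_created_before_fn_created")
    # 2. Whole-second $SI timestamps. NTFS keeps 100-ns precision and most
    #    timestomping tools write seconds only, leaving the fraction at zero.
    #    Files copied from FAT volumes share the trait, so weigh the path context.
    if si_created[1] == 0 and si_modified[1] == 0:
        hits.append("si_subsecond_zero")
    return hits


def scan_mft_csv(text):
    """Return {entry_number: [indicators]} for the rows that trigger a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        hits = timestomp_indicators(row)
        if hits:
            findings[int(row["entry"])] = hits
    return findings


if __name__ == "__main__":
    for entry, hits in scan_mft_csv(SAMPLE_MFT_CSV).items():
        print(entry, hits)
```

Entry 9001 trips both heuristics and is the one worth pulling into the timeline; entry 9002 trips only the first and is the false positive the comment describes (a document moved into a new folder after it was written), which is why a $SI/$FN mismatch should be cross-checked against the USN journal before it is called timestomping.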

: A fast terminal-based program inspired by the "Voltaire" and "Pancakes" indexing methods.

3. Specialized Incident Response Resources

Remember: The best index is the one you understand. GitHub provides the template; your hard work provides the mastery.

Tracking attacker movement across the network.

Seeking a "deep piece" on the SANS 508 index via GitHub refers to the strategic preparation required for the GIAC Certified Forensic Analyst (GCFA), which accompanies the

The SANS 508 index is a list of the top vulnerabilities in web applications, as identified by the SANS Institute, a leading organization in cybersecurity education and research. The index is based on data from various sources, including the SANS Internet Storm Center, which monitors and analyzes internet traffic and security incidents. The SANS 508 index provides a prioritized list of vulnerabilities, along with recommendations for mitigation and remediation.

SANS updates its course material frequently to keep up with evolving operating systems and attacker techniques. GitHub allows creators to maintain branches for different course versions (e.g., 2024 vs. 2026 editions). Always verify current status and licensing.

Methodology for creating super-timelines and identifying "pivoting" points.

Based on community feedback and contribution activity, here are three standout repositories (as of this writing). Note: These links are illustrative; always verify current status and licensing.

A GitHub-hosted index provides a community-vetted starting point. It allows students to:

This is the most critical and manual step. You will build this yourself during your studies. Open a new spreadsheet and create these columns: