OS Analysis with RegRipper
Course info
Description
Windows Registry analysis is a fundamental step in any incident response scenario, because it provides the conclusive evidence needed to confirm or rule out suspicious activity on a Windows system. In this course, you'll learn how to use RegRipper to detect adversary endpoint attack techniques in an enterprise environment. First, you'll explore the RegRipper plugins, which offer a unique approach to Registry analysis. Next, you'll run RegRipper against various registry hives using a custom set of plugins. Finally, you'll analyze the Windows Registry to detect adversary activity on a Windows host. When you're finished with this course, you'll have the skills and knowledge to use RegRipper to detect these techniques: Create or Modify System Process (T1543), Boot or Logon Autostart Execution (T1547), and Exfiltration Over Physical Medium (T1052).
Section Introduction Transcripts
Course Overview (Tool Introduction)
Welcome to Pluralsight and this blue team course featuring RegRipper, the open-source Windows Registry analysis tool developed and maintained by Harlan Carvey. The Windows Registry has always been central to forensic investigations, since most user activity as well as system activity can be determined from the Windows Registry. And RegRipper is an easy-to-use tool that helps us quickly extract specific information from the Windows Registry. RegRipper comes with a huge list of plugins that can help us quickly detect and analyze a long list of MITRE ATT&CK techniques. And what makes RegRipper really valuable to the blue team is that RegRipper plugins are preconfigured with all of the important registry key locations. So come join me in learning how to use RegRipper for Windows Registry analysis and conduct successful cybercrime investigations.