OS Analysis with RegRipper

RegRipper is an open-source application for extracting, correlating, and displaying specific information from Windows Registry hive files. In this course, you will learn to detect adversary activity on a Windows host using RegRipper.
Course info
Level: Intermediate
Updated: Sep 1, 2020
Duration: 39m
Description

Windows Registry analysis is a fundamental step in any incident response scenario, because the Registry holds the evidence needed to confirm or refute suspected activity on a Windows system. In this course, you’ll learn how to use RegRipper to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll see how RegRipper’s plugin-based approach to Registry analysis works. Next, you’ll run RegRipper against various registry hives using a custom set of plugins. Finally, you’ll analyze the Windows Registry to detect adversary activity on a Windows host. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using RegRipper: Create or Modify System Process (T1543), Boot or Logon Autostart Execution (T1547), and Exfiltration Over Physical Medium (T1052).

About the author

Shoaib is a Senior Cyber Security Professional with a strong background in the Information Security domain. He has worked in various roles such as Security Engineer, Pentester, Forensic Examiner, Incident Handler, IT Auditor and also as a Cyber Security Consultant.

Section Introduction Transcripts

Course Overview (Tool Introduction)
Welcome to Pluralsight and this blue team course featuring RegRipper, the open‑source Windows Registry analysis tool developed and maintained by Harlan Carvey. The Windows Registry has always been central to forensic investigations, since most user activity as well as system activity can be determined from the Windows Registry. And RegRipper is an easy‑to‑use tool that helps us quickly extract specific information from the Windows Registry. RegRipper comes with a huge list of plugins that can help us quickly detect and analyze a long list of MITRE ATT&CK techniques. And what makes RegRipper really valuable to the blue team is that RegRipper plugins are preconfigured with all of the important registry key locations. So come join me in learning how to use RegRipper for Windows Registry analysis and conduct successful cybercrime investigations.