SANS - FOR508 Index

| Exam Question Trigger | Artifact / Path | Tool / Command | Red Flag / Page |
| :--- | :--- | :--- | :--- |
| "Find process hollowing in memory dump" | N/A - Volatility | vol -f mem.dmp windows.malfind | Checks VadFlags.Protection = PAGE_EXECUTE_READWRITE (B5-p87) |
| "Last time USB was plugged in" | SYSTEM hive: CurrentControlSet\Enum\USBSTOR | RegRipper or RECmd | Look for FriendlyName and LastInsertion time (B2-p112) |
| "Bypass of Autoruns via WMI" | WMI Persistence -> ActiveScriptEventConsumer | wmic or AutorunsSC | Look for CommandLineTemplate containing powershell (B6-p45) |

To ace the practical, build an index on a single laminated sheet of paper.

Look up: Process Injection -> See: Book 5, Page 87 (Malfind) / Page 102 (Hollowing).

When you sit for the GCFA exam, and you see a question about parsing the $J journal to find a deleted Ransomware note, you will smile. You will glance at your laminated, 4-page, gold-standard index. You will flip directly to Book 3, Page 144. And you will pass.

Take the top 20 hardest commands and sort them by action rather than artifact. This inversion allows you to react to the verb of the question, not just the noun.

Building the FOR508 index should take you exactly three days. Do not start it before you have read the books once.

Posted on 30 October 2024
