We’re excited to announce a major content update to the SANS FOR508™: Advanced Incident Response, Threat Hunting, and Digital Forensics™ course. This release reflects our continued mission to ensure FOR508 evolves alongside attacker tradecraft and the changing enterprise environment.
This Spring 2025 version includes a broad refresh across nearly half of the course. Starting with revised introductory material, we’ve updated incident response statistics to reflect current industry trends and added new insights into threat hunting methodology, cyber threat intelligence integration, and modern use of the MITRE ATT&CK® framework.
To help students sharpen their analytical mindset, we’ve added new explainer slides focused on practical detection challenges, including:
- Structuring a threat hunting investigation
- Common C2 frameworks and evasion techniques
- File hiding tricks using homoglyphs and misspellings
- Malicious use of legitimate third-party tools (e.g., remote access or file sharing)
- Dynamic-link library (DLL) hijacking and abuse
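The homoglyph and misspelling item above is the kind of check a hunter wants to run mechanically rather than by eye. The following is an added example, not course material or SANS code: it scores filenames against a small, constructed list of Windows system binaries by collapsing Unicode confusables and digit-for-letter swaps into an ASCII "skeleton" and then measuring edit distance. The confusable table, the digit map and the binary list are deliberately partial assumptions for the example; in practice you would load the full Unicode confusables data and a complete inventory of the System32 directory.

```python
import unicodedata

# Constructed, deliberately partial table of Unicode characters that render
# like ASCII letters (a small subset of Unicode's confusables data). This is
# an assumption for the example; a real hunt would load confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",  # Cyrillic a c e o
    "\u0440": "p", "\u0445": "x", "\u0455": "s", "\u0456": "i",  # Cyrillic p x s i
    "\u0458": "j", "\u04bb": "h", "\u0131": "i", "\u0261": "g",  # je, shha, dotless i, script g
}
# ASCII digit-for-letter swaps commonly used in misspelled names (assumption).
DIGIT_LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed subset of Windows system binaries that attackers like to imitate.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "conhost.exe", "rundll32.exe",
}
MAX_EDITS = 2  # edit-distance threshold for calling a name a look-alike


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(name: str) -> str:
    """Collapse a filename to an ASCII skeleton so look-alikes compare equal.

    NFKC folds fullwidth and other compatibility forms, CONFUSABLES folds
    Cyrillic and similar glyphs, DIGIT_LOOKALIKES folds 0/1/3/5 to letters.
    Both the candidate and the known names go through this, so a legitimate
    digit in a known name (rundll32) is folded identically on both sides.
    """
    folded = unicodedata.normalize("NFKC", name).lower()
    out = []
    for ch in folded:
        ch = CONFUSABLES.get(ch, ch)
        out.append(DIGIT_LOOKALIKES.get(ch, ch))
    return "".join(out)


def classify(name: str) -> dict:
    """Compare one filename against the known list and return a verdict."""
    lowered = name.lower()
    if lowered in KNOWN_SYSTEM_BINARIES:
        return {"name": name, "verdict": "exact", "matches": lowered, "edits": 0}
    sk = skeleton(name)
    best, best_dist = None, None
    for known in sorted(KNOWN_SYSTEM_BINARIES):  # sorted so ties resolve deterministically
        d = levenshtein(sk, skeleton(known))
        if best_dist is None or d < best_dist:
            best, best_dist = known, d
    if best_dist == 0 and not name.isascii():
        verdict = "homoglyph"   # renders as a system binary name but is not one
    elif best_dist <= MAX_EDITS:
        verdict = "lookalike"   # misspelling or digit swap of a system binary name
    else:
        verdict = "unknown"
        best = None
    return {"name": name, "verdict": verdict, "matches": best, "edits": best_dist}


if __name__ == "__main__":
    # Constructed sample names, as they might appear in a directory listing or a Sysmon event.
    samples = ["svchost.exe", "svch0st.exe", "svch\u043est.exe", "scvhost.exe",
               "lsasss.exe", "notepad.exe"]
    for sample in samples:
        print(classify(sample))
```

A hit here is a lead, not a verdict: a name that matches exactly still deserves a look when it lives outside its expected directory, and a non-ASCII name that folds to nothing known may simply be a localized file. The `edits` value tells you how far a look-alike sits from the real name, which is useful for ranking.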
One of the most significant upgrades is a complete rewrite of the credential theft material. This revamp emphasizes core concepts like the difference between authentication and authorization, while expanding coverage of modern attack techniques like authentication coercion, relay attacks, and Kerberos delegation abuse. We’ve also added visualizations that illustrate how a single credential use is recorded as separate events on the source host, the target host, and the domain controller, helping students understand the distributed nature of authentication and authorization logging.
The lateral movement section has also been significantly enhanced. We’ve increased coverage of attacks that generate network logon events (Windows event ID 4624 with logon type 3), including lesser-known but highly relevant techniques like Remote Registry and DCOM abuse. The material on detecting these movements has been reorganized for improved clarity and now includes walk-throughs of the log anomalies that credential attacks leave behind.
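The credential-use and lateral-movement material above turns on one idea: a single network logon leaves pieces of evidence on different machines, and the pieces should agree. The following added example (mine, not course material or SANS code) correlates constructed target-host 4624 logon type 3 events with the domain controller's 4769 (Kerberos service ticket requested) and 4776 (NTLM credential validation) events. It flags Kerberos network logons with no matching service-ticket request on the DC for that host and client, which is what a forged service ticket or a ticket lifted from another host produces; RC4 (0x17) service tickets, the classic Kerberoasting tell; and NTLM network logons by domain accounts, the shape pass-the-hash takes on the target. The host names, times, the 120-second window and every event record are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names follow the Windows
# Security log. WS02 is the target of three network logons (4624, type 3);
# DC01 holds the Kerberos service-ticket request (4769) and NTLM validation
# (4776) that a legitimate logon leaves behind on the domain controller.
TARGET_HOST = "WS02"
WINDOW = timedelta(seconds=120)  # assumed: DC evidence precedes the logon by at most this


def ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


TARGET_EVENTS = [  # from WS02's Security log (constructed)
    {"Time": ts("2025-03-01T10:00:05"), "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},
    {"Time": ts("2025-03-01T10:02:00"), "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99"},
    {"Time": ts("2025-03-01T10:05:00"), "EventID": 4624, "LogonType": 3,
     "TargetUserName": "administrator", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.77"},
]

DC_EVENTS = [  # from DC01's Security log (constructed)
    {"Time": ts("2025-03-01T10:00:03"), "EventID": 4769,
     "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS02$",
     "IpAddress": "::ffff:10.0.0.5", "TicketEncryptionType": "0x12"},
    {"Time": ts("2025-03-01T10:01:59"), "EventID": 4776,
     "TargetUserName": "svc_backup", "Workstation": "WS99"},
]


def norm_user(user: str) -> str:
    """'jsmith@CORP.LOCAL', 'CORP\\jsmith' and 'jsmith' all become 'jsmith'."""
    return user.split("@")[0].split("\\")[-1].lower()


def norm_ip(ip: str) -> str:
    """4769 records IPv4 clients as IPv4-mapped IPv6 ('::ffff:10.0.0.5')."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def corroborating_dc_event(logon: dict, dc_events: list,
                           target_host: str = TARGET_HOST, window: timedelta = WINDOW):
    """Return the DC event a legitimate version of this logon would have produced, or None."""
    user = norm_user(logon["TargetUserName"])
    pkg = logon["AuthenticationPackageName"]
    for ev in dc_events:
        if not (logon["Time"] - window <= ev["Time"] <= logon["Time"]):
            continue
        if norm_user(ev["TargetUserName"]) != user:
            continue
        if pkg == "Kerberos" and ev["EventID"] == 4769:
            # The ticket must be for this host's service account and must have been
            # requested by the same client that later presented it.
            same_service = ev["ServiceName"].rstrip("$").lower() == target_host.lower()
            same_client = norm_ip(ev.get("IpAddress", "")) == norm_ip(logon["IpAddress"])
            if same_service and same_client:
                return ev
        elif pkg == "NTLM" and ev["EventID"] == 4776:
            return ev
    return None


def hunt_network_logons(target_events: list, dc_events: list) -> list:
    """Cross-check each network logon on the target against the DC's view of it."""
    findings = []
    for logon in target_events:
        if logon["EventID"] != 4624 or logon["LogonType"] != 3:
            continue
        dc = corroborating_dc_event(logon, dc_events)
        pkg = logon["AuthenticationPackageName"]
        # A local account (domain field equals the host name) never touches the DC.
        domain_account = logon["TargetDomainName"].lower() != TARGET_HOST.lower()
        base = {"user": norm_user(logon["TargetUserName"]),
                "source": norm_ip(logon["IpAddress"]), "time": logon["Time"].isoformat()}
        if pkg == "Kerberos" and dc is None:
            findings.append({**base, "reason": "kerberos-logon-without-matching-4769"})
        elif pkg == "Kerberos" and dc.get("TicketEncryptionType") == "0x17":
            findings.append({**base, "reason": "rc4-service-ticket"})  # RC4-HMAC in an AES domain
        elif pkg == "NTLM" and domain_account:
            findings.append({**base, "reason": "ntlm-network-logon-domain-account",
                             "dc_validated": dc is not None})
    return findings


if __name__ == "__main__":
    for finding in hunt_network_logons(TARGET_EVENTS, DC_EVENTS):
        print(finding)
```

On the constructed data, jsmith's logon is fully explained by the DC (a matching 4769 from the same client with AES), svc_backup's NTLM logon is validated by a 4776 but still surfaces for review, and the administrator logon has no DC-side trace at all. In a real hunt the DC side must include every domain controller, since the ticket request and the logon can be served by different DCs, and the window should be tuned to observed clock skew.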
We’ve also added important updates on Microsoft Entra ID (formerly Azure AD) and its growing integration with on-premises environments. We examine how these hybrid setups affect logging visibility and interpretation, equipping students with the context needed to hunt and investigate across cloud-connected infrastructures.
In the area of memory forensics, we’ve refreshed our list of acquisition tools and our techniques for processing hibernation files (hiberfil.sys), and updated the course virtual machines (VMs) and hands-on labs to support the latest memory forensics tools. We also introduced new content on detecting malicious and abusable Windows drivers (the “LOLDrivers”: signed drivers that are vulnerable or malicious and that attackers load to gain kernel access), a growing challenge in modern investigations.
Our sections on malware discovery, timeline analysis, and anti-forensics detection were not changed significantly, but each received a variety of small improvements.
We view FOR508 as an ever-evolving course—one that equips incident responders and threat hunters with the most relevant and actionable skills and knowledge. The Spring 2025 update is a thoughtful, forward-looking enhancement to the material, and we can’t wait for students to dig into it.
Whether you're hunting for credential abuse, investigating attacker lateral movement, analyzing memory dumps, or interpreting Windows artifacts in a forensic timeline — the FOR508 course is here to sharpen your skills and prepare you for the challenges that lie ahead.
Explore the Latest Updates to the FOR508 Course
See how the Spring 2025 refresh of SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics prepares you to tackle modern threats with practical techniques and hands-on experience. Register for an upcoming course or sign up for a demo to learn more.