SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
DFIR Summit & Training 2025
- Thu, Jul 24 - Thu, Jul 31, 2025
- 9 Courses
- 12 CPEs (Summit Only)
- 1 Tournament
- English
Salt Lake City, UT & Virtual (MT)
75 South West Temple, Salt Lake City, UT
- Slide 1 of 2
- Slide 2 of 2
Summit Highlights
Highly Technical Talks and Sessions
The industry's top practitioners will share their latest digital forensics and incident response research, solutions, tools, and case studies.
One-Of-A-Kind Networking With The Top Minds In DFIR
You’ll have the chance to engage with Summit Chairs, speakers, and your peers in the community for deep-dive discussions, and casual chats over breaks, meals, and evening receptions.
Summit Night Out
The days will be filled with the latest in DFIR, but the fun goes up a notch at night for those joining us in Salt Lake City.
Solutions Expo Hall
Explore the latest tools and solutions in digital forensics, incident response, and threat hunting.
World-Class SANS DFIR Courses
Enhance your knowledge base and add to your toolkit by bundling your Summit experience with a hands-on, immersive course taught by top SANS instructors and course authors.
Register
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
FOR508Digital Forensics and Incident Response
- GIAC Certified Forensic Analyst
- 6 Days
- 36 CPEs
- Eric Zimmerman
- Starts 26 Jul 2025 at 8:30 AM MT
- $8,780 USD (Course)
- $999 USD (Certification)
- *Prices exclude applicable local taxes
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
FOR610Digital Forensics and Incident Response
- GIAC Reverse Engineering Malware
- 6 Days
- 36 CPEs
- Evan Dygert
- Starts 26 Jul 2025 at 8:30 AM MT
- $8,780 USD (Course)
- $999 USD (Certification)
- *Prices exclude applicable local taxes
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
FOR572Digital Forensics and Incident Response
- GIAC Network Forensic Analyst
- 6 Days
- 36 CPEs
- Philip Hagen
- Starts 26 Jul 2025 at 8:30 AM MT
- $8,780 USD (Course)
- $999 USD (Certification)
- *Prices exclude applicable local taxes
Break
Summit Day 109:45AM - 10:00AM MDTIn-Person & Virtual
A North Korean Cyber Operation: Exposing ARP-Based Covert C2s, WebSocket Malware, and Video Conference Software Abuse
This research uncovers a real-world covert remote-control system designed by a North Korean IT worker, who was caught operating within an unsuspecting organization.
In-Person & Virtual
Playbook Power-Up: Applying Modular Design to Maintain IR Playbooks at Scale
With only 23% of surveyed security professionals stating their incident response (IR) playbooks are updated frequently enough to keep up with best practices, a new approach is needed to “power up” the way organizations maintain their playbooks.
In-Person & Virtual
Backdoors & Breadcrumbs: How Threat Actors Persist In Your Microsoft 365
Threat actors don’t just break in, they find creative ways to remain persistent. In this session, we will explore persistence techniques used in real-life Microsoft 365 incidents and how to identify them in your environment.
Virtual
Think Like an Examiner: Strengthening Your Forensic & Response Mindset
Cybersecurity professionals are often faced with complex, high-stakes investigations where quick decision-making and investigative accuracy are critical.
In-Person & Virtual
From Identity Admins to Cloud Compromise: Detecting Modern Ransomware Attacks in the Financial Sector
Human-operated ransomware groups have increased their focus on cloud environments, targeting identity administrators and cloud misconfigurations to gain persistent access.
Virtual
Investigating a Malicious Script in Microsoft Intune: A DFIR Case Study
The proliferation of cloud-based solutions has significantly transformed the landscape of enterprise security, with Microsoft Intune emerging as a pivotal tool for device and application management.
Lunch
Summit Day 112:20PM - 01:30PM MDTIn-Person
MDR to IR Handoffs: Stick The Landing
Security leaders and teams rely on MDR providers to deliver 24/7 monitoring of security events, augment the expertise of internal SOC analysts, assist with or perform response actions, and offer assurance that adversaries are not present in the environment through threat hunting.
In-Person & Virtual
Making Sense of the Chaos: When to Conduct Structured and Unstructured Threat Hunts
Making Sense of the Chaos explores two distinct threat hunting approaches. Structured, hypothesis-driven hunts, and Unstructured hunts, where data leads the way.
In-Person & Virtual
Does Slicing Onions Make You Cry - Forensic Analysis of TAILs
Adversaries leverage the TAILs (The Amnesic Incognito Live System) operating system for conducting criminal activity.
In-Person & Virtual
Break
Summit Day 103:15PM - 03:25PM MDTIn-Person & Virtual
Ensuring Data Integrity in Incident Response: Tools and Techniques for Forensically Sound Log Extraction
Logs are foundational to nearly all DFIR engagements, yet reliably extracting logs from sources such as network appliances, SaaS applications, and cloud environments can be challenging.
In-Person & Virtual
Finding Relevant Alerts, Events and Logs
In modern cybersecurity, the ability to connect isolated security alerts into coherent, actionable attack chains is essential. However, traditional detection methods often struggle to contextualize vast amounts of security data, leaving slow and stealthy attacks undetected within a sea of noise and false positives.
In-Person & Virtual
MacOS Endpoint Security Framework: Not Another MacOS Log Source
As many Mac DFIR professionals know, MacOS is constantly changing. New features are regularly being added to the platform that may provide a new source of information that an examiner can use during an investigation.
In-Person & Virtual
Closing Remarks
Summit Day 105:00PM - 05:10PM MDTIn-Person & Virtual
Summit Night In
Get ready for high-energy fun at the DFIR Summit! Join us on the evening of July 24 for Best Corporate Feud—a fast-paced, game show-style competition where teams go head-to-head guessing the most popular answers to fun survey questions. Whether you're on stage or in the audience, everyone gets in on the action!
In-Person
Keynote | TBA
More to come.
In-Person & Virtual
Break & Release to Workshops
Summit Day 210:00AM - 10:15AM MDTIn-Person
Workshop 1 | Not So Private Browsing!
Private browsing, often referred to as "Incognito Mode," is widely considered a way to maintain privacy during internet use. However, while this mode may obscure browsing activity from casual users and the device’s history logs, it does not guarantee complete anonymity.
In-Person
Workshop 2 | Google Cloud Lateral Movement: Leveraging Default Service Accounts
This hands-on workshop uncovers the critical configurations of roles, permissions, and service accounts, with a special focus on the often-overlooked risks posed by default service accounts and their excessive permissions.
In-Person
Lunch
Summit Day 212:45PM - 01:45PM MDTIn-Person
Workshop 3 | Finding Answers Fast – Extracting Knowledge From the Noise
Today more than ever, we are faced with the daunting task of protecting our environment and stopping attacks. At the same time, the adversary is getting smarter and more effective by the day.
In-Person
Break
Summit Day 202:35PM - 02:50PM MDTIn-Person
Closing Remarks
Summit Day 204:15PM - 04:30PM MDTIn-Person
SANS@Night: Skynet for Incident Response - What Problems Can AI Solve For Us?
Artificial intelligence is still one of the most popular buzzwords we use in cybersecurity. We see it added to everything, to the point that we use it to write emails that end up being read by other AI agents.
In-Person
DFIR NetWars Tournament
Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.
In-Person
DFIR NetWars Tournament
Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.
In-Person
Salt Lake Marriott Downtown at City Creek
A special discounted rate of $209.00 S/D plus applicable taxes will be honored based on space availability.
A limited number of Government Per Diem rooms at the prevailing rate are available with proper ID.
These rates include Internet in your room and are only available through Tuesday, July 1, 2025
3 Reasons To Stay At The Event Venue
