Milan June 2018

Milan, Italy | Mon, Jun 11 - Sat, Jun 16, 2018

Event Logs? What Event Logs?

  • Matt Bromiley
  • Tuesday, June 12th, 6:00pm - 7:00pm

Many analysts rely on Windows Event Logs to gain context on attacker activity on a system, with log entries serving as the correlative glue between other artifacts. Almost every stage of an attack touches these logs, including malware execution, persistence, credential access, and lateral movement. But what happens when attackers find ways to remove logs or, worse, stop logs from writing? We must improvise, adapt, and overcome!

In this @Night, we'll examine techniques attackers use to delete, subvert, intercept, or alter Windows Event logging. We'll discuss how defenders can detect these techniques and catch attackers before they can cause too much harm. We'll also look at steps your organization can take to preserve these important artifacts in the event your attacker(s) want to remove them from the environment.

Lastly, we will also examine artifacts of lateral movement and identify attacker activity without looking at a single log. Defenders will gain new skills in identifying malicious activity, and offensive teams will learn just how noisy their methods are.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
Tuesday, June 12

Session | Speaker | Time | Type
Event Logs? What Event Logs? | Matt Bromiley | Tuesday, June 12th, 6:00pm - 7:00pm | SANS@Night