
SANS 2018

Orlando, FL | Tue, Apr 3 - Tue, Apr 10, 2018

Threat Hunting via Windows Event Logs

  • Eric Conrad
  • Tuesday, April 3rd, 7:15pm - 9:15pm

Windows event logs continue to be the best source to centrally hunt malice in a Windows environment. Virtually all malware may be detected via event logs, after making small tweaks to the logging configuration.

Recent malware attacks leverage 'fileless malware', typically using PowerShell for post-exploitation. Why? No EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging.

We will discuss DeepBlueCLI, an open source PowerShell framework for threat hunting via Windows Event Logs (including the latest PowerShell-fueled post-exploitation). DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging.
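The two log sources the abstract names, command line auditing and PowerShell logging, need those "small tweaks" before they are useful. The following is an added example (not code from the SANS page or from the DeepBlueCLI project) that turns them on and then hunts the resulting events for the encoded-command pattern that fileless PowerShell attacks typically leave behind. The event IDs and registry values are standard Windows ones; the base64 length threshold, the keyword list and the function names are this example's own assumptions.

```powershell
# Added example, not code from the SANS page or from DeepBlueCLI. Run elevated on a
# test host. Event IDs and registry values are standard Windows ones; the base64
# length threshold and the keyword list are this example's own assumptions.

function Enable-HuntingAuditLogs {
    # Process Creation auditing yields Security event 4688 (one per new process).
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

    # Put the full command line into 4688 (native on Windows 8.1 / 2012 R2 and later;
    # Windows 7 / 2008 R2 need the command line auditing update installed first).
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    # PowerShell script block logging (PowerShell 5+): event 4104 in
    # Microsoft-Windows-PowerShell/Operational carries the de-obfuscated script text.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sblKey -Force | Out-Null
    Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Get-EventDataMap {
    # Turn the <EventData> section of an event into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-EncodedPowerShell {
    # Hunt 4688 events for "-EncodedCommand" (any prefix from -e to -enc) followed by a
    # base64 blob, and decode it. The blob is UTF-16LE, hence the Unicode encoding.
    param([int]$MaxEvents = 5000)
    $pattern = '(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})'   # 20+ chars: assumed threshold
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = Get-EventDataMap -Event $_
            $cmd = $data['CommandLine']
            if ($cmd -and $cmd -match $pattern) {
                try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
                catch { $decoded = '<not valid base64>' }
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Process     = $data['NewProcessName']
                    Parent      = $data['ParentProcessName']   # only populated on Windows 10 / 2016 and later
                    CommandLine = $cmd
                    Decoded     = $decoded
                }
            }
        }
}

function Find-SuspiciousScriptBlocks {
    # Hunt 4104 script block events for strings common in download-and-run chains.
    # ScriptBlockText is the third property of a 4104 event.
    param([int]$MaxEvents = 5000,
          [string[]]$Keywords = @('DownloadString', 'FromBase64String', 'Invoke-Expression', 'Net.WebClient'))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Properties.Count -lt 3) { return }
            $text = [string]$_.Properties[2].Value
            $hits = $Keywords | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Matched = ($hits -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
                }
            }
        }
}

# Usage (elevated):
#   Enable-HuntingAuditLogs
#   Find-EncodedPowerShell      | Format-List
#   Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Decoding the base64 in the hunt, rather than just flagging it, is what makes the result reviewable: an analyst sees the actual script that ran instead of an opaque blob. Script block logging complements this because 4104 records the text after PowerShell has resolved any string-building or compression the launcher used, so keyword hunting on 4104 catches what the 4688 command line alone can hide.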

We will also discuss DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternals' Sysmon and supports auto-submission of EXE, DLL and driver hashes via a free VirusTotal Community API key.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.

Tuesday, April 3
Session | Speaker | Time | Type
General Session - Welcome to SANS | Bryan Simon | Tuesday, April 3rd, 8:00am - 8:30am | Special Events
Threat Hunting via Windows Event Logs | Eric Conrad | Tuesday, April 3rd, 7:15pm - 9:15pm | Keynote

Wednesday, April 4
Session | Speaker | Time | Type
Stuck in the Box, a SIEM's Tale | Justin Henderson | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night
Infosec Rock Star: Geek Will Only Get You So Far | Ted Demopoulos | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night
Malware Vaccination: Its Potential and Limitations | Lenny Zeltser | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night
Hacking Dumberly, Just Like the Bad Guys | Tim Medin and Derek Banks | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night
So, You Wanna be a Pentester? | Adrien de Beaupre | Wednesday, April 4th, 8:15pm - 9:15pm | SANS@Night
Let's Go Hunting Bad Guys | John Strand | Wednesday, April 4th, 8:15pm - 9:15pm | SANS@Night
Secure DevOps: A Puma's Tail | Aaron Cure | Wednesday, April 4th, 8:15pm - 9:15pm | SANS@Night

Thursday, April 5
Session | Speaker | Time | Type
The 14 Absolute Truths of Security | Keith Palmgren | Thursday, April 5th, 7:15pm - 8:15pm | SANS@Night
Defeating Advanced Adversaries - Dismantling their attacks one step at a time | Erik Van Buggenhout | Thursday, April 5th, 7:15pm - 8:15pm | SANS@Night
An Evening of Hacking the Internet of Things (IoT) | James Lyne, Stephen Sims, Jim Shewmaker, and Guests | Thursday, April 5th, 7:15pm - 10:00pm | Special Events
The Seven Deadly Sins of Incident Response | Jake Williams | Thursday, April 5th, 8:15pm - 9:15pm | SANS@Night

Saturday, April 7
Session | Speaker | Time | Type
Take Your Awareness Program to the Next Level | Lance Spitzner | Saturday, April 7th, 7:15pm - 8:15pm | SANS@Night
Securing Your Kids | Lance Spitzner | Saturday, April 7th, 8:15pm - 9:15pm | SANS@Night