
SANS 2018

Orlando, FL | Tue, Apr 3 - Tue, Apr 10, 2018

Threat Hunting via Windows Event Logs

  • Eric Conrad
  • Tuesday, April 3rd, 7:15pm - 9:15pm

Windows event logs continue to be the best source for centrally hunting malice in a Windows environment. Virtually all malware can be detected via event logs after making small tweaks to the logging configuration.

Recent malware attacks leverage 'fileless malware', typically using PowerShell for post exploitation. Why? No EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging.

We will discuss DeepBlueCLI, an open source PowerShell framework for threat hunting via Windows event logs (including the latest PowerShell-fueled post exploitation). DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging.

We will also discuss DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternals' Sysmon and supports auto-submission of EXE, DLL and driver hashes via a free VirusTotal Community API key.


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. Bonus sessions fall into the following categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Vendor: Events hosted by external vendor exhibitors.
  • Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Tuesday, April 3

| Session | Speaker | Time | Type |
|---|---|---|---|
| General Session - Welcome to SANS | Bryan Simon | Tuesday, April 3rd, 8:00am - 8:30am | Special Events |
| Threat Hunting via Windows Event Logs | Eric Conrad | Tuesday, April 3rd, 7:15pm - 9:15pm | Keynote |

Wednesday, April 4

| Session | Speaker | Time | Type |
|---|---|---|---|
| Stuck in the Box, a SIEM's Tale | Justin Henderson | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night |
| Infosec Rock Star: Geek Will Only Get You So Far | Ted Demopoulos | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night |
| Malware Vaccination: Its Potential and Limitations | Lenny Zeltser | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night |
| Hacking Dumberly, Just Like the Bad Guys | Tim Medin and Derek Banks | Wednesday, April 4th, 7:15pm - 8:15pm | SANS@Night |
| So, You Wanna be a Pentester? | Adrien de Beaupre | Wednesday, April 4th, 8:15pm - 9:15pm | SANS@Night |
| Let's Go Hunting Bad Guys | John Strand | Wednesday, April 4th, 8:15pm - 9:15pm | SANS@Night |
| Secure DevOps: A Puma's Tail | Aaron Cure | Wednesday, April 4th, 8:15pm - 9:15pm | SANS@Night |
| Container Centric Intrusions: Assessing the Efficacy of Intrusion Detection and Analysis Methods for Container Based Environments | Alfredo Hickman | Wednesday, April 4th, 8:15pm - 8:55pm | Master's Degree Presentation |

Thursday, April 5

| Session | Speaker | Time | Type |
|---|---|---|---|
| Vendor Solutions Expo | | Thursday, April 5th, 12:00pm - 1:30pm | Vendor Event |
| Vendor Solutions Expo | | Thursday, April 5th, 5:30pm - 7:30pm | Vendor Event |
| The 14 Absolute Truths of Security | Keith Palmgren | Thursday, April 5th, 7:15pm - 8:15pm | SANS@Night |
| Defeating Advanced Adversaries - Dismantling their attacks one step at a time | Erik Van Buggenhout | Thursday, April 5th, 7:15pm - 8:15pm | SANS@Night |
| An Evening of Hacking the Internet of Things (IoT) | James Lyne, Stephen Sims, Jim Shewmaker, and Guests | Thursday, April 5th, 7:15pm - 10:00pm | Special Events |
| Responding to the European Union's new General Data Protection Regulation | Ben Wright | Thursday, April 5th, 7:15pm - 8:15pm | SANS@Night |
| The State of Honeypots: Understanding the Use of Honey Technologies Today | Andrea Dominguez | Thursday, April 5th, 7:15pm - 7:55pm | Master's Degree Presentation |
| The Seven Deadly Sins of Incident Response | Jake Williams | Thursday, April 5th, 8:15pm - 9:15pm | SANS@Night |
| Three Keys for SecDevOps Success | Frank Kim | Thursday, April 5th, 8:15pm - 9:15pm | SANS@Night |

Saturday, April 7

| Session | Speaker | Time | Type |
|---|---|---|---|
| Speaking to the Board on Cybersecurity | Lance Spitzner | Saturday, April 7th, 7:15pm - 8:15pm | SANS@Night |
| Securing Your Kids | Lance Spitzner | Saturday, April 7th, 8:15pm - 9:15pm | SANS@Night |