Security West 2019

San Diego, CA | Thu, May 9 - Thu, May 16, 2019
Threat Hunting via Windows Event Logs

  • Eric Conrad
  • Thursday, May 9th, 7:15pm - 9:15pm

Windows event logs continue to be the best source for centrally hunting malice in a Windows environment. Virtually all malware can be detected via event logs after making small tweaks to the logging configuration.

Recent malware attacks leverage 'fileless malware', typically using PowerShell for post-exploitation. Why? There is no EXE for antivirus or HIPS to squash, nothing is saved to the filesystem, sites that use application whitelisting allow PowerShell, and there is little to no default logging.

We will discuss DeepBlueCLI, an open source PowerShell framework for threat hunting via Windows Event Logs (including the latest PowerShell-fueled post-exploitation). DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging.

We will also discuss DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternals' Sysmon and supports auto-submission of EXE, DLL and driver hashes via a free VirusTotal Community API key.
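A concrete version of the "small tweaks" and of the hunt they make possible, added here as an example and not DeepBlueCLI's or the presenter's code: it turns on command line auditing (Security event 4688 gains a CommandLine field) and PowerShell script block logging (event 4104), then flags encoded PowerShell command lines and script blocks with download-and-execute indicators. The regex heuristics and indicator list are my own assumptions, not rules from the talk.

```powershell
# Added example (not DeepBlueCLI or the presenter's code). Run from an elevated PowerShell
# prompt on Windows 7+ / Server 2008 R2+; only processes started after step 1 carry a command line.
# 1. Command line auditing: add the CommandLine field to Security event 4688 and make sure
#    the Process Creation subcategory is audited at all.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Script block logging: every script block PowerShell runs is written as event 4104 to
#    Microsoft-Windows-PowerShell/Operational, including blocks built at runtime and passed to IEX.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Flatten an event's <EventData> into a hashtable keyed by field name (CommandLine, ScriptBlockText, ...).
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Hunt 1: 4688 events whose command line passes an encoded payload (-e / -enc / -EncodedCommand).
# Heuristic regex (my assumption): any -e... switch followed by 20+ Base64 characters; the
# 20-char minimum keeps '-ExecutionPolicy Bypass' from matching. Decode so the analyst sees what ran.
$encoded = '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})'
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 5000 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f = Get-EventFields $_
    if ($f['CommandLine'] -match $encoded) {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { $decoded = '<not valid Base64: ' + $Matches[1] + '>' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $f['SubjectUserName']
                           Parent = $f['ParentProcessName']; Decoded = $decoded }
    }
  }

# Hunt 2: 4104 script blocks carrying download-and-execute or decode-and-run indicators.
# Indicator list is my assumption; tune it against the environment's baseline of legitimate scripts.
$indicators = '(?i)FromBase64String|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Net\.WebClient'
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 5000 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f = Get-EventFields $_
    if ($f['ScriptBlockText'] -match $indicators) {
        $text = $f['ScriptBlockText']
        [pscustomobject]@{ Time = $_.TimeCreated; ScriptBlockId = $f['ScriptBlockId']
                           Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
    }
  }
```

Both hunts return objects, so the results can be piped to Export-Csv or a SIEM forwarder rather than read off the console.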


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. Bonus sessions fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Vendor: Events hosted by external vendor exhibitors.
  • Lunch & Learn: Short presentations given during the lunch break.

Thursday, May 9
Session | Speaker | Time | Type
General Session - Welcome to SANS | Bryan Simon | Thursday, May 9th, 8:00am - 8:30am | Special Events
The Importance of Threat Intelligence Management | Julio Martin, Sales Engineer | Thursday, May 9th, 12:30pm - 1:15pm | Lunch and Learn
SOAR-driven SOC Transformation: What You Need to Know | Steve Salinas, Director of Product Marketing | Thursday, May 9th, 12:30pm - 1:15pm | Lunch and Learn
Breaking Bad Bots - The New #1 Threat and How to Stop Them | Shreyans Mehta, Co-Founder, Cequence Security | Thursday, May 9th, 12:30pm - 1:15pm | Lunch and Learn
Uptycs Product Test Drive | | Thursday, May 9th, 6:00pm - 8:00pm | Vendor Event
Threat Hunting via Windows Event Logs | Eric Conrad | Thursday, May 9th, 7:15pm - 9:15pm | Keynote

Friday, May 10
Session | Speaker | Time | Type
Coffee & Donuts with the Graduate Students | | Friday, May 10th, 7:30am - 9:00am | Reception
Vendor Solutions Expo | | Friday, May 10th, 12:15pm - 1:30pm | Vendor Event
Vendor Solutions Expo | | Friday, May 10th, 5:00pm - 6:15pm | Vendor Event
Women's CONNECT | | Friday, May 10th, 6:00pm - 7:00pm | Reception
The Data Privacy Imperative | Ben Wright | Friday, May 10th, 7:15pm - 8:15pm | SANS@Night
Come to the Dark Side: Python's Sinister Secrets | Mark Baggett | Friday, May 10th, 7:15pm - 8:15pm | SANS@Night
Blockchain Rebooted | G. Mark Hardy | Friday, May 10th, 8:15pm - 9:15pm | SANS@Night
Automating NIST Risk Management Framework (RMF) / 800-53 | Peter Szczepankiewicz | Friday, May 10th, 8:15pm - 9:15pm | SANS@Night

Saturday, May 11
Session | Speaker | Time | Type
Automating your Threat Hunting and Responses Using Pervasive Data Collection, Full Spectrum Detection, AI and Automation | John Peterson, Chief Product Officer | Saturday, May 11th, 12:30pm - 1:15pm | Lunch and Learn
The New Internet (and it has nothing to do with IPv6 or PiedPiper) | Dr. Johannes Ullrich | Saturday, May 11th, 7:15pm - 8:15pm | SANS@Night
CYA by Using CIA Correctly For A Change | Keith Palmgren | Saturday, May 11th, 7:15pm - 8:15pm | SANS@Night
Modern Information Security: Forget Cyber, It's All About AppSec | Adrien de Beaupre | Saturday, May 11th, 8:15pm - 9:15pm | SANS@Night
Next-Gen Vulnerability Management: Clarity, Consistency, and Cloud | David Hazar | Saturday, May 11th, 8:15pm - 9:15pm | SANS@Night

Sunday, May 12
Session | Speaker | Time | Type
How to Hack the GIAC | Jonathan Ham | Sunday, May 12th, 7:15pm - 8:15pm | SANS@Night
From Apple Seeds to Apple Pie | Sarah Edwards | Sunday, May 12th, 7:15pm - 8:15pm | SANS@Night
DevSecOps: Key Controls For Modern Security Success | Frank Kim | Sunday, May 12th, 7:15pm - 8:15pm | SANS@Night